Chapter One: Intermediate Windows Servers
You enter the ipconfig /all command and see the information shown in the image below. If you enter the nslookup command on this same system, which of the following do you expect to see as the address of the default server?
163.128.80.93
You are the administrator for the corp.westsim.com domain. The network has two child domains, acct.corp.westsim.com and sales.corp.westsim.com. You need to configure DNS name resolution properties on the srv2.sales.corp.westsim.com server. You decide to change the network interface's TCP/IP settings to do this. When an unqualified name is submitted for name resolution, you want the server to search using the following suffixes: sales.corp.westsim.com, acct.corp.westsim.com, corp.westsim.com, westsim.com. What should you do?
Click Advanced and from the DNS tab, configure custom search suffixes of sales.corp.westsim.com, acct.corp.westsim.com, corp.westsim.com, and westsim.com.
You are the network administrator for Corpnet.com. The company has three domains named corpnet.com, east.corpnet.com and west.corpnet.com. The DNS servers in each domain are only authoritative for the zones for their domains and are all member servers. You sign the corpnet.com DNS zone with DNSSEC. You need to enable the DNS servers that are not authoritative for the corpnet.com zone to perform DNSSEC validation of DNS responses for the corpnet.com zone. What should you do?
Distribute a Trust Anchor to all DNS servers that are not authoritative for the corpnet.com zone.
You manage the DNS servers for the eastsim.com domain. You have a domain controller named DNS1 running Windows Server 2016 that holds a standard primary zone for the eastsim.com zone. You would like to configure DNS1 to use forwarders for all unknown zones. You edit the DNS server properties for DNS1. On the forwarders tab, you find that the Use root hints if no forwarders are available option is disabled. You also find that you are unable to edit the forwarders list. What should you do?
Enable recursion on DNS1.
You are the network administrator for a single domain with three subnets. Two subnets have all Windows 10 computers. The conference room uses the third subnet. Traveling salesmen come to the conference room and plug in their laptops to gain network access. You have configured a DHCP server to deliver configuration information to hosts on this subnet. DNS is configured for dynamic updates. Over time, you notice that the size of the DNS database continues to grow. It is beginning to have an adverse effect on DNS server performance. What should you do?
Enable scavenging of stale resource records on the zone.
You are the network administrator for eastsim.com. The network consists of a single Active Directory domain. All of the servers run Windows Server 2016 Standard edition. All of the clients run Windows 10. A domain controller named DC1 functions as a DNS server that hosts a standard primary zone, eastsim.com. All of the other domain controllers host standard secondary zones for eastsim.com. A new corporate directive requires that all DNS communication be secure. The DNS records must be cryptographically signed by the DNS server so that clients can validate that the DNS server responses are authentic and have not been subject to tampering. You must configure DNS to comply with the new policy. What should you do?
Implement DNS Security Extensions (DNSSEC).
You are responsible for managing a Windows Server 2016 system named DNS1 that functions as a DNS server. One of the domains owned by your organization is westsim.com, which is not integrated with Active Directory. Your DNS server is authoritative for this zone. Two other DNS servers in your organization named DNS2 and DNS3 contain a copy of the zone data in a multi-master configuration. You want to use DNSSEC to digitally sign zone data. You want to use DNS1 as the Key Master for DNSSEC. Which should you do?
In DNS Manager, right-click the westsim.com zone and click DNSSEC > Sign the Zone.
You are the network administrator for corpnet.com. A new corporate policy requires that DNSSEC be implemented on the corpnet.com zone. A server named DNS1 is authoritative for the corpnet.com zone. You sign the corpnet.com zone and distribute trust anchors to all non-authoritative DNS servers that will perform DNSSEC validation of data from the zone. You need to prepare the clients to perform DNSSEC validation for the corpnet.com zone. What should you do?
In Group Policy, configure a Name Resolution Policy.
A user reports that they can't browse to a specific website on the internet. From their computer, you find that a ping test to the web server succeeds. A traceroute test shows 17 hops to the destination web server. What is the most likely cause of the problem?
Incorrect DNS server address
The image shows the current scavenging settings for the eastsim.com domain. Host (A) records within the zone are configured to refresh themselves every 7 days. You notice that sometimes a host record will be removed from the database, even though the host still exists on the network. You need to make sure that records are only removed when the host no longer exists. What should you do?
Increase the refresh interval setting.
You configured the IP address and DNS name of a new internal web server named WEB3. Your first test from a web browser on your workstation was successful. But when you came to work this morning, you were not able to access WEB3 from the same client computer using the same browser. You get an error that this site cannot be reached. You have not changed the server's IP configuration since the successful test of the night before. You ping WEB3 using its IP address, and you get a response back. Next, you ping WEB3 using its fully qualified domain name (FQDN), and you get a message indicating that the host could not be found. What can you assume from this message?
Name resolution is not working properly.
You are the DNS manager for the southsim.com domain. You want to configure your single DNS server so that it never uses forwarders for name resolution. What should you do?
On the DNS server, disable recursion.
You are the DNS manager for the eastsim.com domain. You have a domain controller named DC1 that holds an Active Directory-integrated zone for the eastsim.com zone. Users have complained about multiple DNS name resolution errors. You have examined the configuration, but can't see anything wrong. To help identify the problem, you would like to track the DNS packets sent and received by the server. You would also like to filter by IP address. What should you do?
On the DNS server, enable debug logging.
You manage the DNS servers that are authoritative for the private.westsim.com zone. Two servers are authoritative for the zone. DNS1 hosts the primary DNS zone, and DNS2 holds a secondary copy of the zone. You have just manually created an A resource record for a new web server on your network that is configured with a static IP address. From a client computer, you open a browser and try to connect to the new web server. You get an error message stating that the web site is not found. You run ipconfig /all and find that the client is correctly configured to use the DNS1 server as its preferred DNS server. But, as you continue to troubleshoot the problem, you discover that you incorrectly typed the server's IP address while creating its A resource record. You correct the IP address in the A record and retry connecting to the web site. However, you get the same error on your workstation. What should you do?
On the client computer, run ipconfig /flushdns.
You configured the IP address and DNS name of a new internal web server named WEB3. Your first test from a web browser on your workstation was successful. But when you came to work this morning, you were not able to access WEB3 from the same client computer using the same browser. You get an error message stating that this site cannot be reached. You have not changed the server's IP configuration since the successful test the night before. Which troubleshooting step should you try first to discover what the problem might be?
Ping WEB3 using its IP address.
Which utility is used to create and configure DNS policies?
PowerShell
Which type of DNS policy allows DNS servers to resolve a hostname to an IP address based on the geographical location of both the client and the host?
Query Resolution Policy
What is the first action that a DNS client will take when attempting to resolve a single-label name to an IP address?
Query a DNS server for a host name formed by appending the client's primary DNS suffix to the single-label name.
The image shows the current scavenging settings for the eastsim.com zone. Automatic scavenging has been configured on the zone to run every hour. You want to modify the existing settings so that DNS records are deleted within 10 days after they have not been refreshed. What should you do?
Set the refresh interval to 3.
Match each DNS policy type on the left with its description and associated PowerShell command on the right. Each option may be used once, more than once, or not at all.
This type of policy specifies how incoming resolution queries are handled by a DNS server. Answer: Query Resolution Policies
This type of policy controls how the DNS server performs recursion for a query. Answer: Recursion Policies
This type of policy controls whether a zone transfer is allowed or not. Answer: Zone Transfer Policies
Add-DnsServerQueryResolutionPolicy. Answer: Query Resolution Policies
Add-DnsServerZoneTransferPolicy. Answer: Zone Transfer Policies
Add-DnsServerRecursionScope. Answer: Recursion Policies
Match each statistic on the right with the section in the output of the Get-DnsServerStatistics cmdlet where it can be found on the left. Each section may be used once, more than once, or not at all.
Total number of dynamic update requests received. Answer: Zone Update Statistics
Number of queries for A records not responded to. Answer: Zone Query Statistics
Number of queries for CNAME records received. Answer: Zone Query Statistics
Total number of zone transfer requests sent as a secondary server. Answer: Zone Transfer Statistics
Total number of dynamic updates rejected. Answer: Zone Update Statistics
You are the network administrator for westsim.com. The network consists of a single Active Directory domain. All of the servers run Windows Server 2016. All of the clients run Windows 10. Clients routinely access a web application on a server named web1.westsim.com. During the course of the business day, you receive complaints that users attempting to access web1.westsim.com were directed to an unknown IP address on the Internet. They accessed a website that looked similar to the web application on web1.westsim.com, but were provided no functionality. After researching the internet IP address, you find that it belongs to a group of attackers suspected of hacking into company web sites. You determine that the compromise occurred because of DNS cache poisoning. To protect the server, you need to ensure that cache records on the DNS server cannot be overwritten until the Time to Live (TTL) period has expired. What should you do?
You should implement the DNS Cache Locking feature.
You are the network administrator for westsim.com. The network consists of a single Active Directory domain. All the servers run Windows Server 2016. All the clients run Windows 10. The company has one main office. There is one server named DNS1 with the DNS Server role installed. A new company security directive states that servers should not use port 49308. All other port ranges are acceptable and should not be excluded. You need to configure DNS1 to adhere to the new security requirement without any loss of DNS functionality. What should you do?
You should set the SocketPoolExcludedPortRanges setting in the registry on the DNS servers to 49308-49308.
After reconfiguring the static address of an internal web server named WEB3, your client computer can no longer connect to WEB3. However, other users are still able to connect to the same web server. You suspect that your computer still has the old IP address for WEB3 in its DNS cache. Which command can you use to verify that this is the case before clearing the DNS cache on your computer?
ipconfig /displaydns
A client's primary DNS suffix is east.corpsim.com. The client is also configured with a DNS suffix search list containing west.corpsim.com and ny.east.corpsim.com. Which FQDNs will be included in DNS queries when DNS devolution is used by the client to resolve a single-label name of srv42? (Select two.)
srv42.east.corpsim.com, srv42.corpsim.com