Younetwork contains one Active Directory domain named adatum.com. The domain contains a DNS
server named Server1 that runs Windows Server 2012 R2.
All domain computers use Server1 for DNS.
Yousign adatum.com by using DNSSEC.
You need to configure the domain computers to validate DNS responses for adatum.com records.
What should you configure in Group Policy?
A.
Network List Manager Policies
B.
Network Access Protection (NAP)
C.
Name Resolution Policy
D.
Public Key Policy
Explanation:
Name resolution policy needs to be configured in group policy.
“In both example 1 and example 2, validation is not required for the secure.contoso.com zone
because the Name Resolution Policy Table (NRPT) is not configured to require validation.”
https://technet.microsoft.com/en-us/library/jj200221.aspx
C
https://technet.microsoft.com/en-us/library/ee649182(v=ws.10).aspx
“To configure the NRPT
On a domain controller or member computer with the Group Policy Management feature installed, click Start, click Run, type gpme.msc and press ENTER.
If you configured a Group Policy object (GPO) for DNS client computers, click the name of the GPO and then click OK.
If you created an OU for DNS client computers, open the OU, click the Create New Group Policy Object icon, type a name for the new GPO, and then click OK.OK.
In the Group Policy Management Editor, open Computer Configuration\Policies\Windows Settings\Name Resolution Policy.
Enter the area of the namespace to which the policy applies. Typically, this will be the name of a signed zone. From the drop-down menu, select the appropriate setting and then type the namespace information. For example, you might choose Suffix and type secure.woodgrovebank.com. The following settings define how the rule will apply to a namespace:
FQDN: Select this if the policy applies only to the fully qualified domain name (FQDN) of a specified host. Do not use the FQDN of a domain.
Suffix: Select this if the policy applies to the specified namespace, all records in that namespace, and all subdomains.
Prefix: Select this if the policy applies only to a hostname. This policy will be triggered only if the hostname portion of the query matches the name configured here. A flat name (dotless name) must be configured here.
Subnet (IPv4): Select this if you are configuring a policy for reverse IPv4 lookup queries.
Subnet (IPv6): Select this if you are configuring a policy for reverse IPv6 lookup queries.
Verify that Certification Authority (optional) is blank. Certificate based authentication will be configured using connection security rules for IPsec.
On the DNSSEC tab, select the Enable DNSSEC in this rule check box.
Select the Require DNS clients to check that name and address data has been validated by the DNS server check box.
Select the Use IPsec in communication between the DNS client and DNS server check box, and then next to Encryption type choose No encryption (integrity only) from the drop-down menu.
To add this rule to the NRPT, click Create. The rule will now appear in the table under Name Resolution Policy Table.
Repeat these steps as needed to add rules for other areas of the namespace.”
0
0