HOTSPOT
Your network contains an Active Directory domain named contoso.com. All servers run Windows
Server 2012 R2.
The domain contains two domain controllers. The domain controllers are configured as shown in the
following table.
On DC1, you create an Active Directory-integrated zone named Zone1. You verify that Zone1
replicates to DC2.
You use DNSSEC to sign Zone1.
You discover that the updates to Zone1 fail to replicate to DC2.
You need to ensure that Zone1 replicates to DC2.
What should you configure on DC1?
To answer, select the appropriate tab in the answer area.
Answer: 
Explanation:
We most allow and configure zone transfers.
To modify zone transfer settings using the Windows interface
Open DNS Manager.
Right-click a DNS zone, and then click Properties.
On the Zone Transfers tab, do one of the following:
To disable zone transfers, clear the Allow zone transfers check box.
To allow zone transfers, select the Allow zone transfers check box.
If you allowed zone transfers, do one of the following:
To allow zone transfers to any server, click To any server.
To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only to
servers listed on the Name Servers tab.
To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add
the IP address of one or more DNS servers.Modify Zone Transfer Settings
I dont understand this. If it successfuly replicated, why would signing zone1 mean that the zone transfers need setting up again…?
according to (https://technet.microsoft.com/en-gb/library/ee649277(v=ws.10).aspx) Theres nothing special about using DNSSEC with zone transfers.
0
0
It’s because DC2 is an RODC.
In https://technet.microsoft.com/en-GB/library/dn593674.aspx#rodc
“In Windows Server 2012 and Windows Server 2012 R2, an RODC loads unsigned zones from Active Directory with no change in functionality from Windows Server 2008 R2. However, if the RODC finds a DNSSEC-signed zone in Active Directory, it does not load the zone as Active Directory-integrated. Instead, it creates a secondary copy of the zone, and then configures the closest writeable domain controller for the domain as the primary server. The RODC then attempts to perform a zone transfer. Zone transfers must be enabled on the primary DNS server for this transfer to succeed. If zone transfers are not enabled, the RODC logs an error event and takes no further action. In this scenario, you must manually enable zone transfers on the primary server that is selected by the RODC. Alternately, you can choose to reconfigure the RODC to point to a different primary DNS server that has zone transfers enabled.”
0
0