Your network contains an Active Directory domain named contoso.com. All servers

run Windows Server 2012 R2. Client computers run either Windows 7 or Windows 8.

All of the computer accounts of the client computers reside in an organizational unit (OU) named Clients. A Group Policy object (GPO) named GPO1 is linked to the Clients OU. A

ll of the client computers use a DNS server named Server1.

You configure a server named Server2 as an ISATAP router. You add a host (A) record for ISATAP to the contoso.com DNS zone.

You need to ensure that the client computers locate the ISATAP router.

What should you do?

A. Run the

Set-DnsServerGlobalQueryBlockList

cmdlet on Server1.

B. Configure the Network Options Group Policy preference of GPO1.

C. Run the

Add-DnsServerResourceRecord

cmdlet on Server1.

D. Configure the DNS Client Group Policy setti

ng of GPO1.

Explanation:

The Set-DnsServerGlobalQueryBlockList command will change the settings of a global query block list which you can use to ensure that client computers locate the ISATAP router.

Windows Server 2008 introduced a new featur

e, called -Global Query Block list-, which prevents some arbitrary machine from registering the DNS name of WPAD. This is a good security feature, as it prevents someone from just joining your network, and setting himself up as a proxy. The dynamic update

feature of Domain Name System (DNS)makes it possible for DNS client computers to register and dynamically update their resource records with a DNS server whenever a client changes its network address or host name. This reduces the need for manual administr

ation of zone records. This convenience comes at a cost, however, because any authorized client can register any unused host name, even a host name that might have special significance for certain Applications. This can allow a malicious user to take over

a special name and divert certain types of network traffic to that user-s computer. Two commonly deployed protocols are particularly vulnerable to this type of takeover: the Web Proxy Automatic Discovery Protocol (WPAD) and the Intra-site Automatic Tunnel

Addressing Protocol (ISATAP). Even if a network does not deploy these protocols, clients that are configured to use them are vulnerable to the takeover that DNS dynamic update enables. Most commonly, ISATAP hosts construct their PRLs by using DNS to locate

a host named is a tap on the local domain. For example, if the local domain is corp.contoso.com, an ISATAP-enabled host queries DNS to obtain the IPv4 address of a host named isatap.corp.contoso.com. In its default configuration, the Windows Server 2008 D

NS Server service maintains a list of names that, in effect, it ignores when it receives a query to resolve the name in any zone for which the server is authoritative. Consequently, a malicious user can spoof an ISATAP router in much the same way as a mali

cious user can spoof a WPAD server:A malicious user can use dynamic update to register the user-s own computer as a counterfeit ISATAP router and then divert traffic between ISATAP-enabled computers on the network. The initial contents of the block list de

pend on whether WPAD or ISATAP is already deployed when you add the DNS server role to an existing Windows Server 2008 deployment or when you upgrade an earlier version of Windows Server running the DNS Server service. Add- DnsServerResourceRecord – The Ad

d-DnsServerResourceRecord cmdlet adds a resource record for a Domain Name System (DNS) zone on a DNS server. You can add different types of resource records. Use different switches for different record types. By using this cmdlet, you can change a value fo

r a record, configure whether a record has a time stamp, whether any authenticated user can update a record with the same owner name, and change lookup timeout values, Windows Internet Name Service (WINS) cache settings, and replication settings. Set-DnsSe

rverGlobalQueryBlockList – The Set-DnsServerGlobalQueryBlockList cmdlet changes settings of a global query block list on a Domain Name System (DNS) server. This cmdlet replaces all names in the list of names that the DNS server does not resolve with the na

mes that you specify. If you need the DNS server to resolve names such as ISATAP and WPAD, remove these names from the list. Web Proxy Automatic Discovery Protocol (WPAD) and Intra-site Automatic Tunnel Addressing Protocol (ISATAP) are two commonly deploye

d protocols that are particularly vulnerable to hijacking.

References:

Training Guide: Installing and Configuring Windows Server 2012 R2, Chapter 4: Deploying domain controllers, Lesson 4: Configuring IPv6/IPv4 Interoperability, p. 254-256

http://technet.

microsoft.com/en-us/library/jj649942(v=wps.620).aspx

http://technet.microsoft.com/en-us/library/jj649876(v=wps.620).aspx

http://technet.microsoft.com/en-us/library/jj649874.aspx

http://technet.microsoft.com/en-us/library/jj649909.aspx