PrepAway - Latest Free Exam Questions & Answers

Use the drop-down list to select the answer choice that completes each assignment.

Your network contains one Active Directory domain. The domain contains the servers configured as
shown in the following table.

Server    Configuration
Server1   Domain controller, DNS server
Server2   Domain controller, DNS server
Server3   DNS server

Server1 has the zones shown in the following table:

Zone name       Zone type  IsAutoCreated  IsDsIntegrated  IsReverseLookupZone  IsSigned
adatum.com      primary    false          false           false                false
contoso.com     primary    false          true            false                false
litwareinc.com  secondary  false          true            false                false

Server3 has the following output:

Zone name       Zone type  IsAutoCreated  IsDsIntegrated  IsReverseLookupZone  IsSigned
contoso.com     secondary  false          true            false                false
litwareinc.com  primary    false          true            false                false
Use the drop-down list to select the answer choice that completes each assignment.

You can protect [answer choice] by using DNSSEC:
- only adatum.com
- only contoso.com
- only litwareinc.com
- only contoso.com and adatum.com
- contoso.com, adatum.com and litwareinc.com

On Server1, you configure permissions for the contoso.com zone. The permission will be effective
on [answer choice]:
- Server1 only
- Server1 and Server2 only
- Server1 and Server3 only
- Server1, Server2 and Server3


Answer: Pending

Explanation:

14 Comments on “Use the drop-down list to select the answer choice that completes each assignment.”

  1. Erfaan says:

    Based on reading I have done on this page https://technet.microsoft.com/en-au/library/dn593657.aspx

    I believe the answer to the first part is:
    only contoso.com and adatum.com

    Mainly because of this quote from the link above: “To host an Active Directory-integrated DNS zone, DNS servers must also be running the Active Directory Domain Services (AD DS) role.” This is stated as a requirement for signing a DNS zone using DNSSEC. My conclusion is “litwareinc.com” can’t be signed because Server3, where this zone is primary and thus authoritative, is not an AD DS in itself, despite the zone being integrated.

    The answer for the 2nd part not sure yet!!!




    0



    0
  2. Strider says:

    Is it possible that Server 3 has ADDS installed but is not yet promoted to a DC? Seems strange you would have a primary AD-integrated zone not a DC. ADDS may be required for AD integrated zones even without DNSSec




    1



    0
  3. Starlin says:

    It’s a confusing one

    First I made a cleaner version of the servers information, based on what’s been stated in the question:
    http://oi64.tinypic.com/2mnjepw.jpg

    – In the first question the only option that looks right is: Only Contoso.com

    *Adatum.com is not AD integrated.
    *Litwareinc.com is AD integrated but Server3 is not a Domain Controller (This is the confusing part).
    *There is no Contoso.com and Litwareinc.com so that’s why my only option is Only Contoso.com

    – The second choice for me is: Server1, Server2 and Server3

    *Based on the fact that Server3 hosts AD integrated zones (This means AD is installed on the server).

    These answers are in my opinion (Not 100% sure about them). The question is confusing and if I miss any fact, all answers may change.




    0



    0
      1. MancaMulas says:

        Blazz is right. I just tried it on my lab. I used a member server on the domain, installed the DNS server role and created a new standard primary zone (not AD integrated) and I was able to sign the zone.

        From Microsoft https://technet.microsoft.com/en-us/library/dn593657.aspx:
        “Both forward and reverse lookup zones can be signed with DNSSEC. Zones can be Active Directory-integrated or file-backed.”

        So based on this, and since server 3 hosts the primary zone for litwareinc.com, I believe the answer for the first part of the question is in fact:

        – contoso.com,adatum.com and litwareinc.com

        For the second part of the question, since contoso.com is AD integrated I believe the answer is:

        – server1,server2 and server3

        Please correct me if I’m wrong.




        0



        0
  4. kingces says:

    IMHO the answer is:

    only contoso.com and adatum.com
    server1,server2 and server3

    The reason for the first answer is that DNSSEC can only be set on the Primary Server. From the very first link:

    “A secondary DNS server depends on the primary DNS server to sign the zone and transfers a signed version of the zone from the primary server that supports DNSSEC validation.”

    Server 1 is hosting a Secondary zone for litwareinc.com and therefore DNSSEC would need to be set on the Primary zone – which is not able to be done as server 3 does not support DNSSEC validation.

    This ties into the second answer as any permissions set on Server 1 (hosting the contoso.com Primary zone) would propagate to all other servers/zones.




    2



    1
    1. MalotJean says:

      Server3 DOES support DNSSEC validation.
      The fact that it’s not a Domain Controller has no impact whatsoever on DNSSEC settings. You can sign zones as in any other DNS Server.




      0



      0
  5. Gan says:

    For the first part of the question, am I wrong in thinking that we may be able to ignore the IsDSIntegrated attribute? The relevant DNSSEC requirements seem to be (https://technet.microsoft.com/en-au/library/dn593657.aspx)

    – Win2012 or later (requirement met)
    – DNS Server Role (requirement met)
    – At least 1 primary authoritative DNS server is required (requirement met)
    – At least 1 primary DNS zone is required (requirement met – although server 3 doesn’t run AD DS, it still holds the primary zone for Litware) Running AD DS is obviously a requirement to AD integrate a zone, but it’s not a DNSSEC requirement
    – Domain membership (requirement met)
    – Features/Network/EDNS0 (presumably met)




    1



    0
  6. MalotJean says:

    I think this question is missing an exhibit (Server2) and is supplying wrong and incomplete information.

    Since AD-integrated zones can only be hosted on DNS servers that are also writeable Domain Controllers, Server3 cannot possibly host an AD-integrated zone, even with the AD DS role installed.

    Since preconditions are wrong no answer can be given for certain, but bear in mind that:
    – Non AD-Integrated zones CAN be signed
    – DNS servers that are not DCs CAN sign primary zones




    0



    0
  7. discmanvvv says:

    You can have file backed zones or AD integrated zones signed for dnssec, so all 3 zones can be signed and protected with dnssec.

    The contoso.com zone is AD integrated and Server3 is a member server in the domain as stated in the question. Therefore, permissions will be effective on all servers for contoso.com.

    Link below demonstrates how to sign a file backed dns zone.
    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn593642(v%3dws.11)




    0



    0
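
Added example, not part of any comment above and not Microsoft's own code: a PowerShell check to run in a lab, as MancaMulas describes doing, that lists which zones each DNS server holds as primary (and so signs itself) and which it only receives as a secondary. It assumes the DnsServer module is installed and that Server1 and Server3 from the question are reachable; signing adatum.com at the end is an illustrative choice.

```powershell
# Added example (lab use). Assumes the DnsServer module (RSAT DNS tools)
# and that Server1 and Server3 from the question are reachable.
Import-Module DnsServer

function Get-ZoneSigningStatus {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($server in $ComputerName) {
        Get-DnsServerZone -ComputerName $server |
            Where-Object { -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors' } |
            ForEach-Object {
                # A zone is signed on the server that holds its primary copy;
                # a secondary receives the signed zone by zone transfer.
                $action = if ($_.IsSigned) {
                    'Already signed'
                } elseif ($_.ZoneType -eq 'Primary') {
                    'Can be signed on this server'
                } elseif ($_.ZoneType -eq 'Secondary') {
                    'Sign on the primary; this copy arrives by transfer'
                } else {
                    'Not a signable zone type (stub or forwarder)'
                }
                [pscustomobject]@{
                    Server         = $server
                    ZoneName       = $_.ZoneName
                    ZoneType       = $_.ZoneType
                    IsDsIntegrated = $_.IsDsIntegrated
                    IsSigned       = $_.IsSigned
                    Action         = $action
                }
            }
    }
}

Get-ZoneSigningStatus -ComputerName 'Server1', 'Server3' | Format-Table -AutoSize

# Sign a file-backed primary zone with the default KSK/ZSK parameters.
# adatum.com on Server1 is used here only as an illustration.
Invoke-DnsServerZoneSign -ComputerName 'Server1' -ZoneName 'adatum.com' `
    -SignWithDefault -PassThru -Force

# Verify: the zone reports IsSigned, and a DNSSEC-aware query returns
# DNSKEY records together with their RRSIG signatures.
Get-DnsServerZone -ComputerName 'Server1' -Name 'adatum.com' |
    Select-Object ZoneName, ZoneType, IsSigned
Resolve-DnsName -Name 'adatum.com' -Type DNSKEY -Server 'Server1' -DnssecOk
```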
