PrepAway - Latest Free Exam Questions & Answers

What should you do?

You have a server named Server1 that runs Windows Server 2012 R2. Server1 is located in the
perimeter network and has the DNS Server server role installed.
Server1 has a zone named contoso.com.
You apply a security template to Server1.
After you apply the template, users report that they can no longer resolve names from
contoso.com.
On Server1, you open DNS Manager as shown in the DNS exhibit. (Click the Exhibit button.)

On Server1, you open Windows Firewall with Advanced Security as shown in the Firewall exhibit.
(Click the Exhibit button.)

You need to ensure that users can resolve contoso.com names.
What should you do?


A.
From Windows Firewall with Advanced Security, disable the DNS (TCP, Incoming) rule and the
DNS (UDP, Incoming) rule.

B.
From DNS Manager, modify the Zone Transfers settings of the contoso.com zone.

C.
From DNS Manager, unsign the contoso.com zone.

D.
From DNS Manager, modify the Start of Authority (SOA) of the contoso.com zone.

E.
From Windows Firewall with Advanced Security, modify the profiles of the DNS (TCP, Incoming)
rule and the DNS (UDP, Incoming) rule.

Explanation:
To configure Windows Firewall on a managed DNS server:
1. On the Server Manager menu, click Tools and then click Windows Firewall with Advanced
   Security.
2. Right-click Inbound Rules, and then click New Rule. The New Inbound Rule Wizard will
   launch.
3. In Rule Type, select Predefined, choose DNS Service from the list, and then click Next.
4. In Predefined Rules, under Rules, select the checkboxes next to the following rules:
   - RPC (TCP, Incoming)
   - DNS (UDP, Incoming)
   - DNS (TCP, Incoming)
   - RPC Endpoint Mapper (TCP, Incoming)
5. Click Next, choose Allow the connection, and then click Finish.
6. Right-click Inbound Rules, and then click New Rule. The New Inbound Rule Wizard will
   launch.
etc.
Manually Configure DNS Access Settings
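
The same DNS Service rules can be inspected from PowerShell, including the firewall profiles they apply to, which is what option E changes. The script below is an added example, not part of the original page; it assumes an elevated session on Server1 with the built-in NetConnection and NetSecurity modules, and the Private, Public profile list in the commented remediation is only an illustration.

```powershell
# Added example, not from the original page. Assumes an elevated session on
# Windows Server 2012 R2 or later (NetConnection and NetSecurity modules).

# 1. Firewall profile currently applied to each connected network.
$connections = Get-NetConnectionProfile
$connections | Format-Table InterfaceAlias, Name, NetworkCategory -AutoSize

# NetworkCategory is Public, Private or DomainAuthenticated; firewall rules
# use Public, Private or Domain, so map the one name that differs.
$activeProfiles = $connections | ForEach-Object {
    if ("$($_.NetworkCategory)" -eq 'DomainAuthenticated') { 'Domain' }
    else { "$($_.NetworkCategory)" }
} | Sort-Object -Unique

# 2. Inbound DNS rules from the predefined "DNS Service" group.
$dnsRules = Get-NetFirewallRule -DisplayGroup 'DNS Service' |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.DisplayName -like 'DNS (*' }

# 3. For every rule and active profile, report whether the rule applies.
$report = foreach ($rule in $dnsRules) {
    $ruleProfiles = "$($rule.Profile)" -split ',\s*'   # e.g. "Domain, Private"
    foreach ($p in $activeProfiles) {
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Enabled       = $rule.Enabled
            Action        = $rule.Action
            RuleProfiles  = "$($rule.Profile)"
            ActiveProfile = $p
            Applies       = ("$($rule.Enabled)" -eq 'True') -and
                            ("$($rule.Action)" -eq 'Allow') -and
                            (($ruleProfiles -contains 'Any') -or
                             ($ruleProfiles -contains $p))
        }
    }
}
$report | Format-Table -AutoSize

# 4. Remediation, left commented out: set the rule's profile list explicitly.
#    -Profile replaces the existing list, so name every profile to keep.
# Set-NetFirewallRule -DisplayName 'DNS (UDP, Incoming)' -Profile Private, Public
# Set-NetFirewallRule -DisplayName 'DNS (TCP, Incoming)' -Profile Private, Public
```

A row with Applies = False means inbound DNS queries arriving on that network are not matched by the allow rule, even though the rule exists and is enabled.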

7 Comments on “What should you do?”

  1. kyo says:

    Thoughts on this one? The provided explanation teaches you how to create the Firewall rules that are already present in the wf.msc console displayed in the exhibit. (DNS TCP/UDP are already enabled)




    1. kyo says:

      Looking back on this I think the provided answer is correct, the firewall ports are open only for the private profile. I assume they need to be opened for the Domain profile as well.




      1. den says:

        I was also considering this option…
        BUT: question states that the server is operating in a perimeter network. I would classify such network connection as “Public” to secure the system. So if they did it the same way then you would have to configure the rules for Public network, or even to all profiles to be on the safe side (in order to make things work, not secure of course 😉 ).
        On the other hand we don’t know how it’s really classified in the provided setup. :-/

        What I also find noticeable is that there’s a small detail missing in the screenshot: namely the triangle (or arrow or however you call it) enabling you to expand the contoso.com zone view on the left! So I checked it in lab environment and in a proper working setup it should be there. This could therefore be a hint that something might be wrong with this zone, which is also signed as the icon next to it reveals. So maybe a signing issue?

        Another point:
        As the system’s running in the perimeter network we can assume it’s a standalone server not joined to any domain. Further that the zone therefore is set up as secondary. Because of this there may also be a chance that something according to the zone transfer settings or even SOA has to be corrected to get things working…additionally depending on how/where/from the DNS clients are querying…

        conclusion: not sure yet, have to review this one later :-/




  2. Aberdeen Angus says:

    The 2 possible causes are that the DNS clients are unable to do DNSSEC, or that the Windows firewall is blocking queries.

    What broke it was “You apply a security template to Server1”. I don’t think a security template can convert a DNS zone to using DNSSEC, and the firewall rules shown are for the Private profile and in a DMZ you’d expect it to be using the Public profile.

    So “From Windows Firewall with Advanced Security, modify the profiles of the DNS (TCP,Incoming) rule and the DNS (UDP, Incoming) rule.”

    I don’t see what’s wrong with having a primary DNS server in a DMZ btw, depends what’s on it (not records for internal domains of course).




  3. Chris says:

    Answer: D
    The issue is that the screenshot provided does not display the DNS (TCP, Incoming) or DNS (UDP, Incoming) Firewall Rules, which presumably are also set to Private by the security template. At the very least they would need to be set to a domain scope, and are generally set to a Private + Domain + Public scope.




