Your network contains an Active Directory domain named contoso.com. All domain controllers run
Windows Server 2012.
The domain contains an Edge Server named Server1. Server1 is configured as a DirectAccess server.
Server1 has the following settings:
Internal DNS name: Server1.contoso.com
External DNS name: dal.contoso.com
Internal IPv6 address: 2002:c1a8:6a:3333::1
External IPv4 address: 65.55.37.62
Your company uses split-brain DNS for the contoso.com zone.
You run the Remote Access Setup wizard as shown in the following exhibit.
You need to ensure that client computers on the Internet can establish DirectAccess connections to
Server1.
Which additional name suffix entry should you add from the Remote Access Setup wizard?

A. A Name Suffix value of Server1.contoso.com and a blank DNS Server Address value
B. A Name Suffix value of dal.contoso.com and a blank DNS Server Address value
C. A Name Suffix value of Server1.contoso.com and a DNS Server Address value of 65.55.37.62
D. A Name Suffix value of dal.contoso.com and a DNS Server Address value of 65.55.37.62
Explanation:
* In a non-split-brain DNS environment, the Internet namespace is different from the intranet
namespace. For example, the Contoso Corporation uses contoso.com on the Internet and
corp.contoso.com on the intranet. Because all intranet resources use the corp.contoso.com DNS
suffix, the NRPT rule for corp.contoso.com routes all DNS name queries for intranet resources to
intranet DNS servers. DNS name queries for names with the contoso.com suffix do not match the
corp.contoso.com intranet namespace rule in the NRPT and are sent to Internet DNS servers.
* Split-brain DNS is a configuration method that enables proper resolution of names (e.g.,
example.com) from both inside and outside of your local network.
Note: For split-brain DNS deployments, you must list the FQDNs that are duplicated on the Internet
and intranet and decide which resources the DirectAccess client should reach, the intranet version
or the public (Internet) version. For each name that corresponds to a resource for which you want
DirectAccess clients to reach the public version, you must add the corresponding FQDN as an
exemption rule to the NRPT for your DirectAccess clients. Name suffixes that do not have
corresponding DNS servers are treated as exemptions.
Reference: Design Your DNS Infrastructure for DirectAccess
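The NRPT behaviour described in the explanation, modelled as an added example (not part of the original question and not Microsoft's code): the most specific rule wins, and an entry with a blank DNS server sends that name to the client's own DNS instead of the intranet DNS servers. The existing `.contoso.com` namespace rule and the intranet DNS address `2001:db8::53` are assumptions, since the exhibit is not reproduced on the page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

INTRANET_DNS = "2001:db8::53"     # constructed placeholder, not a value from the page
CLIENT_DNS = "client-configured"  # the DNS servers set on the client's network adapter

@dataclass(frozen=True)
class NrptRule:
    name: str                  # leading dot = suffix rule, otherwise an exact FQDN rule
    dns_server: Optional[str]  # None models a blank DNS Server Address (exemption)

def best_rule(rules: List[NrptRule], qname: str) -> Optional[NrptRule]:
    """Most specific match wins: an exact FQDN first, then the longest suffix."""
    q = qname.lower().rstrip(".")
    best, best_key = None, (-1, -1)
    for rule in rules:
        n = rule.name.lower().rstrip(".")
        if n.startswith("."):
            hit, key = q.endswith(n), (0, len(n))
        else:
            hit, key = q == n, (1, len(n))
        if hit and key > best_key:
            best, best_key = rule, key
    return best

def resolver_for(rules: List[NrptRule], qname: str) -> str:
    """DNS server a DirectAccess client on the Internet queries for qname."""
    rule = best_rule(rules, qname)
    if rule is None or rule.dns_server is None:
        return CLIENT_DNS      # no rule, or an exemption: normal DNS resolution
    return rule.dns_server

def add_exemption(rules: List[NrptRule], fqdn: str) -> List[NrptRule]:
    """Rule set with one more entry whose DNS Server Address is left blank."""
    return rules + [NrptRule(fqdn, None)]

def routing_table(rules: List[NrptRule], names: List[str]) -> Dict[str, str]:
    return {name: resolver_for(rules, name) for name in names}

NAMES = ["Server1.contoso.com", "dal.contoso.com", "www.contoso.com"]
NAMESPACE_ONLY = [NrptRule(".contoso.com", INTRANET_DNS)]  # assumed existing rule

if __name__ == "__main__":
    for entry in (None, "Server1.contoso.com", "dal.contoso.com"):
        rules = add_exemption(NAMESPACE_ONLY, entry) if entry else NAMESPACE_ONLY
        print(f"blank-server entry: {entry}")
        for name, server in routing_table(rules, NAMES).items():
            print(f"  {name:20} -> {server}")
```

Running it prints, for each candidate blank-server entry, which DNS server an Internet-side client would ask for each of the three names.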
B. A Name Suffix value of dal.contoso.com and a blank DNS Server Address value
0
0
That’s “A”
1
0
A is correct, check the page below:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/335b4e35-b1ad-4fcc-bb45-0b75ce606b72/direct-access-question?forum=winserver8gen
0
0
A is correct
0
0
I think B is correct, it states that clients from the Internet can reach Server1. There is an external DNS entry dal.contoso.com, therefore clients should use a configured name suffix value of dal.contoso.com and not the internal server1.contoso.com.
1
0
It’s B. dal.contoso.com must be looked up externally, by using the client DNS settings when they are on the Internet. When they are on the local network, the local DNS servers will be used and they don’t need to reach dal.contoso.com because they’re already on the local network and can successfully look up server1.contoso.com.
0
0
No doubt, it’s B only
because it’s very clear that they are in one local network
0
0
It’s A.
It’s a split-brain DNS and has DirectAccess server.
Here’s a better explanation from https://technet.microsoft.com/en-us/library/ee382323(v=ws.10).aspx
The design of your Domain Name System (DNS) infrastructure can impact how you configure DirectAccess. The biggest design aspect of your DNS infrastructure is whether you use split-brain DNS.
Split-brain DNS
Split-brain DNS is the use of the same DNS domain for both Internet and intranet resources. For example, the Contoso Corporation is using split brain DNS; contoso.com is the domain name for intranet resources and Internet resources. Internet users use http://www.contoso.com to access Contoso’s public Web site and Contoso employees on the Contoso intranet use http://www.contoso.com to access Contoso’s intranet Web site. A Contoso employee with their laptop that is not a DirectAccess client on the intranet that accesses http://www.contoso.com sees the intranet Contoso Web site. When they take their laptop to the local coffee shop and access that same URL, they will see the public Contoso Web site.
When a DirectAccess client is on the Internet, the Name Resolution Policy Table (NRPT) sends DNS name queries for intranet resources to intranet DNS servers. A typical NRPT for DirectAccess will have a rule for the namespace of the organization, such as contoso.com for the Contoso Corporation, with the Internet Protocol version 6 (IPv6) addresses of intranet DNS servers. With just this rule in the NRPT, when a user on a DirectAccess client on the Internet attempts to access the uniform resource locator (URL) for their Web site (such as http://www.contoso.com), they will see the intranet version. Because of this rule, they will never see the public version of this URL when they are on the Internet.
If you want users on DirectAccess clients to see the public version of this URL when they are on the Internet, you must add the fully qualified domain name (FQDN) of the URL as an exemption rule to the NRPT of DirectAccess clients. However, if you add this exemption rule, users on DirectAccess clients will never see the intranet version of this URL when they are on the Internet.
For split-brain DNS deployments, you must list the FQDNs that are duplicated on the Internet and intranet and decide which resources the DirectAccess client should reach, the intranet version or the public (Internet) version. For each name that corresponds to a resource for which you want DirectAccess clients to reach the public version, you must add the corresponding FQDN as an exemption rule to the NRPT for your DirectAccess clients.
In a split-brain DNS environment, if you want both versions of the resource to be available, configure your intranet resources with alternate names that are not duplicates of the names that are being used on the Internet and instruct your users to use the alternate name when on the Intranet. For example, configure and use the alternate name http://www.internal.contoso.com for the intranet name http://www.contoso.com.
In a non-split-brain DNS environment, the Internet namespace is different from the intranet namespace. For example, the Contoso Corporation uses contoso.com on the Internet and corp.contoso.com on the intranet. Because all intranet resources use the corp.contoso.com DNS suffix, the NRPT rule for corp.contoso.com routes all DNS name queries for intranet resources to intranet DNS servers. DNS name queries for names with the contoso.com suffix do not match the corp.contoso.com intranet namespace rule in the NRPT and are sent to Internet DNS servers.
With a non-split-brain DNS deployment, because there is no duplication of FQDNs for intranet and Internet resources, there is no additional configuration needed for the NRPT. DirectAccess clients can access both Internet and intranet resources for their organization.
0
0
+1
For split-brain DNS deployments, you must list the FQDNs that are duplicated on the Internet and intranet and decide which resources the DirectAccess client should reach, the intranet version or the public (Internet) version. For each name that corresponds to a resource for which you want DirectAccess clients to reach the public version, you must add the corresponding FQDN as an exemption rule to the NRPT for your DirectAccess clients.
0
0
Correct answer is A:
A Name Suffix value of Server1.contoso.com and a blank DNS Server Address value
Explanation:
When you put server1.contoso.com and a blank DNS value, you are telling your internal clients to use the internal DNS for resolution. So a user will try to connect to DirectAccess using server1.contoso.com and that will resolve to the internal IP, in this case the IPv6 address.
On the flip side of the coin, the external users would try to connect using the external name da1.contoso.com. Since that name would not be located in the NRPT, you would be telling them to use whatever DNS configuration they have on their local network card, which would resolve to the external IP 65.55.37.62.
0
0
The answer is B.
When do clients need to know “server1.contoso.com”? Either they connect within the internal network, or they connect through the Direct Access tunnel. Either way, the clients will use *internal* DNS to resolve server1.contoso.com, as long as server1.contoso.com is not in the table of this screenshot above.
When do clients need to know “dal.contoso.com”? Only when they try to establish the Direct Access tunnel. That’s BEFORE the clients are connected into the “internal network”. Once Direct Access is connected, they are *within* the internal network. If “dal.contoso.com” is not in the table of this screenshot above, they will try to use *internal* DNS to resolve it, rather than the clients’ local DNS (external ISP DNS). At that moment, Direct Access connections will be disconnected because clients cannot resolve the Direct Access server IPs at all (assuming the dal.contoso.com DNS record is not in the internal DNS zone).
So this is not a typical brain-split DNS configuration, for this very DNS record. Ideally the DNS records should be the same one, such as use dal.contoso.com for both internal server names and external FQDN.
A typical example is the OWA address of Exchange servers. Usually it is recommended to use the same FQDN internally and externally.
2
0
None of the answers are correct. I am not sure that the question is really correct either, since the situation just does not make sense.
The name resolution policy table is used to modify how DNS resolution is handled. By default, the DNS settings on the client before the DirectAccess connection is made are used to locate the external hostname for the DirectAccess server. That would be da1.contoso.com. The name resolution policy table could not affect name resolution before the DA connection is made. I suppose that you could specify the private address of the server (I don’t know for what reason) but I think as soon as the DirectAccess connection was made and it got new name resolution, the DirectAccess connection would break.
By default, internal DNS servers are authoritative for name resolution for hosts which are within the relevant namespace. You would not need to do anything to make sure you could resolve server1.contoso.com since internal DNS servers would already resolve it. If you entered nothing for the DNS server next to server1.contoso.com, that would ENSURE that you would not be able to “connect” to server1 since it would use local client DNS settings, would perform a lookup, which could only resolve a public IP address even if there were a hostname for it. Assuming that Microsoft would not advocate for creating a completely wide open NAT to this server, we can safely dismiss this as a possibility also.
C and D don’t make sense either because those IP addresses aren’t DNS servers.
0
0