DRAG DROP
Your network contains an Active Directory forest named adatum.com. The forest contains a
single domain. All servers run Windows Server 2012 R2. All client computers run Windows
8.1.
The DNS zone of adatum.com is Active Directory-integrated.
You need to implement DNSSEC to meet the following requirements:
Ensure that the zone is signed.
Ensure that the zone signing key (ZSK) changes every 30 days.
Ensure that the key signing key (KSK) changes every 365 days.
What should you do? To answer, drag the appropriate cmdlets to the correct requirements.
Each cmdlet may be used once, more than once, or not at all. You may need to drag the
split bar between panes or scroll to view content.
Answer: 
ZSK and KSK should be set to Enable-DnsServerSigningKeyRollover to enable the automated rollover at the specified interval.
0
0
I totally agree with testdude!
0
0
would it not be Invoke-DnsServerSigningKeyRollover for both ZSK and KSK?
The Invoke-DnsServerSigningKeyRollover cmdlet initiates rollover of input keys for the specified Domain Name System (DNS) zone
This links https://technet.microsoft.com/en-us/library/jj649908.aspx suggests you enable rollover when you add the key but you need to invoke the rollover to make the change happen.
Thoughts?
0
0
Here is what I think
Add-DNSSereverSigningKey to Ensure the zone is signed
Invoke-DnsServerSigningKeyRollover to Ensure that the zone signing key (ZSK) changes every 30 days.
Invoke-DnsServerSigningKeyRollover to Ensure that the key signing key (KSK) changes every 365 days.
0
0
Sorry disregard last comment…meant to suggest the following as correct;
Invoke-DNSServerZoneSign to Ensure the zone is signed
Invoke-DnsServerSigningKeyRollover to Ensure that the zone signing key (ZSK) changes every 30 days.
Invoke-DnsServerSigningKeyRollover to Ensure that the key signing key (KSK) changes every 365 days.
0
0
Invoke-DnsServerSigningKey
Invoke-DnsServerSigningKeyRollover
Invoke-DnsServerSigningKeyRollover
0
0
Well here is my opinion based on following two links:
http://strotmann.de/roller/dnsworkshop/entry/dnssec_with_powershell_und_dnscmd
https://technet.microsoft.com/en-us/library/jj649908.aspx
to Sign the zone and to sign the zone we use the command
Invoke-DnsServerZoneSign
But to sign the zone and run the above command we need the Zone Signing Key (ZSK) and Key Signing Key (KSK) and we need to create those keys before running the above command and that is done by using this command.
Add-DnsServerSigningKey
Now here comes the choice, if it ask what should you do first? then we have to create the key first, but if the question is what should you? do then we sign the zone using the invoke cmd.
The Enable-DNSServerSigningKeyRollover cmdlet enables rollover on the input key
it also has a parameter to specify the key rollover time.
-RolloverPeriod
Specifies the amount of time between scheduled key rollovers.
Invoke-DnsServerSigningKeyRollover cmdlet initiates rollover of input keys for the specified Domain Name System (DNS) zone but it has no schedule to repeat, it is just like a one time invoke operation.
so IMO and based on this question this should be
Invoke-DnsServerZoneSign
Enable-DNSServerSigningKeyRollover
Enable-DNSServerSigningKeyRollover
but if the question changes to what should you do first then
Add-DnsServerSigningKey
Enable-DNSServerSigningKeyRollover
Enable-DNSServerSigningKeyRollover
0
0
The Invoke-DnsServerSigningKeyRollover initiates rollover of input keys for the specified Domain Name System (DNS) zone.
This command gets keys for the DNSServer06.Contoso.com zone and invokes rollover for each key.
Windows PowerShell
PS C:\> Get-DnsServerSigningKey -ZoneName “DNSServer06.Contoso.com” | Invoke-DnsServerSigningKeyRollover -PassThru -Verbose -Force
0
0
The Invoke-DnsServerZoneSign cmdlet signs a Domain Name System (DNS) server zone.
If the zone is not already signed, use the SignWithDefault parameter, which results in the zone being signed with one Zone Signing Keys (ZSK) and one Key Signing Key (KSK) using default DNS Security (DNSSEC) settings. If the zone is already signed, use the DoResign parameter. If you use both the SignWithDefault parameter and the DoResign parameter on a signed zone, the cmdlet removes the existing zone signing keys, and re-signs the zone using default settings.
0
0
Invoke-DnsServerZoneSign
Enable-DNSServerSigningKeyRollover
Enable-DNSServerSigningKeyRollover
If you look at the syntax for Enable-DNSServerSigningKeyRollover, you can specify the Rollover Period ( -RolloverPeriod ).
This option is not available in the Invoke-DNSServerSigningKeyRollover syntax. This command is affectively a “change now” command…
0
0
Bill Gates is correct
0
0
Provided answer is correct. You are setting up DNSSEC, so nothing exists yet. You have to add the keys. In the cmdlet to add the keys, you can specify the Rollover periods.
https://technet.microsoft.com/en-us/library/jj649854.aspx
0
0