Chapter 6 - Implement Domain Name System Flashcards

Question 1

Q

You are the administrator for your company network. You have a Windows Server 2016 Nano Server named Server1. You want to install the Domain Name System (DNS) Server role on Server1. What should you run?
A. The dns.exe command
B. The Enable-WindowsOptionalFeature cmdlet C. The Install-Package cmdlet
D. The optionalfeature.exe command

Answer

A

B. The Enable-WindowsOptionalFeature is used to add the DNS Server role to a Nano Server. The Enable-WindowsOptionalFeature cmdlet enables or restores an optional fea- ture in a Windows image.

Question 2

Q

You are the administrator for your company network. You have a Windows Server 2016 Hyper-V host. The host contains a virtual machine named VM1 that has resource metering enabled. What cmdlet should you run if you need to use resource metering to track the amount of network traffic that VM1 sends to the 10.0.0.0/8 network?
A. New-VMResourcePool
B. Set-VMNetworkAdapter
C. Set-VMNetworkAdapterRoutingDomainMapping D. Add-VMNetworkAdapterAcl

Answer

A

D. The Add-VMNetworkAdapterAcl cmdlet creates an access control list (ACL) to apply to the traffic through a virtual machine network adapter. When a virtual network adapter is created, there is no ACL on it. Given a list of IP-based ACL entries to be applied to traffic in the same direction, the longest match rule decides which one of the entries is most appropri- ate to apply to a specific packet.

Question 3

Q

You are the administrator for your company network. You have a Windows Server 2016 server named Server1 that is configured as a domain controller. You install the DNS Server role on Server1. You plan to store a DNS zone in a custom Active Directory partition. What should you use if you need to create a new Active Directory partition for the zone?
A. dnscmd.exe
B. Set-DnsServer
C. dns.exe
D. Active Directory Sites and Services

Answer

A

A. dnscmd.exe is a command-line tool for managing DNS servers. This utility is useful in scripting batch files to help automate routine DNS management tasks, or to perform simple unattended setup and configuration of new DNS servers on your network

Question 4

Q

You are the administrator for your company network. You have an IP Address Management (IPAM) deployment that is used to manage all of the DNS servers on the network. IPAM
is configured to use Group Policy provisioning. You discover that a user has added a new mail exchanger (MX) record to one of the DNS zones and you want to figure out which user added the record. You open Event Catalog on an IPAM server and discover that
the most recent event occurred yesterday. What should you do if you need to ensure that the operational events in the event catalog are never older than one hour?
A. From Task Scheduler, create a scheduled task that runs the Update-IpamServer cmdlet.
B. From Task Scheduler, modify the Microsoft\Windows\IPAM\Audit task.
C. From the properties on the DNS zone, modify the refresh interval.
D. From an IPAM_DNS Group Policy Object (GPO), modify the Group Policy refresh interval.

Answer

A

C. The refresh interval is the time in seconds that a secondary name server should wait between zone file update checks. The interval should not be so short that the primary name server is overwhelmed by the update checks and not so long that propagation of changes to the secondary name servers is delayed.

Question 5

Q

You are the administrator for your company network. You are discussing Group Policy Objects (GPOs) with a colleague. If you choose the Group Policy–based provisioning method for IPAM, you must also provide a GPO name prefix in the provisioning wizard. After you provide a GPO name prefix, the wizard will display the GPO names that must be created in domains that will be managed by IPAM. In the following PowerShell command, how many GPOs would be created?
Invoke-IpamGpoProvisioning -Domain abc.com -GpoPrefixName IPAM1-DelegatedGpoUser user1 -IpamServerFqdn ipam1.abc.com
A. 1 B. 2 C. 3 D. 4

Answer

A

C. This example creates three GPOs (IPAM1_DHCP, IPAM1_DNS, and IPAM1DC NPS) and links them to the abc.com domain. These GPOs enable access to the ipam1.abc.com server using the domain administrator account user1.

Question 6

Q

You are the administrator for your company network. What should you do if you need to modify the GPO prefix by IPAM?
A. Run the Invoke-IpamGpoProvisioning cmdlet.
B. Run the Set-IpamConfiguration cmdlet.
C. Click Provision the IPAM Server in Server Manager. D. Click Configure Server Discovery in Server Manager.

Answer

A

B. The Set-IpamConfiguration cmdlet modifies the IP Address Management (IPAM) server configuration, including the TCP port over which the computer that runs the IPAM Remote Server Administration Tools (RSAT) client connects and communicates with the computer that runs the IPAM server. The -GpoPrefix parameter specifies the unique Group Policy Object (GPO) prefix name that IPAM uses to create the Group Policy Objects. Use this parameter only when the value of the ProvisioningMethod parameter is set to Automatic.

Question 7

Q

You are the administrator for your company network. You have a Windows Server 2016 IPAM server named IPAM1 that manages 10 DHCP servers. You need to provide a user with the ability to track which clients receive which IP addresses from DHCP. The solution must minimize administrative privileges. To which group should you add this user?
A. IPAM User
B. IPAM MSM Administrators
C. IPAM ASM Administrators
D. IPAM IP Audit Administrators

Answer

A

B. The IPAM MSM Administrators are users who are in the IPAM Users IPAM security group and who have the privileges to manage DHCP and DNS server instance–specific information. Such users are Multi Server Management (MSM) Administrators.

Question 8

Q

You are the administrator for your company network. Your network contains an Active Directory domain that has a Windows Server 2016 server named Server1, which is a member server and has the DNS Server role installed. Automatic scavenging of state records is enabled, and the scavenging period is set to 10 days. All client computers dynamically register their names in the DNS zone on Server1. You discover that the names of multiple client computers that were removed from the network several weeks ago can still be resolved. What should you do if you need to configure Server1 to automatically remove the records of the client computers that have been offline for more than 10 days?
A. Run the dnscmd.exe command and specify the /AgeAllRecords parameter for the zone.
B. Modify the Zone Aging/Scavenging properties of the zone.
C. Set the Time to Live (TTL) value of all the records in the zone.
D. Set the Expires After value of the zone.

Answer

A

B. You will need to modify the Zone Aging and Scavenging properties. When you set zone- level properties for a specified zone, these settings apply only to that zone and its resource records. Unless you otherwise configure these zone-level properties, they inherit their default settings from comparable settings that AD DS maintains in the Aging and Scavenging properties for the DNS server.

Question 9

Q

You are the administrator for your company network. You have 2,000 devices, and
100 of these are mobile devices that have physical addresses beginning with 98-5F. You have a Windows Server 2016 DHCP server named Server1. What should you do if you need to ensure that the mobile devices register their host names by using a DNS suffix of mobile.abc.com?
A. Create a new filter from IPv4.
B. Create a reservation.
C. Modify the Conflict Detection Attempts setting from the properties of Scope1.
D. Run the DHCP Policy Configuration Wizard from IPv4.
E. Configure Name Protection from the properties of Scope1.
F. Configure the bindings from the properties of IPv4.
G. Create an exclusion range from the properties of Scope1.
H. Modify the properties of Ethernet from the Control Panel.

Answer

A

D. DHCP server in Windows Server 2016 allows you to group clients based on their fully qualified domain names. Using wildcards, you can use this criterion to group clients based on their DNS suffixes or based on their host names. Setting up the DNS suffix is done using the DHCP Policy Configuration Wizard.

Question 10

Q

You are the administrator for your company network. You and a colleague are discussing client reservations. With client reservations, you can reserve an IP address for permanent use by a DHCP client. Typically, you will need to do this if the client uses an IP address that was assigned using another method for TCP/IP configuration. If you are reserving an IP address for a new client, or an address that is different from its current one, you should verify that the address has not already been leased by the DHCP server. Reserving an IP address in a scope does not automatically force a client currently using that address to stop using it. So, what ipconfig command would you use if the address is already in use?
A. ipconfig /release
B. ipconfig /renew
C. ipconfig /flushdns
D. ipconfig /registerdns

Answer

A

A. ipconfig /release sends a DHCPRELEASE message to the DHCP server to release the current DHCP configuration and discard the IP address configuration. This parameter dis- ables TCP/IP for adapters configured to obtain an IP address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without param- eters.

Question 11

Q

You are the administrator for your company network. You and a colleague are discussing Domain Name System (DNS). The DNS Server service provides several types of zones. What zone type helps to keep delegated zone information current, improve name resolution, and simplify DNS administration, but is not an alternative for enhancing redundancy and load sharing?
A. Secondary zone B. Stub zone
C. Principal zone D. Primary zone

Answer

A

B. A stub zone is a copy of an authoritative DNS zone that only contains the records needed to reach the authoritative server. When a zone that is a DNS server hosts a stub zone, this DNS server is a source only for information about the authoritative name servers for this zone. The zone at this server must be obtained from another DNS server that hosts the zone. This DNS server must have network access to the remote DNS server to copy the authoritative name server information about the zone.

Question 12

Q

You are the administrator for your company network. You and a colleague are discussing DNS queries. The following is an example of DNS query results that are performed from a DNS client computer using the Resolve-DnsName cmdlet:
resolve-dnsname -name finance.secure.abc.com -type A -server dns1.abc.com
What extra parameter should you use if you want to include the DO bit in a DNS query
to make sure the client is DNSSEC-aware and that it is okay for the DNS server to return DNSSEC data in a response?
A. -DnssecCd
B. -DnssecOk
C. -DnsOnly
D. -LlmnrOnly

Answer

A

B. The -DnssecOk parameter sets the DNSSEC OK bit for this query. When DO=1, the client indicates that it is able to receive DNSSEC data if available. Because the secure.abc.com zone is signed, an RRSIG resource record is included with the DNS response when DO=1.

Question 13

Q

You are the administrator for your company network. You and a colleague are discussing socket pools. The socket pool enables a DNS server to use source port randomization when issuing DNS queries. What command offers the greatest protection?
A. dnscmd /config /socketpoolsize 0
B. dnscmd /config /socketpoolsize 1
C. dnscmd /config /socketpoolsize 1000
D. dnscmd /config /socketpoolsize 1000 /socketpoolexcludedportranges 1-65535

Answer

A

C. The DNS socket pool enables a DNS server to use source port randomization when it issues DNS queries. When the DNS service starts, the server chooses a source port from a pool of sockets that are available for issuing queries. Instead of using a predicable source port, the DNS server uses a random port number that it selects from the DNS socket pool. The DNS socket pool makes cache-tampering attacks more difficult because a malicious user must correctly guess both the source port of a DNS query and a random transaction ID to successfully run the attack. When you configure the DNS socket pool, you can choose a size value from 0 to 10,000. The larger the value, the greater the protection you will have against DNS spoofing attacks

Question 14

Q

You are the administrator for your company network. You have a Windows Server 2016 server named Server1 that has the DHCP Server and the Windows Deployment Service (WDS) server roles installed. Server1 is located on the same subnet as client computers. You need to ensure that clients can perform a PXE boot from Server1. Which IPv4 options should you configure in DHCP? (Choose two.)
A. 003 Router
B. 006 DNS Servers
C. 015 DNS Domain Name
D. 060 Option 60
E. 066 Boot Server Host Name

Answer

A

D, E. When setting DHCP options for WDS PXE booting, you will want to use 060 Option 60, which is the client identifier. You should set this to the string PXEClient. This only applies if DHCP is on the same server as Windows Deployment Services. You will also want to use O66 Boot Server Host Name, which is the boot server’s host name.

Question 15

Q

You are the administrator for your company network. You have two Windows Server 2016 DNS servers named Server1 and Server2. All client computers run Windows 10 and are configured to use Server1 for DNS name resolution. Server2 hosts a primary zone named abc.com. Your network recently experienced several DNS spoofing attacks. What should you do to prevent further attacks from succeeding on Server2? (Choose two.)
A. Configure the abc.com zone to be Active Directory integrated.
B. Sign the abc.com zone.
C. Configure DNS Cache locking.
D. Configure Response Rate Limiting (RRL).

Answer

A

B, C. DNS attacks can be very serious in a company. Shutting down a DNS server or even changing the records can prevent your users from accessing proper information. By sign- ing the zone, you allow DNS to use certificates, and by locking the DNS cache, you prevent hackers from changing cache entries. These simple steps can help administrators secure their DNS servers.

Question 16

Q

You are the administrator for your company network. You have a Windows Server 2016 DHCP server named Server1 that has the following scopes configured:
Scope Name Address Pool Default Gateway DNS Server
Desktops 192.168.0.0/24 192.168.0.1 192.168.0.140
Visitors 192.168.0.1/24 192.168.1.1 192.168.0.140

All other scope settings are set to the default values. There are no available address spaces for another scope to be created. Your network has 150 desktop computers that have access to the corporate network. Your company also provides visitors with Wi-Fi access to the network. There can be up to 200 visitors each day. What should you do to ensure that you have enough address spaces for Visitors?
A. Configure a superscope that contains the Visitors scope.
B. For the Visitors scope, run the DHCP Split Scope Configuration Wizard.
C. Run Set-DhcpServer4Scope –Name Mobile –LeaseDuration 0.02:00:00.
D. Run Set-DhcpServer4Scope –ActivatePolicies $True –Name Mobile –MaxBootPClients 200.

Answer

A

A. A DHCP superscope is a collection of individual scopes that are grouped together for administrative purposes. This configuration allows client computers to receive an IP address from multiple logical subnets even when the clients are located on the same physical
subnet. You can create a superscope only if you have already created two or more IP scopes in DHCP. You can use the New Superscope Wizard to select the scopes that you wish
to combine to create a superscope. A DHCP superscope is useful if a scope runs out of addresses, and you cannot add more addresses from the subnet.

Question 17

Q

You are the administrator for your company network. You have a DHCP server named Server1. Server1 has an IPv4 scope that serves 75 client computers that run Windows 10. When you review the address leases in the DHCP console, you discover that there are several leases for devices that you do not recognize. What should you do if you need to ensure that only the 75 Windows 10 computers can obtain a lease from the scope?
A. Run the Add-DhcpServerv4ExclusionRange cmdlet.
B. Create a DHCP policy for the scope.
C. Create and enable a DHCP filter.
D. Run the Add-DhcpServerv4OptionDefinition cmdlet.

Answer

A

B. DHCP polices allow an administrator to determine scope for specific types of equipment coming in that correspond to different characteristics. An administrator needs to ensure that different types of devices are provisioned appropriately for network connectivity. You want different types of clients to get IP addresses from different IP address ranges within the subnet. By specifying a different IP address range for different device types, you can more easily identify and manage devices on the network.

Question 18

Q

You are the administrator for your company network.You have Windows Server 2016 servers named Server1 and DHCP1. DHCP1 contains an IPv4 scope named Scope1. You have 1,000 client computers. You need to configure Server1 to lease IP addresses for Scope1. The solution must ensure that Server1 is used to respond to up to 30 percent of the DHCP client requests only. On Server1, you install the DHCP Server role. What should you do next?
A. Run the Configure Failover Wizard from the DHCP console.
B. Create a superscope from the DHCP console.
C. Install the Network Load Balancing (NLB) feature from Server Manager.
D. Install the Failover Clustering feature from Server Manager.

Answer

A

A. The next step is to run the Configure Failover Wizard from the DHCP console. The Load Balance Percentage feature specifies the percentage of the IP address range to reserve for each server in the failover relationship. Each server will use its assigned range of addresses prior to assuming control over the entire IP address range of a scope when the other server transitions into a “partner down” state and the Maximum Client Lead Time passes

Question 19

Q

You are the administrator for your company network. You have a DHCP server named Server1 that has three network cards. Each network card is configured to use a static IP address. Each network card connects to a different network segment. Server1 has an IPv4 scope named Scope1. What should you do if you need to ensure that Server1 only uses one network card when leasing IP addresses in Scope1?
A. Create a reservation.
B. Modify the Conflict Detection Attempts setting from the properties of Scope1.
C. Create a new filter from IPv4.
D. Configure Name Protection from the properties of Scope1.
E. Create an exclusion range from the properties of Scope1.
F. Run the DHCP Policy Configuration Wizard from IPv4.
G. Configure the bindings from the properties of IPv4.
H. Modify the properties of Ethernet from the Control Panel.

Answer

A

G. By default, the service bindings on the server depend on whether the first network con- nection is configured dynamically or statically for TCP/IP. Since the question uses a manu- ally specified IP address, the connection is enabled in the service bindings on the server. The DHCP server will bind to the first static IP address configured on each adapter.

Question 20

Q

You are the administrator for your company network. You have a DHCP server named Server1 that has an IPv4 scope named Scope1. Users report that when they turn on their computers it takes a long time to access the network. You validate that it takes a long time for the computers to receive an IP address from Server1. You monitor the network traffic and discover that Server1 issues five ping commands on the network before leasing an
IP address. What should you do if you need to reduce the amount of time it takes for the computers to receive an IP address?
A. Create a reservation.
B. Modify the Conflict Detection Attempts setting from the properties of Scope1.
C. Create a new filter from IPv4.
D. Configure Name Protection from the properties of Scope1.
E. Create an exclusion range from the properties of Scope1.
F. Run the DHCP Policy Configuration Wizard from IPv4.
G. Configure the bindings from the properties of IPv4.
H. Modify the properties of Ethernet from the Control Panel.

Answer

A

B. When conflict detection attempts are set, the DHCP server uses the ping process to test available scope IP addresses before including these addresses in DHCP lease offers to cli- ents. A successful ping means the IP address is in use on the network. Therefore, the DHCP server does not offer to lease the address to a client. If the ping request fails and times out, the IP address is not in use on the network. In this case, the DHCP server offers to lease the address to a client.

Question 21

Q

You are the administrator for your company network. Your network contains Windows and non-Windows devices. You have a DHCP server named Server1 that has an IPv4 scope named Scope1. What should you do if you need to prevent a client computer that uses the same name as an existing registration from updating the registration?
A. Create a reservation.
B. Modify the Conflict Detection Attempts setting from the properties of Scope1.
C. Create a new filter from IPv4.
D. Configure Name Protection from the properties of Scope1.
E. Create an exclusion range from the properties of Scope1.
F. Run the DHCP Policy Configuration Wizard from IPv4.
G. Configure the bindings from the properties of IPv4.
H. Modify the properties of Ethernet from the Control Panel

Answer

A

D. Name squatting occurs when a non-Windows-based computer registers in Domain Name System (DNS) with a name that is already registered to a Windows-based computer. The use of name protection in Windows Server prevents name squatting by non-Windows- based computers. Name squatting does not present a problem on a homogeneous Windows network where Active Directory Domain Services (AD DS) can be used to reserve a name for a single user or computer. Name protection can be configured for IPv4 and IPv6 at the network adapter level or scope level. Name protection settings configured at the scope level take precedence over the setting at the IPv4 or IPv6 level.

Question 22

Q

You re the administrator for your company network. You have an Active Directory forest
that contains 30 servers and 6,000 client computers. You deploy a new DHCP server that runs Windows Server 2016. What command should you run if you need to retrieve the list of the authorized DHCP servers?
A. Get-DhcpServerDatabase
B. Netstat -p IP -s -a
C. Get-DhcpServerInDC
D. Show-ADAuthenticationPolicyExpression-AllowedToAuthenticateTo

Answer

A

C. The Get-DhcpServerInDC cmdlet retrieves the list of authorized computers that run the Dynamic Host Configuration Protocol (DHCP) server service from Active Directory. Only a computer that runs a DHCP server service that is authorized in Active Directory can lease IP addresses on the network.

Question 23

Q

You are the administrator for your company network. You have a DHCP server named Server1. Server1 has an IPv4 scope that contains 100 addresses for a subnet named
Subnet1. Subnet1 provides guest access to the Internet. There are never more than 20 client computers on Subnet1 simultaneously; however, the computers that connect to Subnet1 are rarely the same computers. You discover that some client computers are unable to access the network. The computers that are having connection issues have IP addresses in the range
of 169.254.0.0/16. What should you do if you need to ensure that all of the computers can connect successfully to the network and access the Internet?
A. Modify the lease duration.
B. Configure Network Access Protection (NAP) integration on the existing scope. C. Create a new scope that uses IP addresses in the range of 169.254.0.0/16.
D. Modify the scope options.

Answer

A

A. The correct answer is to modify the lease duration; 169.254.0.0/16 is an APIPA address. You cannot create a DHCP scope in that range. Every computer that is connected to a net- work needs an IP address so that it can send and receive data over the network. Each net- work has a limited number of addresses to assign to devices. The total number of addresses varies based on the network configuration. The network administrator determines the DHCP lease time. The optimum length depends on the number and kinds of devices on the network. A network with more dynamic clients than IP addresses might require a shorter lease period so that addresses are recycled more frequently.

Question 24

Q

You are the administrator for your company network. Your network contains an Active Directory domain. The domain contains a Windows Server 2016 server named Server1 that has IPAM installed. IPAM is configured to use the Group Policy–based provisioning method. The prefix for the IPAM Group Policy Objects (GPOs) is IP. From Group Policy Management, you manually rename the IPAM GPOs to have a prefix of IPAM. What should you do if you need to modify the GPO prefix used by IPAM?
A. Run the Invoke-IpamGpoProvisioning cmdlet.
B. Click Configure Server Discovery in Server Manager. C. Click Provision the IPAM Server in Server Manager. D. Run the Set-IpamConfiguration cmdlet.

Answer

A

D. The Set-IpamConfiguration cmdlet modifies the IP Address Management (IPAM) server configuration, including the TCP port over which the computer that runs the IPAM Remote Server Administration Tools (RSAT) client connects and communicates with the computer that runs the IPAM server.

Question 25

Q

You are the administrator for your company network. Your network contains one Active Directory domain named abc.com that contains an IPAM server named Server1. Server1 manages several DHCP and DNS servers. From Server Manager on Server1, you create a custom role for IPAM. What should you do if you need to assign the role to a group named IP_Admins?
A. Run the Add-Member cmdlet using PowerShell.
B. Run the Set-IpamConfiguration cmdlet using PowerShell. C. Create an access policy using Server Manager.
D. Create an access scope using Server Manager.

Answer

A

C. A role is a collection of IPAM operations. You can associate a role with a user or group in Windows using an access policy. Several built-in roles are provided, but you can also create customized roles to meet your requirements. You can create an access policy for a specific user or for a user group in Active Directory. When you create an access policy, you must select either a built-in IPAM role or a custom role that you have created.

Question 26

Q

You are the administrator for your company network. Your network contains an Active Directory domain that contains a Windows Server 2016 DNS server named Server1. All domain computers use Server1 for DNS. You sign the domain by using DNSSEC. What should you configure in Group Policy if you need to configure the domain computers to validate DNS responses for records?
A. Name Resolution Policy Table (NRPT)
B. Network List Manager Policies
C. Network Access Protection (NAP)
D. Public Key Policy

Answer

A

A. The Name Resolution Policy Table (NRPT) provides a means for configuring both DNSSEC and DirectAccess policies. It is stored in Group Policy, so its settings can be applied at the domain, site, OU, or local level. Before a security-aware DNS client issues a query, it checks the NRPT to determine whether DNSSEC should be used.

Question 27

Q

You are the administrator for your company network. Your network contains an Active Directory forest. Users frequently access the website of an external partner company. The URL of the website is http://partners.abc.com. The partner company informs you that it will perform maintenance on its web server and that the IP address of the web server will change. After the change is complete, the users on your internal network report that they fail to access the website. However, some users who work from home report that
they are able to access the website. You need to ensure that your DNS servers can resolve partners.abc.com to the correct IP address immediately. What should you do?
A. Run dnscmd and specify the CacheLockingPercent parameter.
B. Run Set-DnsServerGlobalQueryLockList.
C. Run ipconfig and specify the Renew parameter.
D. Run Set-DnsServerCache.

Answer

A

D. The Set-DnsServerCache cmdlet modifies cache settings for a Domain Name System (DNS) server. When using the -LockingPercent parameter, it specifies a percentage of the original Time to Live (TTL) value that caching can consume. Cache locking is configured as a percent value. By default, the cache locking percent value is 100. This value means that the DNS server will not overwrite cached entries for the entire duration of the TTL.

Question 28

Q

You are the administrator for your company network. What should you run if you need to verify whether a DNS response from a DNS server is signed by DNSSEC?
A. dnscmd.exe
B. nslookup.exe
C. Get-NetIPAddress 
D. Resolve-DnsName

Answer

A

D. The Resolve-DnsName cmdlet performs a DNS query for the specified name. This cmd- let is functionally similar to the Nslookup tool, which allows users to query for names. The Resolve-DnsName cmdlet will return a maximum of 25 A and AAAA records from NS servers.

Question 29

Q

You are the administrator for your company network. You have a Windows Server 2016 DNS server named Server1. You need to disable recursion on Server1. What are three possible ways to achieve this goal? (Choose three.)
A. Create a reverse lookup zone named 0.in-addr.arpa.
B. Create a forward lookup zone named GlobalNames.
C. From DNS Manager, modify the advanced properties of Server1.
D. From DNS Manager, modify the forwarders properties of Server1.
E. Create a forward lookup zone named “”.
F. Run dnscmd.exe and specify the /config parameter

Answer

A

C, E, F. To disable recursion on the DNS server:
1. Open DNS Manager.
2. In the console tree, right-click the applicable DNS server; then click Properties.
3. Click the Advanced tab.
4. In Server Options, select the Disable Recursion check box, and then click OK.
Disable recursion on DNS servers that do not respond to DNS clients directly and that are not configured with forwarders. A DNS server requires recursion only if it responds to recursive queries from DNS clients or if it is configured with a forwarder. DNS servers use iterative queries to communicate with each other. The DNS server has root DNS servers in its configuration, so it returns the root DNS server details each time it is queried for a non- existent domain name. To prevent this, we need to create a forward lookup zone with the name “”.
Another option is to run dnscmd.exe with the /config parameter. dnscmd.exe is a command-line interface for managing the DNS servers. Using dnscmd.exe and specifying the /config parameter will reset the DNS server or zone configuration and allow you to dis- able recursion.

Question 30

Q

You are the administrator for your company network. You have a Windows Server 2016 DHCP server named Server1. You have a single IP subnet. Server1 has an IPv4 scope named Scope1. Scope1 has an IP address range of 10.0.1.10 to 10.0.1.200 and a length of 24 bits. What should you do if you need to create a second logical IP network on the subnet? The subnet will use an IP address range of 10.0.2.10 to 10.0.2.200 and a length of 24 bits.
A. Create a second scope and then run the DHCP Split-Scope Configuration Wizard.
B. Create a superscope and then configure an exclusion range in Scope1.
C. Create a new scope and then modify the IPv4 bindings.
D. Create a second scope and then create a superscope.

Answer

A

D. Before a DHCP server can provide clients with IP addresses, the server must be config- ured with a scope. A scope is a range of IP addresses that can be leased to DHCP clients on a given subnet. You can also create a second type of scope known as a superscope. In an environment that has multiple logical IP subnets defined on a single physical network, superscopes allow a DHCP server to assign leases to clients on multiple subnets.

Question 31

Q

You are the administrator for your company network. You are implementing a new network. The network contains a Windows Server 2016 DHCP server named DHCP1 that contains a scope named Scope1 for the 192.168.0/24 subnet. Your company has the following policies:
■✓ All server addresses must be excluded from DHCP scopes.
■✓ All client computers must receive IP addresses from Scope1.
■✓ All Windows servers must have IP addresses in the range of 192.168.0.200 to 192.168.0.240.
■✓ All other network devices must have IP addresses in the range of 192.168.0.180 to 192.168.0.199.
You deploy a print device named Print1. What command should you run if you need to ensure that Print1 adheres to the policies for allocating IP addresses?
A. Add-DhcpServerv4Reservation
B. Add-DhcpServerv4Lease
C. Add-DhcpServerv4ExclusionRange D. Add-DhcpServerv4Filter

Answer

A

C. The Add-DhcpServerv4ExclusionRange cmdlet adds a range of excluded IP addresses for an IPv4 scope. The excluded IP addresses are not leased out by the Dynamic Host Con- figuration Protocol (DHCP) server service to any DHCP clients. The only exception to this is reservation. If an IP address is reserved, the same IP address is leased to the designated client even if it falls in the exclusion range.

Question 32

Q

You are the administrator for your company network. Your network contains an Active Directory domain named abc.com. The domain contains two Windows Server 2016 serv- ers named Server1 and Server2. Server1 has IPAM installed. Server2 has Microsoft System Center 2016 Virtual Machine Manager (VMM) installed. You need to integrate IPAM and VMM. What type of object should you create on Server1?
A. Access Policy
B. Network Service 
C. User Role
D. Service Template

Answer

A

A. Virtual Machine Manager (VMM) must be granted permission to view and modify IP address space in IPAM and to perform remote management of the IPAM server. VMM uses a Run As account to provide these permissions to the IPAM network service plug-in. The Run As account must be configured with appropriate permissions on the IPAM server. To assign permissions to the VMM user account, in the upper navigation pane of the IPAM server console, click Access Control. Then right-click Access Policies in the lower naviga- tion pane and click Add Access Policy.

Question 33

Q

You are the administrator for your company network. You and a colleague are discussing the use of network IDs. Because the network ID bits must always be chosen in a contiguous fashion from the high-order bits, a shorthand way of expressing a subnet mask is to denote the number of bits that define the network ID as a network prefix using the network prefix notation: /. What is the network prefix for Class B?
A. /8 
B. /16 
C. /24 
D. /64

Answer

A

B. Network prefixes are determined directly from the subnet mask of the network. A Class B subnet mask would be 255.255.0.0. To determine the network prefix on a Class B subnet, you would need to convert each octet of the subnet mask to a binary value. So for Class B it would be 11111111.11111111.00000000.00000000. Count the consecutive 1s to determine the prefix. So, the answer would be /16.

Question 34

Q

You are the administrator for your company network. You and a colleague are discussing private IP address ranges as specified by the Internet Request for Comments (RFC) 1918. Which of the following is not a recognized private IP address range as specified by RFC 1918?
A. 10.0.0.0–10.255.255.255
B. 128.24.0.0–128.24.255.255 
C. 172.16.0.0–172.31.255.255 
D. 192.168.0.0–192.168.255.255

Answer

A

B. RFC 1918 was used to create the standards by which networking equipment assigns IP addresses in a private network. A private network can use a single public IP address. The RFC reserves the following ranges of IP addresses that cannot be routed on the Internet:
■■ 10.0.0.0 - 10.255.255.255 (10/8 prefix)
■■ 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
■■ 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

Question 35

Q

You are the administrator for your company network. You and a colleague are discussing network IDs. What is the network ID of the IP node 129.56.189.41 with a subnet mask of 255.255.240.0?
A. 129.56.176.0 
B. 129.56.176.1 
C. 129.56.189.0 
D. 129.56.189.1

Answer

A

A. First turn both numbers into their binary equivalents and line them up. Then perform the AND operation on each bit and write down the result.
10000001 00111000 10111101 00101001 IP Address 11111111 11111111 11110000 00000000 Subnet Mask 10000001 00111000 10110000 00000000 Network ID
The result of the bit-wise logical AND of the 32 bits of the IP address and the subnet mask is the network ID 129.56.176.0.

Question 36

Q

You are the administrator for your company network. You are deploying a network that has 30 client computers. The network uses the 192.168.1.0/24 address space. All of the computers obtain their IP configurations from a DHCP server named Server1. You install
a server named Server2 that runs Windows Server 2016. Server2 has two network adapters named Internal and Internet. Internet connects to an Internet Service Provider (ISP) and obtains the 131.107.0.10 IP address. Internal connects to the internal network and is configured to use the 192.168.1.250 IP address. What should you do if you need to provide Internet connectivity for the client computers?
A. Select the Internet and Internal network adapters and bridge the connections on Server2. On Server1, using the DHCP console, authorize Server2.
B. Stop the DHCP server on Server1. On Server2, on the Internal network adapter, enable Internet Connection Sharing (ICS).
C. Run the New-NetNat Name NAT1 -InternalIPInterfaceAddressPrefix 192.168.1.0/24 cmdlet on Server2. Configure Server1 to provide the 003 Router option of 131.107.0.10.
D. Install the Routing role service on Server2 and configure the NAT routing protocol. Configure Server1 to provide the 003 Router option of 192.168.1.250.

Answer

A

D. Internet connection sharing is not supported in Windows Server 2016. To do Internet connection sharing, you must set up a NAT server. The correct answer is to install the Routing role service, configure NAT, and then set it to use Server2’s internal address.

Question 37

Q

You are the administrator for your company network. You have a Windows Server 2016 server named Server1 that has two network cards. One network card connects to your internal network and the other network card connects to the Internet. You plan to use Server1 to provide Internet connectivity for client computers on the internal network. What server role or role service should you install on Server1 first if you need to configure Server1 as a network address translation (NAT) server?
A. DirectAccess and VPN
B. Network Controller
C. Routing and Remote Access
D. Web Application Proxy

Answer

A

C. You set up a NAT server using the Routing and Remote Access role. To do this, you can install the role using either Server Manager or PowerShell.

Question 38

Q

You are the administrator for your company network. Your network contains three
subnets:
■✓ Production Servers: A production network
■✓ Development Servers: A development network
■✓ Client Computers: A client network
The development network is used to test applications and reproduces servers that are located on the production network. The development network and the production net- work use the same IP address range. A user, User1, has a client computer on the client network. User1 reports that when he attempts to connect to the IP address 10.10.1.6 from his computer, he connects to a server on the production network. What should you run if you need to ensure that when User1 connects to 10.10.1.6, he connects to a server on the development network?
A. New-NetNeighbor B. New-NetRoute
C. Set-NetNeighbor D. Set-NetTcpSetting

Answer

A

B. The New-NetRoute cmdlet creates an IP route in the IP routing table. Specify the desti- nation prefix and specify an interface by using the interface alias or the interface index. IP routing is the process of forwarding a packet based on the destination IP address. Routing occurs at TCP/IP hosts and at IP routers. The sending host or router determines where to forward the packet. To determine where to forward a packet, the host or router consults a routing table that is stored in memory. When TCP/IP starts, it creates entries in the routing table. You can add entries either manually or automatically.

Question 39

Q

You are the administrator for your company network. You have a Windows Server 2016 server named Server1 that has a Server Core installation. Server1 is configured to obtain an IP address automatically. What should you run if you need to configure the IPv4 address, subnet mask, and default gateway manually for a network interface named Ethernet on Server1?
A. Set-NetIPv4Protocol 
B. New-NetIPAddress
C. Set-NetAdapter
D. Set-NetNat

Answer

A

B. The New-NetIPAddress cmdlet creates and configures an IP address. To create a specific IP address object, specify either an IPv4 address or an IPv6 address, and an interface index or interface alias. We recommend that you define the prefix length, also known as a subnet mask, and a default gateway. If you run this cmdlet to add an IP address to an interface on which DHCP is already enabled, then DHCP is automatically disabled. If Duplicate Address Detection (DAD) is enabled on the interface, the new IP address is not usable until DAD successfully finishes, which confirms the uniqueness of the IP address on the link.

Question 40

Q

You are the administrator for your company network. Your network contains an Active Directory domain. The domain contains a Windows Server 2016 DNS server named Server1 that you want to have Response Rate Limiting (RRL). What cmdlet should you run to enable RRL?
A. Add-DnsServerClientSubnet
B. Enable-DnsServerPolicy
C. Set-DnsServerResponseRateLimiting
D. Set-DnsServerResponeRateLimitingExceptionlist

Answer

A

C. The Set-DnsServerResponseRateLimiting cmdlet enables Response Rate Limiting (RRL) on a Windows DNS server.

Question 41

Q

You are the administrator for your company network. You have a Windows Server 2016 server named Server1. You promote Server1 to a domain controller. What should you do on Server1 if you need to view the service location (SRV) records that Server1 registers in DNS?
A. Open the netlogon.dns file.
B. Open the srv.sys file.
C. Run Get-DnsServerDiagnostics.
D. Run ipconfig /displaydns

Answer

A

A. The Netlogon service creates a log file that contains all the locator resource records stored in Netlogon. When you promote a server to a domain controller using DCPROMO, a text file containing all of the appropriate records the domain controller will register in DNS is created. This text file is stored in the %systemroot%\system32\config folder and is called netlogon.dns. Whenever a domain controller starts, the Netlogon service regis- ters these records or refreshes these records in the primary zone held by DNS.

Question 42

Q

You are the administrator for your company network. Your network contains a Windows Server 2016 DNS server named Server1. The network also contains a Windows Server 2012 R2 server named Server2. You change the IP address of Server2. A few hours later several users report that they cannot connect to Server2. On the users’ client computers, you flush the DNS client resolver cache and the users can successfully connect to Server2. What value should you modify in the Start of Authority (SOA) record if you need to reduce the amount of time that the client computers cache DNS records?
A. Expires After
B. Minimum (Default) TTL 
C. Refresh Interval
D. Retry Interval

Answer

A

B. Time to Live (TTL) is used for computer data, including DNS servers. It is the amount of time or number of transmissions that a packet can experience before it is discarded. The Minimum (Default) Time to Live (TTL) is the default or minimum amount of time for a newly created record.

Question 43

Q

You are the administrator for your company network. Your network contains an Active Directory domain. The domain contains a domain controller named Server1 that has
the DNS Server role installed. Server1 hosts a primary zone for the domain. The domain contains a member server named Server2 that is configured to use Server1 as its primary DNS server. From Server2, you run nslookup.exe. The DNS request times out, showing the default server as unknown. What should you do if you need to ensure that when you run Nslookup that the correct name of the default server is displayed?
A. Create a reverse lookup zone on Server1.
B. Modify the security settings of the primary zone on Server1.
C. Add the primary zone to the DNS suffix list from Advanced TCP/IP Settings on Server1.
D. Add the primary zone to the DNS suffix list from Advanced TCP/IP Settings on Server2.

Answer

A

A. Make sure that a reverse lookup zone that is authoritative for the pointer (PTR) resource record exists. PTR records contain the information that is required for the server to perform reverse name lookups. A reverse lookup is when a DNS client queries a DNS server for the name of a host when it has the IPv4 or IPv6 address of the host.

Question 44

Q

You are the administrator for your company network. The network consists of a single Active Directory domain named abc.com. You have a server named Server1 that runs a custom network application. Server1 has the following IP addresses:
■✓ 192.168.15.10
■✓ 192.168.15.11
What should you do if you need to ensure that a client computer resolves Server1.abc.com to only the 192.168.15.11 IP address?
A. Edit the LMHOSTS file.
B. Run ipconfig.exe /flushdns.
C. Edit the HOSTS file.
D. Run netsh interface ipv4 reset.

Answer

A

C. The HOSTS file is a common way to resolve a host name to an IP address through a locally stored text file that contains IP-address-to-host-name mappings. The HOSTS file is used to map host names to IP addresses

Question 45

Q

You are the administrator for your company network. Your network contains an Active Directory domain named abc.com. You currently have an intranet website that is
hosted by two Windows Server 2016 web servers named Web1 and Web2. Users use the name intranet.abc.com to request the website and use DNS round robin. You plan to implement the NLB feature on Web1 and Web2. What should you do if you need to make changes to the DNS records for the planned implementation?
A. Create two resource records for intranet.abc.com. Point one record to Web1 and point one record to Web2.
B. Create a new host (A) record named Intranet. Remove both host (A) records for Web1 and Web2.
C. Delete both host (A) records named Intranet. Create a pointer (PTR) record for each web server.
D. Delete one of the host (A) records named Intranet. Modify the remaining host (A) record named Intranet.

Answer

A

A. Round robin is used by DNS servers as a local balancing mechanism to share and dis- tribute network resource loads. You can use it to rotate all resource record (RR) types con- tained in a query if multiple RRs are found. By default, DNS uses round robin to rotate the order of RR data returned in query answers where multiple RRs of the same type exist for a queried DNS domain name. So, in this case, you would want to create two resource records for intranet.abc.com. Point one record to Web1 and point one record to Web2.

Question 46

Q

You are the administrator for your company network. Your company has a single Active Directory domain. All servers run Windows Server 2016. You install an additional DNS server. What should you do if you need to delete the pointer record for the IP address 10.3.2.127?
A. From the command prompt, run the dnscmd /ZoneDelete 127.in-addr.arpa command.
B. Use DNS Manager to delete the 127.in-addr.arpa zone.
C. From the command prompt, run the dnscmd /RecordDelete 10.in-addr.arpa.
127.2.3 PTR command.
D. From the command prompt, run the dnscmd /RecordDelete 10.3.2.127 command.

Answer

A

C. If you choose to delete all PTR records at the node, use dnscmd.exe to delete them. So, to delete all PTR records at the 10.3.2.1 address you would type the following command at the command prompt: dnscmd /RecordDelete 10.in-addr.arpa. 127.2.3 PTR.

Question 47

Q

You are the administrator for your company network. Your network contains two Windows Server 2016 servers named Server1 and Server2. Both servers have the DNS Server role installed. You create a standard primary zone named abc.com on Server1. What should you do from Server1 if you need to ensure that Server2 can host a secondary zone?
A. Convert the primary zone to an Active Directory integrated zone.
B. Create a zone delegation that points to Server2.
C. Create a trust anchor named Server2.
D. Create a new secondary zone for Server2.

Answer

A

D. Adding a secondary DNS server to a zone involves three steps:
1. Add the prospective secondary DNS server to the list of name servers that are authorita-
tive for the zone on the primary DNS server.
2. Verify that the transfer settings for the zone permit the zone to be transferred to the prospective secondary DNS server on the primary DNS server.
3. Add the zone as a secondary zone on the prospective secondary DNS server.

Question 48

Q

You are the administrator for your company network. You have a Windows Server 2016 DHCP server that fails. You restore the server from backup. What should you do if you need to prevent the DHCP server from issuing any IP addresses that are already being used on the network?
A. Set the Conflict Detection value to 0.
B. Set the Conflict Detection value to 2.
C. Set the Duplicate Address option on the DHCP scope.
D. Set the Duplicate Address option on the DHCP server.

Answer

A

B. The Conflict Detection value specifies how many ICMP echo requests (pings) the server sends for an address it is about to offer. The default is 0. Conflict Detection is a way to verify that the DHCP server is not issuing IP addresses that are already being used on the network. So, an administrator should set the Conflict Detection Attempts to a value other than 0. The value you enter determines the number of times the DHCP server checks an IP address before leasing it to a client. The DHCP server checks IP addresses by sending a ping request over the network.

Question 49

Q

You are the administrator for your company network. The Windows Server 2016 network uses DHCP. You notice that your DHCP database is getting too large and you want to reduce the size of the database. What should you do to the folder that contains the DHCP database?
A. Run jetpack.exe dhcp.mdb temp.
B. Run shrinkpack.exe dhcp.mdb temp. 
C. Run jetshrink.exe dhcp.mdb temp. 
D. Run shrinkjet.exe dhcp.mdb temp.

Answer

A

A. Microsoft’s jetpack.exe utility allows you to compact a JET database. Microsoft JET databases are used for WINS and DHCP databases.

Question 50

Q

You are the administrator for your company network. You administer a server that assigns IP addresses via DHCP. You want to make sure that a particular client always receives the same IP address from the DHCP server. You create an exclusion for that address, but you find that the computer isn’t being properly configured at bootup. What could be causing the problem?
A. You excluded the wrong IP address.
B. You need to create a superscope for the address.
C. You need to make a reservation for the client that ties the IP address to the computer’s MAC address and then delete the exclusion.
D. You must configure the client manually. You cannot assign the address via the DHCP server.

Answer

A

C. An exclusion just marks addresses as excluded; the DHCP server doesn’t maintain any information about them. A reservation marks an address as reserved for a particular client. So, create a client reservation on a DHCP server if you want the server to always assign the same IP address to a specific machine on the network.

Question 51

Q

You are the administrator for your company network. In the middle of the day, your DHCP server crashes. You reboot the server and get it back up and running within 5 minutes. However, nobody but yourself seems to notice that it had gone down. What additional steps must you take?
A. None. If there were no lease-renewal requests during the 5-minute period in which the DHCP server was down, none of the clients will ever know that it went down.
B. You need to renew all the leases manually.
C. None. The DHCP server automatically assigned new addresses to all the clients on the
network transparently.
D. You must reboot all of the client machines.

Answer

A

A. When the DHCP server crashed, the scope was effectively deactivated. Deactivating a scope has no effect on the client until it needs to renew the lease.

Question 52

Q

You are the administrator for your company network. You are going to modify the IP configuration on your network to take advantage of DHCP. You are explaining how DHCP works to a colleague. You want your colleague to understand how a client obtains an address from the DHCP server. What are the steps that occur in the initial DHCP lease process? (Choose all that apply.)
A. Search
B. Offer
C. Acknowledgment D. Announce
E. Request
F. Discovery
G. Selection

Answer

A

B, C, E, F. The acronym to remember is DORA. The DHCP operation stages are often abbreviated as DORA for discovery, offer, request, and acknowledgment. IP lease discovery is used when a DHCP-enabled IP stack is initialized to locate a DHCP server with this special- ized broadcast. When a DHCP server receives the discover packet, it sends out an IP lease offer containing an available address. The client responds to the DHCP offer with an IP lease acceptance message showing that this address is acceptable. Finally, when the DHCP request is received, the server sends out an IP lease acknowledgment, which contains configuration options for the IP stack and adds the information to the DHCP database.

Question 53

Q

You are the administrator for your company network. You assign two DNS server addresses as part of the options for a scope. Later you find that a client workstation isn’t using those addresses that you set up for DNS. What is most likely the cause of the problem?
A. The client didn’t receive the option information as part of its lease.
B. The client has been manually configured with a different set of DNS servers.
C. The client has a reserved IP address in the address pool.
D. There’s a glitch in the DHCP server service.

Answer

A

B. The client has been manually configured with a different set of DNS servers. Manual settings will override the DHCP options.

Question 54

Q

You are the administrator for your company network. You are working on a client machine that obtains its IP configuration from a DHCP server. You notice that the client received different configuration information the last few times its lease was renewed. What is most likely causing this to occur?
A. The DHCP server is not working properly.
B. Another computer on the network has taken over your machine’s configuration
information since the last renewal.
C. When clients renew their leases, they receive all of their configuration information. An administrator is changing the configuration information between lease renewals.
D. The client is receiving only the information that has changed since the last renewal. An administrator is changing the configuration information between lease renewals.

Answer

A

C. During lease renewal, the client gets all configuration information offered by the server. Since the client machine has received different configurations during the last few times the lease was renewed, this is an indication that an administrator is changing the configuration information between the lease durations.

Question 55

Q

You are the administrator for your company network. You have a single Active Directory forest and your DNS servers are configured as Active Directory Integrated zones. When you look at the DNS records in Active Directory, you notice that there are many records for computers that do not exist on your domain. You want to make sure only domain computers register with your DNS servers. What should you do to resolve this issue?
A. Set dynamic updates to Nonsecure and Secure. B. Set dynamic updates to Domain Users Only.
C. Set dynamic updates to None.
D. Set dynamic updates to Secure Only.

Answer

A

D. The Secure Only option is for DNS servers that have an Active Directory Integrated zone. When a computer tries to register with DNS dynamically, the DNS server checks Active Directory to verify that the computer has an Active Directory account. If the com- puter that is trying to register has an account, DNS adds the host record. If the computer trying to register does not have an account, the record gets tossed away and the database is not updated.

Question 56

Q

You are the administrator for your company network. Your company consists of a single Active Directory forest. You have a Windows Server 2016 domain controller named Server1 that also has the DNS role installed. You also have a Unix-based DNS server at the same location. What should you do if you need to configure your Windows DNS server to allow zone transfers to the Unix-based DNS server?
A. Enable BIND secondaries.
B. Convert the DNS server to Active Directory Integrated.
C. Configure the Unix server as a stub zone.
D. Configure the Microsoft DNS server to forward all requests to the Unix DNS server.

Answer

A

A. If you need to complete a zone transfer from Microsoft DNS to a BIND (Unix) DNS server, you need to enable BIND secondaries on the Microsoft DNS server. BIND secondar- ies determine whether to use fast transfer format for transfer of a zone to DNS servers run- ning legacy BIND implementations. By default, all Windows-based DNS servers use a fast zone transfer format.

Question 57

Q

You are the administrator for your company network. The network has one main site and one branch office. Your company has a single Active Directory forest named abc.com. You have a single domain controller named Server1 that is located in the main office and has the DNS role installed. Server1 is configured as a primary DNS zone. You have decided to place a domain controller named Server2 in the branch office and implement the DNS role on that server. How should you configure the DNS servers so that if the WAN link fails, users in both sites can still update records and resolve any DNS queries?
A. Configure Server2 as a stub zone.
B. Configure Server2 as a secondary DNS server. Set replication to occur every
5 minutes.
C. Convert Server1 to an Active Directory Integrated zone and configure Server2 as a secondary zone.
D. Configure Server2 as an Active Directory Integrated zone and convert Server1 to an Active Directory Integrated zone

Answer

A

D. Active Directory Integrated zones store their records in Active Directory. Because this company has only one Active Directory forest, it’s the same Active Directory that both DNS servers are using. This allows Server1 to see all of the records of Server2 and Server2 to see all the records of Server1.

Question 58

Q

You are the administrator for your company network. A new company policy states that all inbound DNS queries need to be recorded. What can you do to verify that the IT department is compliant with this new policy?
A. Enable Server Auditing—Object Access.
B. Enable DNS debug logging.
C. Enable DNS Auditing—Object Access.
D. Enable server database query logging.

Answer

A

B. On a Windows Server 2016 DNS machine, debug logging is disabled by default. When it is enabled, you have the ability to log DNS server activity, including inbound and outbound queries, packet type, packet content, and transport protocols.

Question 59

Q

You are the administrator for your company network. You are responsible for the DNS server. When you look at the DNS database, you see a large number of older records on the server. These records are no longer valid. What should you do?
A. Manually delete all the old records.
B. Set Dynamic Updates to None.
C. Enable Zone Aging and Scavenging in the zone properties.
D. Enable Zone Aging and Scavenging in the server properties.

Answer

A

C. Windows Server 2016 DNS supports two features called DNS Aging and DNS Scaveng- ing. These features are used to clean up and remove stale resource records. DNS zone or DNS server aging and scavenging flags old resource records that have not been updated in a certain amount of time (determined by the scavenging interval). These stale records will be scavenged at the next cleanup interval.

Question 60

Q

You are the administrator for your company network. Your IT team has been informed by the Compliance team that they need copies of the DNS Active Directory Integrated zones for security reasons. What should you run if you need to give the Compliance team a copy of the DNS zone?
A. Run dnscmd /zonecopy.
B. Run dnscmd /zoneexport.
C. Run dnscmd /zonefile.
D. Run dnscmd /zoneinfo.

Answer

A

B. The dnscmd /zoneexport command creates a file using the zone resource records. This file can then be given to the Compliance team as a copy.

Question 61

Q

You are the administrator for your company network. Your network is running Windows Server 2016. You have multiple remote locations connected to your main office by
slow satellite links. You want to install DNS into these offices so that clients can locate authoritative DNS servers in the main location. What type of DNS servers should be installed in the remote locations?
A. Primary DNS zones
B. Secondary DNS zones
C. Active Directory Integrated zones
D. Stub zones

Answer

A

D. Stub zones are very useful for slow WAN connections. These zones store only three types of resource records: NS records, glue host (A) records, and SOA records. These three records are used to locate authoritative DNS servers.

Question 62

Q

You are the administrator for your company network. You have an IPv6 prefix of 2001:DB8:BBCC:0000::/53 and you need to set up your network so that your IPv6 addressing scheme can handle 1,000 more subnets. Which network mask would you use?
A. /60 
B. /61 
C. /62 
D. /63 
E. /64

Answer

A

D. To calculate the network mask, you need to figure out which power number (2x) is greater than or equal to the number you need. Since we are looking for 1,000, 210 = 1,024. You then add the power (10) to the current network mask (53 + 10 = 63).

Question 63

Q

You are the administrator for your company network. You have a Windows Server 2016 machine that needs to be able to communicate with all computers on the internal network. The company decides to add 15 new segments to its IPv6 network. How should you configure the IPv6 address so that the server can communicate with all of the segments?
A. Configure the address as fd00::2b0:e0ff:dee9:4143/8.
B. Configure the address as fe80::2b0:e0ff:dee9:4143/32.
C. Configure the address as ff80::2b0:e0ff:dee9:4143/64.
D. Configure the address as fe80::2b0:e0ff:dee9:4143/64.

Answer

A

A. When you look at an IPv6 address, the first sections tell you the IPv6 address space pre- fix. Fd00:: /8 is the unique local unicast prefix, and this allows the server to communicate with all local machines within your intranet.

Question 64

Q

You are the administrator for your company network.The network is using the address 137.25.0.0; it is composed of 20 subnets, with a maximum of 300 hosts on each subnet. The company continues on a merger-and-acquisitions spree, and your manager has told you to prepare for an increase to 50 subnets with some containing more than 600 hosts. Using the existing network address, which of the following subnet masks would work for this requirement?
A. 255.255.240.0 
B. 255.255.248.0 
C. 255.255.252.0 
D. 255.255.254.0

Answer

A

C. A Class B address with a default subnet mask of 255.255.0.0 will support up to 65,534 hosts. To increase the number of networks that this network will support, you need to sub- net the network by borrowing bits from the host portion of the address. The subnet mask 255.255.252.0 uses 6 bits from the host’s area, and it will support 64 subnets while leav- ing enough bits to support 1,022 hosts per subnet. The subnet mask 255.255.248.0 uses 5 bits from the hosts and will support 32 subnetworks while leaving enough bits to support 2,046 hosts per subnet. Option C, 255.255.252.0, is the best answer because it leaves quite a bit of room for further growth in the number of networks while still leaving room for more than 1,000 hosts per subnet, which is a fairly large number of devices on one sub- net. The subnet mask 255.255.254.0 uses 7 bits from the host’s area and will support 126 networks, but it will leave only enough bits to support 500 hosts per subnet. The subnet mask 255.255.240.0 uses 4 bits from the hosts and will support only 16 subnetworks, even though it will leave enough bits to support more than 4,000 hosts per subnet.

Answer 65

A

A. The CIDR /27 tells you that 27 1s are turned on in the subnet mask. Twenty-seven 1s equals 11111111.11111111.11111111.11100000. This would then equal 255.255.255.224.

Answer 66

A

B. You need to configure a subnet mask that can accommodate 1,600 clients. The way
to figure this out is to use the formula 2x – 2 = Mask Number. So, a total of 1,600 clients means that it is 211 – 2 = 2048, and 2,048 is the first power number that is greater than 1,600. So since it is 211, that means that our subnet mask has 11 zeros. So it looks like the following: 11111111.11111111.11111000.00000000. This translates to 255.255.248.0.

Answer 67

A

B, D. If the first word of an IPv6 address is FE80 (actually the first 10 bits of the first word yields 1111 1110 10 or FE80:: /10), then the address is a link-local IPv6 address. If it’s in EUI-64 format, then the MAC address is also available (unless it’s randomly generated). The middle FF:FE is the filler and indicator of the EUI-64 space, with the MAC address being 00:03:FF:11:02:CD. Remember that the 00 of the MAC becomes 02 in the link-local IPv6 address, flipping a bit to call it local.

Answer 68

A

A. You need to configure a subnet mask that can accommodate 600 clients. The way to figure this out is to use the formula 2x – 2 = Mask Number. So a total of 600 clients means that it is 210 – 2 = 1,022, and 1,022 (power of 10) is the first power number that is greater than 600. So since it is 210, that means that our subnet mask has 10 zeros. So it looks like the following: 11111111.11111111.11111100.00000000. This translates to 255.255.252.0.

Answer 69

A

A. You need to configure a subnet mask that can accommodate 3,500 clients. The way to figure this out is to use the formula 2x – 2 = Mask Number. So, a total of 3,500 clients means that it
is 212 – 2 = 4094, and 4,094 (power of 12) is the first power number that is greater than 3,500. So since it is 212, that means that our subnet mask has 12 zeros. So it looks like the following: 11111111.11111111.11110000.00000000. This translates to 255.255.240.0.

Answer 70

A

A, C, F. There is no such IP address type as simulcast or staticast. Broadcast is an IPv4 address type. Unicast is the one-to-one address type. Anycast is the one-to-“one of many” address type. Multicast is the one-to-many address type.

Answer 71

A

D. The ipconfig /all command shows you all of the network configuration data, includ- ing TCP/IP settings.

Answer 72

A

C, D. Teredo is designed to give IPv4/IPv6 users access to the IPv6 Internet and network resources when the client machines are behind a NAT. There are some caveats and extra implementation steps, but the Teredo implementation in conjunction with a dual-stack node (which supports Teredo, like Windows Server 2016) are the required components.

Answer 73

A

A. Remember the rules: Use :: only once to replace a word or complete words (four 0s between colons). Use :0: as a compressed format for one complete word of 0s. You can leave out preceding 0s, but not trailing 0s; options B and C violate this rule.

Answer 74

A

D. Out of the possible answers provided, the only DHCP configuration option that would be both fault-tolerant and redundant is DHCP failover.

Answer 75

A

C. Administrators can use the Set-DhcpServerv4Scope cmdlet to configure the settings of an existing IPv4 scope. This cmdlet sets the properties of an existing IPv4 scope on the Dynamic Host Configuration Protocol (DHCP) server service.

Answer 76

A

D. Microsoft recommends the 80/20 rule for redundancy of DHCP services in a network. Implementing the 80/20 rule calls for one DHCP server to make approximately 80 percent of the addresses for a given subnet available through DHCP, while another server makes the remaining 20 percent of the addresses available.

Answer 77

A

A. DHCP can become a single point of failure within a network if there is only one DHCP server. If that server becomes unavailable, clients will not be able to obtain new leases or renew existing leases. For this reason, it is recommended that you have more than one DHCP server
in the network. However, more than one DHCP server can create problems if they both are configured to use the same scope or set of addresses. Microsoft recommends the 80/20 rule for redundancy of DHCP services in a network. To do this, you run the Configure Failover Wizard.

Answer 78

A

A. 003 Router is used to provide a list of available routers or default gateways on the same subnet.

Answer 79

A

B. 006 DNS is used to provide a list of available DNS servers to your scope settings or to your server settings.

Answer 80

A

C. You would want to set up a scope level policy to apply to just that IP range. If you set up a server level policy, it would apply to all scopes. Administrators can configure policies to provide an IP address from a specified range of the scope.

Answer 81

A

B. DHCP Name Protection ensures that DNS host A records are never overwritten during DNS dynamic updates. The other three options would not fulfill this question’s requirements.

Answer 82

A

D. Active Directory Integrated zones give you many benefits over using primary and sec- ondary zones, including less network traffic, secure dynamic updates, encryption, and reliability in the event of a DNS server going down. The Secure Only option is for dynamic updates to a DNS database.

Answer 83

A

B. The Invoke-IpamGpoProvisioning cmdlet creates and links three group policies speci- fied in the -Domain parameter for provisioning required access settings on the server roles managed by the computer running the IP Address Management (IPAM) server. The -GpoPrefixName parameter specified should be the same as the prefix configured in the IPAM Provisioning Wizard. The three Group Policy Objects (GPOs) are created with the suffixes _DHCP, _DNS, and _DC_NPS appended to the GpoPrefixName parameter value. These suffixes signify the three different types of access settings that are propagated by them, depending on the type of server role managed by the computer running the IPAM server.

Answer 84

A

D. The Set-DnsServerForwarder cmdlet changes forwarder settings on a Domain Name System (DNS) server. This cmdlet sets or resets IP addresses to which the DNS server forwards DNS queries when it cannot solve them locally. This cmdlet overwrites existing server level forwarders. The -UseRootHint parameter specifies whether to prevent the DNS server from performing iterative queries. If you set UseRootHint to $false, the DNS server forwards unresolved queries only to the DNS servers in the forwarders list and does not try iterative queries if the forwarders do not resolve the queries.

Answer 85

A

B, E, F. To manually start discovery of the servers that IPAM can manage, run the follow- ing cmdlets:
Step 1: Invoke-IpamServerProvisioning. Choose a provisioning method. The Invoke- IpamGpoProvisioning cmdlet creates and links three group policies specified in the Domain parameter for provisioning required access settings on the server roles managed by the computer running the IP Address Management (IPAM) server.
Step 2: Add-IpamDiscoveryDomain. Configure the scope of discovery. The Add-IpamDiscoveryDomain cmdlet adds an Active Directory discovery domain for an IP Address Management (IPAM) server. A discovery domain is a domain that IPAM searches to find infrastructure servers. An IPAM server uses the list of discovery domains to determine what type of servers to add. By default, IPAM discovers all domain controllers, Dynamic Host Configuration Protocol (DHCP) servers, and Domain Name System (DNS) servers.
Step 3: Start-ScheduledTask. Start server discovery. To begin discovering servers on the network, click Start Server Discovery to launch the IPAM ServerDiscovery task or use the Start-ScheduledTask cmdlet.

Brainscape's Knowledge GenomeTM

Chapter 6 - Implement Domain Name System Flashcards

Brainscape's Knowledge Genome^TM