You need to ensure that the client computers locate the…

Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012
R2. Client computers run either Windows 7 or Windows 8.
All of the computer accounts of the client computers reside in an organizational unit (OU) named Clients. A
Group Policy object (GPO) named GPO1 is linked to the Clients OU. All of the client computers use a DNS
server named Server1.
You configure a server named Server2 as an ISATAP router. You add a host (A) record for ISATAP to the
contoso.com DNS zone.
You need to ensure that the client computers locate the ISATAP router.
What should you do?

Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012
R2. Client computers run either Windows 7 or Windows 8.
All of the computer accounts of the client computers reside in an organizational unit (OU) named Clients. A
Group Policy object (GPO) named GPO1 is linked to the Clients OU. All of the client computers use a DNS
server named Server1.
You configure a server named Server2 as an ISATAP router. You add a host (A) record for ISATAP to the
contoso.com DNS zone.
You need to ensure that the client computers locate the ISATAP router.
What should you do?

A.
Run the Set-DnsServerGlobalQueryBlockList cmdlet on Server1.

B.
Configure the Network Options Group Policy preference of GPO1.

C.
Run the Add-DnsServerResourceRecord cmdlet on Server1.

D.
Configure the DNS Client Group Policy setting of GPO1.

Explanation:
The Set-DnsServerGlobalQueryBlockList command will change the settings of a global query block list which
you can use to ensure that client computers locate the ISATAP router.
Windows Server 2008 introduced a new feature, called “Global Query Block list”, which prevents some arbitrary
machine from registering the DNS name of WPAD. This is a good security feature, as it prevents someone
from just joining your network, and setting himself up as a proxy. The dynamic update feature of Domain Name
System (DNS) makes it possible for DNS client computers to register and dynamically update their resource
records with a DNS server whenever a client changes its network address or host name. This reduces the need
for manual administration of zone records. This convenience comes at a cost, however, because any
authorized client can register any unused host name, even a host name that might have special significance for
certain Applications. This can allow a malicious user to take over a special name and divert certain types of
network traffic to that user’s computer. Two commonly deployed protocols are particularly vulnerable to this
type of takeover: the Web Proxy Automatic Discovery Protocol (WPAD) and the Intra-site Automatic Tunnel
Addressing Protocol (ISATAP). Even if a network does not deploy these protocols, clients that are configured to
use them are vulnerable to the takeover that DNS dynamic update enables. Most commonly, ISATAP hosts
construct their PRLs by using DNS to locate a host named isatap on the local domain. For example, if the local
domain is corp.contoso.com, an ISATAP-enabled host queries DNS to obtain the IPv4 address of a host named
isatap.corp.contoso.com. In its default configuration, the Windows Server 2008 DNS Server service maintains a
list of names that, in effect, it ignores when it receives a query to resolve the name in any zone for which the
server is authoritative. Consequently, a malicious user can spoof an ISATAP router in much the same way as a
malicious user can spoof a WPAD server: A malicious user can use dynamic update to register the user’s own
computer as a counterfeit ISATAP router and then divert traffic between ISATAP-enabled computers on the
network. The initial contents of the block list depend on whether WPAD or ISATAP is already deployed when
you add the DNS server role to an existing Windows Server 2008 deployment or when you upgrade an earlier
version of Windows Server running the DNS Server service. Add- DnsServerResourceRecord – The AddDnsServerResourceRecordcmdlet adds a resource record for a Domain Name System (DNS) zone on a DNSserver. You can add different types of resource records. Use different switches for different record types. By
using this cmdlet, you can change a value for a record, configure whether a record has a time stamp, whether
any authenticated user can update a record with the same owner name, and change lookup timeout values,
Windows Internet Name Service (WINS) cache settings, and replication settings. SetDnsServerGlobalQueryBlockList – The Set-DnsServerGlobalQueryBlockListcmdlet changes settings of a global
query block list on a Domain Name System (DNS) server. This cmdlet replaces all names in the list of names
that the DNS server does not resolve with the names that you specify. If you need the DNS server to resolve
names such as ISATAP and WPAD, remove these names from the list. Web Proxy Automatic Discovery
Protocol (WPAD) and Intra-site Automatic Tunnel Addressing Protocol (ISATAP) are two commonly deployed
protocols that are particularly vulnerable to hijacking.

Training Guide: Installing and Configuring Windows Server 2012 R2, Chapter 4: Deploying domain controllers,
Lesson 4: Configuring IPv6/IPv4 Interoperability, p. 254-256
http://technet.microsoft.com/en-us/library/jj649942(v=wps.620).aspx
http://technet.microsoft.com/en-us/library/jj649876(v=wps.620).aspx
http://technet.microsoft.com/en-us/library/jj649874.aspx
http://technet.microsoft.com/en-us/library/jj649909.aspx



Leave a Reply 0

Your email address will not be published. Required fields are marked *