Which additional name suffix entry should you add from the Remote Access Setup wizard?

Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows
Server 2012.
The domain contains an Edge Server named Server1. Server1 is configured as a DirectAccess server. Server1
has the following settings:
Internal DNS name: Server1.contoso.com
External DNS name: dal.contoso.com
Internal IPv6 address: 2002:c1a8:6a:3333::1
External IPv4 address: 65.55.37.62
Your company uses split-brain DNS for the contoso.com zone.
You run the Remote Access Setup wizard as shown in the following exhibit. (Click the Exhibit button.)

You need to ensure that client computers on the Internet can establish DirectAccess connections to Server1.
Which additional name suffix entry should you add from the Remote Access Setup wizard?

A. A Name Suffix value of Server1.contoso.com and a blank DNS Server Address value

B. A Name Suffix value of dal.contoso.com and a blank DNS Server Address value

C. A Name Suffix value of Server1.contoso.com and a DNS Server Address value of 65.55.37.62

D. A Name Suffix value of dal.contoso.com and a DNS Server Address value of 65.55.37.62

Explanation:
For split-brain DNS deployments, you must list the FQDNs that are duplicated on the Internet and intranet and
decide which resources the DirectAccess client should reach, the intranet version or the public (Internet)
version. For each name that corresponds to a resource for which you want DirectAccess clients to reach the
public version, you must add the corresponding FQDN as an exemption rule to the NRPT for your DirectAccess
clients. Name suffixes that do not have corresponding DNS servers are treated as exemptions.
http://technet.microsoft.com/en-us/library/ee382323(v=ws.10).aspx
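
A simplified model of how a DirectAccess client picks a resolver from the NRPT, added here as an illustration (it is not from the original page or from Microsoft). The `.contoso.com` suffix rule and the intranet DNS address are assumptions, since the exhibit is not shown; the model covers only exact-FQDN and suffix rules.

```python
# Added example: simplified model of NRPT rule selection on a DirectAccess client.
# Assumptions (not from the page): the ".contoso.com" suffix rule and the
# intranet DNS address below, which is a constructed documentation address.
INTRANET_DNS = "2001:db8::53"

def match_rule(qname, rules):
    """Return (namespace, servers) of the most specific matching rule, or None."""
    q = qname.lower().rstrip(".")
    best = None
    for namespace, servers in rules.items():
        ns = namespace.lower()
        if ns.startswith("."):            # suffix rule, e.g. ".contoso.com"
            if not q.endswith(ns):
                continue
            score = len(ns)               # longer suffix = more specific
        elif q == ns:                     # exact FQDN rule
            score = float("inf")          # FQDN beats any suffix
        else:
            continue
        if best is None or score > best[0]:
            best = (score, namespace, servers)
    return None if best is None else (best[1], best[2])

def resolver_for(qname, rules):
    """'intranet' if the query goes to the rule's DNS servers, else 'local'."""
    hit = match_rule(qname, rules)
    if hit is None:
        return "local"                    # no rule: use interface DNS
    _, servers = hit
    return "intranet" if servers else "local"   # empty servers = exemption

def with_exemption(rules, fqdn):
    """Copy of rules plus an entry for fqdn with a blank DNS server address."""
    new = dict(rules)
    new[fqdn] = []
    return new

BASE = {".contoso.com": [INTRANET_DNS]}
NAMES = ["Server1.contoso.com", "dal.contoso.com", "www.example.org"]

if __name__ == "__main__":
    for label, rules in [("suffix rule only", BASE)] + [
        (f"+ exemption {n}", with_exemption(BASE, n)) for n in NAMES[:2]
    ]:
        print(label, {n: resolver_for(n, rules) for n in NAMES})
```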



mina

B it is, it says “on the internet” & the external DNS name is Dal

sysadmin

Daniele

Server1.contoso.com is a local name of the server, and it must use the local DNS for name resolution, not the ISP DNS server, because the public DNS server does not recognize the private name of the server!
Only the public name of the server (dal.contoso.com) can be used in resolution by the public DNS.
So the right answer is B; the DA client uses the public DNS to resolve the public name!

Aahna

In a non-split-brain DNS environment, the Internet namespace is different from the intranet namespace. For example, the Contoso Corporation uses contoso.com on the Internet and corp.contoso.com on the intranet. Because all intranet resources use the corp.contoso.com DNS suffix, the NRPT rule for corp.contoso.com routes all DNS name queries for intranet resources to intranet DNS servers. DNS name queries for names with the contoso.com suffix do not match the corp.contoso.com intranet namespace rule in the NRPT and are sent to Internet DNS servers.

Split-brain DNS is a configuration method that enables proper resolution of names (e.g., example.com) from both inside and outside of your local network.
Note: For split-brain DNS deployments, you must list the FQDNs that are duplicated on the Internet and intranet and decide which resources the DirectAccess client should reach, the intranet version or the public (Internet) version. For each name that corresponds to a resource for which you want DirectAccess clients to reach the public version, you must add the corresponding FQDN as an exemption rule to the NRPT for your DirectAccess clients. Name suffixes that do not have corresponding DNS servers are treated as exemptions.

david

So answer is B.

Lucas

OK, I understood that dal.contoso.com is right, but why a blank DNS Server Address value?

Luis

Correct answer is A:
A Name Suffix value of Server1.contoso.com and a blank DNS Server Address value
Explanation:
When you put server1.contoso.com and a blank DNS value, you are telling your internal clients to use the internal DNS for resolution. So a user will try to connect to DirectAccess using server1.contoso.com and that will resolve to the internal IP, in this case the IPv6 address.

On the flip side of the coin, for the external users, they would try to connect using the external name da1.contoso.com. Since that name would not be located in the NRPT, you would be telling them to use whatever DNS configuration you have on your local network card, and that would resolve to the external IP 65.55.37.62.

Ivan D.

A.

20411D-ENU-TrainerHandbook, 8-15 (p. 303)

How DirectAccess Works for External Clients:

When a DirectAccess client cannot reach the URL specified for the network location server, the DirectAccess client assumes that it is not connected to the intranet and that it is located on the Internet. When the client computer cannot communicate with the network location server, it starts to use NRPT and connection security rules.
The NRPT has DirectAccess-based rules for name resolution, and connection security rules define DirectAccess IPsec tunnels for communication with intranet resources. Internet-connected DirectAccess clients use the following process to connect to intranet resources.
1. The DirectAccess client attempts to access the network location server.
2. The client attempts to locate a domain controller.
3. The client attempts to access intranet resources first, and then Internet resources