Your network contains an Active Directory domain named contoso.com. All domain controllers run
Windows Server 2012 R2.
The domain contains an Edge Server named Server1. Server1 is configured as a DirectAccess server.
Server1 has the following settings:
You run the Remote Access Setup wizard as shown in the following exhibit. (Click the Exhibit button.)
You need to ensure that client computers on the Internet can establish DirectAccess connections to
Server1.
Which additional name suffix entry should you add from the Remote Access Setup wizard?
A. A Name Suffix value of dal.contoso.com and a blank DNS Server Address value
B. A Name Suffix value of Server1.contoso.com and a DNS Server Address value of 65.55.37.62
C. A Name Suffix value of dal.contoso.com and a DNS Server Address value of 65.55.37.62
D. A Name Suffix value of Server1.contoso.com and a blank DNS Server Address value
Explanation:
Split-brain DNS is the use of the same DNS domain for both Internet and intranet resources. For
example, the Contoso Corporation is using split brain DNS; contoso.com is the domain name for
intranet resources and Internet resources. Internet users use http://www.contoso.com to access
Contoso’s public Web site and Contoso employees on the Contoso intranet use
http://www.contoso.com to access Contoso’s intranet Web site. A Contoso employee with their laptop
that is not a DirectAccess client on the intranet that accesses http://www.contoso.com sees the
intranet Contoso Web site. When they take their laptop to the local coffee shop and access that
same URL, they will see the public Contoso Web site.
When a DirectAccess client is on the Internet, the Name Resolution Policy Table (NRPT) sends DNS
name queries for intranet resources to intranet DNS servers. A typical NRPT for DirectAccess will
have a rule for the namespace of the organization, such as contoso.com for the Contoso
Corporation, with the Internet Protocol version 6 (IPv6) addresses of intranet DNS servers. With just
this rule in the NRPT, when a user on a DirectAccess client on the Internet attempts to access the
uniform resource locator (URL) for their Web site (such as http://www.contoso.com), they will see
the intranet version. Because of this rule, they will never see the public version of this URL when
they are on the Internet.
For split-brain DNS deployments, you must list the FQDNs that are duplicated on the Internet and
intranet and decide which resources the DirectAccess client should reach, the intranet version or the
public (Internet) version. For each name that corresponds to a resource for which you want
DirectAccess clients to reach the public version, you must add the corresponding FQDN as an
exemption rule to the NRPT for your DirectAccess clients. Name suffixes that do not have
corresponding DNS servers are treated as exemptions.
References:
http://technet.microsoft.com/en-us/library/ee382323(v=ws.10).aspx
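The NRPT behaviour described in the explanation, as an added example that is not part of the original page or of any Microsoft code: a simplified model in which the most specific matching rule wins and a rule with no DNS servers is an exemption. The DNS server address 2001:db8::53 and the name intranet.contoso.com are constructed, and the precedence order (FQDN rule over suffix rule, longest suffix first) is the model's assumption.

```python
from typing import NamedTuple, Optional, Sequence, Tuple


class NrptRule(NamedTuple):
    namespace: str                # ".contoso.com" is a suffix rule, "www.contoso.com" an FQDN rule
    dns_servers: Tuple[str, ...]  # empty tuple models a blank DNS Server Address (exemption)


def match_rule(name: str, rules: Sequence[NrptRule]) -> Optional[NrptRule]:
    """Pick the most specific rule: an FQDN rule beats any suffix rule,
    and among suffix rules the longest suffix wins (assumed precedence)."""
    name = name.lower().rstrip(".")
    best, best_key = None, (-1, -1)
    for rule in rules:
        ns = rule.namespace.lower().rstrip(".")
        if ns.startswith("."):
            if not name.endswith(ns):
                continue
            key = (0, len(ns))
        elif name == ns:
            key = (1, len(ns))
        else:
            continue
        if key > best_key:
            best, best_key = rule, key
    return best


def resolve_path(name: str, rules: Sequence[NrptRule]):
    """Return (path, servers). Names with no rule, or with an exemption rule,
    fall back to the DNS servers configured on the network interface."""
    rule = match_rule(name, rules)
    if rule is None or not rule.dns_servers:
        return ("interface-dns", ())
    return ("intranet-dns", rule.dns_servers)


def shadowed_public_names(public_fqdns, rules):
    """List split-brain names that Internet-side clients would still send to intranet DNS."""
    return [n for n in public_fqdns if resolve_path(n, rules)[0] == "intranet-dns"]


INTRANET_DNS = ("2001:db8::53",)                                 # constructed address
RULES_BEFORE = [NrptRule(".contoso.com", INTRANET_DNS)]          # namespace rule only
RULES_AFTER = RULES_BEFORE + [NrptRule("www.contoso.com", ())]   # plus an exemption rule

if __name__ == "__main__":
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        for name in ("www.contoso.com", "intranet.contoso.com", "example.org"):
            print(label, name, resolve_path(name, rules))
        print(label, "shadowed:", shadowed_public_names(["www.contoso.com"], rules))
```
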
I’m not sure on this – but the answer might be D.
See comments here for the explanation.
http://www.aiotestking.com/microsoft/which-additional-name-suffix-entry-should-you-add-from-the-remote-access-setup-wizard/
^what Luis says – it makes sense. Therefore I’d be leaning towards D as the correct answer to this question.
A appears to be correct.
da1.contoso.com is the public DNS name associated with the Internet facing IP 65.55.37.62.
Adding da1.contoso.com with blank DNS server creates an exception for the contoso.com suffix so that Internet connected DA clients will use public DNS to resolve the server IP.
I agree with provided answer
The NRPT contains an entry for contoso.com which makes any query for something.contoso.com go through 2002:etc…
Hence if the question requires a search for server1.contoso.com to go to 2002, it already will, without any additional entry.
If, on the other hand, we want da1.contoso.com NOT to go to 2002, a specific entry for da1.contoso.com with a blank DNS entry will have to be specified, which will force the DNS resolution to be done using the external DNS server.
I think the answer provided is correct, please read the following TechNet article.
https://technet.microsoft.com/en-us/library/ee382323(v=ws.10)
The scenario is talking about split-brain DNS. To point out a few lines…
“When a DirectAccess client is on the Internet, the Name Resolution Policy Table (NRPT) sends DNS name queries for intranet resources to intranet DNS servers. A typical NRPT for DirectAccess will have a rule for the namespace of the organization, such as contoso.com for the Contoso Corporation, with the Internet Protocol version 6 (IPv6) addresses of intranet DNS servers. With just this rule in the NRPT, when a user on a DirectAccess client on the Internet attempts to access the uniform resource locator (URL) for their Web site (such as http://www.contoso.com), they will see the intranet version. Because of this rule, they will never see the public version of this URL when they are on the Internet.”
So based on the exhibit a direct access client will be redirected to the intranet website regardless. But Microsoft is basically asking you to specify what you need to do to show the public (Internet) website. So in further reading…
“For split-brain DNS deployments, you must list the FQDNs that are duplicated on the Internet and intranet and decide which resources the DirectAccess client should reach, the intranet version or the public (Internet) version. For each name that corresponds to a resource for which you want DirectAccess clients to reach the public version, you must add the corresponding FQDN as an exemption rule to the NRPT for your DirectAccess clients.”
That is, list the FQDN of the URL, da1.contoso.com as this will provide you with the public (Internet) version of the website.