You need to delegate permissions to modify the records in the adatum.com zone to a group named Group1

You have a DNS server named Server1 that runs Windows Server 2012 R2.
Server1 has the zones shown in the following output.

You need to delegate permissions to modify the records in the adatum.com zone to a group
named Group1.
What should you do first?

A.
Enable the distribution of the trust anchors for adatum.com.

B.
Unsign adatum.com.

C.
Store adatum.com in Active Directory.

D.
Update the server data file for adatum.com.

Explanation:
From the exhibit we see that the adatum.com zone is signed. A trust anchor (or trust “point”) is a public cryptographic key for a signed zone. Trust anchors must be configured on every non-authoritative DNS server that will attempt to validate DNS data.
You cannot distribute trust anchors until after a zone is signed.
https://technet.microsoft.com/en-us/library/dn593672.aspx




Strider

Surely it needs to be AD integrated first to delegate to an AD-Group?

JohnnyDivin'Duck

No. Answer is B.

When a zone is signed with DNSSEC, the DNS server will explicitly block attempts to change the zone replication scope or zone type. This is primarily to avoid complexities related to key storage when DNSSEC signing keys are stored in Active Directory. To change the zone replication scope, you must first unsign the zone.

https://technet.microsoft.com/en-us/library/dn593637.aspx#poc

Strider

But that’s about replication/zone type? This is about managing DNS records. It doesn’t mention replication.

Watcher

To enable the delegation of rights you have to change the zone to integrated but you can’t make changes to the zone until it’s unsigned – hence B.

qwe

Question asks “what should you do FIRST?”
Can’t integrate before unsigning.

MountSwolemore

Watcher is correct. Create a primary zone that’s non-ad integrated; there’s no security tab to delegate rights.

To change to AD integrated, you must unsign the zone.

Puck

Can confirm, I literally just went ahead and set up a Virtual Environment to test this. JohnnyDivin’Duck, Watcher, and MountSwoleMore are correct.

Screenshot from my lab test when I tried to AD Integrate a signed Primary Zone:

https://gyazo.com/0c96a231b65b2651c8d30ab2361fbeda

Hassona

Answer is B.

Immers

My VCE said Correct answer A:

Explanation:
From the exhibit we see that the adatum.com zone is signed. A trust anchor (or trust “point”) is a public cryptographic key for a signed zone.
Trust anchors must be configured on every non-authoritative DNS server that will attempt to validate DNS data. You cannot distribute trust anchors until after a zone is signed.
https://technet.microsoft.com/en-us/library/dn593672.aspx

Fluffy Uranus

Definitely B. You must unsign the zone.

Alexandre Ferreira

Correct Answer: B
The ZONE IS PRIMARY and NOT active directory integrated.
When a zone is signed with DNSSEC, the DNS server will explicitly block attempts to change the zone replication scope or zone type.
This is primarily to avoid complexities related to key storage when DNSSEC signing keys are stored in Active Directory.
To change the zone replication scope, you must first unsign the zone.
To enable the delegation of rights you have to change the zone to integrated but you can’t make changes to the zone until it’s unsigned – hence B.
https://technet.microsoft.com/en-us/library/dn593672.aspx

Fabio

Hello Guys
The A is correct.
Why? We can modify the permission of DNS zone file under system32.
I know … It’s dirty but possible!
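
The sequence most replies above describe (unsign the zone, convert it to Active Directory-integrated, then delegate on the zone object), written out as an added PowerShell example; it is not from the original post or any commenter. It assumes Server1 is a domain controller, that the zone is stored in the DomainDnsZones partition after conversion, and that the listed rights are what Group1 needs.

```powershell
# Added example. Zone and group names come from the question; the partition
# path and the set of rights granted are assumptions.
Import-Module DnsServer, ActiveDirectory

$zoneName = 'adatum.com'
$group    = 'Group1'

# 1. Inspect the current state: file-backed primary zones report
#    IsDsIntegrated = False and expose no security descriptor to delegate on.
$zone = Get-DnsServerZone -Name $zoneName
'{0}: IsDsIntegrated={1} IsSigned={2}' -f $zone.ZoneName, $zone.IsDsIntegrated, $zone.IsSigned

# 2. A signed zone refuses zone type / replication scope changes, so unsign first.
if ($zone.IsSigned) {
    Invoke-DnsServerZoneUnsign -ZoneName $zoneName -Force
}

# 3. Move the zone into Active Directory (domain-wide replication scope).
if (-not $zone.IsDsIntegrated) {
    ConvertTo-DnsServerPrimaryZone -Name $zoneName -ReplicationScope Domain -Force
}

# 4. Delegate record management to Group1 on the dnsZone object only,
#    rather than adding the group to DnsAdmins (server-wide rights).
$domainDn = (Get-ADDomain).DistinguishedName
$zoneDn   = "DC=$zoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
$sid      = (Get-ADGroup -Identity $group).SID

$rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty'
$rule   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path "AD:\$zoneDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$zoneDn" -AclObject $acl

# 5. Review the resulting entries for Group1.
(Get-Acl -Path "AD:\$zoneDn").Access |
    Where-Object { $_.IdentityReference -like "*\$group" } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType
```

Unsigning removes DNSSEC protection for the zone until it is signed again, so re-sign it after the conversion (for example with `Invoke-DnsServerZoneSign`) if validating resolvers depend on it.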