You need to ensure that the replication of the contoso.com zone is encrypted

Your network consists of a single Active Directory domain.
All domain controllers run Windows Server 2008 R2 and are configured as DNS servers.
A domain controller named DC1 has a standard primary zone for contoso.com.
A domain controller named DC2 has a standard secondary zone for contoso.com.
You need to ensure that the replication of the contoso.com zone is encrypted.
You must not lose any zone data.
What should you do?

A.
Convert the primary zone into an Active Directory-integrated stub zone. Delete the secondary zone.

B.
Convert the primary zone into an Active Directory-integrated zone. Delete the secondary zone.

C.
Configure the zone transfer settings of the standard primary zone. Modify the Master Servers lists on the
secondary zone.

D.
On both servers, modify the interface that the DNS server listens on.

Explanation:
Answer: B. Convert the primary zone into an Active Directory-integrated zone. Delete the secondary zone.
http://technet.microsoft.com/en-us/library/cc771150.aspx
Change the Zone Type
You can use this procedure to change a zone into a primary, secondary, or stub zone. You can also use it to
integrate a zone with Active Directory Domain Services (AD DS).
http://technet.microsoft.com/en-us/library/cc726034.aspx
Understanding Active Directory Domain Services Integration
The DNS Server service is integrated into the design and implementation of Active Directory Domain Services
(AD DS). AD DS provides an enterprise-level tool for organizing, managing, and locating resources in a
network.
Benefits of AD DS integration
For networks that deploy DNS to support AD DS, directory-integrated primary zones are strongly
recommended. They provide the following benefits:
DNS features multimaster data replication and enhanced security based on the capabilities of AD DS.
In a standard zone storage model, DNS updates are conducted based on a single-master update
model. In this model, a single authoritative DNS server for a zone is designated as the primary source
for the zone. This server maintains the master copy of the zone in a local file. With this model, the
primary server for the zone represents a single fixed point of failure. If this server is not available,
update requests from DNS clients are not processed for the zone.
With directory-integrated storage, dynamic updates to DNS are sent to any AD DS-integrated DNS
server and are replicated to all other AD DS-integrated DNS servers by means of AD DS replication. In
this model, any AD DS-integrated DNS server can accept dynamic updates for the zone. Because the
master copy of the zone is maintained in the AD DS database, which is fully replicated to all domain
controllers, the zone can be updated by the DNS servers operating at any domain controller for the
domain. With the multimaster update model of AD DS, any of the primary servers for the directory-integrated
zone can process requests from DNS clients to update the zone as long as a domain controller is available
and reachable on the network.
..
Zones are replicated and synchronized to new domain controllers automatically whenever a new one is
added to an AD DS domain.
By integrating storage of your DNS zone databases in AD DS, you can streamline database replication
planning for your network.
Directory-integrated replication is faster and more efficient than standard DNS replication.
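The conversion the answer describes, as an added example (not part of the original question or of Microsoft's documentation): it uses dnscmd.exe, the built-in DNS management tool on Windows Server 2008 R2, keeps an exported copy of the zone so no data is lost, converts the zone on DC1, disables AXFR transfers that are no longer needed once AD DS replication carries the zone, and then removes the standard secondary on DC2. The server and zone names are the ones in the question; the `DS integrated = 1` line matched in the /ZoneInfo output is an assumption about that command's output format.

```powershell
# Added example: convert contoso.com to an AD-integrated primary without losing data.
$Primary   = 'DC1'          # holds the standard primary zone (from the question)
$Secondary = 'DC2'          # holds the standard secondary zone (from the question)
$Zone      = 'contoso.com'

function Invoke-DnsCmd {
    # Runs dnscmd.exe and throws on a non-zero exit code so a failed step stops the script.
    param([string[]]$Arguments)
    $out = & dnscmd.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($Arguments -join ' ') failed:`n$($out -join "`n")" }
    return $out
}

# 1. Keep a copy of the zone data before touching it. /ZoneExport writes the file
#    into %windir%\System32\dns on the target server.
$backupFile = "$Zone.before-ds-integration.bak"
Invoke-DnsCmd @($Primary, '/ZoneExport', $Zone, $backupFile) | Out-Null
if (-not (Test-Path "\\$Primary\admin$\System32\dns\$backupFile")) {
    throw "Backup of $Zone was not created on $Primary; aborting before any change"
}

# 2. Change the zone type on DC1 from file-backed standard primary to AD-integrated primary.
Invoke-DnsCmd @($Primary, '/ZoneResetType', $Zone, '/DsPrimary') | Out-Null

# 3. Confirm the zone is now stored in AD DS (assumed /ZoneInfo output line 'DS integrated = 1').
$info = Invoke-DnsCmd @($Primary, '/ZoneInfo', $Zone)
if (-not ($info | Where-Object { $_ -match 'DS\s*integrated\s*=\s*1' })) {
    throw "$Zone on $Primary is still not AD-integrated; secondary on $Secondary left untouched"
}

# 4. The zone now replicates through AD DS replication, so classic zone transfers
#    are no longer needed; turning them off removes the cleartext AXFR path entirely.
Invoke-DnsCmd @($Primary, '/ZoneResetSecondaries', $Zone, '/NoXfr') | Out-Null

# 5. Remove the standard secondary zone on DC2. DC2 is a domain controller, so it
#    loads the AD-integrated copy itself once AD DS replication has delivered it.
Invoke-DnsCmd @($Secondary, '/ZoneDelete', $Zone, '/f') | Out-Null

# 6. Poll DC2 until it reports the AD-integrated zone (DNS polls AD DS periodically,
#    so allow a few minutes before treating the absence as an error).
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 30
    $ok = & dnscmd.exe $Secondary /ZoneInfo $Zone 2>&1 | Where-Object { $_ -match 'DS\s*integrated\s*=\s*1' }
} until ($ok -or (Get-Date) -gt $deadline)
if (-not $ok) { throw "$Secondary has not loaded $Zone from AD DS yet; check AD replication" }
Write-Host "$Zone is AD-integrated on $Primary and $Secondary; backup kept as $backupFile"
```

Run it from an account with DNS administrator rights on both servers; the exported backup file is left in place deliberately so it can be reloaded with a standard primary zone if anything needs to be reverted.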
http://technet.microsoft.com/en-us/library/ee649124%28v=ws.10%29.aspx
Deploy IPsec Policy to DNS Servers
You can deploy IPsec rules through one of the following mechanisms:
Domain Controllers organizational unit (OU): If the DNS servers in your domain are Active Directory-integrated,
you can deploy IPsec policy settings using the Domain Controllers OU. This option is
recommended to make configuration and deployment easier.
DNS Server OU or security group: If you have DNS servers that are not domain controllers, then consider
creating a separate OU or a security group with the computer accounts of your DNS servers.
Local firewall configuration: Use this option if you have DNS servers that are not domain members or if you
have a small number of DNS servers that you want to configure locally.
http://technet.microsoft.com/en-us/library/cc772661%28v=ws.10%29.aspx
Deploying Secure DNS
Protecting DNS Servers
When the integrity of the responses of a DNS server is compromised or corrupted, or when the DNS data is
tampered with, clients can be misdirected to unauthorized locations without their knowledge. After the clients
start communicating with these unauthorized locations, attempts can be made to gain access to information
that is stored on the client computers. Spoofing and cache pollution are examples of this type of attack.
Another type of attack, the denial-of-service attack, attempts to incapacitate a DNS server to make DNS
infrastructure unavailable in an enterprise. To protect your DNS servers from these types of attacks:
Use IPsec between DNS clients and servers.
Monitor network activity.
Close all unused firewall ports.
Implementing IPsec Between DNS Clients and Servers
IPsec encrypts all traffic over a network connection. Encryption minimizes the risk that data that is sent
between the DNS clients and the DNS servers can be scanned for sensitive information or tampered with by
anyone attempting to collect information by monitoring traffic on the network. When IPsec is enabled, both ends
of a connection are validated before communication begins. A client can be certain that the DNS server with
which it is communicating is a valid server. Also, all communication over the connection is encrypted, thereby
eliminating the possibility of tampering with client communication. Encryption prevents spoofing attacks, which
are false responses to DNS client queries by unauthorized sources that act like a DNS server.
Further information:
http://technet.microsoft.com/en-us/library/cc771898.aspx
Understanding Zone Types
The DNS Server service provides for three types of zones:
Primary zone
Secondary zone
Stub zone
Note: If the DNS server is also an Active Directory Domain Services (AD DS) domain controller, primary zones
and stub zones can be stored in AD DS.
The following sections describe each of these zone types:
Primary zone
When a zone that this DNS server hosts is a primary zone, the DNS server is the primary source for information
about this zone, and it stores the master copy of zone data in a local file or in AD DS. When the zone is stored
in a file, by default the primary zone file is named zone_name.dns and it is located in the %windir%\System32
\Dns folder on the server.
Secondary zone
When a zone that this DNS server hosts is a secondary zone, this DNS server is a secondary source for
information about this zone. The zone at this server must be obtained from another remote DNS server
computer that also hosts the zone. This DNS server must have network access to the remote DNS server that
supplies this server with updated information about the zone. Because a secondary zone is merely a copy of a
primary zone that is hosted on another server, it cannot be stored in AD DS.
Stub zone
When a zone that this DNS server hosts is a stub zone, this DNS server is a source only for information about
the authoritative name servers for this zone. The zone at this server must be obtained from another DNS server
that hosts the zone. This DNS server must have network access to the remote DNS server to copy the
authoritative name server information about the zone.
You can use stub zones to:
Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the
DNS server that hosts both the parent zone and the stub zone will maintain a current list of authoritative
DNS servers for the child zone.
Improve name resolution. Stub zones enable a DNS server to perform recursion using the stub zone’s list of
name servers, without having to query the Internet or an internal root server for the DNS namespace.
Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a
list of the authoritative DNS servers for a zone without using secondary zones. However, stub zones do not
serve the same purpose as secondary zones, and they are not an alternative for enhancing redundancy and
load sharing.
There are two lists of DNS servers involved in the loading and maintenance of a stub zone:
The list of master servers from which the DNS server loads and updates a stub zone. A master server may
be a primary or secondary DNS server for the zone. In both cases, it will have a complete list of the DNS
servers for the zone.
The list of the authoritative DNS servers for a zone. This list is contained in the stub zone using name server
(NS) resource records.
When a DNS server loads a stub zone, such as widgets.tailspintoys.com, it queries the master servers, which
can be in different locations, for the necessary resource records of the authoritative servers for the zone
widgets.tailspintoys.com. The list of master servers may contain a single server or multiple servers, and it can
be changed anytime.
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/d352966e-b1ec-46b6-a8b4-317c2c3388c3/
Answered: what is a non-standard DNS secondary zone?
Q: While passing through 70-291 exam prep questions, I encountered the term “standard secondary zone”.
From the context of other questions I understood that “standard”, in context of primary zone, means “non-AD-integrated”.
A: Standard means it is not an AD integrated zone. AD integrated zones are stored in the AD database
and not in a text file.
Q: What does “standard” mean in context of DNS secondary zone?
A: It means the same thing in context of a Standard Primary Zone. Simply stated, “Standard” means the
zone data is stored in a text file, which can be found in system32\dns.