DRAG DROP
Your network contains an Active Directory forest named adatum.com. The forest contains a single
domain. All servers run Windows Server 2012 R2. All client computers run Windows 8.1.
The DNS zone of adatum.com is Active Directory-integrated.
You need to implement DNSSEC to meet the following requirements:
Ensure that the zone is signed.
Ensure that the zone signing key (ZSK) changes every 30 days.
Ensure that the key signing key (KSK) changes every 365 days.
What should you do? To answer, drag the appropriate cmdlets to the correct requirements. Each cmdlet
may be used once, more than once, or not at all. You may need to drag the split bar between panes or
scroll to view content.
Answer: 
Explanation:
Box 1: Invoke-DnsServerZoneSign
The Invoke-DnsServerZoneSign cmdlet signs a Domain Name System (DNS) server zone.
Box 2, Box 3: Add-DnsServerSigningKey
The Add-DnsServerSigningKey cmdlet adds a Key Signing Key (KSK) or Zone Signing Key (ZSK) key to a
Domain Name System (DNS) signed zone.
The Add-DnsServerSigningKey -ZoneSignatureValidityPeriod<TimeSpan>
Specifies the amount of time that signatures that cover all other record sets are valid.
Add-DnsServerSigningKey
https://technet.microsoft.com/en-us/library/jj649854.aspx