You need to ensure that the client computers locate the…

Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2016 R2. Client computers run either Windows 7 or Windows 8.
All of the computer accounts of the client computers reside in an organizational unit (OU) named Clients. A Group Policy object (GPO) named GPO1 is linked to the Clients OU. All of the client computers use a DNS server named Server1.
You configure a server named Server2 as an ISATAP router. You add a host (A) record for ISATAP to the contoso.com DNS zone.
You need to ensure that the client computers locate the ISATAP router.
What should you do?

A. Run the Set-DnsServerGlobalQueryBlockList cmdlet on Server1.
B. Configure the Network Options Group Policy preference of GPO1.
C. Run the Add-DnsServerResourceRecord cmdlet on Server1.
D. Configure the DNS Client Group Policy setting of GPO1.

Explanation:
The Set-DnsServerGlobalQueryBlockList cmdlet changes the settings of the global query block list, which you can use to ensure that client computers locate the ISATAP router.

Windows Server 2008 introduced a new feature, called the “Global Query Block List”, which prevents an arbitrary machine from registering the DNS name of WPAD. This is a good security feature, as it prevents someone from just joining your network and setting himself up as a proxy.

The dynamic update feature of Domain Name System (DNS) makes it possible for DNS client computers to register and dynamically update their resource records with a DNS server whenever a client changes its network address or host name. This reduces the need for manual administration of zone records. This convenience comes at a cost, however, because any authorized client can register any unused host name, even a host name that might have special significance for certain applications. This can allow a malicious user to take over a special name and divert certain types of network traffic to that user’s computer. Two commonly deployed protocols are particularly vulnerable to this type of takeover: the Web Proxy Automatic Discovery Protocol (WPAD) and the Intra-site Automatic Tunnel Addressing Protocol (ISATAP). Even if a network does not deploy these protocols, clients that are configured to use them are vulnerable to the takeover that DNS dynamic update enables.

Most commonly, ISATAP hosts construct their potential router lists (PRLs) by using DNS to locate a host named isatap on the local domain. For example, if the local domain is corp.contoso.com, an ISATAP-enabled host queries DNS to obtain the IPv4 address of a host named isatap.corp.contoso.com. Consequently, a malicious user can spoof an ISATAP router in much the same way as a malicious user can spoof a WPAD server: a malicious user can use dynamic update to register the user’s own computer as a counterfeit ISATAP router and then divert traffic between ISATAP-enabled computers on the network.

In its default configuration, the Windows Server 2008 DNS Server service maintains a list of names that, in effect, it ignores when it receives a query to resolve the name in any zone for which the server is authoritative. The initial contents of the block list depend on whether WPAD or ISATAP is already deployed when you add the DNS server role to an existing Windows Server 2008 deployment or when you upgrade an earlier version of Windows Server running the DNS Server service.

Add-DnsServerResourceRecord – The Add-DnsServerResourceRecord cmdlet adds a resource record for a Domain Name System (DNS) zone on a DNS server. You can add different types of resource records. Use different switches for different record types. By using this cmdlet, you can change a value for a record, configure whether a record has a time stamp, whether any authenticated user can update a record with the same owner name, and change lookup timeout values, Windows Internet Name Service (WINS) cache settings, and replication settings.

Set-DnsServerGlobalQueryBlockList – The Set-DnsServerGlobalQueryBlockList cmdlet changes settings of a global query block list on a Domain Name System (DNS) server. This cmdlet replaces all names in the list of names that the DNS server does not resolve with the names that you specify. If you need the DNS server to resolve names such as ISATAP and WPAD, remove these names from the list. Web Proxy Automatic Discovery Protocol (WPAD) and Intra-site Automatic Tunnel Addressing Protocol (ISATAP) are two commonly deployed protocols that are particularly vulnerable to hijacking.
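
The change the explanation describes, as an added PowerShell example (not part of the original page or of Microsoft's documentation): it reads the block list, checks which records already claim the isatap name, removes only isatap so that wpad stays blocked, and verifies resolution. Server1 and contoso.com are the names from the question; the control flow and messages are illustrative.

```powershell
# Added example. Server1 and contoso.com are the names used in the question.
$dnsServer = 'Server1'
$zone      = 'contoso.com'

# 1. Read the current block list: Enable (bool) and List (string[]).
$current = Get-DnsServerGlobalQueryBlockList -ComputerName $dnsServer
Write-Host "Blocking enabled: $($current.Enable); names: $($current.List -join ', ')"

# 2. Before unblocking a name, check which records already claim it.
#    A record created by dynamic update carries a TimeStamp; the static
#    A record added by the administrator does not.
Get-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName $zone `
        -Name 'isatap' -RRType A -ErrorAction SilentlyContinue |
    Select-Object HostName, TimeStamp,
        @{ Name = 'IPv4'; Expression = { $_.RecordData.IPv4Address } }

# 3. Set-DnsServerGlobalQueryBlockList replaces the whole list, so rebuild
#    it from the current names minus isatap. wpad stays blocked.
$newList = @($current.List | Where-Object { $_ -ne 'isatap' })
if ($newList.Count -eq $current.List.Count) {
    Write-Host 'isatap is not on the block list; nothing to change.'
}
elseif ($newList.Count -eq 0) {
    Write-Warning 'isatap is the only blocked name; decide how to handle an empty list by hand.'
}
else {
    Set-DnsServerGlobalQueryBlockList -ComputerName $dnsServer -List $newList
}

# 4. Verify from the server's point of view.
(Get-DnsServerGlobalQueryBlockList -ComputerName $dnsServer).List
Resolve-DnsName -Name "isatap.$zone" -Server $dnsServer -Type A
```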

Training Guide: Installing and Configuring Windows Server 2016 R2, Chapter 4: Deploying domain controllers, Lesson 4: Configuring IPv6/IPv4 Interoperability, p. 254-256
http://technet.microsoft.com/en-us/library/jj649942(v=wps.620).aspx
http://technet.microsoft.com/en-us/library/jj649876(v=wps.620).aspx
http://technet.microsoft.com/en-us/library/jj649874.aspx
http://technet.microsoft.com/en-us/library/jj649909.aspx



Josué Robert


New MCSA (Server 2016) 70-743 Exam Questions and Answers Updated Recently (1/Dec/2017):

NEW QUESTION 149
You are implementing a new network. The network contains a DHCP server named DHCP1 that runs Windows Server 2016. DHCP1 contains a scope named Scope1 for the 192.168.0/24 subnet. Your company has the following policy for allocating IP addresses:
– All server addresses must be excluded from DHCP scopes.
– All client computers must receive IP addresses from Scope1.
– All Windows servers must have IP addresses in the range of 192.168.0.200 to 192.168.0.240.
– All other network devices must have IP addresses in the range of 192.168.0.180 to 192.168.0.199.
You deploy a print device named Print1. You need to ensure that Print1 adheres to the policy for allocating IP addresses. Which command should you use?

A. Add-DhcpServerv4Lease
B. Add-DhcpServerv4ExclusionRange
C. Add-DhcpServerv4Filter
D. Add-DhcpServerv4Reservation

Answer: B

NEW QUESTION 150
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com. You need to identify which server is the schema master.
Solution: From Windows PowerShell, you run Get-ADDomainController -Discover -Service 2 cmdlet.
Does this meet the goal?

A. Yes
B. No

Answer: B

NEW QUESTION 151
You have a Scale-Out File Server that has a share named Share1. Share1 contains a virtual disk file named Disk1.vhd. You plan to create a guest failover cluster. You need to ensure that you can use the virtual disk as a shared virtual disk for the guest failover cluster. Which cmdlet should you use?

A. Optimize-VHD
B. Optimize-VHDSet
C. Convert-VHD
D. Set-VHD

Answer: A

NEW QUESTION 152
You plan to deploy several Hyper-V hosts that run Windows Server 2016. The deployment will use Software Defined Networking (SDN) and VXLAN. Which server role should you install on the network to support the planned deployment?

A. Network Controller
B. Network Policy and Access Services
C. Remote Access
D. Host Guardian Service

Answer: D

NEW QUESTION 153
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a server named Server1 that runs Windows Server 2016. Server1 is configured as a VPN server. Server1 is configured to allow domain users to establish VPN connections from 06:00 to 18:00 every day of the week. You need to ensure that domain users can establish VPN connections only between Monday and Friday.
Solution: From Network Policy Server, you modify the Network Policies on Server1.
Does this meet the goal?

A. Yes
B. No

Answer: A

NEW QUESTION 154
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. You need to create a Nano Server image named Nano1 that will be used as a virtualization host. The Windows Server 2016 source files are located in Drive D.
Solution: You run the following cmdlet:
New-NanoServerImage -Edition Datacenter -DeploymentType Host -Package Microsoft-NanoServer-SCVMM-Package -MediaPath D:\ -TargetPath C:\Nano1\Nano1.wim -ComputerName Nano1 -Domainname contoso.com
Does this meet the goal?

A. Yes
B. No

Answer: A

NEW QUESTION 155
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a server named Server1 that runs Windows Server 2016. Server1 is configured as a VPN server. Server1 is configured to allow domain users to establish VPN connections from 06:00 to 18:00 every day of the week. You need to ensure that domain users can establish VPN connections only between Monday and Friday.
Solution: From Routing and Remote Access, you configure the Properties of Server1.
Does this meet the goal?

A. Yes
B. No

Answer: B

NEW QUESTION 156
Your network contains three subnets, a production subnet that contains production servers, a development network that contains development servers, and a client network that contains client computers. The development network is used to test applications and reproduces servers that are located on the production network. The development network and the production network use the same IP address range. A developer has a client computer on the client network. The developer reports that when he attempts to connect to the IP address 10.10.1.6 from his computer, he connects to a server on the production network. You need to ensure that when the developer connects to 10.10.1.6, he connects to a server on the development network. Which cmdlet should you use?

A. New-NetNeighbor
B. New-NetRoute
C. Set-NetTcpSetting
D. Set-NetNeighbor

Answer: B

NEW QUESTION 157
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com. The forest has three sites located in London, Paris and Berlin. The London site contains a web server named Web1 that runs Windows Server 2016. You need to configure Web1 as an HTTP content server for the hosted cache servers located in the Paris and Berlin sites.
Solution: You install the DFS Replication role service, and then you start the Network Connections service.
Does this meet the goal?

A. Yes
B. No

Answer: A

NEW QUESTION 158
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com. The forest has three sites located in London, Paris and Berlin. The London site contains a web server named Web1 that runs Windows Server 2016. You need to configure Web1 as an HTTP content server for the hosted cache servers located in the Paris and Berlin sites.
Solution: You install the BranchCache feature, and then you start the BranchCache service.
Does this meet the goal?

A. Yes
B. No

Answer: B

NEW QUESTION 159
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com. The forest has three sites located in London, Paris and Berlin. The London site contains a web server named Web1 that runs Windows Server 2016. You need to configure Web1 as an HTTP content server for the hosted cache servers located in the Paris and Berlin sites.
Solution: You install the Deployment Server role service, and then you restart the World Wide Web Publishing Service.
Does this meet the goal?

A. Yes
B. No

Answer: A

NEW QUESTION 160
……

P.S. These New 70-743 Exam Questions Were Just Updated From The Real 70-743 Exam, You Can Get The Newest 70-743 Dumps In PDF And VCE From — https://www.passleader.com/70-743.html (187q VCE and PDF)

Good Luck!