Installing and Configuring Windows Server 2012 Training Guide: Network Administration
- 11/15/2012
Answers
This section contains the answers to the lesson review questions in this chapter.
Lesson 1
Correct answer: B
Incorrect: The server-cluster approach involves using the Failover Clustering feature of Windows Server 2008 or Windows Server 2008 R2 to cluster DHCP servers so that if the primary DHCP server in a cluster fails, the secondary server can take up the slack and continue leasing addresses to clients.
Correct: The split-scope approach involves splitting the IP address pool of a scope between two DHCP servers, typically by assigning the primary server 80 percent of the addresses in the scope and the secondary server the remaining 20 percent of the addresses. That way, if the primary server goes offline for any reason, DHCP clients on the subnet can still respond to lease renewal requests from the secondary server.
Incorrect: The standby-server approach uses a hot-standby DHCP server with scopes and options configured identically to your production DHCP server.
Incorrect: The DHCP-failover approach involves configuring two DHCP servers to provide leases from the same pool of addresses. The two servers then replicate lease information between them, which enables one server to assume responsibility for providing leases to all clients on the subnet when the other server is unavailable.
Correct answers: A and C
Correct: DHCP failover only supports using a maximum of two DHCP servers.
Incorrect: DHCP failover relationships are limited to IPv4 scopes and subnets.
Correct: DHCP failover can be implemented in two ways: using load-sharing mode or hot-standby mode. In load-sharing mode, leases are issued from both servers equally, which ensures availability and provides load balancing for your DHCP services. In hot-standby mode, leases are issued from the primary server until it fails, whereupon the lease data is automatically replicated to the secondary server, which assumes the load.
Incorrect: If the DHCP servers you want to implement DHCP failover for are domain members, they must be authorized in Active Directory. However, you can also implement DHCP failover on standalone DHCP servers in a workgroup.
Correct answers: A, B, and C
Correct: One scenario where hot-standby mode might be implemented is for organizations that have a central hub site (typically, the data center at the head office) connected via WAN links to multiple remote branch-office sites.
Correct: A common implementation of hot-standby mode is when each branch-office DHCP server has a failover relationship with the central-office DHCP server, with the branch office assuming the role as primary and the central server as secondary. That way, if a DHCP server fails at a branch office, the central server can take up the slack for the remote site.
Correct: Budget should not be a consideration when implementing hot-standby mode because you can use the existing DHCP server in your data center as the standby for DHCP servers in your branch offices. In other words, no new servers need to be deployed if you want to implement DHCP failover in hot-standby mode.
Incorrect: DHCP failover in load-sharing mode is a more appropriate solution for organizations that have only one physical site.
Lesson 2
Correct answer: D
Incorrect: DNSKEY resource records contain the public keys for a particular zone. Other types of DNSSEC resource records include RRSIG, DS, and NSEC (or NSEC3).
Incorrect: Only zones that are authoritative can be signed. Zones that are not authoritative cannot be signed.
Incorrect: The KSK is an authentication key with a length of 2048 bits that is generated using the RSA/SHA-256 cryptographic algorithm. The KSK is used to sign all of the DNSKEY records at the root of the zone, and it is part of the chain of trust. By default, the KSK has a rollover frequency of 755 days, and any DNSKEY records signed using the key have a signature validity of 168 hours.
Correct: When zone data is updated by a client sending a DNS dynamic update to an authoritative DNS server, that DNS server updates its own copy of the zone and generates the required signatures. The unsigned update is then securely replicated to all other authoritative servers, and each DNS server adds the update to its copy of the zone and generates the required signatures.
Correct answer: C
Incorrect: When an authoritative server receives the recursive query, it returns an authoritative response to the client’s local server.
Incorrect: When an authoritative server receives the recursive query, it returns an authoritative response to the client’s local server.
Correct: The local server uses the public key of the signed zone on the authoritative server to validate the response it received from the authoritative server.
Incorrect: The DNS client on all supported versions of Microsoft Windows is DNSSEC-aware but nonvalidating.
Correct answer: C
Incorrect: You should begin by introducing Windows Server 2012 domain controllers into your environment. These domain controllers should also have the DNS Server role and be configured to use Active Directory–integrated zones.
Incorrect: After deciding which DNS zone to implement DNSSEC on, sign the zone by opening the DNS Manager console, selecting the DNS server, right-clicking on the zone, and selecting DNSSEC, followed by Sign The Zone.
Correct: If the zone you signed is an Active Directory–integrated zone, private zone-signing keys now replicate automatically to all domain controllers hosting the zone through Active Directory replication. Each zone owner signs its own copy of the zone when it receives the key, as long as the zone owner is a domain controller running Windows Server 2012.
Incorrect: The final step in deploying DNSSEC is to ensure security between the nonvalidating DNS client and its local DNS servers. The recommended way to do this is to use IPsec to protect the last mile between the client and its local DNS server. The DNS clients must also be configured to check that responses have been validated by their local DNS server, and this is done by configuring the Name Resolution Policy Table (NRPT) on the clients. The NRPT can be configured by using either Group Policy or Windows PowerShell.
Lesson 3
Correct answer: B
Incorrect: Parameters that are marked with an asterisk (*) are mandatory; those not marked this way are optional.
Correct: Parameters that are marked with an asterisk (*) are mandatory; those not marked this way are optional.
Incorrect: All parameters that Show-Command displays in the properties page for a cmdlet apply to that cmdlet.
Incorrect: All parameters that Show-Command displays in the properties page for a cmdlet can have values specified for them on that properties page.
Correct answer: C
Incorrect: The Get-NetAdapterBinding cmdlet is used to display the bindings for the specified interface.
Incorrect: There is no cmdlet called Remove-NetAdapterBinding.
Correct: The Disable-NetAdapterBinding cmdlet can be used to disable the specified binding.
Incorrect: The Disable-NetAdapter cmdlet can be used to disable the specified network adapter.
Correct answer: B
Incorrect: If the -ScopeId parameter is used with this cmdlet, the result is to configure a scope option, not a server option.
Correct: This command configures a DHCP-scope option that assigns the address 10.10.0.1 as the default gateway on any DHCP client whose IPv4 address is on the 10.10.20.0 subnet.
Incorrect: DHCP is not used to assign TCP/IP settings to routers.
Incorrect: DHCP is not used to assign TCP/IP settings to routers.
Lesson 4
Correct answer: B
Incorrect: A dual-layer TCP/IP stack has been a standard feature on Windows platforms since Windows Vista and Windows Server 2008.
Correct: You can disable IPv6 on most interfaces by editing the registry, but you cannot disable the loopback interface (::1) on a Windows computer.
Incorrect: The DHCP role can be configured for both stateless and stateful DHCPv6 address autoconfiguration.
Incorrect: Windows Server 2012 computers can function as ISATAP routers by configuring their LAN interfaces with appropriate IPv6 addresses, routes, and other settings.
Correct answer: C
Incorrect: The first three bits of a global address are always 001 in binary format. This means that the first byte of the address can be 0x2 (binary 0010) or 0x3 (binary 0011) in hexadecimal format.
Incorrect: The first 8 bits of a unique local address are always 11111101 in binary format. This means that a unique local address always begins with FD and has a prefix identifier of FD00::/8.
Correct: The first 64 bits of a link-local address are always 11111110 10000000 00000000 00000000 in binary format. This means that a link-local address always begins with FE80 and has a prefix identifier of FE80::/64.
Incorrect: A multicast address always begins with 11111111 or FF.
Correct answer: C
Incorrect: Ipconfig can be used to display the address information for an interface, but it is not a Windows PowerShell cmdlet.
Incorrect: Get-NetAdapter can be used to get the basic network adapter properties.
Correct: Get-NetIPAddress can be used to get information about IP address configuration.
Incorrect: Get-NetIPInterface can be used to get information about the IP interface properties.
Correct answer: B
Incorrect: Windows computers automatically assign IPv6 addresses to their LAN interfaces using stateless address autoconfiguration, but these addresses are link-local addresses that can be used only for communications between computers on the same link.
Correct: An ISATAP router is used to enable communication between ISATAP hosts on an ISATAP subnet and IPv6 hosts on an IPv6-capable network. Computers running Windows Server 2012 can function as ISATAP routers by configuring their LAN interfaces with appropriate IPv6 addresses, routes, and other settings.
Incorrect: Teredo is an IPv6 transition technology that provides automatic tunneling that allows IPv6/IPv4 hosts to establish IPv6 connectivity with each other across the IPv4 Internet even when IPv4 network address translation (NAT) devices need to be traversed.
Incorrect: Using a DHCPv6 server to assign IPv6 addresses to computers on an IPv4-only network will not help them communicate with computers on a different network that is IPv6-capable.