Securing Windows Server 2016 — Question 157
Your network contains an Active Directory domain named contoso.com.
All DNS servers host an Active Directory-integrated zone for the domain that is DNSSEC-signed. All the DNS servers have a trust anchor installed for a DNS zone named fabrikam.com.
For all the computers in the domain, you configure a name resolution policy that enforces DNSSEC validation for the contoso.com and fabrikam.com DNS namespaces.
You need to verify whether the trust anchor is valid.
What should you do?
Answer options
- A. On a domain-joined computer, run Resolve-DnsName to query a DNS server that hosts the fabrikam.com zone for a DNS record in the fabrikam.com zone.
- B. On a domain-joined computer, run Resolve-DnsName to query a domain controller for a DNS record in the fabrikam.com zone.
- C. On a domain-joined computer, run Get-DnsServerZone.
- D. On a domain controller, run Get-DnsServerDnsZoneSetting.
Correct answer: A
Explanation
The correct answer is A: querying a DNS server that hosts the fabrikam.com zone for a record in that zone retrieves the record with DNSSEC validation, which directly checks whether the trust anchor is valid. Option B is incorrect because querying a domain controller does not provide the necessary information about the DNS zone. Options C and D do not directly verify the trust anchor's validity.