Your network contains an Active Directory forest.
The forest contains two domains named contoso.com and east.contoso.com.
The contoso.com domain contains a domain controller named DC1.
The east.contoso.com domain contains a domain controller named DC2.
DC1 and DC2 have the DNS Server server role installed.
You need to create a DNS zone that is available on DC1 and DC2.
The solution must ensure that zone transfers are encrypted.
What should you do?
A. Create a primary zone on DC1 and store the zone in DC=Contoso, DC=com naming context. Create a secondary zone on DC2 and select DC1 as the master.
B. Create a primary zone on DC1 and store the zone in a zone file. Configure Encrypting File System (EFS) encryption. Create a secondary zone on DC2 and select DC1 as the master.
C. Create a primary zone on DC1 and store the zone in a zone file. Configure IPSec on DC1 and DC2. Create a secondary zone on DC2 and select DC1 as the master.
D. Create a primary zone on DC1 and store the zone in a zone file. Configure DNSSEC for the zone. Create a secondary zone on DC2 and select DC1 as the master.
Correct Answer: C
Explanation/Reference:
Similar to A/Q15 and K/Q13.
http://technet.microsoft.com/en-us/network/bb531150.aspx
IPsec
Internet Protocol security (IPsec) uses cryptographic security services to protect communications over Internet Protocol (IP) networks. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. The Microsoft implementation of IPsec is based on Internet Engineering Task Force (IETF) standards.
In Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista, you can configure IPsec behavior by using the Windows Firewall with Advanced Security snap-in. In earlier versions of Windows, IPsec was a stand-alone technology separate from Windows Firewall.
http://technet.microsoft.com/en-us/library/ee649192%28v=ws.10%29.aspx
Secure Zone Transfers with IPsec
Use the following procedure to configure an IP Security (IPsec) rule to secure communications between two DNS servers. When applied to the primary and secondary DNS servers for a zone, this policy will protect updates occurring by zone transfer from the primary to the secondary DNS server. By applying this policy, zone transfers are not allowed unless both servers are domain members and have matching connection security rules. The policy is configured to apply to zone transfers between IP addresses specified on the Zone Transfers tab.
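The kind of connection security rule described above can also be created from the command line with `netsh advfirewall consec`. This is an added example, not the TechNet procedure or code from the original page; the IP addresses are placeholders, the rule name is hypothetical, and both servers are assumed to be domain members so that Kerberos computer authentication works.

```powershell
# Added example. Run from an elevated prompt on BOTH DNS servers (DC1 and DC2),
# so that each side holds a matching connection security rule.
$Primary   = '192.0.2.10'              # DC1, hosts the primary zone (placeholder address)
$Secondary = '192.0.2.20'              # DC2, hosts the secondary zone (placeholder address)
$RuleName  = 'DNS-ZoneTransfer-IPsec'  # hypothetical rule name

# Zone transfers run over TCP to port 53 on the primary.
# port1 belongs to endpoint1 (the secondary), port2 to endpoint2 (the primary).
# action=requireinrequireout : refuse the connection unless IPsec is negotiated
# auth1=computerkerb         : authenticate the computers with Kerberos V5
# qmsecmethods=esp:...       : ESP with a cipher, so the traffic is encrypted;
#                              an ah-only or authnoencap method would authenticate
#                              the traffic without encrypting it
netsh advfirewall consec add rule name=$RuleName `
    endpoint1=$Secondary endpoint2=$Primary `
    protocol=tcp port1=any port2=53 `
    action=requireinrequireout `
    auth1=computerkerb `
    qmsecmethods=esp:sha1-aes128

# Check the stored rule on each server.
netsh advfirewall consec show rule name=$RuleName

# After the secondary requests a transfer, list the quick mode security
# associations to confirm that ESP encryption was negotiated between the two hosts.
netsh advfirewall monitor show qmsa
```

Because the rule is scoped to TCP port 53 between the two addresses, other traffic between the domain controllers is not affected by it.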