Yesterday, I covered the subobjective DNS Server settings of the Microsoft Exam 70-640. Today, I will discuss the corresponding sample practice question.
Latest posts by Timothy Warner (see all)

You are the administrator of an Active Directory domain named Your organization has established a strategic partnership with another company; this company consists of an Active Directory domain named fakedomain.local. Each organization’s IT security policy mandates that a minimum amount of information be exchanged between the two corporate networks.

You receive complaints from users who are unable to resolve host names from the fakedomain.local domain.

Which of the following actions should you perform in order to enable users to connect to fakedomain.local resources by using host names?

A. Ask the fakedomain.local administrator to create a stub zone for the domain

B. Create a stub zone for the fakedomain.local domain.

C. Create a secondary zone for fakedomain.local within the domain.

D. Configure conditional forwarding for the domain.

The Correct Answer, Explanation, and Analysis

The correct answer here is D; we must configure conditional forwarding to the fakedomain.local domain from the domain. In this case we have two requirements:

  1. We must strictly limit the amount of data transfer between organizations for security purposes
  2. We need to enable users to resolve fakedomain.local resources by using DNS host names.

Therefore, we must configure our top-level internal DNS server to conditionally forward host name resolution requests for the fakedomain.local domain.

One strong hint that we are dealing with the resolution of non-public DNS names is the reference to a .local domain name.

We also need to cleave to the test-taker’s truism of never “reading into” IT certification items. In other words, we must read each word in the item stem and assume nothing else about the environment.

Recall that in the item stem it is stated that OUR users complain of not being able to resolve fakedomain.local names. We neither know nor care (for the purposes of this practice exam item) how well or poorly fakedomain.local users can resolve host names.

The answer choices in this item use a potentially confusing format. In other words, you must be able to cleanly delineate the two DNS domains involved. This also means you must perform extra-careful analysis on each choice to make sure you understand exactly what is being offered as a solution.

This item also requires some detailed content knowledge of Windows Server 2008 DNS. If, for instance, you are fuzzy about what a stub zone is, then you immediately lost 50 percent of your available answer choices. (Take-home message: Know all about DNS stub zones before you sit for this test.)

You also have to compare each answer choice to the requirements set forth in the item stem. At first blush, the notion of installing a secondary DNS zone for fakedomain.local within the infrastructure looks pretty good. However, this choice can be dismissed immediately when we remember that data sharing must be minimized between the two Active Directory forests.


I often tell my students that passing a Microsoft certification exam involves possessing a healthy mix of the following three skills:

  • Subject matter proficiency
  • Test-taking proficiency
  • Familiarity with Microsoft marketing literature

The third bullet point is only intended partially tongue-in-cheek. As I mentioned in my previous post in this series, I have observed certification candidates fail their Microsoft exam because they applied too much of their real-world experience and not enough of the Microsoft-published approaches to their technology.

This isn’t necessarily good or bad—it just IS. Best of luck to you in your certification studies.

In the next post of this series I will cover DNS zone transfers and replication.

Subscribe to 4sysops newsletter!

Relevant resources

  1. daveyk 12 years ago

    This series of articles is well written and interesting, as I’m looking to cert up with 70-640 soon as well, thank you.

  2. dmaas 11 years ago


    I am currently studying for the 70-640 exam and your series of articles is incredibly helpful. Thanks for posting these and I will continue to read your future articles!

  3. Adam 11 years ago

    Why is D a better answer than B in this case?

Leave a reply to Adam Click here to cancel the reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account