The Name Resolution Policy Table (NRPT) is a feature in Windows that allows administrators to define specific DNS resolution policies for different namespaces. To enforce DNSSEC validation for a particular namespace across multiple domain-joined computers, the most effective and scalable method is to configure an NRPT rule using a Group Policy Object (GPO). By creating a rule for the fabrikam.com namespace and enabling the "Require DNS clients to check that name and address data is validated by the DNS server" setting, this policy will be applied to all member servers within the scope of the GPO, forcing their DNS clients to perform DNSSEC validation for that specific zone.

A. On Server1, run the Add-DnsServerTrustAnchor cmdlet.

This cmdlet configures a trust anchor on a DNS server, not on DNS clients. It would not enforce validation on the member servers.

B. On each member server, run the Add-DnsServerTrustAnchor cmdlet.

This is incorrect and impractical. The Add-DnsServerTrustAnchor cmdlet is for the DNS Server role, which is not typically installed on member servers acting as clients.

D. From a Group Policy Object (GPO), modify the Network List Manager policies.

Network List Manager policies are used to configure network profiles (e.g., Private, Public, Domain) and have no function related to DNSSEC validation.

1. Microsoft Learn

The Name Resolution Policy Table. This document states

"You can use the NRPT to require that DNSSEC validation is performed for a specific namespace... The NRPT can be configured using the Group Policy Management Editor in the folder Computer Configuration\\Policies\\Windows Settings\\Name Resolution Policy." This directly supports using a GPO and the NRPT.

2. Microsoft Learn

Overview of DNSSEC. Under the "DNSSEC for the DNS Client" section

it explains

"The NRPT is a table that contains rules you can configure to specify DNS settings or special behavior for a given namespace... You can use Group Policy to apply NRPT rules to domain member computers."

3. Microsoft Learn

Add-DnsServerTrustAnchor. The official documentation for this PowerShell cmdlet specifies its purpose: "The Add-DnsServerTrustAnchor cmdlet adds a trust anchor to a Domain Name System (DNS) server." This confirms it is a server-side configuration

not a client-side policy enforcement tool.