Exam 300-710 topic 1 question 227 discussion

D- https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215538-configure-firepower-management-center-an.html see: 3. SSL or TLS does not work as expected If you don't enable DNS on the FTDs, you can see errors in the pigtail log that suggest that LDAP is unreachable:

A DNS record for the AD server is required because LDAPS clients typically use DNS to locate the domain controller hosting the AD server. The DNS record for the AD server helps clients resolve the server's hostname to its IP address.

The correct answer is A. The LDAPS protocol is used for secure communication with an LDAP directory using SSL/TLS encryption. When the network administrator has converted a Cisco FTD from using LDAP to LDAPS for VPN authentication, the LDAPS protocol must be allowed through the access control policy. This means that the firewall rule on the Cisco FTD must allow traffic on the LDAPS port (usually 636/tcp) from the VPN clients to the LDAPS server. Option D (DNS servers must be defined for name resolution) is not correct because although DNS is important for name resolution, it is not directly related to LDAPS authentication.

It's possible that DNS servers must be defined for name resolution if the LDAPS server's hostname or IP address cannot be resolved by the Cisco FTD.

LDAPS means certificates has to be checked, for that we need the DNS

I would vote D according to this thread: https://community.cisco.com/t5/network-access-control/cisco-ftd-ldaps/td-p/4541263