Your network consists of an Active Directory forest that contains one domain named contoso.com.
All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You have two Active Directory-integrated zones: contoso.com and nwtraders.com.
You need to ensure a user is able to modify records in the contoso.com zone.
You must prevent the user from modifying the SOA record in the nwtraders.com zone.
What should you do?
A. From the Active Directory Users and Computers console, run the Delegation of Control Wizard.
B. From the Active Directory Users and Computers console, modify the permissions of the Domain Controllers organizational unit (OU).
C. From the DNS Manager console, modify the permissions of the contoso.com zone.
D. From the DNS Manager console, modify the permissions of the nwtraders.com zone.
Correct Answer: C
Explanation/Reference:
Answer: From the DNS Manager console, modify the permissions of the contoso.com zone.
Explanation:
http://technet.microsoft.com/en-us/library/cc753213.aspx
Modify Security for a Directory-Integrated Zone
You can manage the discretionary access control list (DACL) on the DNS zones that are stored in Active Directory Domain Services (AD DS). You can use the DACL to control the permissions for the Active Directory users and groups that may control the DNS zones.
Membership in DnsAdmins or Domain Admins in AD DS, or the equivalent, is the minimum required to complete this procedure.
To modify security for a directory-integrated zone:
1. Open DNS Manager.
2. In the console tree, click the applicable zone. Where?
DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click Properties.
4. On the General tab, verify that the zone type is Active Directory-integrated.
5. On the Security tab, modify the list of member users or groups that are allowed to securely update the applicable zone and reset their permissions as needed.
Further information: http://support.microsoft.com/kb/163971 The Structure of a DNS SOA Record
The first resource record in any Domain Name System (DNS) Zone file should be a Start of Authority (SOA) resource record. The SOA resource record indicates that this DNS name server is the best source of information for the data within this DNS domain.
The SOA resource record contains the following information: Source host – The host where the file was created.
Contact e-mail – The e-mail address of the person responsible for administering the domain’s zone file. Note that a "." is used instead of an "@" in the e-mail name.
Serial number – The revision number of this zone file. Increment this number each time the zone file is changed. It is important to increment this value each time a change is made, so that the changes will be distributed to any secondary DNS servers.
Refresh Time – The time, in seconds, a secondary DNS server waits before querying the primary DNS server’s SOA record to check for changes. When the refresh time expires, the secondary DNS server requests a copy of the current SOA record from the primary. The primary DNS server complies with this request. The secondary DNS server compares the serial number of the primary DNS server’s current SOA record and the serial number in it’s own SOA record. If they are different, the secondary DNS server will request a zone transfer from the primary DNS server. The default value is 3,600.
Retry time – The time, in seconds, a secondary server waits before retrying a failed zone transfer. Normally, the retry time is less than the refresh time. The default value is 600.
Expire time – The time, in seconds, that a secondary server will keep trying to complete a zone transfer. If this time expires prior to a successful zone transfer, the secondary server will expire its zone file. This means the secondary will stop answering queries, as it considers its data too old to be reliable. The default value is 86,400.
Minimum TTL – The minimum time-to-live value applies to all resource records in the zone file. This value is supplied in query responses to inform other servers how long they should keep the data in cache. The default value is 3,600.
http://technet.microsoft.com/en-us/library/cc787600%28v=ws.10%29.aspx
Modify the start of authority (SOA) record for a zone
..
Notes: To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
..