Your company Datum Corporation, has a single Active Directory domain named intranet.adatum.com. The domain has two domain controllers that run Windows Server 2008 R2 operating system.
The domain controllers also run DNS servers.
The intranet.adatum.com DNS zone is configured as an Active Directory-integrated zone with the
Dynamic updates setting configured to Secure only.
A new corporate security policy requires that the intranet.adatum.com DNS zone must be updated only by domain controllers or member servers.
You need to configure the intranet.adatum.com zone to meet the new security policy requirement.
Which two actions should you perform?
(Each correct answer presents part of the solution. Choose two.)
A. Remove the Authenticated Users account from the Security tab of the intranet.adatum.com DNS zone properties.
B. Assign the SELF Account Deny on Write permission on the Security tab of the intranet.adatum.com DNS zone properties.
C. Assign the server computer accounts the Allow on Write All Properties permission on the Security tab of the intranet.adatum.com DNS zone properties.
D. Assign the server computer accounts the Allow on Create All Child Objects permission on the Security tab of the intranet.adatum.com DNS zone properties.
Correct Answer: AD
Explanation/Reference:
http://www.advicehow.com/managing-dns-dynamic-updates-in-windows-server-2008-r2/
Managing DNS Dynamic Updates in Windows Server 2008 R2
What Is DNS Dynamic Update?
When a DNS server is installed in a network, during the installation administrators can configure it to accept dynamic updates of client records. Dynamic updates means that DNS client computers can automatically register their names along with their IP addresses in the DNS server. When this happens DNS server automatically creates a Host (A) record for that client computer that contains hostname of the client and its associated IP address.
Also, during the installation of DNS server administrators can choose an option according to which DNS server should not automatically update its records and in this condition administrators must manually create Host (A) records in the DNS database.
http://www.windowsecurity.com/articles-tutorials/windows_server_2008_security/DNS-Security-Part2.html
DNS Security (Part 2): DNS Security Steps Prior to Deploying DNSSEC
In this article, then, we’ll take a look at the details of the following preliminary steps you can take to help secure your Windows DNS infrastructure:
Decide who can resolve Internet host names Don’t co-locate internal and external zones Lock down the DNS cache
Enable recursion only where needed
Restrict DNS servers to listen on specific addresses Consider using a private root hints file
Randomize your DNS source ports
Be aware of the Global Query Block List Limit zone transfers
Take advantage of Active Directory integrated zone security
..
Take advantage of Active Directory integrated zone security
Active Directory integrated zones enable you to secure the registration of resource records when dynamic name registration is enabled. Members of the Active Directory domain can register their resource records dynamically while non-domain members will be unable to register their names. You can also use discretionary access control lists (DACLs) to control which computers are able to register or change their addressing information.
The figure below shows how you configure secure dynamic updates.
http://www.tutorialspoint.com/shorttutorials/configuring-dns-server-for-secure-only-dynamic-updates/
Configuring DNS Server for Secure Only Dynamic Updates
..
