PrepAway - Latest Free Exam Questions & Answers

You need to configure DNS to allow only secure dynamic updates

Your network contains an Active Directory domain. The domain contains two domain
controllers named DC1 and DC2. DC1 hosts a standard primary DNS zone for the domain.
Dynamic updates are enabled on the zone. DC2 hosts a standard secondary DNS zone for
the domain.
You need to configure DNS to allow only secure dynamic updates.
What should you do first?


A.
On DC1 and DC2, configure a trust anchor.

B.
On DC1 and DC2, configure a connection security rule.

C.
On DC1, configure the zone transfer settings.

D.
On DC1, configure the zone to be stored in Active Directory.

Explanation:
http://www.tutorialspoint.com/shorttutorials/configuring-dns-server-for-secure-only-dynamicupdates/
Configuring DNS Server for Secure Only Dynamic Updates
About Dynamic Updates
During the installation of Active Directory Domain Services on Windows Server 2008 R2, the
installation process automatically installs the DNS server on the computer if one does
not already exist in the network.
After the successful installation of Active Directory Domain Services, the DNS server is by
default configured to automatically update the records of only the domain client computers
as soon as it receives the registration request from them. This automatic update of DNS
records in the DNS database is technically known as ‘Dynamic Updates’.
Types of DNS Updates
The types of dynamic updates that the DNS server in Windows Server 2008 R2 supports are:
Nonsecure and Secure – When this type of dynamic update is selected, any computer can
send a registration request to the DNS server. The DNS server in return automatically adds
the record of the requesting computer to the DNS database, even if the computer does not
belong to the same DNS domain.
Although this configuration remarkably reduces administrative overhead, this setting is not
recommended for the organizations that have highly sensitive information available in the
computers.
Secure only – When this type of dynamic update is selected, only the computers that are
members of the DNS domain can register themselves with the DNS server. The DNS server
automatically rejects the requests from the computers that do not belong to the domain. This
protects the DNS server from getting automatically populated with records of unwanted,
suspicious and/or fake computers.
None – When this option is selected, the DNS server does not accept any registration
request from any computers whatsoever. In such cases, DNS administrators must manually
add the IP addresses and the Fully Qualified Domain Names (FQDNs) of the client
computers to the DNS database.
In most production environments, systems administrators configure Secure Only dynamic
updates for DNS.
This remarkably reduces the security risks by allowing only the authentic domain client
computers to register themselves with the DNS server automatically, and decreases the
administrative overhead at the same time.
However, in some scenarios administrators choose to keep a non-Active Directory-integrated
zone to stay compliant with the policies of the organization. This configuration is not at all
recommended because it does not allow administrators to configure the DNS server for Secure
only updates, and it does not allow the DNS database to be replicated automatically to the
other DNS servers along with the Active Directory replication process. When a DNS zone is
not Active Directory integrated, the DNS database replication process must be performed
manually by the administrators.
Configure Secure Only Dynamic Updates in Windows Server 2008 R2 DNS Server
To configure Secure Only dynamic DNS updates in Windows Server 2008 R2,
administrators must follow the steps given below:
1. Log on to the Windows Server 2008 R2 DNS server computer on which ‘Secure only’ dynamic
updates are to be configured, using the domain admin or enterprise admin account.
2. On the desktop screen, click Start.
3. From the Start menu, go to Administrative Tools > DNS.

4. In the DNS Manager snap-in, from the console tree on the left, double-click to expand the
DNS server name.
5. From the expanded list, double-click Forward Lookup Zones.
6. From the displayed zones list, right-click the DNS zone on which secure only dynamic
updates are to be configured.
7. From the displayed context menu, click Properties.

8. In the zone’s properties box, make sure that the General tab is selected.
9. On the selected tab, choose the Secure only option from the Dynamic updates drop-down list.
Note: The Secure only option is available only if the DNS zone is Active Directory integrated.

10. Click OK to apply the changes.
11. Close the DNS Manager snap-in when done.
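
The same procedure scripted, as an added example that is not part of the original page or the tutorial it quotes: it finds primary zones that still accept nonsecure updates, stores any file-backed zone in Active Directory first (the prerequisite in the note to step 9), then sets Secure only. It assumes the DnsServer PowerShell module, which ships with Windows Server 2012 and later rather than the 2008 R2 release used in the steps; the function name and the default replication scope are hypothetical choices.

```powershell
#Requires -Modules DnsServer
# Added example: audit and harden dynamic-update settings on a DNS server.
# Assumption: run on (or against) a DNS server that is also a domain controller.

function Set-SecureOnlyDynamicUpdate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,

        # Hypothetical default: replicate to all DNS servers on DCs in the domain.
        [ValidateSet('Domain', 'Forest', 'Legacy')]
        [string]$ReplicationScope = 'Domain'
    )

    # Only primary zones that accept unauthenticated updates are in scope.
    # Zones set to 'None' are left alone: that is a deliberate, stricter choice.
    $zones = Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and $_.DynamicUpdate -eq 'NonsecureAndSecure' }

    foreach ($zone in $zones) {
        $name = $zone.ZoneName

        # Secure only is offered only on AD-integrated zones, so a standard
        # (file-backed) primary zone has to be converted before anything else.
        if (-not $zone.IsDsIntegrated) {
            if ($PSCmdlet.ShouldProcess($name, "Store zone in Active Directory ($ReplicationScope)")) {
                ConvertTo-DnsServerPrimaryZone -ComputerName $ComputerName -Name $name `
                    -ReplicationScope $ReplicationScope -Force
            }
        }

        if ($PSCmdlet.ShouldProcess($name, 'Set dynamic updates to Secure only')) {
            Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $name -DynamicUpdate Secure
        }

        # Re-read the zone so the report shows what the server now holds.
        Get-DnsServerZone -ComputerName $ComputerName -Name $name |
            Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate
    }
}

# Dry run: lists the zones that would change without modifying anything.
Set-SecureOnlyDynamicUpdate -WhatIf
```

Run it once with `-WhatIf` to review the affected zones, then without it to apply the changes.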

