PrepAway - Latest Free Exam Questions & Answers

You need to ensure that only authenticated users are allowed to update host (A) records in the DNS zone

Your network consists of a single Active Directory domain. You have a domain controller and
a member server that run Windows Server 2008 R2. Both servers are configured as DNS
servers. Client computers run either Windows XP Service Pack 3 or Windows 7.
You have a standard primary zone on the domain controller. The member server hosts a
secondary copy of the zone.
You need to ensure that only authenticated users are allowed to update host (A) records in
the DNS zone.
What should you do first?


A. On the member server, add a conditional forwarder.

B. On the member server, install Active Directory Domain Services.

C. Add all computer accounts to the DNS UpdateProxy group.

D. Convert the standard primary zone to an Active Directory-integrated zone.

Explanation:
http://technet.microsoft.com/en-us/library/cc726034.aspx
Understanding Active Directory Domain Services Integration
The DNS Server service is integrated into the design and implementation of Active Directory
Domain Services (AD DS). AD DS provides an enterprise-level tool for organizing,
managing, and locating resources in a network.
How DNS integrates with AD DS
When you install AD DS on a server, you promote the server to the role of a domain
controller for a specified domain. As part of this process, you are prompted to specify a DNS
domain name for the AD DS domain which you are joining and for which you are promoting
the server, and you are offered the option to install the DNS Server role. This option is
provided because a DNS server is required to locate this server or other domain controllers
for members of an AD DS domain.
Benefits of AD DS integration
For networks that deploy DNS to support AD DS, directory-integrated primary zones are
strongly recommended. They provide the following benefits:
DNS features multimaster data replication and enhanced security based on the capabilities
of AD DS.
In a standard zone storage model, DNS updates are conducted based on a single-master
update model. In this model, a single authoritative DNS server for a zone is designated as
the primary source for the zone. This server maintains the master copy of the zone in a local
file. With this model, the primary server for the zone represents a single fixed point of failure.
If this server is not available, update requests from DNS clients are not processed for the
zone.
With directory-integrated storage, dynamic updates to DNS are sent to any AD DS-integrated
DNS server and are replicated to all other AD DS-integrated DNS servers by
means of AD DS replication. In this model, any AD DS-integrated DNS server can accept
dynamic updates for the zone. Because the master copy of the zone is maintained in the AD
DS database, which is fully replicated to all domain controllers, the zone can be updated by
the DNS servers operating at any domain controller for the domain. With the multimaster
update model of AD DS, any of the primary servers for the directory-integrated zone can
process requests from DNS clients to update the zone as long as a domain controller is
available and reachable on the network.
Also, when you use directory-integrated zones, you can use access control list (ACL) editing
to secure a dnsZone object container in the directory tree. This feature provides detailed
access to either the zone or a specified resource record in the zone. For example, an ACL
for a zone resource record can be restricted so that dynamic updates are allowed only for a
specified client computer or a secure group, such as a domain administrators group. This
security feature is not available with standard primary zones.
Zones are replicated and synchronized to new domain controllers automatically whenever a
new one is added to an AD DS domain.
By integrating storage of your DNS zone databases in AD DS, you can streamline database
replication planning for your network.
Directory-integrated replication is faster and more efficient than standard DNS replication.
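
An added example, not part of the original page or of the quoted Microsoft documentation: a PowerShell 2.0 script for the Windows Server 2008 R2 domain controller that reports whether the zone is directory-integrated and limited to secure dynamic updates, then converts the zone and applies the secure-only setting in that order. The zone name `corp.example.com` and the helper `Get-ZoneUpdatePosture` are assumptions for illustration.

```powershell
# Added example. Assumptions: elevated prompt on the domain controller that holds
# the standard primary zone; 'corp.example.com' is a placeholder zone name.
$ZoneName = 'corp.example.com'

# MicrosoftDNS_Zone.AllowUpdate: 0 = none, 1 = nonsecure and secure, 2 = secure only
$UpdateModes = @{ 0 = 'None'; 1 = 'Nonsecure and secure'; 2 = 'Secure only' }

# Hypothetical helper: read the zone's storage and dynamic-update settings via WMI.
function Get-ZoneUpdatePosture {
    param([string]$Name)
    $filter = "Name='$Name'"
    $z = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone -Filter $filter
    if (-not $z) { throw "Zone '$Name' not found on this DNS server." }
    New-Object PSObject -Property @{
        Zone         = $z.Name
        DsIntegrated = [bool]$z.DsIntegrated
        UpdateMode   = $UpdateModes[[int]$z.AllowUpdate]
        SecureOnly   = ($z.DsIntegrated -and $z.AllowUpdate -eq 2)
    }
}

$before = Get-ZoneUpdatePosture $ZoneName
$before | Format-List

if (-not $before.DsIntegrated) {
    # Step 1: move zone storage from the local zone file into AD DS.
    dnscmd /ZoneResetType $ZoneName /DsPrimary
    if ($LASTEXITCODE -ne 0) { throw 'Zone conversion failed.' }
}

if (-not $before.SecureOnly) {
    # Step 2: secure-only updates can be selected only for a directory-integrated zone.
    dnscmd /Config $ZoneName /AllowUpdate 2
    if ($LASTEXITCODE -ne 0) { throw 'Setting secure-only updates failed.' }
}

# Confirm the result: DsIntegrated should be True and UpdateMode 'Secure only'.
Get-ZoneUpdatePosture $ZoneName | Format-List
```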

