PrepAway - Latest Free Exam Questions & Answers

Which two actions should you perform?

Your company, Datum Corporation, has a single Active Directory domain named
intranet.adatum.com. The domain has two domain controllers that run the Windows Server 2008
R2 operating system. The domain controllers also run DNS servers.
The intranet.adatum.com DNS zone is configured as an Active Directory-integrated zone
with the Dynamic updates setting configured to Secure only.
A new corporate security policy requires that the intranet.adatum.com DNS zone must be
updated only by domain controllers or member servers.
You need to configure the intranet.adatum.com zone to meet the new security policy
requirement.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)


A. Remove the Authenticated Users account from the Security tab of the
intranet.adatum.com DNS zone properties.

B. Assign the SELF Account Deny on Write permission on the Security tab of the
intranet.adatum.com DNS zone properties.

C. Assign the server computer accounts the Allow on Write All Properties permission on the
Security tab of the intranet.adatum.com DNS zone properties.

D. Assign the server computer accounts the Allow on Create All Child Objects permission on
the Security tab of the intranet.adatum.com DNS zone properties.

Explanation:
http://www.advicehow.com/managing-dns-dynamic-updates-in-windows-server-2008-r2/
Managing DNS Dynamic Updates in Windows Server 2008 R2
What Is DNS Dynamic Update?
When a DNS server is installed in a network, administrators can configure it during
installation to accept dynamic updates of client records. Dynamic update means that DNS
client computers can automatically register their names along with their IP addresses in the
DNS server. When this happens, the DNS server automatically creates a Host (A) record for that
client computer that contains the hostname of the client and its associated IP address.
Also, during the installation of the DNS server, administrators can choose an option under
which the DNS server does not automatically update its records; in that case
administrators must manually create Host (A) records in the DNS database.
http://www.windowsecurity.com/articles-tutorials/windows_server_2008_security/DNSSecurity-Part2.html
DNS Security (Part 2): DNS Security Steps Prior to Deploying DNSSEC
In this article, then, we’ll take a look at the details of the following preliminary steps you can
take to help secure your Windows DNS infrastructure:
Decide who can resolve Internet host names
Don’t co-locate internal and external zones
Lock down the DNS cache
Enable recursion only where needed
Restrict DNS servers to listen on specific addresses
Consider using a private root hints file
Randomize your DNS source ports
Be aware of the Global Query Block List
Limit zone transfers
Take advantage of Active Directory integrated zone security
..
Take advantage of Active Directory integrated zone security
Active Directory integrated zones enable you to secure the registration of resource records
when dynamic name registration is enabled. Members of the Active Directory domain can
register their resource records dynamically while non-domain members will be unable to
register their names. You can also use discretionary access control lists (DACLs) to control
which computers are able to register or change their addressing information.
The figure below shows how you configure secure dynamic updates.

http://www.tutorialspoint.com/shorttutorials/configuring-dns-server-for-secure-only-dynamicupdates/
Configuring DNS Server for Secure Only Dynamic Updates
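
The DACL control described above can be audited from a zone object's security descriptor exported in SDDL form. The following is an added example, not code from this page or the articles it cites: it lists which trustees hold create-child or write-property rights and flags any that are not on an approved list. The sample SDDL string, the server SID and the approved set are constructed assumptions.

```python
import re

# Access-mask bits for the SDDL right codes used on directory objects.
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000,
          "GW": 0x40000000, "GR": 0x80000000}
CREATE = RIGHTS["CC"] | RIGHTS["GA"]                 # can add new records
WRITE = RIGHTS["WP"] | RIGHTS["GW"] | RIGHTS["GA"]   # can change existing ones

def parse_mask(field):
    """Rights are either a hex mask or concatenated two-letter codes."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]
    return mask

def update_grants(sddl):
    """Yield (trustee, can_create, can_write) for each Allow ACE in the DACL."""
    # Inheritance flags and Deny ACEs are not evaluated; this lists grants only.
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not dacl:
        return
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        ace_type, _flags, rights, _obj, _inh, trustee = ace.split(";")[:6]
        if ace_type not in ("A", "OA"):      # Deny and audit ACEs are not grants
            continue
        mask = parse_mask(rights)
        if mask & (CREATE | WRITE):
            yield trustee, bool(mask & CREATE), bool(mask & WRITE)

def unexpected_updaters(sddl, approved):
    """Trustees that can create or modify records but are not approved."""
    return sorted({t for t, _c, _w in update_grants(sddl) if t not in approved})

# Constructed sample DACL (not from a real zone): Authenticated Users (AU) may
# create child objects; SYSTEM (SY) and one hypothetical server have write access.
SERVER01 = "S-1-5-21-1111111111-2222222222-3333333333-1105"   # hypothetical SID
SAMPLE = ("O:SYG:SYD:(A;;CC;;;AU)(A;;RPLCRC;;;WD)"
          "(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
          f"(A;CI;CCWP;;;{SERVER01})")

if __name__ == "__main__":
    for trustee, create, write in update_grants(SAMPLE):
        print(f"{trustee}: create={create} write={write}")
    print("not approved:", unexpected_updaters(SAMPLE, {"SY", SERVER01}))
```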

