PrepAway - Latest Free Exam Questions & Answers

Which two actions should you perform?

Your company, Datum Corporation, has a single Active Directory domain named intranet.adatum.com.
The domain has two domain controllers that run the Windows Server 2008 R2 operating system.
The domain controllers also run DNS servers.
The intranet.adatum.com DNS zone is configured as an Active Directory-integrated zone with the
Dynamic updates setting configured to Secure only.
A new corporate security policy requires that the intranet.adatum.com DNS zone must be updated only
by domain controllers or member servers.
You need to configure the intranet.adatum.com zone to meet the new security policy requirement.
Which two actions should you perform?
(Each correct answer presents part of the solution. Choose two.)

A.
Remove the Authenticated Users account from the Security tab of the intranet.adatum.com DNS zone
properties.

B.
Assign the SELF Account Deny on Write permission on the Security tab of the intranet.adatum.com DNS
zone properties.

C.
Assign the server computer accounts the Allow on Write All Properties permission on the Security tab of the
intranet.adatum.com DNS zone properties.

D.
Assign the server computer accounts the Allow on Create All Child Objects permission on the Security tab
of the intranet.adatum.com DNS zone properties.

Explanation:
http://www.advicehow.com/managing-dns-dynamic-updates-in-windows-server-2008-r2/
Managing DNS Dynamic Updates in Windows Server 2008 R2
What Is DNS Dynamic Update?
When a DNS server is installed in a network, during the installation administrators can configure it to accept
dynamic updates of client records. Dynamic updates means that DNS client computers can automatically
register their names along with their IP addresses in the DNS server. When this happens DNS server
automatically creates a Host (A) record for that client computer that contains hostname of the client and its
associated IP address.
Also, during the installation of DNS server administrators can choose an option according to which DNS server
should not automatically update its records and in this condition administrators must manually create Host (A)
records in the DNS database.
http://www.windowsecurity.com/articles-tutorials/windows_server_2008_security/DNS-Security-Part2.html
DNS Security (Part 2): DNS Security Steps Prior to Deploying DNSSEC
In this article, then, we’ll take a look at the details of the following preliminary steps you can take to help secure
your Windows DNS infrastructure:
Decide who can resolve Internet host names
Don’t co-locate internal and external zones
Lock down the DNS cache
Enable recursion only where needed
Restrict DNS servers to listen on specific addresses
Consider using a private root hints file
Randomize your DNS source ports
Be aware of the Global Query Block List
Limit zone transfers
Take advantage of Active Directory integrated zone security
..
Take advantage of Active Directory integrated zone security
Active Directory integrated zones enable you to secure the registration of resource records when dynamic
name registration is enabled. Members of the Active Directory domain can register their resource records
dynamically while non-domain members will be unable to register their names. You can also use discretionary
access control lists (DACLs) to control which computers are able to register or change their addressing
information.
The figure below shows how you configure secure dynamic updates.

http://www.tutorialspoint.com/shorttutorials/configuring-dns-server-for-secure-only-dynamic-updates/
Configuring DNS Server for Secure Only Dynamic Updates
..
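
The DACL control described under "Take advantage of Active Directory integrated zone security" can be reviewed from PowerShell. The following is an added example, not taken from the quoted articles; it assumes the ActiveDirectory module is available and that the zone is stored in the DomainDnsZones partition (the $ZoneDn value and the Get-ZoneWriteAce helper name are assumptions).

```powershell
# Added example: list the principals whose Allow ACEs let them create or
# change records in an Active Directory-integrated DNS zone.
# Assumption: the zone lives in the DomainDnsZones application partition.
# If it is stored elsewhere (ForestDnsZones or CN=System), adjust $ZoneDn.
Import-Module ActiveDirectory

$ZoneDn = 'DC=intranet.adatum.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intranet,DC=adatum,DC=com'

# CreateChild allows adding new record objects under the zone;
# WriteProperty allows changing existing ones. ACEs granting GenericWrite
# or GenericAll contain these bits, so they are reported as well.
$WriteMask = [int][System.DirectoryServices.ActiveDirectoryRights]'CreateChild, WriteProperty'

# Hypothetical helper: filters a list of access rules down to the Allow
# ACEs that overlap the write mask.
function Get-ZoneWriteAce {
    param(
        [Parameter(Mandatory = $true)] $AccessRules,
        [int] $Mask = $WriteMask
    )
    foreach ($ace in $AccessRules) {
        $rights = [int]$ace.ActiveDirectoryRights
        if ($ace.AccessControlType -eq 'Allow' -and ($rights -band $Mask) -ne 0) {
            New-Object PSObject -Property @{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Read the zone object's DACL through the AD: drive and report write-capable ACEs.
$acl = Get-Acl -Path ("AD:\" + $ZoneDn)
Get-ZoneWriteAce -AccessRules $acl.Access |
    Sort-Object Identity |
    Format-Table Identity, Rights, Inherited -AutoSize
```

Comparing this output before and after a change on the zone's Security tab shows whether the set of principals able to register records matches the policy.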

