Your network contains an Active Directory forest.
The forest contains two domainsnamed contoso.comand east.contoso.com.
The contoso.comdomain contains a domain controllernamed DC1.
The east.contoso.comdomain contains a domain controllernamed DC2.
DC1 and DC2 have the DNS Server server role installed.
You need to create a DNS zone that is available on DC1 and DC2.
The solution must ensure that zone transfers are encrypted.
What should you do?

A.
Create a primary zone on DC1 and store the zone in DC=Contoso, DC=com naming context. Create a
secondary zone on DC2 and select DC1 as the master.

B.
Create a primary zone on DC1 and store the zone in a zone file. Configure Encrypting File System (EFS)
encryption. Create a secondary zone on DC2 and select DC1 as the master.

C.
Create a primary zone on DC1 and store the zone in a zone file. Configure IPSec on DC1 and DC2. Create
a secondary zone on DC2 and select DC1 as the master.

D.
Create a primary zone on DC1 and store the zone in a zone file. Configure DNSSEC for the zone. Create a
secondary zone on DC2 and select DC1 as the master.

Explanation:
http://technet.microsoft.com/en-us/network/bb531150.aspx
IPsec
Internet Protocol security (IPsec) uses cryptographic security services to protect communications overInternet
Protocol (IP) networks. IPsec supports network-level peer authentication, data origin authentication, data
integrity, data confidentiality (encryption), and replay protection. The Microsoft implementation of IPsec is based
on Internet Engineering Task Force (IETF) standards.
In Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista, you can configure IPsec
behavior by using the Windows Firewall with Advanced Security snap-in. In earlier versions of Windows,IPsec
was a stand-alone technology separate from Windows Firewall.
http://technet.microsoft.com/en-us/library/ee649192%28v=ws.10%29.aspx
Secure Zone Transfers with IPsec
Use the following procedure to configure an IP Security (IPsec) rule to secure communications between
two DNS servers. When applied to the primary and secondary DNS servers for a zone, this policy will protect
updates occurring by zone transfer from the primaryto the secondary DNS server. By applying this policy, zone
transfers are not allowed unless both servers are domain members and have matching connection security
rules. The policy is configured to apply to zone transfers between IP addresses specified on the Zone Transfers
tab.