PrepAway - Latest Free Exam Questions & Answers

You need to ensure that only authenticated users are allowed to update host (A) records in the DNS zone

Your network consists of a single Active Directory domain.
You have a domain controller and a member server that run Windows Server 2008 R2.
Both servers are configured as DNS servers.
Client computers run either Windows XP Service Pack 3 or Windows 7.
You have a standard primary zone on the domain controller.
The member server hosts a secondary copy of the zone.
You need to ensure that only authenticated users are allowed to update host (A) records in the DNS zone.
What should you do first?

A. On the member server, add a conditional forwarder.

B. On the member server, install Active Directory Domain Services.

C. Add all computer accounts to the DNS UpdateProxy group.

D. Convert the standard primary zone to an Active Directory-integrated zone.

Explanation:
http://technet.microsoft.com/en-us/library/cc726034.aspx
Understanding Active Directory Domain Services Integration
The DNS Server service is integrated into the design and implementation of Active Directory Domain Services
(AD DS). AD DS provides an enterprise-level tool for organizing, managing, and locating resources in a
network.
How DNS integrates with AD DS
When you install AD DS on a server, you promote the server to the role of a domain controller for a specified
domain. As part of this process, you are prompted to specify a DNS domain name for the AD DS domain which
you are joining and for which you are promoting the server, and you are offered the option to install the DNS
Server role. This option is provided because a DNS server is required to locate this server or other domain
controllers for members of an AD DS domain.
Benefits of AD DS integration
For networks that deploy DNS to support AD DS, directory-integrated primary zones are strongly
recommended. They provide the following benefits:
DNS features multimaster data replication and enhanced security based on the capabilities of AD DS.
In a standard zone storage model, DNS updates are conducted based on a single-master update
model. In this model, a single authoritative DNS server for a zone is designated as the primary
source for the zone. This server maintains the master copy of the zone in a local file. With this model,
the primary server for the zone represents a single fixed point of failure. If this server is not available,
update requests from DNS clients are not processed for the zone.
With directory-integrated storage, dynamic updates to DNS are sent to any AD DS-integrated DNS
server and are replicated to all other AD DS-integrated DNS servers by means of AD DS replication.
In this model, any AD DS-integrated DNS server can accept dynamic updates for the zone. Because
the master copy of the zone is maintained in the AD DS database, which is fully replicated to all
domain controllers, the zone can be updated by the DNS servers operating at any domain controller
for the domain. With the multimaster update model of AD DS, any of the primary servers for the
directory-integrated zone can process requests from DNS clients to update the zone as long as a
domain controller is available and reachable on the network.
Also, when you use directory-integrated zones, you can use access control list (ACL) editing to
secure a dnsZone object container in the directory tree. This feature provides detailed access to
either the zone or a specified resource record in the zone. For example, an ACL for a zone resource
record can be restricted so that dynamic updates are allowed only for a specified client computer or a
secure group, such as a domain administrators group. This security feature is not available with
standard primary zones.
Zones are replicated and synchronized to new domain controllers automatically whenever a new one is
added to an AD DS domain.
By integrating storage of your DNS zone databases in AD DS, you can streamline database replication
planning for your network.
Directory-integrated replication is faster and more efficient than standard DNS replication.
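
Added example (not part of the original page or the TechNet article): the explanation says update security is not available with standard primary zones, so this script moves the zone into AD DS first and only then restricts dynamic updates to secure ones. It assumes it is run elevated on the domain controller that holds the primary zone; the zone name is a placeholder and Invoke-DnsCmd is a helper defined here.

```powershell
# Added example. dnscmd.exe is installed with the DNS Server role on
# Windows Server 2008 R2.
$Server = '.'                  # '.' = the local DNS server
$Zone   = 'corp.example.com'   # placeholder zone name (assumption)

function Invoke-DnsCmd {
    # Run dnscmd and stop on the first failure, so a later step never runs
    # against a zone that is still in its old state.
    param([string[]]$Arguments)
    $output = & dnscmd.exe $Server $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed:`n$($output -join "`n")"
    }
    $output
}

# 1. Record the current state of the zone (type, storage, update setting).
Invoke-DnsCmd -Arguments '/ZoneInfo', $Zone

# 2. Move zone storage from the local zone file into AD DS.
#    The zone must be hosted on a domain controller for this to succeed.
Invoke-DnsCmd -Arguments '/ZoneResetType', $Zone, '/DsPrimary'

# 3. Restrict dynamic updates.
#    AllowUpdate: 0 = none, 1 = nonsecure and secure, 2 = secure only.
#    Value 2 is valid only for a directory-integrated zone, which is why
#    step 2 comes first.
Invoke-DnsCmd -Arguments '/Config', $Zone, '/AllowUpdate', '2'

# 4. Read the setting back to confirm the change took effect.
Invoke-DnsCmd -Arguments '/ZoneInfo', $Zone, 'AllowUpdate'
```

With secure-only updates enabled, the DNS server accepts a dynamic update only from an authenticated client, and the record's ACL in the directory decides who may change it afterwards.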

