Your network contains an Active Directory domain named contoso.com. The domain
contains a domain controller named DC1. DC1 hosts a standard primary zone for
contoso.com.
You discover that non-domain member computers register records in the contoso.com zone.
You need to prevent the non-domain member computers from registering records in the
contoso.com zone.
All domain member computers must be allowed to register records in the contoso.com zone.
What should you do first?

A.
Configure a trust anchor.

B.
Run the Security Configuration Wizard (SCW).

C.
Change the contoso.com zone to an Active Directory-integrated zone.

D.
Modify the security settings of the %SystemRoot%\System32\Dns folder.

Explanation:
http://technet.microsoft.com/en-us/library/cc772746%28v=ws.10%29.aspx
Active Directory-Integrated Zones
DNS servers running on domain controllers can store their zones in Active Directory. In this
way, it is not necessary to configure a separate DNS replication topology that uses ordinary
DNS zone transfers, because all zone data is replicated automatically by means of Active
Directory replication. This simplifies the process of deploying DNS and provides the following
advantages:
Multiple masters are created for DNS replication. Therefore:
Any domain controller in the domain running the DNS server service can write updates to the
Active Directory–integrated zones for the domain name for which they are authoritative. A
separate DNS zone transfer topology is not needed.
Secure dynamic updates are supported. Secure dynamic updates allow an administrator to
control which computers update which names, and prevent unauthorized computers from
overwriting existing names in DNS