Your network containsan Active Directory domainnamed contoso.com.
The domain contains a domain controllernamed DC1.
DC1 hosts a standard primary zone for contoso.com.
You discover that non-domain member computers register records in the contoso.com zone.
You need to prevent the non-domain member computers from registering records in the contoso.com
zone.
All domain member computers must be allowed to register records in the contoso.com zone.
What should you do first?

A.
Configure a trust anchor.

B.
Run the Security Configuration Wizard (SCW).

C.
Change the contoso.com zone to an Active Directory-integrated zone.

D.
Modify the security settings of the %SystemRoot%\System32\Dns folder.

Explanation:
http://technet.microsoft.com/en-us/library/cc772746%28v=ws.10%29.aspx
Active Directory-Integrated Zones
DNS servers running on domain controllers can storetheir zones in Active Directory. In this way, it is not
necessary to configure a separate DNS replication topology that uses ordinary DNS zone transfers, because all
zone data is replicated automatically by means of Active Directory replication. This simplifies the process of
deploying DNS and provides the following advantages:
Multiple masters are created for DNS replication. Therefore:
Any domain controller in the domain running the DNS server service can write updates to theActive
Directory–integrated zones for the domain name for which they are authoritative. A separate DNS zone transfer
topology is not needed.
Secure dynamic updates are supported. Secure dynamic updates allow an administrator to control which
computers update which names, and prevent unauthorized computers from overwriting existing names in
DNS