Your network consists of an Active Directory forestthat contains one domainnamed contoso.com.
All domain controllersrun Windows Server 2008 R2and are configured as DNS servers.
You have two Active Directory-integrated zones: contoso.comand nwtraders.com.
Youneed to ensure a user is able to modify records inthe contoso.com zone.
You must prevent the user from modifying the SOA recordin the nwtraders.com zone.
What should you do?
A.
From the Active Directory Users and Computers console, run the Delegation of Control Wizard.
B.
From the Active Directory Users and Computers console, modify the permissions of the Domain Controllers
organizational unit (OU).
C.
From the DNS Manager console, modify the permissions of the contoso.com zone.
D.
From the DNS Manager console, modify the permissions of the nwtraders.com zone.
Explanation:
Answer.From the DNS Manager console, modify the permissions of the contoso.com zone.
http://technet.microsoft.com/en-us/library/cc753213.aspx
Modify Security for a Directory-Integrated Zone
You can manage the discretionary access control list (DACL) on the DNS zones that are stored in Active
Directory Domain Services (AD DS). You can use the DACL to control the permissions for the Active Directory
users and groups that may control the DNS zones.
Membership in DnsAdmins or Domain Admins in AD DS, or the equivalent, is the minimum required to
complete this procedure.
To modify security for a directory-integrated zone:
1. Open DNS Manager.
2. In the console tree, click the applicable zone.
Where?
DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click Properties.
4. On the General tab, verify that the zone type is Active Directory-integrated.
5. On the Security tab, modify the list of member usersor groups that are allowed to securely update the
applicable zone and reset their permissions as needed.
Further information:
http://support.microsoft.com/kb/163971
The Structure of a DNS SOA Record
The first resource record in any Domain Name System(DNS) Zone file should be a Start of Authority (SOA)
resource record. The SOA resource record indicates that this DNS name server is the best source of
information for the data within this DNS domain.
The SOA resource record contains the following information:
Source host – The host where the file was created.
Contact e-mail – The e-mail address of the person responsible for administering the domain’s zone file. Note
that a “.” is used instead of an “@” in the e-mail name.
Serial number – The revision number of this zone file. Increment this number each time the zone file is
changed. It is important to increment this value each time a change is made, so that the changes will be
distributed to any secondary DNS servers.
Refresh Time – The time, in seconds, a secondary DNS server waits before querying the primary DNS server’s
SOA record to check for changes. When the refresh time expires, the secondary DNS server requests a copy
of the current SOA record from the primary. The primary DNS server complies with this request. The secondary
DNS server compares the serial number of the primary DNS server’s current SOA record and the serial number
in it’s own SOA record. If they are different, the secondary DNS server will request a zone transfer from the
primary DNS server. The default value is 3,600.
Retry time – The time, in seconds, a secondary server waits before retrying a failed zone transfer. Normally, the
retry time is less than the refresh time. The default value is 600.
Expire time – The time, in seconds, that a secondary server will keep trying to complete a zone transfer. If this
time expires prior to a successful zone transfer, the secondary server will expire its zone file. Thismeans the
secondary will stop answering queries, as it considers its data too old to be reliable. The default value is 86,400.
Minimum TTL – The minimum time-to-live value applies to all resource records in the zone file. This value is
supplied in query responses to inform other servershow long they should keep the data in cache. The default
value is 3,600.
http://technet.microsoft.com/en-us/library/cc787600%28v=ws.10%29.aspx
Modify the start of authority (SOA) record for a zone
..
Notes: To perform this procedure, you must be a member of the Administrators group on the local computer,
or you must have been delegated the appropriate authority. If the computer is joined to a domain, members
of the Domain Admins group might be able to performthis procedure. As a security best practice, consider
using Run asto perform this procedure.
..