You need to configure DNS to allow only secure dynamic updates

Your network contains an Active Directory domain.
The domain contains two domain controllers named DC1 and DC2.
DC1 hosts a standard primary DNS zone for the domain.
Dynamic updates are enabled on the zone.
DC2 hosts a standard secondary DNS zone for the domain.
You need to configure DNS to allow only secure dynamic updates.
What should you do first?

A. On DC1 and DC2, configure a trust anchor.

B. On DC1 and DC2, configure a connection security rule.

C. On DC1, configure the zone transfer settings.

D. On DC1, configure the zone to be stored in Active Directory.

Explanation:
http://www.tutorialspoint.com/shorttutorials/configuring-dns-server-for-secure-only-dynamic-updates/
Configuring DNS Server for Secure Only Dynamic Updates
About Dynamic Updates
During the installation of Active Directory Domain Services on Windows Server 2008 R2, the installation
process automatically installs the DNS server on the computer, in case it does not already exist in the network.
After the successful installation of Active Directory Domain Services, the DNS server is by default configured to
automatically update the records of only the domain client computers as soon as it receives the registration
request from them. This automatic update of DNS records in the DNS database is technically known as
‘Dynamic Updates’.
Types of DNS Updates
The types of dynamic updates that the DNS server in Windows Server 2008 R2 supports include:
Nonsecure and Secure – When this type of dynamic update is selected, any computer can send a
registration request to the DNS server. The DNS server in return automatically adds the record of the
requesting computer in the DNS database, even if the computer does not belong to the same DNS domain.
Although this configuration remarkably reduces administrative overhead, this setting is not recommended
for the organizations that have highly sensitive information available in the computers.
Secure only – When this type of dynamic update is selected, only the computers that are members of the
DNS domain can register themselves with the DNS server. The DNS server automatically rejects the
requests from the computers that do not belong to the domain. This protects the DNS server from getting
automatically populated with records of unwanted, suspicious and/or fake computers.
None – When this option is selected, the DNS server does not accept any registration request from any
computers whatsoever. In such cases, DNS administrators must manually add the IP addresses and the
Fully Qualified Domain Names (FQDNs) of the client computers to the DNS database.
In most production environments, systems administrators configure Secure Only dynamic updates for DNS.
This remarkably reduces the security risks by allowing only the authentic domain client computers to register
themselves with the DNS server automatically, and decreases the administrative overhead at the same time.
However, in some scenarios, administrators choose to have a non-Active Directory integrated zone to stay
compliant with the policies of the organization. This configuration is not at all recommended because it does not
allow administrators to configure the DNS server for Secure only updates, and it does not allow the DNS database
to get replicated automatically to the other DNS servers along with the Active Directory replication process.
When a DNS zone is not Active Directory integrated, the DNS database replication process must be performed
manually by the administrators.
Configure Secure Only Dynamic Updates in Windows Server 2008 R2 DNS Server
To configure Secure Only dynamic DNS updates in Windows Server 2008 R2, administrators must follow the
steps given as below:
1. Log on to the Windows Server 2008 R2 DNS server computer on which ‘Secure only’ dynamic updates are to be
configured, using a domain admin or enterprise admin account.
2. On the desktop screen, click Start.
3. From the Start menu, go to Administrative Tools > DNS.
4. On DNS Manager snap-in, from the console tree in the left, double-click to expand the DNS server name.
5. From the expanded list, double-click Forward Lookup Zones.
6. From the displayed zones list, right-click the DNS zone on which secure only dynamic updates are to be
configured.
7. From the displayed context menu, click Properties.

8. On the zone’s properties box, make sure that the General tab is selected.
9. On the selected tab, choose Secure only option from the Dynamic updates drop-down list.
Note: Secure only option is available only if the DNS zone is Active Directory integrated.
10. Click OK to apply the modified changes.
11. Close DNS Manager snap-in when done.
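
The same change scripted, as an added example that is not part of the original page or the quoted tutorial. It assumes the DnsServer PowerShell module (Windows Server 2012 and later, or RSAT) instead of the 2008 R2 GUI; the function name, the `DC1` target and the `contoso.example` zone are placeholders. Following the note in step 9, it stores a standard primary zone in Active Directory before selecting Secure only.

```powershell
#Requires -Modules DnsServer
# Added example: assumes the DnsServer module; 'DC1' and 'contoso.example' are placeholders.

function Set-SecureOnlyDynamicUpdate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [string] $ComputerName = 'DC1',
        [ValidateSet('Domain', 'Forest', 'Legacy')] [string] $ReplicationScope = 'Domain'
    )

    $zone = Get-DnsServerZone -Name $ZoneName -ComputerName $ComputerName -ErrorAction Stop

    # Dynamic update policy is set on the primary copy, never on a secondary.
    if ($zone.ZoneType -ne 'Primary') {
        throw "Zone '$ZoneName' on $ComputerName is $($zone.ZoneType); run this against the primary."
    }

    # Secure only is offered only for Active Directory-integrated zones,
    # so a file-backed (standard) primary has to be converted first.
    if (-not $zone.IsDsIntegrated) {
        if ($PSCmdlet.ShouldProcess($ZoneName, "Store zone in Active Directory ($ReplicationScope scope)")) {
            ConvertTo-DnsServerPrimaryZone -Name $ZoneName -ComputerName $ComputerName `
                -ReplicationScope $ReplicationScope -Force
        }
    }

    # Equivalent of choosing "Secure only" in the Dynamic updates drop-down list.
    if ($zone.DynamicUpdate -ne 'Secure') {
        if ($PSCmdlet.ShouldProcess($ZoneName, 'Set dynamic updates to Secure only')) {
            Set-DnsServerPrimaryZone -Name $ZoneName -ComputerName $ComputerName -DynamicUpdate Secure
        }
    }

    # Re-read the zone so the caller sees the effective settings.
    Get-DnsServerZone -Name $ZoneName -ComputerName $ComputerName |
        Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, DynamicUpdate
}

# Dry run: -WhatIf lists the changes that would be made without applying them.
Set-SecureOnlyDynamicUpdate -ZoneName 'contoso.example' -ComputerName 'DC1' -WhatIf
```

Drop `-WhatIf` to apply the changes; the returned object should then show `IsDsIntegrated` as True and `DynamicUpdate` as Secure.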


