Your network consists of an Active Directory forest that contains one domain named
contoso.com. All domain controllers run Windows Server 2008 R2 and are configured as
DNS servers. You have two Active Directory-integrated zones: contoso.com and
nwtraders.com.
You need to ensure a user is able to modify records in the contoso.com zone. You must
prevent the user from modifying the SOA record in the nwtraders.com zone.
What should you do?
A.
From the Active Directory Users and Computers console, run the Delegation of Control
Wizard.
B.
From the Active Directory Users and Computers console, modify the permissions of the
Domain Controllers organizational unit (OU).
C.
From the DNS Manager console, modify the permissions of the contoso.com zone.
D.
From the DNS Manager console, modify the permissions of the nwtraders.com zone.
Explanation:
Answer) From the DNS Manager console, modify the permissions of the contoso.com zone.
Permissions on directory-integrated zones are set per zone object, so granting the user write access on contoso.com confers no rights on nwtraders.com; the SOA record there stays protected without an explicit Deny entry.
http://technet.microsoft.com/en-us/library/cc753213.aspx
Modify Security for a Directory-Integrated Zone
You can manage the discretionary access control list (DACL) on the DNS zones that are
stored in Active Directory Domain Services (AD DS). You can use the DACL to control the
permissions for the Active Directory users and groups that may control the DNS zones.
Membership in DnsAdmins or Domain Admins in AD DS, or the equivalent, is the minimum
required to complete this procedure.
To modify security for a directory-integrated zone:
1. Open DNS Manager.
2. In the console tree, click the applicable zone.
Where?
DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable
zone
3. On the Action menu, click Properties.
4. On the General tab, verify that the zone type is Active Directory-integrated.
5. On the Security tab, modify the list of member users or groups that are allowed to
securely update the applicable zone and reset their permissions as needed.
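The same delegation done from the command line, as an added example that is not part of the question or the TechNet procedure. It assumes names the text does not give: the user is CONTOSO\jsmith, both zones live in the DomainDnsZones application partition, and the script runs on a Windows Server 2008 R2 domain controller with the ActiveDirectory PowerShell module, which exposes a zone and each of its records (dnsNode objects, the SOA sitting on the apex node DC=@) as ordinary AD objects under an AD: drive.

```powershell
# Added example, not from the original page. Assumed, not stated in the question:
# user CONTOSO\jsmith, zones stored in DomainDnsZones, run on a 2008 R2 DC.
Import-Module ActiveDirectory

$user     = New-Object System.Security.Principal.NTAccount('CONTOSO', 'jsmith')
$zoneBase = 'CN=MicrosoftDNS,DC=DomainDnsZones,DC=contoso,DC=com'
$allowed  = "AD:\DC=contoso.com,$zoneBase"     # zone the user may edit
$denied   = "AD:\DC=nwtraders.com,$zoneBase"   # zone the user must not touch

# Rights equivalent to what the Security tab grants for editing records:
# create/delete dnsNode children and read/write their attributes, inherited
# by every node in the zone.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty'
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $user, $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path $allowed
$acl.AddAccessRule($rule)
Set-Acl -Path $allowed -AclObject $acl

# Verification helper: list the ACEs on an AD object that name this identity.
function Get-ZoneAcesFor {
    param(
        [string]$Path,
        [System.Security.Principal.NTAccount]$Identity
    )
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity.Value } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
}

Get-ZoneAcesFor -Path $allowed -Identity $user                            # expect the ACE just added
Get-ZoneAcesFor -Path $denied  -Identity $user                            # expect no output
Get-ZoneAcesFor -Path "AD:\DC=@,DC=nwtraders.com,$zoneBase" -Identity $user  # SOA apex node: expect no output
```

The third check matters: the SOA is not an attribute of the zone object but a record on the DC=@ node beneath it, so the absence of any ACE for the user there (explicit or inherited) is what shows the second requirement is met. If the zone is stored in ForestDnsZones or the domain partition instead, only $zoneBase changes. The check is also only meaningful if the user is not already in DnsAdmins or Domain Admins, whose membership grants rights on every zone regardless of per-zone DACLs.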
Further information:
http://support.microsoft.com/kb/163971
The Structure of a DNS SOA Record
The first resource record in any Domain Name System (DNS) Zone file should be a Start of
Authority (SOA) resource record. The SOA resource record indicates that this DNS name
server is the best source of information for the data within this DNS domain.
The SOA resource record contains the following information:
Source host – The host where the file was created.
Contact e-mail – The e-mail address of the person responsible for administering the domain’s
zone file. Note that a “.” is used instead of an “@” in the e-mail name.
Serial number – The revision number of this zone file. Increment this number each time the
zone file is changed. It is important to increment this value each time a change is made, so
that the changes will be distributed to any secondary DNS servers.
Refresh Time – The time, in seconds, a secondary DNS server waits before querying the
primary DNS server’s SOA record to check for changes. When the refresh time expires, the
secondary DNS server requests a copy of the current SOA record from the primary. The
primary DNS server complies with this request. The secondary DNS server compares the
serial number of the primary DNS server’s current SOA record and the serial number in its
own SOA record. If they are different, the secondary DNS server will request a zone transfer
from the primary DNS server. The default value is 3,600.
Retry time – The time, in seconds, a secondary server waits before retrying a failed zone
transfer. Normally, the retry time is less than the refresh time. The default value is 600.
Expire time – The time, in seconds, that a secondary server will keep trying to complete a
zone transfer. If this time expires prior to a successful zone transfer, the secondary server
will expire its zone file. This means the secondary will stop answering queries, as it
considers its data too old to be reliable. The default value is 86,400.
Minimum TTL – The minimum time-to-live value applies to all resource records in the zone
file. This value is supplied in query responses to inform other servers how long they should
keep the data in cache. The default value is 3,600.
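The SOA fields and the secondary's refresh decision described above, carried through in code. This is an added example, not part of the original page or the KB article: a small PowerShell parser for an SOA record in zone-file form (owner, TTL, class, SOA, source host, contact, then the five numeric fields), a check of the ordering rules the text states for the timers, and the serial comparison a secondary makes after its refresh timer expires. The two SOA lines are constructed sample input.

```powershell
# Added example, not from the original page. Sample records below are constructed.

function ConvertFrom-SoaRecord {
    param([Parameter(Mandatory)][string]$Text)
    # Zone-file layout: owner TTL class SOA mname rname serial refresh retry expire minimum
    $t = $Text.Trim() -split '\s+'
    if ($t.Count -ne 11 -or $t[3] -ne 'SOA') { throw "Not an 11-field SOA record: $Text" }
    [pscustomobject]@{
        Owner      = $t[0]
        Ttl        = [int]$t[1]
        SourceHost = $t[4]
        # The first '.' of the rname stands for '@' (hostmaster.contoso.com. -> hostmaster@contoso.com)
        Contact    = ($t[5].TrimEnd('.') -replace '^([^.]+)\.', '$1@')
        Serial     = [uint32]$t[6]
        Refresh    = [int]$t[7]
        Retry      = [int]$t[8]
        Expire     = [int]$t[9]
        MinimumTtl = [int]$t[10]
    }
}

function Test-SoaTimers {
    # Returns the timer relationships from the text that this record violates (empty = fine).
    param([Parameter(Mandatory)]$Soa)
    $issues = @()
    if ($Soa.Retry -ge $Soa.Refresh) {
        $issues += "retry ($($Soa.Retry)) should be less than refresh ($($Soa.Refresh))"
    }
    if ($Soa.Expire -le $Soa.Refresh) {
        $issues += "expire ($($Soa.Expire)) should exceed refresh ($($Soa.Refresh)), or secondaries discard the zone before they recheck it"
    }
    return $issues
}

function Test-ZoneTransferNeeded {
    # What a secondary decides when refresh expires: it fetches the primary's SOA and
    # requests a zone transfer if the serials differ (the comparison described above).
    param([uint32]$PrimarySerial, [uint32]$SecondarySerial)
    return $PrimarySerial -ne $SecondarySerial
}

# Constructed sample: the primary has been edited once since the secondary last synced.
$primary   = ConvertFrom-SoaRecord 'contoso.com. 3600 IN SOA dc1.contoso.com. hostmaster.contoso.com. 2012050102 3600 600 86400 3600'
$secondary = ConvertFrom-SoaRecord 'contoso.com. 3600 IN SOA dc1.contoso.com. hostmaster.contoso.com. 2012050101 3600 600 86400 3600'
$broken    = ConvertFrom-SoaRecord 'contoso.com. 3600 IN SOA dc1.contoso.com. hostmaster.contoso.com. 2012050101 3600 7200 1800 3600'

$primary.Contact                                                    # hostmaster@contoso.com
Test-SoaTimers $primary                                             # no output: defaults are consistent
Test-SoaTimers $broken                                              # two issues: retry >= refresh, expire <= refresh
Test-ZoneTransferNeeded $primary.Serial $secondary.Serial           # True: 2012050102 differs from 2012050101
```

The third sample record shows why the ordering matters: with retry above refresh a failed transfer is retried later than the next scheduled check, and with expire below refresh the secondary throws the zone away before it ever asks the primary again. On a Microsoft DNS server the same five timers are what the Start of Authority (SOA) tab of the zone properties edits.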
http://technet.microsoft.com/en-us/library/cc787600%28v=ws.10%29.aspx
Modify the start of authority (SOA) record for a zone
..
Notes: To perform this procedure, you must be a member of the Administrators group on the
local computer, or you must have been delegated the appropriate authority. If the computer
is joined to a domain, members of the Domain Admins group might be able to perform this
procedure. As a security best practice, consider using Run as to perform this procedure.