Your network contains an Active Directory domain named contoso.com. The DNS zone for
contoso.com is Active-Directory integrated.
The domain contains 500 client computers. There are an additional 20 computers in a workgroup.
You discover that every client computer on the network can add its record to the contoso.com zone.
You need to ensure that only the client computers in the Active Directory domain can register
records in the contoso.com zone.
What should you do?
A.
Sign the contoso.com zone by using DNSSEC.
B.
Configure the Dynamic updates settings of the contoso.com zone.
C.
Configure the Security settings of the contoso.com zone.
D.
Move the contoso.com zone to a domain controller that is configured as a DNS server.
Should be D
Only DNS servers that run on domain controllers can load Active Directory–integrated zones.
As I understand from the text Active Directory domain named contoso.com. the DNS zone for contoso.com (AD domain) is already Active-Directory integrated.
As DNS is running on A DC and is Active-Directory integrated, I think the answer is B.
https://technet.microsoft.com/en-us/library/cc978010.aspx
B is the correct answer.
The contoso.com zone is AD integrated, so you would need to change Dynamic Updates to “Secure Only”. This will ensure that only computers with AD accounts can register with/update DNS.