Windows Server 2003

Re: Not able to edit DNS-entries because of Security problem

 
Jonas Back_2
Super Advisor

Not able to edit DNS-entries because of Security problem

We have about 10 DNSAdmins, and the Domain/Enterprise Admins are generally not used because of security. We have AD-integrated zones and therefore, by default, all records have permissions set.

The problem we have is that these 10 DNSAdmins create records and, since they are the owner, only they and Domain/Ent. Admins can change/delete the record. And since we don't have any users who are members of these groups by default, we have a problem: we have to get an account that is a member of Domain/Ent. Admins, or the user himself, when we want to change/delete it. This is not very practical.

Does anyone have a suggestion for how to handle this situation? For example, is there a way to, by default, always add a group called "DNS Superadmins" automatically with Full Control permission on the records that are created?
Jerome Henry
Honored Contributor

Re: Not able to edit DNS-entries because of Security problem

Nope,

The workable solution would be to add a user to the DNSAdmin group....

J
You can lean only on what resists you...
Jon Finley
Honored Contributor

Re: Not able to edit DNS-entries because of Security problem

You "should" be able to "delegate" authority to whichever User or Group you want, that would then have access to all of the zones.

Jon
"Do or do not. There is no try!" - Yoda
Jonas Back_2
Super Advisor

Re: Not able to edit DNS-entries because of Security problem

Jerome: Sorry to argue, but I think you're wrong. I just tried - for the third time - to add an A RECORD with user1, who is a member of DNSAdmin. I logged in as user2, also a member of DNSAdmins (I'm sure they are - otherwise they wouldn't even be able to start the DNS MMC), and tried to delete the record - Access denied. None of the members are members of Domain/Enterprise Admins.

I looked at the Security and Owner tabs of the record. On Security you see that the only ones who have more permission than READ are:
DOMAIN\Administrators
DOMAIN\Domain Admins
DOMAIN\Enterprise Admins
ENTERPRISE DOMAIN CONTROLLERS
user1
SYSTEM

Of course - I could add the DNSAdmins group to have Full Control of the whole zone and inherit it to all records, but I was wondering if there was another way.
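
The situation described above, as an added example that is not part of any poster's message: a Python check that reads a record's security descriptor in SDDL string form and reports which trustees hold rights to change or delete it, first for a record with the ACL listed in the post and then with an inherited Full Control ACE for a delegated group. The SIDs, both SDDL strings and the group are constructed for illustration; the parser assumes two-letter rights codes, ignores deny ACEs, and does not resolve group membership.

```python
import re

# SDDL rights codes that allow changing or deleting a directory object.
MODIFY = {"GA", "GW", "WP", "SD", "DT", "WD", "WO"}
ALIASES = {"DA": "Domain Admins", "EA": "Enterprise Admins",
           "BA": "BUILTIN\\Administrators", "SY": "SYSTEM",
           "ED": "ENTERPRISE DOMAIN CONTROLLERS", "AU": "Authenticated Users"}

def record_writers(sddl):
    """Return {trustee: modify rights} granted by allow ACEs that apply to the object."""
    writers = {}
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        ace_type, flags, rights, _obj, _inh_obj, trustee = ace.split(";")[:6]
        if ace_type not in ("A", "OA"):          # allow ACEs only (simplification)
            continue
        if "IO" in re.findall("..", flags):      # inherit-only: not effective on this object
            continue
        if not re.fullmatch(r"(?:[A-Z]{2})*", rights):
            raise ValueError("hex access masks are not handled: " + rights)
        granted = MODIFY.intersection(re.findall("..", rights))
        if granted:
            name = ALIASES.get(trustee, trustee)
            writers.setdefault(name, set()).update(granted)
    return writers

def can_modify(sddl, trustee):
    """True if the trustee itself (not via a group it belongs to) holds a modify right."""
    return ALIASES.get(trustee, trustee) in record_writers(sddl)

# Constructed sample data (not taken from a real domain).
USER1 = "S-1-5-21-1111-2222-3333-1104"       # creator and owner of the record
DELEGATED = "S-1-5-21-1111-2222-3333-1150"   # hypothetical "DNS Superadmins" group
FULL = "RPWPCRCCDCLCLORCWOWDSDDTSW"          # Full Control as individual rights
READ = "RPLCLORC"

# ACL as listed in the post: admins, DCs, SYSTEM and the creator have more than READ.
BEFORE = (f"O:{USER1}G:DUD:"
          + "".join(f"(A;;{FULL};;;{t})" for t in ("BA", "DA", "EA", "ED", USER1, "SY"))
          + f"(A;;{READ};;;{DELEGATED})")
# Same record once the zone carries an inheritable Full Control ACE for the group
# (CI = inherits to child objects, ID = this ACE was inherited).
AFTER = BEFORE + f"(A;CIID;{FULL};;;{DELEGATED})"

if __name__ == "__main__":
    for label, sddl in (("before", BEFORE), ("after", AFTER)):
        print(label, "delegated group can modify:", can_modify(sddl, DELEGATED))
        for name, rights in sorted(record_writers(sddl).items()):
            print("   ", name, sorted(rights))
```
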
lee forrest_1
Advisor

Re: Not able to edit DNS-entries because of Security problem

Hello, search through this to understand DNS better:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dns/dns/r_gly.asp
Solutions are always there
Alexandre Lavoie
New Member

Re: Not able to edit DNS-entries because of Security problem

Hi Jonas,

It seems that we have a similar problem here since we upgraded from 2000 to 2003. Did you find any clue about this problem? I did a lot of searching and didn't find anything that could help me.

Thanks,

Alex
Jonas Back_2
Super Advisor

Re: Not able to edit DNS-entries because of Security problem

Hi Alexandre,

To be honest, I can't really remember since it was some time ago. Please let me try this and get back to you. I won't be able to try it out until sometime next week. Let me know if you find a solution.

/ Jonas