Question
Tuesday, November 27, 2018 2:10 PM
Hi!
I'm trying to delegate control of the DNS service to support personnel using the DnsAdmins group. In a test lab, a member user tries to create a Conditional Forwarder (AD integrated) and receives an "Access was denied" error. If the user tries to create a standard Conditional Forwarder (not AD integrated), it is created without errors. So, I suppose that the user does not have permissions in AD to store the Conditional Forwarder, but where is it stored? Or what is the right way to delegate the creation of Conditional Forwarders (AD integrated)?
Thanks in advance
Cristian L Ruiz
All replies (14)
Tuesday, November 27, 2018 3:51 PM
Hello,
Where is it stored?
It will depend on the scope you choose for the replication:
- If you choose All DC/DNS in the forest, it will be stored in CN=MicrosoftDNS,DC=ForestDNSZones,DC=xxxx,DC=xxxx
- If you choose All DC/DNS in the domain, it will be stored in CN=MicrosoftDNS,DC=DomainDNSZones,DC=xxx,DC=xxxx
- If you choose legacy, it will be stored in CN=MicrosoftDNS,CN=System,DC=xxxx,DC=xxxx
What is the right way to delegate the creation of Conditional Forwarders (AD integrated)?
Normally, by default, the DnsAdmins group should have the right to do it. Below is an example on MicrosoftDNS in DomainDNSZones:
Best Regards,
Wednesday, November 28, 2018 5:40 AM
Hi,
Totally agree with Dokoh's answer. Thanks for your effort, Dokoh.
If there is anything else we can do for you, Cristian, please feel free to post in the forum.
Regards,
Zoe
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Monday, December 3, 2018 1:53 AM
Hi,
Just checking in to see if the information provided was helpful.
Please let us know if you would like further assistance.
Best Regards,
Zoe
Tuesday, December 4, 2018 6:10 AM
Hi,
Was your issue resolved?
If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.
If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.
If no, please reply and tell us the current situation in order to provide further help.
Best Regards,
Zoe
Tuesday, December 4, 2018 7:35 AM
Hey Cristian,
Are you creating the conditional forwarder for an internal domain or external ones?
Open a command prompt in elevated mode.
Add the domain as a conditional forwarder:
dnscmd /ZoneAdd microsoft.com /Forwarder 207.46.197.XX
In case it fails, please check the DNS log and event log history to find the root cause.
Kindly check this link: https://www.dell.com/support/article/pk/en/pkbiz1/sln164002/how-to-create-a-conditional-forwarder-on-a-windows-dns-server?lang=en
Please mark as answer if you find it helpful.
Regards,
Taha
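The thread's creation step, written out with the replication scope made explicit, as an added example (not code from the thread or from Microsoft). It uses the DnsServer RSAT module's Add-DnsServerConditionalForwarderZone, which maps the three scopes to the three CN=MicrosoftDNS containers named earlier in the thread; the domain name, master addresses and function name are constructed placeholders, and the script assumes it runs on or targets a Windows DNS server.

```powershell
# Added example, not from the thread or from Microsoft: create a conditional forwarder with an
# explicit replication scope and report where it was stored. Assumes the DnsServer RSAT module,
# a reachable DNS server, and the constructed placeholder names/addresses below.
Import-Module DnsServer

function New-ScopedConditionalForwarder {
    param(
        [Parameter(Mandatory)] [string]   $Name,            # e.g. 'partner.example' (placeholder)
        [Parameter(Mandatory)] [string[]] $MasterServers,   # upstream DNS servers authoritative for $Name
        [ValidateSet('Forest', 'Domain', 'Legacy')]
        [string] $ReplicationScope = 'Domain',              # the scope that worked for DnsAdmins in the thread
        [string] $ComputerName = $env:COMPUTERNAME          # DNS server to run against
    )
    try {
        # Forest -> CN=MicrosoftDNS,DC=ForestDNSZones,...  (requires rights on the forest partition)
        # Domain -> CN=MicrosoftDNS,DC=DomainDNSZones,...
        # Legacy -> CN=MicrosoftDNS,CN=System,...
        Add-DnsServerConditionalForwarderZone -Name $Name -MasterServers $MasterServers `
            -ReplicationScope $ReplicationScope -ComputerName $ComputerName -ErrorAction Stop
    }
    catch {
        # "Access was denied" here with Forest scope is the symptom the thread describes:
        # the caller lacks rights on the ForestDNSZones container, not on the DNS service itself.
        Write-Warning ("Creating '{0}' with scope {1} failed: {2}" -f $Name, $ReplicationScope, $_.Exception.Message)
        return $null
    }
    # Confirm the zone type and which directory partition holds it.
    Get-DnsServerZone -Name $Name -ComputerName $ComputerName |
        Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, DirectoryPartitionName
}

# Constructed sample call (TEST-NET-1 addresses, placeholder domain):
New-ScopedConditionalForwarder -Name 'partner.example' -MasterServers '192.0.2.10', '192.0.2.11' -ReplicationScope Forest

# dnscmd equivalent for the same forest-wide scope (/DP selects the directory partition):
#   dnscmd /ZoneAdd partner.example /Forwarder 192.0.2.10 192.0.2.11 /DP /enterprise
```

Running the same call once with -ReplicationScope Domain and once with Forest, as the DnsAdmins test user, reproduces the split the thread reports and shows from the warning text which partition refused the write.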
Thursday, December 6, 2018 5:33 AM
Hi,
As this thread has been quiet for a while, we will propose the solution as answer. If you need further help, please feel free to reply this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish. BTW, we’d love to hear your feedback about the solution. By sharing your experience, you can help other community members facing similar problems. Thanks for your understanding and efforts.
Best Regards,
Zoe
Tuesday, December 11, 2018 1:28 PM
Sorry for my late reply, I was on vacation and now I'm back again.
I still have this issue.
What I have tested was to use a test user that is a member of the DnsAdmins group. Using this test user, I cannot create a conditional forwarder that is AD integrated using the configuration to replicate to all DNS servers of the forest.
The message/error is "A problem occurred while trying to add the conditional forwarder. Access was denied".
Now, if I don't choose the option to store the conditional forwarder in AD, it can be created without errors.
So, it is clear that the DnsAdmins group doesn't have permissions to write in AD.
Cristian L Ruiz
Tuesday, December 11, 2018 2:37 PM
Ok, so you need to check with ADSI if DnsAdmins has rights on the container, as said in the first post.
Best Regards,
Tuesday, December 11, 2018 3:49 PM
Ok, so you need to check with ADSI if DnsAdmins has rights on the container, as said in the first post.
Best Regards,
Ok, I'm going to do that.
But I tested it in 3 different 2008 R2 forests with the same behaviour, so it seems that it is something that the DnsAdmins group cannot do by default.
Cristian L Ruiz
Tuesday, December 11, 2018 5:35 PM
I cannot find those containers
Where can I find them?
CN=MicrosoftDNS,DC=ForestDNSZones,DC=xxxx,DC=xxxx
CN=MicrosoftDNS,DC=DomainDNSZones,DC=xxx,DC=xxxx
Cristian L Ruiz
Tuesday, December 11, 2018 6:58 PM
I'm having the following behaviour...
If I choose to store the conditional forwarder to replicate to all DNS servers in the forest, I get the error I described before. BUT! If I choose to store it in order to replicate to all DNS servers in the "domain", I can do it without errors.
So, it seems that the limitation is at forest level.
But! I have a weird behaviour!
If I create the conditional forwarder without choosing to store it in AD, I can create it without errors, as I already said. But then, if I edit the properties and change them to store it in order to replicate it to all DNS servers in the forest, I can do it without errors. ?
Cristian L Ruiz
Wednesday, December 12, 2018 7:31 AM
Ok, so you should check the rights on CN=MicrosoftDNS,DC=ForestDNSZones,DC=xxx,DC=xxx
Best Regards,
Friday, March 22, 2019 6:50 PM
In the "ForestDNSZones" partition, "DnsAdmins" is not part of the default ACL. Instead, Enterprise Admins are allowed to make changes.
Monday, March 25, 2019 7:05 AM
It seems that your issue is definitely related to the DnsAdmins group and the default rights on the ForestDNSZones partition.
By default, this group does not have any rights on this partition.
Best Regards,
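The ADSI check Dokoh suggests, and the conclusion the last two posts reach about the ForestDNSZones default ACL, scripted as an added example (not code from the thread or from Microsoft). It reads the ACL on each of the three CN=MicrosoftDNS containers named earlier in the thread, reports the ACEs held by DnsAdmins on each, and, only when asked with -Grant, adds the single narrow right the error points to: CreateChild limited to dnsZone objects on the forest container, rather than widening membership of Enterprise Admins. The function names are constructed; it assumes the ActiveDirectory RSAT module and a caller permitted to read (and, with -Grant, modify) those ACLs.

```powershell
# Added example, not from the thread or from Microsoft: audit (and optionally delegate) the
# rights DnsAdmins holds on the containers that store AD-integrated conditional forwarders.
# Assumes the ActiveDirectory RSAT module (which provides the AD: drive) and suitable rights.
Import-Module ActiveDirectory

function Get-DnsPartitionContainers {
    # The three MicrosoftDNS containers from the thread, built from this forest's own DNs.
    $rootDse  = Get-ADRootDSE
    $domainDn = $rootDse.defaultNamingContext      # DC=xxx,DC=xxx of the current domain
    $forestDn = $rootDse.rootDomainNamingContext   # DC=xxx,DC=xxx of the forest root domain
    [ordered]@{
        Forest = "CN=MicrosoftDNS,DC=ForestDNSZones,$forestDn"
        Domain = "CN=MicrosoftDNS,DC=DomainDNSZones,$domainDn"
        Legacy = "CN=MicrosoftDNS,CN=System,$domainDn"
    }
}

function Get-DnsZoneClassGuid {
    # schemaIDGUID of the dnsZone class, so a grant covers creating zone objects and nothing else.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=dnsZone)' -Properties schemaIDGUID
    [guid]$cls.schemaIDGUID
}

function Test-DnsAdminsDelegation {
    param(
        [string] $GroupName = 'DnsAdmins',   # group whose delegation is being audited
        [switch] $Grant                      # modify the Forest container only when explicitly requested
    )
    $group      = Get-ADGroup -Identity $GroupName
    $sid        = [System.Security.Principal.SecurityIdentifier] $group.SID
    $containers = Get-DnsPartitionContainers

    foreach ($scope in $containers.Keys) {
        $path = "AD:\" + $containers[$scope]
        $acl  = Get-Acl -Path $path
        # ACEs granted to the group by name (DOMAIN\DnsAdmins); inherited entries count too.
        $aces = $acl.Access | Where-Object { $_.IdentityReference.Value -like "*\$GroupName" }

        [pscustomobject]@{
            Scope     = $scope
            Container = $containers[$scope]
            GroupAces = ($aces | ForEach-Object { "$($_.AccessControlType) $($_.ActiveDirectoryRights)" }) -join '; '
        }

        $canCreate = $aces | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::CreateChild)
        }
        if ($Grant -and $scope -eq 'Forest' -and -not $canCreate) {
            # Least-privilege delegation: allow creating dnsZone children on this one container,
            # no inheritance, instead of adding support staff to Enterprise Admins.
            $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid,
                [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
                [System.Security.AccessControl.AccessControlType]::Allow,
                (Get-DnsZoneClassGuid),
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
            $acl.AddAccessRule($rule)
            Set-Acl -Path $path -AclObject $acl
            Write-Host "Granted CreateChild(dnsZone) to $GroupName on $($containers[$scope])"
        }
    }
}

# Audit only; add -Grant to delegate on the forest container after reviewing the output.
Test-DnsAdminsDelegation
```

On a default forest the audit output shows DnsAdmins ACEs on the Domain and Legacy containers but an empty GroupAces column for Forest, which matches the "Access was denied" seen only with forest-wide replication. Verify in a lab that CreateChild on dnsZone is sufficient for your support workflow before applying -Grant in production, and keep the grant non-inherited so it does not extend to every zone object beneath the container.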