Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Wednesday, March 16, 2011 3:13 PM
If we apply them to the MicrosoftDNS object in ADSIEdit will adminsdholder reset the permissions? We want permissions to be consistent across the domain and our zones are not inheritting DNSAdmins when we create them.
All replies (1)
Wednesday, March 16, 2011 3:50 PM âś…Answered | 1 vote
It's really not suggested to set permissions this way. Tha AdminSdHolder object will reset any changes to the default administrative groups in AD to protect the groups.
I believe your best bet is to use the default DNS Admin group. Then create a DNS MMC console on their machines and instruct them to connect to DNS using the console from their desktops to administer DNS. Here's more info. The ability to create the DNS console on their desktops depends on the DNS server operating system versions and desktop versions. For example, if DNS is running on a Windows 2003 DC, and the desktop is XP or Vista, they can use the AdminPak tools from Windows 2003. If DNS is on a 2008 or newer DC, and the desktop is Windows 7, they would need the RSAT or ADAC tools.
I hope you find this helpful.
All about Windows DNS
http://technet.microsoft.com/en-us/library/cc779380.aspx
Implementing the DNS Admins Role
http://technet.microsoft.com/en-us/library/cc756152(WS.10).aspx
DNSAdmins Group Permissions (An informative post by James Raines of Microsoft Corporation)
http://help.lockergnome.com/windows2/Admins-Group-Permissions--ftopict207210.html
Default groups (look at the DNSAdmins Group)
http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx
Delegate Control to DNS Zone in Active Directory
http://help.wugnet.com/windows2/Delegate-Control-Zone-Active-Directory-ftopict489902.h
Members of the DnsAdmins group on a Windows Server 2003-based DNS server cannot create new DNS zones that will be replicated to DNS servers in a domain or in a forest
http://support.microsoft.com/kb/939090
HOW TO: Add a User to the DNS Administrators Group in Windows 2000
http://support.microsoft.com/kb/303669
Ace
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
This posting is provided AS-IS with no warranties or guarantees and confers no rights.