Question
Wednesday, July 13, 2011 4:18 PM
Hello,
I want to delegate one of my users to manage the DNS records. But I don't want him to have any privilege to change the DNS server settings. What action can I take?
Thanks
All replies (9)
Wednesday, July 13, 2011 7:08 PM ✅Answered | 1 vote
You can add them to the DNS Admins group. If the user is using XP, you can install the adminpak.msi tools (located on a Windows 2003 server in the c:\windows\system32 folder), then he can open the DNS console on his desktop. If the user is using Vista or 7, you can download and install the RSAT tools. Once the RSAT tools are downloaded and installed, open Control Panel, Programs and Features, Turn Windows features on or off, and check the tools you want available under "Remote Server Administration Tools."
The RSAT version depends on the client version and platform:
Microsoft Remote Server Administration Tools for Windows Vista 32bit:
http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en
Microsoft Remote Server Administration Tools for Windows Vista 64bit:
http://www.microsoft.com/downloads/details.aspx?familyid=D647A60B-63FD-4AC5-9243-BD3C497D2BC5&displaylang=en
Description of Remote Server Administration Tools for Windows 7:
http://support.microsoft.com/default.aspx/kb/958830
Remote Server Administration Tools for Windows 7:
http://technet.microsoft.com/en-us/library/ee449475(WS.10).aspx
Ace
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Thursday, July 14, 2011 6:30 AM ✅Answered | 1 vote
Hi Insaf,
Thanks for posting here.
Is this a domain environment?
I'm afraid that only members of the Administrators group have rights to modify the records, which means that they can also modify the DNS settings at the same time.
Thanks.
Tiger Li
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Sunday, July 17, 2011 5:57 PM ✅Answered | 2 votes
Hi,
Please elaborate "manage the DNS records"?
Do you want to give them create and delete records permission only?
Adding the user to the Domain Admins group will give him too much power to do almost anything (I do not recommend that).
By default users cannot view the DNS console. However, you can give a user appropriate permission "for Read Only DNS"; this could be done with an RODC also.
Create a zone delegation
http://technet.microsoft.com/en-us/library/cc785881(WS.10).aspx
DNS Delegation
Delegation - Similar to what the root servers do for the top level domains (com, org, net etc.). They "know" there's something down there, they "know" which DNS server is holding that information (i.e. is authoritative for that domain), and that's about it.
In order to delegate a domain, the DNS that's delegating needs to hold the parent domain. For example, a DNS server holding the petri.co.il zone CAN delegate to the sales sub-domain under petri.co.il. It CANNOT delegate to the cnn.com domain.
Oh, and they do not need the sub-domain's permissions to do that.
To only grant some specific users 'Read' permission, you can refer to the following steps:
1) Right-click the DNS zone, choose Properties, and in the Security tab add the user to whom we want to grant permission.
2) In the Permissions tab, choose the 'Read' permission in the Allow column and explicitly check all the remaining permissions in the Deny column, such as Write, Create all child objects, etc.
Deny permissions take precedence over Allow permissions. In this way, we can prevent any permission inherited from the parents.
Please let me know what permissions you want to give to your user and I will try my best to help you.
Hope this helps.
Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Thursday, July 14, 2011 12:39 PM
Hello Thank you Ace and Li,
Yes, it's a Win 2008 domain environment. That's a possible solution from Ace to install RSAT and add the user to Domain Admin group. I was wondering, can I elevate the user with manageability DNS privileges using Active Directory delegation of authority?
Is there any option for that? And what is DNS Delegation?
BR/
Monday, July 18, 2011 4:49 AM
Delegating in AD won't work with what you're trying to do. Tanmoy provided another suggestion regarding setting Read permissions. From your original post, you wanted to allow them to manage DNS zone data, which I assume you want to do. Try the method I suggested. I was looking at a zone's properties on a customer machine and the DNS server properties showed the DnsAdmins group, but the zone properties didn't. I don't have access to a test DC and a test member server to add DNS and test it at the moment, but if simply adding them to this group and accessing it from a workstation with the Adminpak or RSAT tools doesn't work, I suggest following Tanmoy's suggestions, but adding Write and Delete permissions to be able to change zone data.
Ace
Ace Fekay
Monday, July 18, 2011 3:48 PM | 1 vote
Ace, interestingly enough, I came across this same need years ago. I tested and have implemented this solution over the years. Yes, you can add the DNSAdmins group to the ACL on the zone properties. This will provide the group with the ability to manage the zone of interest, depending on the permissions provided.
Visit: anITKB.com, an IT Knowledge Base.
Monday, July 18, 2011 3:54 PM | 1 vote
That's what I kind of thought, but I didn't remember. Then that's the solution! :-)
In addition, the users won't need to log on locally or interactively on the DCs in order to do this from a console on their desktops. :-)
Cheers!
Ace
Ace Fekay
Monday, July 18, 2011 7:23 PM | 1 vote
Oh, but it seems that the original poster wants this user to manage the zone records, but not the DNS Server settings. Adding the user to this group would provide both DNS Server Settings permissions and zone content if the ACL is modified.
Visit: anITKB.com, an IT Knowledge Base.
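The thread converges on editing the zone's own ACL rather than using DnsAdmins. The following is an added example (not code from any poster) that grants a dedicated group create/delete/write rights on the records of one AD-integrated zone, and then checks that the group is not nested in DnsAdmins or Domain Admins, which would hand it the server settings the original poster wants to withhold. The zone name and group name are constructed, and the zone is assumed to live in the DomainDnsZones partition.

```powershell
# Added example: delegate record management on one AD-integrated zone
# without granting DNS server settings. Zone/group names are constructed.
Import-Module ActiveDirectory

$zone  = 'corp.example.com'      # constructed zone name
$group = 'DNS-Record-Editors'    # constructed security group

$domainDN = (Get-ADDomain).DistinguishedName
# Assumption: zone is stored in DomainDnsZones (ForestDnsZones zones differ)
$zoneDN   = "DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN"
$sid      = (Get-ADGroup -Identity $group).SID

# Records are dnsNode child objects; look up the schema GUID so the
# rights apply only to records, not to the zone's own attributes.
$schemaNC    = (Get-ADRootDSE).SchemaNamingContext
$dnsNodeGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=dnsNode)' -Properties schemaIDGUID).schemaIDGUID

$acl = Get-Acl -Path "AD:\$zoneDN"

# Read the zone object and everything under it (needed to open it in the console)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'GenericRead', 'Allow', 'All')))
# Create and delete dnsNode (record) objects directly under the zone
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'CreateChild,DeleteChild', 'Allow', $dnsNodeGuid, 'None')))
# Modify existing records, but not the zone object itself
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'GenericWrite', 'Allow', 'Descendents', $dnsNodeGuid)))

Set-Acl -Path "AD:\$zoneDN" -AclObject $acl

# Verification: the delegated group must not inherit server-level rights
foreach ($privileged in 'DnsAdmins', 'Domain Admins') {
    $nested = Get-ADGroupMember -Identity $privileged -Recursive |
        Where-Object { $_.SID -eq $sid }
    if ($nested) { Write-Warning "$group is nested in $privileged; server settings exposed" }
}
(Get-Acl -Path "AD:\$zoneDN").Access |
    Where-Object { $_.IdentityReference -like "*\$group" } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, AccessControlType
```

The final table shows exactly what was granted on the zone, so an auditor can confirm the group has record rights only.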
Wednesday, August 17, 2011 2:25 AM
Very good feed Mr. Ace :)) Thanks