Permissions to create a new zone


Chris Henderson

Hi All,

I am having issues giving my "DNS Administrators" access to the DNS as far
as creating new zones. They can edit and add records to any of the zones but
if they need to create a new zone at the root of our domain, they cannot.
Do they need Domain Admin privileges or is there a way around this?

Thanks in advance,

Chris
 
To add to my question, they already are in the DNS Admin group and since the
AD was upgraded I had to give the DNSAdmin group full access to the top
level domain and all the child objects as per the MS article that mentioned
that. They can create and delete any records in the domains but they can't
create new zones
 
In
Chris Henderson said:
To add to my question, they already are in the DNS Admin
group and since the AD was upgraded I had to give the
DNSAdmin group full access to the top level domain and
all the child objects as per the MS article that
mentioned that. They can create and delete any records in
the domains but they can't create new zones

I'm assuming they are creating standard zone types, not AD integrated?
What permissions does the DNS admins group have on the
%systemroot%\system32\dns directory?
 
Hi Kevin,

Thanks for responding.

No, these are AD Integrated zones. That's what I don't understand. The domain
was upgraded from an NT 4.0 domain a year or so ago. When I initially added
my DNS Administrators to the DNSAdmins group they couldn't even delete
records from any of the zones. Then I read an article from MS that said to
give the DNS Admins group full access to the DNS server name and allow it to
propagate down to all child objects. This allowed them to delete records in
all the zones (we have tons of zones) but not create the zones.

Any ideas?

Chris
 
In
Chris Henderson said:
Hi Kevin,

Thanks for responding.

No, these are AD Integrated zones. That's what I don't understand. The
domain was upgraded from an NT 4.0 domain a year or so ago. When I
initially added my DNS Administrators to the DNSAdmins group they
couldn't even delete records from any of the zones. Then I read an
article from MS that said to give the DNS Admins group full access to
the DNS server name and allow it to propagate down to all child
objects. This allowed them to delete records in all the zones (we
have tons of zones) but not create the zones.
Any ideas?

Chris


Chris, you mentioned an article in both of your posts, but did not provide
it. Can you provide the article # or link?

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Paramount: What's up with taking Enterprise off the air??
=================================
 