Restrict Administrators from DNS

Thread starter: Randy Barger (ConsultIT)

I have a client who wants to separate the DNS Admin role from the Active
Directory admins. Essentially, only members of the DnsAdmins group should
have rights to administer DNS. Administrators should still be able to view
the zone, just not change records and settings. I want to use the Security
tabs to lock this down. Yes, I'm aware that Administrators would still have
the ability to "reset" the Security tab and get in, but we can audit that,
so that's ok.

What I'm looking for is a document or set of recommendations on specifically
what rights I should remove, and whether I should do this on the server
properties or the zone properties.

Thanks!

Randy Barger
MCT, MCSE, MCSA, CCNA, CCA, CNA
__________________________________________________

ConsultIT - http://ConsultIT.bizhosting.com/
Improving business through technology.
 
Randy,
Could you provide a little more information? Are the zones used on these
DNS servers stored in AD or file backed? Are they running DNS on the domain
controllers or on member servers?

And out of curiosity, what organizational issues are driving this
requirement?
 
All DNS zones are AD-integrated, and are hosted on forest root DCs.

The LAN group consists of the normal server administrators, who are all
members of Domain Admins and Enterprise Admins. The WAN group "owns" DNS,
and doesn't want the LAN group to have access to change settings/records in
DNS. WAN team members are in the DnsAdmins group. All departments are in
agreement with this management policy. If I can't make the security work
properly, they will investigate moving DNS to a non-W2K system, where only
the WAN group has access. I don't want to see that happen.

Randy Barger
 
Randy,
I'll run a couple of tests and try this scenario out today and let you know if
I can make it work.
I think we can remove Domain Admins and Enterprise admins from the
write/full-control ACLs on the DNS server and on the DNS Zones and make this
work the way you want it to.

--
Michael Snyder
Active Directory Admin Tool Test

This posting is provided "AS IS" with no warranties, and confers no rights.

 
I got the response below from the private newsgroups, and thought I'd post
here. I haven't tested it yet, but it looks right.

Randy Barger


-------------------------------------------------------------------

Hi Randy,

Thanks for posting here!

According to your description, I understand that you would like to prevent
some admins from modifying your DNS settings.

If you would like to prevent users other than DNSAdmins from creating or
deleting DNS Zones, you may need to change the Security settings on the
server's properties. To do so, please refer to the following steps:

1. Open DNS snap-in.
2. Right-click your server name and then click Properties.
3. Click Security.
4. Modify the settings as below:
DNSAdmins: Full Control
SYSTEM: Full Control
Other groups or users: Only Read permission.
5. Click OK.

After that, only the users in DNSAdmins can create or delete Zones.

If you would like to prevent users other than DNSAdmins from modifying
records under zones, you may need to change the Security settings on the
properties of all the present Zones. To do so, please refer to the
following steps:
1. Open DNS snap-in. Expand to the zone that you need to modify security
settings.
2. Right-click the zone and then click Properties.
3. On the General tab, choose "No" for "Allow dynamic update" and then
click Apply.
4. Click Security.
5. Verify that the settings are as below:
Enterprise Domain Controllers: Full Control
DNSAdmins: Full Control
SYSTEM: Full Control
Other groups or users: Only Read permission.
6. Click OK.

After that, only users in DNSAdmins can create, delete or modify the
records under this Zone. You may need to repeat the steps on each zone as
desired.

However, as you know already, other administrators may still have
permissions to get around this.

Hope this can help!

Have a great day!

Thanks & Regards,

Kyle Cui
Microsoft Online Partner Support
MCSE2000, MCDBA2000

Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.
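The two replies above (Michael's "remove Domain Admins and Enterprise Admins from the write/full-control ACLs on the server and the zones" and Kyle's Security-tab walkthrough) describe the same ACL change. The following is an added example, not code from the thread or from Microsoft: it applies that model with the ActiveDirectory PowerShell module (AD: drive) instead of the DNS snap-in, and also adds the audit ACE Randy alludes to, so that an administrator who "resets" the Security tab (a WriteDacl or WriteOwner on the object) shows up in the Security log. Assumptions, all labelled in the code: the domain is whatever `Get-ADDomain` returns, the script runs on a forest-root DC hosting DNS with AD-integrated zones, the caller can still write these ACLs (a Domain Admin running it before the lockdown, or a DnsAdmins member) and holds the "Manage auditing and security log" right, and "Audit Directory Service Access" is enabled so the SACL produces event 4662. The group name `DnsAdmins` and the object paths are the standard ones; everything else is illustrative.

```powershell
# Added example (not from the thread): the ACL model in the replies above, applied
# with the ActiveDirectory module instead of the DNS snap-in, plus a SACL entry so
# that an admin who "resets" the Security tab (WriteDacl / WriteOwner) is logged.
# ASSUMPTIONS: domain taken from Get-ADDomain; run on a forest-root DC that hosts
# DNS with AD-integrated zones; the caller may still write these ACLs and holds
# SeSecurityPrivilege; "Audit Directory Service Access" is enabled (event 4662).
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$forestDN = (Get-ADDomain (Get-ADForest).RootDomain).DistinguishedName
$netbios  = $domain.NetBIOSName
$dnsRoot  = "AD:\CN=MicrosoftDNS,CN=System,$domainDN"   # backs server Properties > Security

$GA  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll    # GUI "Full Control"
$GR  = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead   # GUI "Read"
$WD  = [System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner'
$All = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

$dnsAdmins = [System.Security.Principal.NTAccount]"$netbios\DnsAdmins"
$system    = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'   # SYSTEM
$entDCs    = [System.Security.Principal.SecurityIdentifier]'S-1-5-9'    # Enterprise Domain Controllers
$everyone  = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
# The LAN team, demoted to Read. Authenticated Users and the other default ACEs
# are left alone: secure dynamic update relies on their "Create all child objects".
$adminGroups = @("$netbios\Domain Admins", "$netbios\Enterprise Admins", 'BUILTIN\Administrators')

function New-DnsAce([System.Security.Principal.IdentityReference]$Who, $Rights) {
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Who, $Rights, [System.Security.AccessControl.AccessControlType]::Allow, $All)
}

function Lock-DnsObject([string]$Path, [System.Security.Principal.IdentityReference[]]$FullControl) {
    # 1. Cut inheritance, keeping copies of the inherited ACEs, and persist, so the
    #    Administrators / Enterprise Admins rights flowing down from CN=System or
    #    the partition head become explicit ACEs that can actually be removed.
    $acl = Get-Acl -Path $Path -Audit
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    # 2. Strip every Allow ACE the admin groups hold, then re-grant Read only.
    $acl = Get-Acl -Path $Path -Audit
    foreach ($ace in @($acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]))) {
        if ($adminGroups -contains $ace.IdentityReference.Value -and $ace.AccessControlType -eq 'Allow') {
            $acl.RemoveAccessRuleSpecific($ace)
        }
    }
    foreach ($g in $adminGroups) { $acl.AddAccessRule((New-DnsAce ([System.Security.Principal.NTAccount]$g) $GR)) }

    # 3. Full Control for the principals the reply lists for this object type.
    foreach ($id in $FullControl) { $acl.AddAccessRule((New-DnsAce $id $GA)) }

    # 4. SACL: record anyone who rewrites the DACL or takes ownership (the "reset").
    $acl.AddAuditRule([System.DirectoryServices.ActiveDirectoryAuditRule]::new(
        $everyone, $WD, [System.Security.AccessControl.AuditFlags]::Success, $All))
    Set-Acl -Path $Path -AclObject $acl
}

# Server-level object: DnsAdmins and SYSTEM full control, the admin groups read.
Lock-DnsObject -Path $dnsRoot -FullControl @($dnsAdmins, $system)

# Zone objects: Enterprise Domain Controllers are added so the DCs can still
# write their own records. Zones live in CN=System on Windows 2000 and in the
# DomainDnsZones / ForestDnsZones partitions on 2003 and later; check all three.
$searchBases = @($domainDN, "DC=DomainDnsZones,$domainDN", "DC=ForestDnsZones,$forestDN")
foreach ($base in $searchBases) {
    # RootDNSServers and the "..TrustAnchors"/"..InProgress" objects are not real zones.
    Get-ADObject -LDAPFilter '(objectClass=dnsZone)' -SearchBase $base -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'RootDNSServers' -and $_.Name -notlike '..*' } |
        ForEach-Object { Lock-DnsObject -Path "AD:\$($_.DistinguishedName)" -FullControl @($dnsAdmins, $system, $entDCs) }
}

# Check: who can still do more than read on a DNS object after the change?
function Get-DnsWriters([string]$Path) {
    (Get-Acl -Path $Path).GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.ActiveDirectoryRights -band $GR) -ne $_.ActiveDirectoryRights) } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}
Get-DnsWriters $dnsRoot
```

Three points of design worth noting. First, the example deliberately departs from "other groups or users: Read only" taken literally: it only demotes the three admin groups, because removing Authenticated Users' create-child right from an AD-integrated zone is what breaks secure dynamic update (and DC SRV registration), which is presumably why the reply also turns dynamic update off; the example leaves the zone's dynamic-update setting untouched. Second, blocking inheritance and persisting before editing matters: until the inherited ACEs are converted to explicit ones, removing them has no effect and the Administrators rights keep flowing down from CN=System. Third, this is separation of duties, not a privilege reduction: the owner of these objects (normally Domain Admins) keeps implicit WRITE_DAC, which is exactly the "reset" path the SACL catches, and members of DnsAdmins can in turn make the DNS service load a server-level plugin DLL running as the service on the DC, so the WAN team must be trusted at DC level either way.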
 