WINDOWS 2003 DNS AD integrated "DNS Admins" is not inherited on Zones

WonderBoy

Hi Everyone

I have a Windows 2003 forest with root domain and child domain.
When I create a new zone the DNSAdmins group is not automatically
assigned rights on it. I have looked all over the net and I can't find
out where to set permissions, inheritance so that new zones will have
"DNSAdmins" with full control on the newly created zone.

Any thoughts?

We are running all zones as AD integrated, secure dynamic updates
only.

Thanks

Jason Hammond
 
Right-click (zone) Properties, Security tab.

Same idea, for the server itself too.

This can also be done from a GPO for the Service at least, and by
SubInAcl.exe or the (free) SetAcl from SourceForge.net.
 
Thanks for the reply but I know how to apply permissions to the zone
after it's created. That's not what my question is. I want the zone to
inherit the DNSAdmins group when I create it automatically like it
should. Otherwise I have to grant staff Domain Admin rights just so
they can create new Zones.

I know others have seen this issue where DNSAdmins group is not being
inherited on newly created zones.
 
Where would it inherit from? You can make someone a DNS-Server admin,
but I am not even sure that will cause them to have permission on every
zone, i.e., on zones they don't create.
 
I'm also curious why "dnsadmins" group doesn't have permission at the zone
level. The group has "Full Control" permission at the server level but not
propagated -- "This object only". I found two articles which appear (to me)
to give different descriptions of what permissions the "dnsadmins" group has.

1. Default Groups
http://technet2.microsoft.com/Windo...ef34-4f77-9c2e-94a62f8846cf1033.mspx?mfr=true
Which states ...
DnsAdmins (installed with DNS) : Members of this group have administrative
access to the DNS Server service. This group has no default members.

2. How DNS Works
http://technet2.microsoft.com/Windo...cc53-4ded-a7a3-abaf82e7fb7c1033.mspx?mfr=true
Which states ...
By default, the DNSAdmins group has full control of all zones and records in
the Windows Server 2003 domain in which it is specified.


Thanks.
 