Windows 2003 DNS Server rights issue

Apparently there is a permissions issue regarding hosting DNS zones in the ForestDNSZones or DomainDNSZones partitions in Server 2003. I haven’t looked to see if this has been resolved in 2008. The issue and its solution are detailed in Microsoft KB939090.

This issue occurs because of the permissions that are set in the Active Directory directory service….
The members of the DnsAdmins group do not have permissions on the following application partitions:
CN=MicrosoftDNS,DC=ForestDNSZones,DC=Domain…
CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain…

The documented solution is to edit your Active Directory with ADSIEdit and go in to fix the problem:

To resolve this issue, set permissions for the DnsAdmins group on the DomainDNSZones application partition and on the ForestDNSZones application partition.

We have taken a pretty close look at manipulating permissions in AD with PowerShell before, covering:
Standard Rights
Removing Rights in AD
Inheritance and Propagation
Extended Rights
and Controlling Access Rights in AD

We’re going to build a function similar to Add-DsAce.ps1 we used in the Standard Rights post, but this time we’re going to use a slightly different constructor, so that we can apply the correct inheritance. We want this to affect “This object and all Child Objects”, which means we need to use:

[System.DirectoryServices.ActiveDirectorySecurityInheritance]"SelfAndChildren"

So, our modified function looks like this:

#-------------------------------------------------------------------
function Add-DsAce
#-------------------------------------------------------------------
{
    Param (
        $DSobject,
        $Identifier,
        $DSrights,
        $AccessType = "Allow",
        $Inheritance = "SelfAndChildren"
    )
    # Resolve the trustee name to an NTAccount. Translate() throws if the
    # account cannot be resolved, so it doubles as a sanity check on $Identifier.
    $account = New-Object System.Security.Principal.NTAccount($Identifier)

    # Retrieve the SID - as a manual step you can check it's not empty :)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])

    # Cast the requested inheritance to the enum. The default, SelfAndChildren,
    # applies the ACE to the object itself and its immediate child objects.
    $Inheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($account, $DSrights, $AccessType, $Inheritance)
    $DSobject.psbase.ObjectSecurity.AddAccessRule($ace)
    $DSobject.psbase.CommitChanges()
}
#-------------------------------------------------------------------

Now that we have the ability to modify the AD, and presuming we dot source the newly created function, we could do the following:

$root = [adsi]""
# The two MicrosoftDNS containers named in KB939090, built from the current domain DN
$ForestDNSZones = [adsi]("LDAP://CN=MicrosoftDNS,DC=ForestDNSZones," + $root.distinguishedName)
$DomainDNSZones = [adsi]("LDAP://CN=MicrosoftDNS,DC=DomainDNSZones," + $root.distinguishedName)

Add-DsAce $ForestDNSZones "DnsAdmins" "GenericAll"
Add-DsAce $DomainDNSZones "DnsAdmins" "GenericAll"

Basically, we’ve bound to AD via ADSI so that we can dynamically provide the domain DN, and the two locations in AD we want to apply the ACE to. Then it’s just a matter of passing the created function the parameters needed.
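As an added example (not part of the original post), here is a small wrapper that reads back the DnsAdmins ACEs on both MicrosoftDNS containers, only calls Add-DsAce when no explicit entry exists yet, and then reports what is in the DACL so you can confirm the fix landed. It assumes Add-DsAce from above is dot-sourced and that you run it with an account allowed to write the DACL on those containers (normally Domain or Enterprise Admins).

```powershell
# Added example, not from the original post. Assumes Add-DsAce is dot-sourced.
function Get-DnsAdminsAce {
    Param ($DSobject, $Identity = "DnsAdmins")
    # Explicit and inherited rules, with the trustee resolved to DOMAIN\name
    $DSobject.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -like "*\$Identity" }
}

function Test-DnsAdminsAce {
    Param ($DSobject, $Identity = "DnsAdmins")
    # True when the group already has an explicit (non-inherited) Allow ACE here,
    # which is exactly what is missing on the 2003 partitions described in KB939090
    foreach ($r in (Get-DnsAdminsAce $DSobject $Identity)) {
        if ($r.AccessControlType -eq "Allow" -and -not $r.IsInherited) { return $true }
    }
    return $false
}

$root = [adsi]""
$domainDN = $root.distinguishedName
$targets = @(
    [adsi]("LDAP://CN=MicrosoftDNS,DC=ForestDNSZones," + $domainDN),
    [adsi]("LDAP://CN=MicrosoftDNS,DC=DomainDNSZones," + $domainDN)
)

foreach ($t in $targets) {
    if (Test-DnsAdminsAce $t) {
        "DnsAdmins already has an explicit ACE on " + $t.distinguishedName + " - not changing it"
    } else {
        Add-DsAce $t "DnsAdmins" "GenericAll"
        "Added GenericAll for DnsAdmins on " + $t.distinguishedName
    }
    # Show the resulting entries. Note the InheritanceType column: the W2008 default
    # uses All (container, zones and records), whereas SelfAndChildren stops one
    # level below the container, so zones are covered but not the records under them.
    Get-DnsAdminsAce $t | Select-Object ActiveDirectoryRights, InheritanceType, IsInherited
}
```

Run it once before applying the fix to capture the starting state, and again afterwards; on a DC that already ships the explicit entry it changes nothing.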

2 thoughts on “Windows 2003 DNS Server rights issue”

  1. Default DNS rights at a W2008 DC :

    PS I:\Users\Administrator> $DomainDNSZones.PSBase.ObjectSecurity.GetAccessRules($true,$true, [System.Security.Principal.NTAccount]) |? {$_.IdentityReference -eq ‘POSHWORKS\DnsAdmins’}

    ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, GenericWrite, WriteDacl, WriteOwner
    InheritanceType : All
    ObjectType : 00000000-0000-0000-0000-000000000000
    InheritedObjectType : 00000000-0000-0000-0000-000000000000
    ObjectFlags : None
    AccessControlType : Allow
    IdentityReference : POSHWORKS\DnsAdmins
    IsInherited : False
    InheritanceFlags : ContainerInherit
    PropagationFlags : None

    Enjoy,

    Greetings /\/\o\/\/

  2. MoW,

    Cool, thanks for the clarification. I suspected they would have resolved this for 2008, but hadn’t had chance to look.

    Cheers

    Adam :)
