We have 3 AD-Integrated Primary Forest DNS Zones:
company.net (forest root domain)
corporate.company.net (child domain)
retailstores.company.net (child domain)
Our DNS Servers are only on our domain controllers (all 20 DCs in the forest
host the zones).
We have security group called "DNS Record Administrators" and we have just delegated them Full Control on these 3 zones. They appear as full control on the zones after being added so that works correctly. When they create a record, all is well. However all of the existing records don't list this new group in their Security (ACL). It appears I cannot change security on more than 1 record at a time in the DNS Administration snap-in nor ADSI Edit to give them permission to modify the existing records... how do I get them access to all the existing records?