Advanced DNS Security - Modify A Record ACL via a Script

Posted on 2008-10-06
Last Modified: 2012-05-22
I performed a restore of an AD integrated Primary Zone in DNS, but it didn't restore the security properties for the records (this isn't possible with the type of backup we have).  All A records now have the default permissions for the Zone.  I want to add the HOSTNAME$ to the ACL for each A record in the Zone by writing a script.  I need to make sure computers and servers are able to modify their own A records.  My scripting skills are advanced; however, I can't find any WMI property or API that modifies the ACL for individual DNS records.  Does anyone know of a command line tool or other method to modify the security for a DNS record other than doing it manually through the DNS MMC?  I don't want to modify the permissions on the Zone, only individual records in the Zone.
Question by:PKundtz
11 Comments
Expert Comment

by:deadite
I skimmed the MSDN site, but didn't see anything on ACEs or ACLs. Here is the link:

http://msdn.microsoft.com/en-us/library/ms682100%28VS.85%29.aspx

Maybe you can find something useful.  Otherwise, I would suggest looking for a script that modifies permissions in AD or DHCP because the code is probably similar.
Author Comment

by:PKundtz
I've heard the suggestion to increase the refresh interval for dynamic updates on clients via GPO and then turn off secure updates in DNS.  This will allow clients to update their records, but I'm not sure if their computer object gets added to the ACL on the record.  I want to avoid unsecured updates if possible.  I could always delete the client records and let them refresh.  I'll need to be cautious with the servers and update the ACLs individually.  This may be my only alternative if I can't find a way to script the ACL changes on individual records.
Accepted Solution

by:Chris Dent (earned 500 total points)

Hey :)

> Does anyone know of a command line tool or other method to modify the security for a DNS record
> other than doing it manually through the DNS MMC?  

Yes, but you're looking in the wrong direction. There's no difference between this and assigning permissions to objects in AD. DNS Records are stored in AD after all (for AD Integrated zones).

What's your preferred scripting language?

Chris
Author Comment

by:PKundtz
VBSCRIPT.  Where in AD are the records stored?  I was browsing through ADSIEdit and couldn't find them, but I honestly didn't spend more than 5 minutes on it.
Assisted Solution

by:Chris Dent (earned 500 total points)

It depends on your replication scope.

These are the locations:

"To all Domain Controllers in the Active Directory Domain ..":

ADSIEdit / Domain / CN=System / CN=MicrosoftDNS

Or:

AD Users and Computers / View + Advanced Features / System / MicrosoftDNS

Beneath that you should see each zone for that scope.

"To all DNS Servers in the Active Directory Domain ..":

ADSIEdit / Connect To ... / Select or type... / DC=DomainDNSZones,DC=yourdomain,DC=com

Then MicrosoftDNS as above.

"To all DNS Servers in the Active Directory Forest ..":

ADSIEdit / Connect To ... / Select or type... / DC=ForestDNSZones,DC=yourdomain,DC=com

Again, MicrosoftDNS under that.

Chris

Expert Comment

by:Chris Dent

For the replication scope, I'm referring to the "Replication" option visible when you open the properties for the zone in the DNS console.

Chris
Author Comment

by:PKundtz
Replication for my domain zone is set to all DNS Servers in the Domain.  The MicrosoftDNS container does not have a container for my domain zone in ADUC (Advanced Settings), but I could connect to DC=DomainDNSZones,DC=yourdomain,DC=com in ADSIEdit and see what I need.  I believe I have a way to modify the permissions from here.  I'll test and post some code to let you know if it works.  Thanks!
Author Comment

by:PKundtz
A lot of time went into this problem.  I think I have it.  Here's the basic script to modify an A record's DACL and give the computer full control over the record.  I didn't include any error handling or the loop to modify all computers at once.  Thanks for pointing me in the right direction!
Const ADS_ACETYPE_ACCESS_ALLOWED = 0

strComputer = "COMPUTER" 'NetBIOS name
strDomain = "DOMAIN" 'NT domain name, not the FQDN

'The dnsNode object for the A record: DC=FQDN is the zone name, and the trailing
'DCs are the DomainDnsZones partition of your domain.
Set objDNSRecord = GetObject("LDAP://DC=" & strComputer & ",DC=FQDN,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=com")
Set objNtSecurityDescriptor = objDNSRecord.Get("ntSecurityDescriptor")
Set DACL = objNtSecurityDescriptor.DiscretionaryAcl

'List existing ACEs in the DACL (you can omit if you don't care to see them)
WScript.Echo "Trustee, Access Mask, ACE Flags, ACE Type"
For Each Obj In DACL
    WScript.Echo Obj.Trustee & "," & Obj.AccessMask & "," & Obj.AceFlags & "," & Obj.AceType
Next
WScript.Echo ""

'Modify the DACL with a new ACE
Set ACE = CreateObject("AccessControlEntry")
ACE.AccessMask = -1                      'all bits set = full control on the record
ACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
'AceFlags holds inheritance flags (ADS_ACEFLAG_ENUM), not access rights. The original
'assigned ADS_RIGHT_WRITE_OWNER (&H80000) here, which is an access right and not a valid
'ACE flag; 0 (no inheritance flags) is the intended value for an explicit ACE on one record.
ACE.AceFlags = 0
ACE.Trustee = strDomain & "\" & strComputer & "$"
DACL.AddAce ACE
objNtSecurityDescriptor.DiscretionaryAcl = DACL
objDNSRecord.Put "ntSecurityDescriptor", objNtSecurityDescriptor
objDNSRecord.SetInfo

WScript.Echo ACE.Trustee & " was added to the DACL for " & strComputer

Expert Comment

by:Chris Dent

Good stuff, glad you found it :-D

Chris
Expert Comment

by:Mark_Mckie
Hey Guys

We are having big issues with this; we have changed all the variables but keep getting the error code below:

Error: A referral was returned from the server
Code 8007202B

How would this work with AD 2003 and how could we loop the script?

Pleeeeeaaaseeee help.
Author Comment

by:PKundtz
Here's the example above put into a loop.  You can put your list of computer names into a text file that the script will read - 1 line per computer name.

Error Code 8007202B probably indicates you didn't enter the proper domain name in the variable.

Const ADS_ACETYPE_ACCESS_ALLOWED = 0

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objInFile = objFSO.OpenTextFile("ComputerList.txt", 1) '1 = ForReading; one NetBIOS name per line
strDomain = "DOMAIN" 'NT domain name, not the FQDN

Do Until objInFile.AtEndOfStream
    strComputer = Trim(objInFile.ReadLine)
    If strComputer <> "" Then
        'The dnsNode object for this computer's A record (DC=FQDN is the zone name)
        Set objDNSRecord = GetObject("LDAP://DC=" & strComputer & ",DC=FQDN,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=com")
        Set objNtSecurityDescriptor = objDNSRecord.Get("ntSecurityDescriptor")
        Set DACL = objNtSecurityDescriptor.DiscretionaryAcl
        'Modify the DACL with a new ACE
        Set ACE = CreateObject("AccessControlEntry")
        ACE.AccessMask = -1                      'all bits set = full control on the record
        ACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
        'No inheritance flags. The original put ADS_RIGHT_WRITE_OWNER here, but that is an
        'access right, not an ACE flag.
        ACE.AceFlags = 0
        ACE.Trustee = strDomain & "\" & strComputer & "$"
        DACL.AddAce ACE
        objNtSecurityDescriptor.DiscretionaryAcl = DACL
        objDNSRecord.Put "ntSecurityDescriptor", objNtSecurityDescriptor
        objDNSRecord.SetInfo
        WScript.Echo ACE.Trustee & " was added to the DACL for " & strComputer
    End If
Loop

objInFile.Close


The code worked for me a few years ago.  I haven't tested it on newer AD domains, and I don't have a lab set-up to help you.  Hopefully you can get it to work for your problem.
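An added PowerShell version, not code from this thread: it walks the zone container Chris Dent located (the DomainDnsZones partition) and applies the same per-record ACE change as PKundtz's loop script, but it skips nodes that already carry an explicit ACE for the computer, so it can be re-run, and it reports only until $Apply is set. It assumes the ActiveDirectory module; the zone and domain names are placeholders.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and its AD: drive.
Import-Module ActiveDirectory

$Zone   = 'zone.example.com'   # placeholder: the AD-integrated zone name
$ZoneDn = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com"  # "all DNS servers in the domain" scope
$Apply  = $false               # $false = report only; $true = write the ACLs

$sidType = [System.Security.Principal.SecurityIdentifier]
# One dnsNode object per record name; its dc attribute is the name (the DC= RDN).
$nodes = Get-ADObject -SearchBase $ZoneDn -LDAPFilter '(objectClass=dnsNode)' -Properties dc

foreach ($node in $nodes) {
    $name = $node.dc
    # '@', '_msdcs', service-record names and so on have no computer account; skip them.
    $computer = Get-ADComputer -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $computer) { continue }

    $path = "AD:\$($node.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # Explicit (non-inherited) allow ACEs, keyed by SID, so a second run changes nothing.
    $existing = $acl.GetAccessRules($true, $false, $sidType) | Where-Object {
        $_.IdentityReference -eq $computer.SID -and $_.AccessControlType -eq 'Allow'
    }
    if ($existing) {
        Write-Output "$name : $($computer.SamAccountName) already has an explicit ACE"
        continue
    }

    # GenericAll mirrors the thread's AccessMask = -1 (full control). GenericWrite is the
    # narrower choice if the host only needs to update its own record data.
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $computer.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow
    $acl.AddAccessRule($rule)

    if ($Apply) {
        Set-Acl -Path $path -AclObject $acl
        Write-Output "$name : granted $($computer.SamAccountName) full control"
    } else {
        Write-Output "$name : would grant $($computer.SamAccountName) full control (set `$Apply = `$true to apply)"
    }
}
```

For the "all DNS servers in the forest" scope, change the partition in $ZoneDn to ForestDnsZones; for the "all domain controllers" scope, use CN=MicrosoftDNS,CN=System under the domain naming context.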