Solved

Advanced DNS Security - Modify A Record ACL via a Script

Posted on 2008-10-06
3,346 Views
Last Modified: 2012-05-22
I performed a restore of an AD integrated Primary Zone in DNS, but it didn't restore the security properties for the records (this isn't possible with the type of backup we have).  All A records now have the default permissions for the Zone.  I want to add the HOSTNAME$ to the ACL for each A record in the Zone by writing a script.  I need to make sure computers and servers are able to modify their own A records.  My scripting skills are advanced; however, I can't find any WMI property or API that modifies the ACL for individual DNS records.  Does anyone know of a command line tool or other method to modify the security for a DNS record other than doing it manually through the DNS MMC?  I don't want to modify the permissions on the Zone, only individual records in the Zone.
Question by:PKundtz
11 Comments
 
LVL 8

Expert Comment

by:deadite
ID: 22655780
I skimmed the MSDN site, but didn't see anything on ACEs or ACLs...  Here is the link:

http://msdn.microsoft.com/en-us/library/ms682100%28VS.85%29.aspx

Maybe you can find something useful.  Otherwise, I would suggest looking for a script that modifies permissions in AD or DHCP because the code is probably similar.
 
LVL 2

Author Comment

by:PKundtz
ID: 22655964
I've heard the suggestion to increase the refresh interval for dynamic updates on clients via GPO and then turn off secure updates in DNS.  This will allow clients to update their records, but I'm not sure if their computer object gets added to the ACL on the record.  I want to avoid unsecured updates if possible.  I could always delete the client records and let them refresh.  I'll need to be cautious with the servers and update the ACLs individually.  This may be my only alternative if I can't find a way to script the ACL changes on individual records.
 
LVL 71

Accepted Solution

by:Chris Dent
Chris Dent earned 2000 total points
ID: 22657638

Hey :)

> Does anyone know of a command line tool or other method to modify the security for a DNS record
> other than doing it manually through the DNS MMC?  

Yes, but you're looking in the wrong direction. There's no difference between this and assigning permissions to objects in AD. DNS Records are stored in AD after all (for AD Integrated zones).

What's your preferred scripting language?

Chris
 
LVL 2

Author Comment

by:PKundtz
ID: 22661772
VBScript.  Where in AD are the records stored?  I was browsing through ADSIEdit and couldn't find them, but I honestly didn't spend more than 5 minutes on it.
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 2000 total points
ID: 22663829

It depends on your replication scope.

These are the locations:

"To all Domain Controllers in the Active Directory Domain ..":

ADSIEdit / Domain / CN=System / CN=MicrosoftDNS

Or:

AD Users and Computers / View + Advanced Features / System / MicrosoftDNS

Beneath that you should see each zone for that scope.

"To all DNS Servers in the Active Directory Domain ..":

ADSIEdit / Connect To ... / Select or type... / DC=DomainDNSZones,DC=yourdomain,DC=com

Then MicrosoftDNS as above.

"To all DNS Servers in the Active Directory Forest ..":

ADSIEdit / Connect To ... / Select or type... / DC=ForestDNSZones,DC=yourdomain,DC=com

Again, MicrosoftDNS under that.

Chris
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22663834

For the replication scope, I'm referring to the "Replication" option visible when you open the properties for the zone in the DNS console.

Chris
 
LVL 2

Author Comment

by:PKundtz
ID: 22664371
Replication for my domain zone is set to all DNS Servers in the Domain.  The MicrosoftDNS container does not have a container for my domain zone in ADUC (Advanced Settings), but I could connect to DC=DomainDNSZones,DC=yourdomain,DC=com in ADSIEdit and see what I need.  I believe I have a way to modify the permissions from here.  I'll test and post some code to let you know if it works.  Thanks!
 
LVL 2

Author Comment

by:PKundtz
ID: 22665327
A lot of time went into this problem.  I think I have it.  Here's the basic script to modify an A record's DACL and give the computer full control over the record.  I didn't include any error handling or the loop to modify all computers at once.  Thanks for pointing me in the right direction!
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
strComputer = "COMPUTER"         'NetBIOS name of the host whose A record is being fixed
strDomain = "DOMAIN"             'NT domain name, not the FQDN
strZone = "zone.fqdn"            'Name of the AD integrated zone (usually the domain's FQDN)
strDomainDN = "DC=domain,DC=com" 'DN of the domain that holds the DC=DomainDnsZones partition
 
'A zone replicated to all DNS servers in the domain keeps its records under DC=DomainDnsZones
Set objDNSRecord = GetObject("LDAP://DC=" & strComputer & ",DC=" & strZone & ",CN=MicrosoftDNS,DC=DomainDnsZones," & strDomainDN)
Set objNtSecurityDescriptor = objDNSRecord.Get("ntSecurityDescriptor")
Set DACL = objNtSecurityDescriptor.DiscretionaryAcl
 
'List existing ACEs in the DACL (you can omit this if you don't care to see them)
Wscript.Echo "Trustee, Access Mask, ACE Flags, ACE Type"
For Each Obj In DACL
   Wscript.Echo Obj.Trustee & "," & Obj.AccessMask & "," & Obj.AceFlags & "," & Obj.AceType
Next
 
Wscript.Echo ""
 
'Modify the DACL with a new ACE
Set ACE = CreateObject("AccessControlEntry")
ACE.AccessMask = -1                       'All rights set = Full Control over the record
ACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED  'An Allow ACE
ACE.AceFlags = 0                          'No inheritance flags; the ACE applies to this record only
ACE.Trustee = strDomain & "\" & strComputer & "$"
DACL.AddAce ACE
objNtSecurityDescriptor.DiscretionaryAcl = DACL
objDNSRecord.Put "ntSecurityDescriptor", objNtSecurityDescriptor
objDNSRecord.SetInfo
Wscript.Echo ACE.Trustee & " was added to the DACL for " & strComputer

 
LVL 71

Expert Comment

by:Chris Dent
ID: 22667191

Good stuff, glad you found it :-D

Chris
 

Expert Comment

by:Mark_Mckie
ID: 37992893
Hey Guys

We are having big issues with this. We have changed all the variables but keep getting the error code below:

Error: A referral was returned from the server
Code 8007202B

How would this work with AD 2003 and how could we loop the script?

Pleeeeeaaaseeee help.
 
LVL 2

Author Comment

by:PKundtz
ID: 37999174
Here's the example above put into a loop.  You can put your list of computer names into a text file that the script will read - 1 line per computer name.

Error Code 8007202B probably indicates you didn't enter the proper domain name in the variable.

Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objInFile = objFSO.OpenTextFile("ComputerList.txt", 1) 'One NetBIOS computer name per line
strDomain = "DOMAIN"             'NT domain name, not the FQDN
strZone = "zone.fqdn"            'Name of the AD integrated zone (usually the domain's FQDN)
strDomainDN = "DC=domain,DC=com" 'DN of the domain that holds DC=DomainDnsZones; a wrong value here produces error 8007202B (referral)
 
Do Until objInFile.AtEndOfStream
  strComputer = Trim(objInFile.ReadLine)
  If strComputer <> "" Then
    'Bind to the record; report and skip a name that has no record instead of aborting the whole run
    On Error Resume Next
    Set objDNSRecord = GetObject("LDAP://DC=" & strComputer & ",DC=" & strZone & ",CN=MicrosoftDNS,DC=DomainDnsZones," & strDomainDN)
    lngErr = Err.Number
    strErr = Err.Description
    On Error GoTo 0
    If lngErr <> 0 Then
      Wscript.Echo "Could not bind to the record for " & strComputer & ": " & Hex(lngErr) & " " & strErr
    Else
      Set objNtSecurityDescriptor = objDNSRecord.Get("ntSecurityDescriptor")
      Set DACL = objNtSecurityDescriptor.DiscretionaryAcl
      'Modify the DACL with a new ACE
      Set ACE = CreateObject("AccessControlEntry")
      ACE.AccessMask = -1                       'All rights set = Full Control over the record
      ACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED  'An Allow ACE
      ACE.AceFlags = 0                          'No inheritance flags; the ACE applies to this record only
      ACE.Trustee = strDomain & "\" & strComputer & "$"
      DACL.AddAce ACE
      objNtSecurityDescriptor.DiscretionaryAcl = DACL
      objDNSRecord.Put "ntSecurityDescriptor", objNtSecurityDescriptor
      objDNSRecord.SetInfo
      Wscript.Echo ACE.Trustee & " was added to the DACL for " & strComputer
    End If
  End If
Loop

objInFile.Close


The code worked for me a few years ago.  I haven't tested it on newer AD domains, and I don't have a lab set-up to help you.  Hopefully you can get it to work for your problem.
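A PowerShell version of the procedure worked out in this thread, added here as an example; it is not code from the original question or answers. It builds each record's DN from the zone's replication scope using the three locations Chris Dent lists (CN=System, DC=DomainDnsZones, DC=ForestDnsZones), takes the naming contexts from RootDSE so the "referral was returned" error from a mistyped domain DN cannot occur, checks whether DOMAIN\HOST$ already holds full control before adding an ACE, and honours -WhatIf so the run can be rehearsed first. The parameter names, the ComputerList.txt layout (one NetBIOS host name per line) and the sample values in the comments are assumptions, not details from the page.

```powershell
<#
  Added example, not code from the original thread. Grants a computer account full control
  over its own A record (a dnsNode object) in an AD integrated zone, the same change the
  VBScript above makes, using System.DirectoryServices. Assumptions: parameter names below,
  one NetBIOS host name per line in ComputerList.txt, and that the caller holds WriteDacl
  on the dnsNode objects.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)] [string] $ZoneName,        # zone name, e.g. corp.example.com (constructed)
    [Parameter(Mandatory = $true)] [string] $NetBiosDomain,   # NT domain name, e.g. CORP (constructed)
    [ValidateSet('Domain', 'DomainDnsZones', 'ForestDnsZones')]
    [string] $ReplicationScope = 'DomainDnsZones',           # the zone's "Replication" setting in the DNS console
    [string] $ComputerListPath = '.\ComputerList.txt'
)

# Map the replication scope to the partition that holds CN=MicrosoftDNS and build the zone's DN.
function Get-DnsZoneDn {
    param([string] $Zone, [string] $Scope)
    $rootDse  = [ADSI] 'LDAP://RootDSE'
    $domainNc = "$($rootDse.defaultNamingContext)"
    $forestNc = "$($rootDse.rootDomainNamingContext)"
    $base = switch ($Scope) {
        'Domain'         { "CN=System,$domainNc" }          # all domain controllers in the domain
        'DomainDnsZones' { "DC=DomainDnsZones,$domainNc" }  # all DNS servers in the domain
        'ForestDnsZones' { "DC=ForestDnsZones,$forestNc" }  # all DNS servers in the forest
    }
    return "DC=$Zone,CN=MicrosoftDNS,$base"
}

# Return the DACL of one record as trustee/rights/type rows, for a before-and-after check.
function Get-DnsRecordAce {
    param([string] $RecordDn)
    $entry = [ADSI] "LDAP://$RecordDn"
    $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        ForEach-Object {
            [pscustomobject]@{
                Trustee = $_.IdentityReference.Value
                Rights  = $_.ActiveDirectoryRights
                Type    = $_.AccessControlType
            }
        }
}

# Add an Allow / GenericAll ACE for DOMAIN\HOST$ to the record, unless one is already present.
function Grant-DnsRecordToOwner {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string] $ZoneDn, [string] $HostName, [string] $Domain)

    $recordDn = "DC=$HostName,$ZoneDn"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$recordDn")) {
        Write-Warning "No dnsNode object at $recordDn; skipping $HostName"
        return
    }

    # Resolve the computer account up front so a typo fails here, not inside the ACL write.
    $account = New-Object System.Security.Principal.NTAccount($Domain, "$HostName`$")
    try   { $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { Write-Warning "Cannot resolve $Domain\$HostName`$: $_"; return }

    $entry = [ADSI] "LDAP://$recordDn"
    $acl   = $entry.psbase.ObjectSecurity
    $full  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    # Idempotence: skip records that already carry an Allow ACE with full control for this SID.
    $already = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value -and
                       $_.AccessControlType -eq 'Allow' -and
                       ($_.ActiveDirectoryRights -band $full) -eq $full }
    if ($already) { Write-Verbose "$HostName already has full control on its record"; return }

    if ($PSCmdlet.ShouldProcess($recordDn, "grant Full Control to $Domain\$HostName`$")) {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $full, [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        $entry.psbase.CommitChanges()
        Write-Output "$Domain\$HostName`$ was added to the DACL for $HostName"
    }
}

$zoneDn = Get-DnsZoneDn -Zone $ZoneName -Scope $ReplicationScope
Get-Content -Path $ComputerListPath |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ } |
    ForEach-Object { Grant-DnsRecordToOwner -ZoneDn $zoneDn -HostName $_ -Domain $NetBiosDomain }
```

Run it once with -WhatIf to see which records would change, then without; Get-DnsRecordAce can be called on a record's DN before and after to confirm the new ACE and that nothing else on the record moved. The example grants GenericAll because that is the thread's stated goal (full control over the record); the existence check and the SID lookup are what keep a re-run from stacking duplicate ACEs or writing an unresolvable trustee into the DACL.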
