Solved

Advanced DNS Security - Modify A Record ACL via a Script

Posted on 2008-10-06
11
3,274 Views
Last Modified: 2012-05-22
I performed a restore of an AD integrated Primary Zone in DNS, but it didn't restore the security properties for the records (this isn't possible with the type of backup we have).  All A records now have the default permissions for the Zone.  I want to add the HOSTNAME$ to the ACL for each A record in the Zone by writing a script.  I need to make sure computers and servers are able to modify their own A records.  My scripting skills are advanced; however, I can't find any WMI property or API that modifies the ACL for individual DNS records.  Does anyone know of a command line tool or other method to modify the security for a DNS record other than doing it manually through the DNS MMC?  I don't want to modify the permissions on the Zone, only individual records in the Zone.
0
Comment
Question by:PKundtz
11 Comments
 
LVL 8

Expert Comment

by:deadite
ID: 22655780
I skimmed the MSDN site, but didn't see anything on ACEs or ACLs... Here is the link:

http://msdn.microsoft.com/en-us/library/ms682100%28VS.85%29.aspx

Maybe you can find something useful.  Otherwise, I would suggest looking for a script that modifies permissions in AD or DHCP because the code is probably similar.
0
 
LVL 2

Author Comment

by:PKundtz
ID: 22655964
I've heard the suggestion to increase the refresh interval for dynamic updates on clients via GPO and then turn off secure updates in DNS.  This will allow clients to update their records, but I'm not sure if their computer object gets added to the ACL on the record.  I want to avoid unsecured updates if possible.  I could always delete the client records and let them refresh.  I'll need to be cautious with the servers and update the ACLs individually.  This may be my only alternative if I can't find a way to script the ACL changes on individual records.
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 22657638

Hey :)

> Does anyone know of a command line tool or other method to modify the security for a DNS record
> other than doing it manually through the DNS MMC?  

Yes, but you're looking in the wrong direction. There's no difference between this and assigning permissions to objects in AD. DNS Records are stored in AD after all (for AD Integrated zones).

What's your preferred scripting language?

Chris
0
 
LVL 2

Author Comment

by:PKundtz
ID: 22661772
VBSCRIPT.  Where in AD are the records stored?  I was browsing through ADSIEdit and couldn't find them, but I honestly didn't spend more than 5 minutes on it.
0
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 500 total points
ID: 22663829

It depends on your replication scope.

These are the locations:

"To all Domain Controllers in the Active Directory Domain ..":

ADSIEdit / Domain / CN=System / CN=MicrosoftDNS

Or:

AD Users and Computers / View + Advanced Features / System / MicrosoftDNS

Beneath that you should see each zone for that scope.

"To all DNS Servers in the Active Directory Domain ..":

ADSIEdit / Connect To ... / Select or type... / DC=DomainDNSZones,DC=yourdomain,DC=com

Then MicrosoftDNS as above.

"To all DNS Servers in the Active Directory Forest ..":

ADSIEdit / Connect To ... / Select or type... / DC=ForestDNSZones,DC=yourdomain,DC=com

Again, MicrosoftDNS under that.

Chris
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22663834

For the replication scope, I'm referring to the "Replication" option visible when you open the properties for the zone in the DNS console.

Chris
0
 
LVL 2

Author Comment

by:PKundtz
ID: 22664371
Replication for my domain zone is set to all DNS Servers in the Domain.  The MicrosoftDNS container does not have a container for my domain zone in ADUC (Advanced Settings), but I could connect to DC=DomainDNSZones,DC=yourdomain,DC=com in ADSIEdit and see what I need.  I believe I have a way to modify the permissions from here.  I'll test and post some code to let you know if it works.  Thanks!
0
 
LVL 2

Author Comment

by:PKundtz
ID: 22665327
A lot of time went into this problem.  I think I have it.  Here's the basic script to modify an A record's DACL and give the computer full control over the record.  I didn't include any error handling or the loop to modify all computers at once.  Thanks for pointing me in the right direction!
Const ADS_ACETYPE_ACCESS_ALLOWED = 0   'ACE type: access allowed
Const FULL_CONTROL = -1                'every access-mask bit set (full control)
strComputer = "COMPUTER" 'Netbios name
strDomain = "DOMAIN" 'NT Domain Name, not the FQDN

'The record is a dnsNode object under the zone container in the DomainDnsZones partition.
'Replace FQDN with the zone name and DC=domain,DC=com with your domain's DN.
Set objDNSRecord = GetObject("LDAP://DC=" & strComputer & ",DC=FQDN,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=com")
Set objNtSecurityDescriptor = objDNSRecord.Get("ntSecurityDescriptor")
Set DACL = objNtSecurityDescriptor.DiscretionaryAcl

'List existing ACEs in the DACL (you can omit if you don't care to see them)
Wscript.Echo "Trustee, Access Mask, ACE Flags, ACE Type"
For Each Obj In DACL
   Wscript.Echo Obj.Trustee & "," & Obj.AccessMask & "," & Obj.ACEFlags & "," & Obj.ACEType
Next

Wscript.Echo ""

'Modify the DACL with a new ACE
Set ACE = CreateObject("AccessControlEntry")
ACE.AccessMask = FULL_CONTROL
ACE.ACEType = ADS_ACETYPE_ACCESS_ALLOWED
ACE.ACEFlags = 0   'no inheritance flags: a DNS record node has no child objects
ACE.Trustee = strDomain & "\" & strComputer & "$"
DACL.AddAce ACE
objNtSecurityDescriptor.DiscretionaryAcl = DACL
objDNSRecord.Put "ntSecurityDescriptor", objNtSecurityDescriptor
objDNSRecord.SetInfo
Wscript.Echo ACE.Trustee & " was added to the DACL for " & strComputer

0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22667191

Good stuff, glad you found it :-D

Chris
0
 

Expert Comment

by:Mark_Mckie
ID: 37992893
Hey Guys

We are having big issues with this; we have changed all the variables but keep getting the error code below:

Error: A referral was returned from the server
Code 8007202B

How would this work with AD 2003 and how could we loop the script?

Pleeeeeaaaseeee help.
0
 
LVL 2

Author Comment

by:PKundtz
ID: 37999174
Here's the example above put into a loop.  You can put your list of computer names into a text file that the script will read - 1 line per computer name.

Error Code 8007202B probably indicates you didn't enter the proper domain name in the variable.

Const ADS_ACETYPE_ACCESS_ALLOWED = 0   'ACE type: access allowed
Const FULL_CONTROL = -1                'every access-mask bit set (full control)
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objInFile = objFSO.OpenTextFile("ComputerList.txt", 1)
strDomain = "DOMAIN Name" 'NT Domain Name, not the FQDN

Do Until objInFile.AtEndOfStream
  strComputer = Trim(objInFile.ReadLine)
  If strComputer <> "" Then
    'Replace FQDN with the zone name and DC=domain,DC=com with your domain's DN.
    Set objDNSRecord = GetObject("LDAP://DC=" & strComputer & ",DC=FQDN,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=com")
    Set objNtSecurityDescriptor = objDNSRecord.Get("ntSecurityDescriptor")
    Set DACL = objNtSecurityDescriptor.DiscretionaryAcl
    'Modify the DACL with a new ACE
    Set ACE = CreateObject("AccessControlEntry")
    ACE.AccessMask = FULL_CONTROL
    ACE.ACEType = ADS_ACETYPE_ACCESS_ALLOWED
    ACE.ACEFlags = 0   'no inheritance flags: a DNS record node has no child objects
    ACE.Trustee = strDomain & "\" & strComputer & "$"
    DACL.AddAce ACE
    objNtSecurityDescriptor.DiscretionaryAcl = DACL
    objDNSRecord.Put "ntSecurityDescriptor", objNtSecurityDescriptor
    objDNSRecord.SetInfo
    Wscript.Echo ACE.Trustee & " was added to the DACL for " & strComputer
  End If
Loop

objInFile.Close


The code worked for me a few years ago.  I haven't tested it on newer AD domains, and I don't have a lab set-up to help you.  Hopefully you can get it to work for your problem.
0
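A PowerShell version of the loop above, added here as an example (not PKundtz's code and not from the thread): it derives the zone container from the replication scope Chris Dent lists, so the DN is looked up rather than typed, and adds the Full Control ACE only when the computer account does not already hold one, then reads the ACL back to confirm. It assumes the ActiveDirectory module and its AD: drive; the function names and the zone corp.example.com are placeholders of mine.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module
# (which provides the AD: drive used by Get-Acl/Set-Acl) and an account allowed to edit dnsNode ACLs.
Import-Module ActiveDirectory

# Map the zone's replication scope to the container Chris Dent describes.
function Get-DnsZoneContainer {
    param([string]$Zone, [ValidateSet('Domain','Forest','Legacy')][string]$Scope)
    $domainDn = (Get-ADDomain).DistinguishedName
    $root = switch ($Scope) {
        'Domain' { "DC=DomainDnsZones,$domainDn" }
        'Forest' { "DC=ForestDnsZones,$((Get-ADRootDSE).rootDomainNamingContext)" }
        'Legacy' { "CN=System,$domainDn" }
    }
    return "DC=$Zone,CN=MicrosoftDNS,$root"
}

# Grant each listed computer account Full Control over its own dnsNode (A record),
# skipping nodes where an identical Allow ACE is already present.
function Grant-DnsNodeSelfControl {
    param([string]$Zone, [string]$Scope, [string]$ComputerListPath)
    $container = Get-DnsZoneContainer -Zone $Zone -Scope $Scope
    $netbios = (Get-ADDomain).NetBIOSName
    $names = Get-Content $ComputerListPath | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($name in $names) {
        $node = Get-ADObject -SearchBase $container -SearchScope OneLevel -LDAPFilter "(&(objectClass=dnsNode)(name=$name))"
        if (-not $node) { Write-Warning "No record '$name' under $container"; continue }
        $sid = (Get-ADComputer -Identity $name).SID
        $path = "AD:\$($node.DistinguishedName)"
        $acl = Get-Acl -Path $path
        $present = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq "$netbios\$name$" -and
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights -eq 'GenericAll'
        }
        if ($present) { Write-Host "$name already has Full Control on its record"; continue }
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        Set-Acl -Path $path -AclObject $acl
        # Read the ACL back so the result is confirmed rather than assumed.
        $check = (Get-Acl -Path $path).Access | Where-Object { $_.IdentityReference.Value -eq "$netbios\$name$" }
        if ($check) { Write-Host "Added $netbios\$name$ to the DACL for $name" }
        else { Write-Warning "ACL write for $name did not take effect" }
    }
}

Grant-DnsNodeSelfControl -Zone 'corp.example.com' -Scope Domain -ComputerListPath '.\ComputerList.txt'
```

Because the search base comes from Get-ADDomain rather than a typed DN, the mistyped-domain cause of the 8007202B referral error mentioned above does not arise.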
