Advanced DNS Security - Modify A Record ACL via a Script

Posted on 2008-10-06
Last Modified: 2012-05-22
I performed a restore of an AD integrated Primary Zone in DNS, but it didn't restore the security properties for the records (this isn't possible with the type of backup we have).  All A records now have the default permissions for the Zone.  I want to add the HOSTNAME$ to the ACL for each A record in the Zone by writing a script.  I need to make sure computers and servers are able to modify their own A records.  My scripting skills are advanced; however, I can't find any WMI property or API that modifies the ACL for individual DNS records.  Does anyone know of a command line tool or other method to modify the security for a DNS record other than doing it manually through the DNS MMC?  I don't want to modify the permissions on the Zone, only individual records in the Zone.
Question by:PKundtz

Expert Comment

by:deadite
ID: 22655780
I skimmed the MSDN site, but didn't see anything on ACEs or ACLs...  Here is the link:

http://msdn.microsoft.com/en-us/library/ms682100%28VS.85%29.aspx

Maybe you can find something useful.  Otherwise, I would suggest looking for a script that modifies permissions in AD or DHCP because the code is probably similar.

Author Comment

by:PKundtz
ID: 22655964
I've heard the suggestion to increase the refresh interval for dynamic updates on clients via GPO and then turn off secure updates in DNS.  This will allow clients to update their records, but I'm not sure if their computer object gets added to the ACL on the record.  I want to avoid unsecured updates if possible.  I could always delete the client records and let them refresh.  I'll need to be cautious with the servers and update the ACLs individually.  This may be my only alternative if I can't find a way to script the ACL changes on individual records.

Accepted Solution

by:Chris Dent (earned 500 total points)
ID: 22657638

Hey :)

> Does anyone know of a command line tool or other method to modify the security for a DNS record
> other than doing it manually through the DNS MMC?  

Yes, but you're looking in the wrong direction. There's no difference between this and assigning permissions to objects in AD. DNS Records are stored in AD after all (for AD Integrated zones).

What's your preferred scripting language?

Chris

Author Comment

by:PKundtz
ID: 22661772
VBScript.  Where in AD are the records stored?  I was browsing through ADSIEdit and couldn't find them, but I honestly didn't spend more than 5 minutes on it.

Assisted Solution

by:Chris Dent
ID: 22663829

It depends on your replication scope.

These are the locations:

"To all Domain Controllers in the Active Directory Domain ..":

ADSIEdit / Domain / CN=System / CN=MicrosoftDNS

Or:

AD Users and Computers / View + Advanced Features / System / MicrosoftDNS

Beneath that you should see each zone for that scope.

"To all DNS Servers in the Active Directory Domain ..":

ADSIEdit / Connect To ... / Select or type... / DC=DomainDNSZones,DC=yourdomain,DC=com

Then MicrosoftDNS as above.

"To all DNS Servers in the Active Directory Forest ..":

ADSIEdit / Connect To ... / Select or type... / DC=ForestDNSZones,DC=yourdomain,DC=com

Again, MicrosoftDNS under that.

Chris

Expert Comment

by:Chris Dent
ID: 22663834

For the replication scope, I'm referring to the "Replication" option visible when you open the properties for the zone in the DNS console.

Chris
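The three containers Chris lists, checked by script instead of by clicking through ADSIEdit: this is an added PowerShell example, not code from the thread. It finds the zone's dnsZone object in whichever container matches the zone's "Replication" setting and then lists each record's owner and Allow trustees with the same Get-Acl you would use on any AD object, which is Chris's point that DNS records are ordinary directory objects. It assumes the RSAT ActiveDirectory module (for Get-ADObject and the AD: drive), a zone name passed in as a placeholder parameter, and that it runs on or against a domain controller that actually holds the partition; a DC that does not hold a partition answers the bind with a referral rather than the object, which the script treats as "not here" and moves on.

```powershell
<#
Added example (not from the thread). Locates an AD-integrated zone's dnsZone
object in whichever of the three DNS containers holds it, then lists every
live dnsNode under it with its owner and the Allow trustees in its DACL.
Assumes: RSAT ActiveDirectory module; run against a DC holding the partition.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$ZoneName   # placeholder, e.g. 'corp.example.com'
)
Import-Module ActiveDirectory

$domainDN     = (Get-ADDomain).DistinguishedName
$forestRootDN = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName

# One entry per value of the zone's "Replication" setting in the DNS console.
$scopes = [ordered]@{
    'All DCs in the domain (Windows 2000 style)' = "CN=MicrosoftDNS,CN=System,$domainDN"
    'All DNS servers in the domain'              = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN"
    'All DNS servers in the forest'              = "CN=MicrosoftDNS,DC=ForestDnsZones,$forestRootDN"
}

function Find-DnsZoneObject {
    param([string]$Name)
    foreach ($scope in $scopes.Keys) {
        try {
            $zone = Get-ADObject -SearchBase $scopes[$scope] -SearchScope OneLevel `
                -LDAPFilter "(&(objectClass=dnsZone)(name=$Name))" -ErrorAction Stop
        } catch {
            # Container missing, or this DC does not host the partition and
            # returned a referral instead. Try the next scope.
            continue
        }
        if ($zone) {
            return [pscustomobject]@{ Scope = $scope; DistinguishedName = $zone.DistinguishedName }
        }
    }
}

function Get-DnsNodeAcl {
    param([string]$ZoneDN)
    # dNSTombstoned nodes are deleted records still awaiting garbage collection.
    Get-ADObject -SearchBase $ZoneDN -SearchScope OneLevel `
        -LDAPFilter '(objectClass=dnsNode)' -Properties dNSTombstoned |
      Where-Object { -not $_.dNSTombstoned } |
      ForEach-Object {
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        [pscustomobject]@{
            Record    = $_.Name          # '@' is the zone apex node
            Owner     = $acl.Owner
            AllowAces = ($acl.Access |
                Where-Object { $_.AccessControlType -eq 'Allow' } |
                ForEach-Object { "$($_.IdentityReference)=$($_.ActiveDirectoryRights)" }) -join '; '
        }
      }
}

$zone = Find-DnsZoneObject -Name $ZoneName
if (-not $zone) { throw "Zone '$ZoneName' not found in any DNS partition held by this DC." }
Write-Host "Zone '$ZoneName' is stored at $($zone.DistinguishedName) ($($zone.Scope))"
Get-DnsNodeAcl -ZoneDN $zone.DistinguishedName | Format-Table -AutoSize -Wrap
```

Run it on a domain controller (or any DNS server that is a DC) as an account that can read the DNS partitions; the Record/Owner/AllowAces table shows immediately which records lost their HOSTNAME$ entry in the restore and which still carry it.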

Author Comment

by:PKundtz
ID: 22664371
Replication for my domain zone is set to all DNS Servers in the Domain.  The MicrosoftDNS container does not have a container for my domain zone in ADUC (Advanced Settings), but I could connect to DC=DomainDNSZones,DC=yourdomain,DC=com in ADSIEdit and see what I need.  I believe I have a way to modify the permissions from here.  I'll test and post some code to let you know if it works.  Thanks!

Author Comment

by:PKundtz
ID: 22665327
A lot of time went into this problem.  I think I have it.  Here's the basic script to modify an A record's DACL and give the computer full control over the record.  I didn't include any error handling or the loop to modify all computers at once.  Thanks for pointing me in the right direction!
' ADSI constants (ADS_ACETYPE_ENUM / ADS_ACEFLAG_ENUM)
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACEFLAG_NONE = 0          ' no inheritance flags: the ACE applies to this record only
Const ADS_RIGHT_FULL_CONTROL = -1   ' every access bit set ("Full Control")

strComputer = "COMPUTER"                            ' NetBIOS name
strDomain   = "DOMAIN"                              ' NT domain name, not the FQDN
strZone     = "FQDN"                                ' zone name as shown in the DNS console
strZonesDN  = "DC=DomainDnsZones,DC=domain,DC=com"  ' partition that matches the zone's replication scope

' The A record is a dnsNode object named after the host, directly under the zone's dnsZone object
Set objDNSRecord = GetObject("LDAP://DC=" & strComputer & ",DC=" & strZone & ",CN=MicrosoftDNS," & strZonesDN)
Set objNtSecurityDescriptor = objDNSRecord.Get("ntSecurityDescriptor")
Set DACL = objNtSecurityDescriptor.DiscretionaryAcl

' List existing ACEs in the DACL (you can omit this if you don't care to see them)
WScript.Echo "Trustee, Access Mask, ACE Flags, ACE Type"
For Each Obj In DACL
   WScript.Echo Obj.Trustee & "," & Obj.AccessMask & "," & Obj.AceFlags & "," & Obj.AceType
Next
WScript.Echo ""

' Add an Allow ACE giving the computer account full control over its own record
Set ACE = CreateObject("AccessControlEntry")
ACE.AccessMask = ADS_RIGHT_FULL_CONTROL
ACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
ACE.AceFlags = ADS_ACEFLAG_NONE      ' AceFlags holds inheritance flags, not access rights
ACE.Trustee = strDomain & "\" & strComputer & "$"
DACL.AddAce ACE

' Write the modified security descriptor back to the record
objNtSecurityDescriptor.DiscretionaryAcl = DACL
objDNSRecord.Put "ntSecurityDescriptor", objNtSecurityDescriptor
objDNSRecord.SetInfo
WScript.Echo ACE.Trustee & " was added to the DACL for " & strComputer


Expert Comment

by:Chris Dent
ID: 22667191

Good stuff, glad you found it :-D

Chris

Expert Comment

by:Mark_Mckie
ID: 37992893
Hey Guys

We are having big issues with this; we have changed all the variables but keep getting the error code below:

Error: A referral was returned from the server
Code 8007202B

How would this work with AD 2003 and how could we loop the script?

Pleeeeeaaaseeee help.

Author Comment

by:PKundtz
ID: 37999174
Here's the example above put into a loop.  You can put your list of computer names into a text file that the script will read - 1 line per computer name.

Error Code 8007202B probably indicates you didn't enter the proper domain name in the variable.

' ADSI constants (ADS_ACETYPE_ENUM / ADS_ACEFLAG_ENUM)
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACEFLAG_NONE = 0          ' no inheritance flags: the ACE applies to this record only
Const ADS_RIGHT_FULL_CONTROL = -1   ' every access bit set ("Full Control")
Const ForReading = 1

strDomain  = "DOMAIN"                              ' NT domain name, not the FQDN
strZone    = "FQDN"                                ' zone name as shown in the DNS console
strZonesDN = "DC=DomainDnsZones,DC=domain,DC=com"  ' partition that matches the zone's replication scope

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objInFile = objFSO.OpenTextFile("ComputerList.txt", ForReading)

Do Until objInFile.AtEndOfStream
  strComputer = Trim(objInFile.ReadLine)           ' one NetBIOS name per line; blank lines are skipped
  If Len(strComputer) > 0 Then
    ' Each A record is a dnsNode object named after the host, directly under the zone's dnsZone object
    Set objDNSRecord = GetObject("LDAP://DC=" & strComputer & ",DC=" & strZone & ",CN=MicrosoftDNS," & strZonesDN)
    Set objNtSecurityDescriptor = objDNSRecord.Get("ntSecurityDescriptor")
    Set DACL = objNtSecurityDescriptor.DiscretionaryAcl

    ' Add an Allow ACE giving the computer account full control over its own record
    Set ACE = CreateObject("AccessControlEntry")
    ACE.AccessMask = ADS_RIGHT_FULL_CONTROL
    ACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
    ACE.AceFlags = ADS_ACEFLAG_NONE                ' AceFlags holds inheritance flags, not access rights
    ACE.Trustee = strDomain & "\" & strComputer & "$"
    DACL.AddAce ACE

    ' Write the modified security descriptor back to the record
    objNtSecurityDescriptor.DiscretionaryAcl = DACL
    objDNSRecord.Put "ntSecurityDescriptor", objNtSecurityDescriptor
    objDNSRecord.SetInfo
    WScript.Echo ACE.Trustee & " was added to the DACL for " & strComputer
  End If
Loop

objInFile.Close

The code worked for me a few years ago.  I haven't tested it on newer AD domains, and I don't have a lab set-up to help you.  Hopefully you can get it to work for your problem.
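The same loop as an added PowerShell example (not the thread's VBScript, and not tested by its author). It walks the zone's own dnsNode objects instead of a text file, grants each record's matching computer account (HOSTNAME$) an Allow ACE, skips records that already carry one and records that have no computer account, and honours -WhatIf so the change can be previewed first. It assumes the RSAT ActiveDirectory module, a zone DN supplied as a parameter (the DN you find under MicrosoftDNS in ADSIEdit as described earlier; the value shown is a placeholder), and an account with WriteDacl on the records, run against a DC that holds the partition. GenericAll is the default because it matches the thread's AccessMask of -1.

```powershell
<#
Added example (not from the thread). For every live host record in a zone,
grant the computer account of the same name rights on its own dnsNode object.
Assumes: RSAT ActiveDirectory module; $ZoneDN is the zone's dnsZone DN; caller
has WriteDacl on the records. Supports -WhatIf and -Verbose.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # placeholder, e.g. 'DC=corp.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example,DC=com'
    [Parameter(Mandatory)][string]$ZoneDN,
    # GenericAll is the "Full Control" the VBScript grants with AccessMask = -1
    [System.DirectoryServices.ActiveDirectoryRights]$Rights = 'GenericAll'
)
Import-Module ActiveDirectory

function Grant-DnsNodeSelfAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ZoneDN,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights
    )
    $nodes = Get-ADObject -SearchBase $ZoneDN -SearchScope OneLevel `
        -LDAPFilter '(objectClass=dnsNode)' -Properties dNSTombstoned

    foreach ($node in $nodes) {
        # Skip deleted records, the zone apex ('@') and underscore/service nodes:
        # none of them is a host's A record.
        if ($node.dNSTombstoned -or $node.Name -eq '@' -or $node.Name.StartsWith('_')) { continue }

        # The record name is the NetBIOS name; the computer's SAM account name is NAME$.
        try   { $computer = Get-ADComputer -Identity "$($node.Name)`$" -ErrorAction Stop }
        catch { $computer = $null }          # no such computer account
        if (-not $computer) {
            Write-Warning "$($node.Name): no computer account with that name; ACL left unchanged"
            continue
        }

        $sid  = $computer.SID
        $path = "AD:\$($node.DistinguishedName)"
        $acl  = Get-Acl -Path $path

        # Idempotency: do not add the ACE if an Allow entry for this SID already covers $Rights.
        $present = $false
        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            try   { $ruleSid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
            catch { continue }               # orphaned or untranslatable trustee
            if ($ruleSid -eq $sid -and (($rule.ActiveDirectoryRights -band $Rights) -eq $Rights)) {
                $present = $true; break
            }
        }
        if ($present) { Write-Verbose "$($node.Name): ACE already present"; continue }

        $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($ace)

        if ($PSCmdlet.ShouldProcess($node.DistinguishedName, "grant $Rights to $($computer.SamAccountName)")) {
            Set-Acl -Path $path -AclObject $acl
            [pscustomobject]@{ Record = $node.Name; Trustee = $computer.SamAccountName; Rights = $Rights }
        }
    }
}

Grant-DnsNodeSelfAccess -ZoneDN $ZoneDN -Rights $Rights
```

Run it first with -WhatIf to see which records would change and which have no computer account (stale records left from the restore), then without it. Because ntSecurityDescriptor is an attribute of the dnsNode object, the new ACE replicates to every DNS server in the zone's replication scope like any other change to the record; nothing has to be done per server.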