Solved

Advanced DNS Security - Modify A Record ACL via a Script

Posted on 2008-10-06
11
3,242 Views
Last Modified: 2012-05-22
I performed a restore of an AD integrated Primary Zone in DNS, but it didn't restore the security properties for the records (this isn't possible with the type of backup we have).  All A records now have the default permissions for the Zone.  I want to add the HOSTNAME$ to the ACL for each A record in the Zone by writing a script.  I need to make sure computers and servers are able to modify their own A records.  My scripting skills are advanced; however, I can't find any WMI property or API that modifies the ACL for individual DNS records.  Does anyone know of a command line tool or other method to modify the security for a DNS record other than doing it manually through the DNS MMC?  I don't want to modify the permissions on the Zone, only individual records in the Zone.
0
Question by:PKundtz
11 Comments
 
LVL 8

Expert Comment

by:deadite
ID: 22655780
I skimmed the MSDN site, but didn't see anything on ACEs or ACLs....  Here is the link:

http://msdn.microsoft.com/en-us/library/ms682100%28VS.85%29.aspx

Maybe you can find something useful.  Otherwise, I would suggest looking for a script that modifies permissions in AD or DHCP because the code is probably similar.
0
 
LVL 2

Author Comment

by:PKundtz
ID: 22655964
I've heard the suggestion to increase the refresh interval for dynamic updates on clients via GPO and then turn off secure updates in DNS.  This will allow clients to update their records, but I'm not sure if their computer object gets added to the ACL on the record.  I want to avoid unsecured updates if possible.  I could always delete the client records and let them refresh.  I'll need to be cautious with the servers and update the ACLs individually.  This may be my only alternative if I can't find a way to script the ACL changes on individual records.
0
 
LVL 71

Accepted Solution

by:Chris Dent
Chris Dent earned 500 total points
ID: 22657638

Hey :)

> Does anyone know of a command line tool or other method to modify the security for a DNS record
> other than doing it manually through the DNS MMC?  

Yes, but you're looking in the wrong direction. There's no difference between this and assigning permissions to objects in AD. DNS Records are stored in AD after all (for AD Integrated zones).

What's your preferred scripting language?

Chris
0
 
LVL 2

Author Comment

by:PKundtz
ID: 22661772
VBSCRIPT.  Where in AD are the records stored?  I was browsing through ADSIEdit and couldn't find them, but I honestly didn't spend more than 5 minutes on it.
0
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 500 total points
ID: 22663829

It depends on your replication scope.

These are the locations:

"To all Domain Controllers in the Active Directory Domain ..":

ADSIEdit / Domain / CN=System / CN=MicrosoftDNS

Or:

AD Users and Computers / View + Advanced Features / System / MicrosoftDNS

Beneath that you should see each zone for that scope.

"To all DNS Servers in the Active Directory Domain ..":

ADSIEdit / Connect To ... / Select or type... / DC=DomainDNSZones,DC=yourdomain,DC=com

Then MicrosoftDNS as above.

"To all DNS Servers in the Active Directory Forest ..":

ADSIEdit / Connect To ... / Select or type... / DC=ForestDNSZones,DC=yourdomain,DC=com

Again, MicrosoftDNS under that.

Chris
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22663834

For the replication scope, I'm referring to the "Replication" option visible when you open the properties for the zone in the DNS console.

Chris
0
 
LVL 2

Author Comment

by:PKundtz
ID: 22664371
Replication for my domain zone is set to all DNS Servers in the Domain.  The MicrosoftDNS container does not have a container for my domain zone in ADUC (Advanced Settings), but I could connect to DC=DomainDNSZones,DC=yourdomain,DC=com in ADSIEdit and see what I need.  I believe I have a way to modify the permissions from here.  I'll test and post some code to let you know if it works.  Thanks!
0
 
LVL 2

Author Comment

by:PKundtz
ID: 22665327
A lot of time went into this problem.  I think I have it.  Here's the basic script to modify an A record's DACL and give the computer full control over the record.  I didn't include any error handling or the loop to modify all computers at once.  Thanks for pointing me in the right direction!
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_RIGHT_GENERIC_ALL = -1   'all access-mask bits set = Full Control
strComputer = "COMPUTER" 'NetBIOS name
strDomain = "DOMAIN" 'NT Domain Name, not the FQDN

'Replace FQDN with the zone name (e.g. domain.com) and DC=domain,DC=com with your domain DN.
'DC=DomainDnsZones is the partition for the "all DNS servers in the domain" replication scope;
'a wrong component here gives error 8007202B ("A referral was returned from the server").
Set objDNSRecord = GetObject("LDAP://DC=" & strComputer & ",DC=FQDN,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=com")
Set objNtSecurityDescriptor = objDNSRecord.Get("ntSecurityDescriptor")
Set DACL = objNtSecurityDescriptor.DiscretionaryAcl

'List existing ACEs in the DACL (you can omit if you don't care to see them)
WScript.Echo "Trustee, Access Mask, ACE Flags, ACE Type"
For Each Obj In DACL
   WScript.Echo Obj.Trustee & "," & Obj.AccessMask & "," & Obj.AceFlags & "," & Obj.AceType
Next

WScript.Echo ""

'Modify the DACL with a new ACE giving the computer account full control over its own record
Set ACE = CreateObject("AccessControlEntry")
ACE.AccessMask = ADS_RIGHT_GENERIC_ALL
ACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
ACE.AceFlags = 0   'no inheritance flags; WRITE_OWNER (&H80000) is an access-right bit, not an ACE flag, and the mask above already includes it
ACE.Trustee = strDomain & "\" & strComputer & "$"
DACL.AddAce ACE
objNtSecurityDescriptor.DiscretionaryAcl = DACL
objDNSRecord.Put "ntSecurityDescriptor", objNtSecurityDescriptor
objDNSRecord.SetInfo
WScript.Echo ACE.Trustee & " was added to the DACL for " & strComputer


0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22667191

Good stuff, glad you found it :-D

Chris
0
 

Expert Comment

by:Mark_Mckie
ID: 37992893
Hey Guys

We are having big issues with this, we have changed all the variables but keep getting the below ERROR code

Error: A referral was returned from the server
Code 8007202B

How would this work with AD 2003 and how could we loop the script?

Pleeeeeaaaseeee help.
0
 
LVL 2

Author Comment

by:PKundtz
ID: 37999174
Here's the example above put into a loop.  You can put your list of computer names into a text file that the script will read - 1 line per computer name.

Error Code 8007202B probably indicates you didn't enter the proper domain name in the variable.

Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_RIGHT_GENERIC_ALL = -1   'all access-mask bits set = Full Control
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objInFile = objFSO.OpenTextFile("ComputerList.txt", 1)   '1 = ForReading; one NetBIOS name per line
strDomain = "DOMAIN" 'NT Domain Name, not the FQDN

Do Until objInFile.AtEndOfStream
  strComputer = Trim(objInFile.ReadLine)
  If strComputer <> "" Then
    'Replace FQDN with the zone name and DC=domain,DC=com with your domain DN; a wrong
    'component here gives error 8007202B ("A referral was returned from the server")
    Set objDNSRecord = GetObject("LDAP://DC=" & strComputer & ",DC=FQDN,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=com")
    Set objNtSecurityDescriptor = objDNSRecord.Get("ntSecurityDescriptor")
    Set DACL = objNtSecurityDescriptor.DiscretionaryAcl
    'Modify the DACL with a new ACE giving the computer account full control over its own record
    Set ACE = CreateObject("AccessControlEntry")
    ACE.AccessMask = ADS_RIGHT_GENERIC_ALL
    ACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
    ACE.AceFlags = 0   'no inheritance flags; WRITE_OWNER is an access right, not an ACE flag
    ACE.Trustee = strDomain & "\" & strComputer & "$"
    DACL.AddAce ACE
    objNtSecurityDescriptor.DiscretionaryAcl = DACL
    objDNSRecord.Put "ntSecurityDescriptor", objNtSecurityDescriptor
    objDNSRecord.SetInfo
    WScript.Echo ACE.Trustee & " was added to the DACL for " & strComputer
  End If
Loop
objInFile.Close



The code worked for me a few years ago.  I haven't tested it on newer AD domains, and I don't have a lab set-up to help you.  Hopefully you can get it to work for your problem.
0
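The same per-record change as an added PowerShell example, not code from the thread, covering both the single-record script and the looped version above. It assumes the ActiveDirectory module (for Get-ADDomain and the AD: drive), a zone name and replication scope passed as parameters, and the same ComputerList.txt format; unlike the VBScript it resolves the dnsNode before touching it, so a wrong zone or scope fails with a readable message rather than a referral error, and it skips records that already carry the ACE.

```powershell
param(
    [Parameter(Mandatory)] [string] $ZoneName,            # e.g. corp.example.com (assumed value)
    [ValidateSet('Domain','DomainDnsZones','ForestDnsZones')]
    [string] $Scope = 'DomainDnsZones',                   # the zone's "Replication" setting
    [string] $ComputerList = 'ComputerList.txt',          # one NetBIOS name per line
    [switch] $DryRun                                      # report what would change, write nothing
)
Import-Module ActiveDirectory                             # provides Get-ADDomain and the AD: drive
$domain = Get-ADDomain
$rootDn = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName
# Where CN=MicrosoftDNS lives for each replication scope (the three paths from the answer above)
$containers = @{
    Domain         = "CN=MicrosoftDNS,CN=System,$($domain.DistinguishedName)"
    DomainDnsZones = "CN=MicrosoftDNS,DC=DomainDnsZones,$($domain.DistinguishedName)"
    ForestDnsZones = "CN=MicrosoftDNS,DC=ForestDnsZones,$rootDn"
}
$container = $containers[$Scope]

foreach ($line in Get-Content $ComputerList) {
    $computer = $line.Trim()
    if (-not $computer) { continue }
    $nodeDn  = "DC=$computer,DC=$ZoneName,$container"
    $account = "$($domain.NetBIOSName)\$computer`$"
    # Resolve the dnsNode first: a wrong zone name or scope fails here with a readable
    # message instead of the "referral was returned" error (8007202B) GetObject() gives.
    try { $null = Get-ADObject -Identity $nodeDn -ErrorAction Stop }
    catch { Write-Warning "No dnsNode at $nodeDn ($($_.Exception.Message))"; continue }

    $acl = Get-Acl -Path "AD:\$nodeDn"
    # Idempotent: skip records that already grant this computer account full control
    $existing = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $account -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -eq 'GenericAll' }
    if ($existing) { Write-Host "$account already has full control on $computer"; continue }

    # Same ACE as the VBScript: Allow, full control (GenericAll), no inheritance flags
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        (New-Object System.Security.Principal.NTAccount($account)),
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    if ($DryRun) { Write-Host "Would add $account (GenericAll) to $nodeDn"; continue }
    Set-Acl -Path "AD:\$nodeDn" -AclObject $acl
    Write-Host "$account was added to the DACL for $computer"
}
```

Run it once with -DryRun against a handful of names to confirm the DNs resolve before letting it write to every record in the zone.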
