
Remote management of DNS

We are working on implementing a web-based administration of our Windows 2003 AD-integrated DNS. The functions will, among others, include creating and deleting resource records.
Does anyone know how to accomplish this? WMI has the functionality needed. We created a VB script to try the functions, but we can't execute the script remotely as a DNSAdmin user.

Since our DNS is AD-integrated, it's running on a domain controller. Even though I give the Remote Enable permission in WMI to the DNSAdmin (even tried full control), the error 800A0046 Access denied is reported on the line:

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\MicrosoftDNS")

If I run the script as Domain Admin it works fine.

I suspect the permissions issue is related to the fact that DNS runs on a domain controller. Has anyone else accomplished this? (Or other ways of creating a web-based (remote) administration?)

Thanks in advance
I think maybe you need to grant permission to the AD object storing the zone you wish to edit.

For example, if you're storing in DomainDNSZones, then grant permissions to this object and all children.
Check your zone replication scope in DNS management and grant the permissions accordingly.

If replication is:

All DCs in domain = CN=MicrosoftDNS, DC=domain, DC=local
All DNS servers in domain = CN=MicrosoftDNS, DC=DomainDNSZones, DC=domain, DC=local
All DNS servers in forest = CN=MicrosoftDNS, DC=ForestDNSZones, DC=domain, DC=local

itsupportoll (Author) commented:
I tried your suggestion, but I still get the same error. I don't think it's a permissions problem related to DNS, it's rather related to WMI.

I get the error message at this line:

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\MicrosoftDNS")

If the script can continue, it will read all the CNAMEs from the zone "test.ad" (but I never get this far).
In this portion I guess I need sufficient permissions in DNS to continue.

Set colItems = objWMIService.ExecQuery("SELECT * FROM MicrosoftDNS_CNAMEType WHERE (ContainerName='test.ad')", "WQL", _
               wbemFlagReturnImmediately + wbemFlagForwardOnly)

It's not a permissions problem related to DNS. Members of the "DNS Admins" group already have the permissions to manage DNS completely. This is solely remote DCOM/WMI related.
You need two different permissions for this to work, for DCOM and the WMI namespace.
To do this properly (that is, using AGDLP, http://en.wikipedia.org/wiki/AGDLP):
1. Create a domain local group "D-DCOM-UserDC-RA" (or according to your naming scheme; this is a resource control group for DCOM Remote Activation access on the DCs).
2. Create a domain local group "D-WMI-MicrosoftDNS-RA" (or according to your naming scheme; this is a resource control group for WMI Remote Activation access of the MicrosoftDNS namespace).
3. Create a global group "G-DNS-WebAdmin" (or according to your naming scheme; this is a role group). Add the delegated user(s) as member to this group. Add this group as member to the two DL groups you just created, and add it to the default DL group "DNSAdmins" as well.
Your membership should now look like this:
Delegated User -> G-DNS-WebAdmin -> ("D-DCOM-UserDC-RA", "D-WMI-MicrosoftDNS-RA", "DNS Admins")

Now give DCOM Remote Activation permissions on the DCs to the group "D-DCOM-UserDC-RA", either in the Default Domain Controllers Security Policy or in a dedicated OU linked to your Domain Controllers (you can do it locally through dcomcnfg.exe as well, but then you'll have to do this on every DC manually):
Go to Windows Settings\Security Settings\Local Policies\Security Options, edit the policy "DCOM: Machine Launch Restrictions in SDDL"; add the group "D-DCOM-UserDC-RA" and give it "Remote Activation" permissions; leave the other groups.

Now give WMI permissions to the "D-WMI-MicrosoftDNS-RA" (I'm afraid this has to happen manually on all DCs/DNS servers): enter wmimgmt.msc in the Run menu (or use Services and Applications\WMI Control in compmgmt.msc), open the properties of "WMI Control". Go to the Security tab, expand "Root", highlight "MicrosoftDNS", click "Security". Add the group "D-WMI-MicrosoftDNS-RA", and give it Remote Activation permissions.

Log off with the delegated user, log back on, try again.

Some references:
Securing a Remote WMI Connection

Setting Namespace Security with the WMI Control
Run wmimgmt.msc on one of the servers and check the permissions here.

When the window opens, right click the top node (WMI Control - Local) and go 'Properties'.
On the 'Security' tab, browse to your object (root/MicrosoftDNS) and click 'security'. Ensure the right permissions are enabled here.

Give this a go.
itsupportoll (Author) commented:
Thanks, oBdA!

The DCOM permissions solved it.
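
The "DCOM: Machine Launch Restrictions in SDDL" policy discussed in this thread is stored as an SDDL string, so the change can be audited by parsing it. The following is an added example, not code from this thread: it checks whether any SID in a user's token is granted the COM remote-activation bit. The group SID and both SDDL strings are constructed placeholders.

```python
import re

# COM access bits and the SDDL tokens that encode them in a launch-restriction ACE.
COM_RIGHTS = {
    "CC": 0x01,  # COM_RIGHTS_EXECUTE
    "DC": 0x02,  # COM_RIGHTS_EXECUTE_LOCAL    (local launch)
    "LC": 0x04,  # COM_RIGHTS_EXECUTE_REMOTE   (remote launch)
    "SW": 0x08,  # COM_RIGHTS_ACTIVATE_LOCAL   (local activation)
    "RP": 0x10,  # COM_RIGHTS_ACTIVATE_REMOTE  (remote activation)
}
ACTIVATE_REMOTE = COM_RIGHTS["RP"]

# Constructed sample data, not taken from the thread.
GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # placeholder for D-DCOM-UserDC-RA
BEFORE = "O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)"     # admins: all, Everyone: local only
AFTER = BEFORE + "(A;;CCRP;;;" + GROUP_SID + ")"              # group added with remote activation


def parse_mask(rights):
    """Convert an SDDL rights field (two-letter tokens or a hex number) to a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= COM_RIGHTS[rights[i:i + 2]]  # KeyError: token is not a COM launch right
    return mask


def can_activate_remotely(sddl, token_sids):
    """True if an allow ACE grants remote activation to a SID in the caller's token
    and no deny ACE for the token takes it away (deny wins, a conservative reading)."""
    allowed = denied = 0
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        fields = ace.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: (%s)" % ace)
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if trustee not in token_sids:
            continue
        if ace_type == "A":
            allowed |= parse_mask(rights)
        elif ace_type == "D":
            denied |= parse_mask(rights)
    return bool(allowed & ~denied & ACTIVATE_REMOTE)


if __name__ == "__main__":
    delegated = {"WD", GROUP_SID}  # Everyone plus the nested resource group
    for label, sddl in (("before", BEFORE), ("after", AFTER)):
        print(label, can_activate_remotely(sddl, delegated))
```

With the constructed values, the delegated token fails the check against `BEFORE` and passes against `AFTER`, while a token containing `BA` (Administrators) passes in both cases.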
