Remote management of DNS

Posted on 2009-02-23
Last Modified: 2013-12-04
We are working on implementing a web-based administration of our Windows 2003 AD-integrated DNS. The functions will, among others, include creating and deleting resource records.
Does anyone know how to accomplish this? WMI has the functionality needed. We created a VB script to try the functions, but we can't execute the script remotely as a DNSAdmin user.

Since our DNS is AD-integrated, it's running on a domain controller. Even though I give the Remote Enable permission in WMI to the DNSAdmin (I even tried Full Control), the error 800A0046 Access denied is reported on the line:

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\MicrosoftDNS")

If I run the script as Domain Admin it works fine.

I suspect the permissions issue is related to the fact that DNS runs on a domain controller. Has anyone else accomplished this? (Or other ways of creating a web-based (remote) administration?)

Thanks in advance
Question by: itsupportoll

    Expert Comment

    I think maybe you need to grant permission to the AD object storing the zone you wish to edit.

    For example, if you're storing in DomainDNSZones, then grant permissions to this object and all children.

    Expert Comment

    Check your zone replication scope in DNS management and grant the permissions accordingly.

    If replication is:

    All DCs in domain = CN=MicrosoftDNS, DC=domain, DC=local
    All DNS servers in domain = CN=MicrosoftDNS, DC=DomainDNSZones, DC=domain, DC=local
    All DNS servers in forest = CN=MicrosoftDNS, DC=ForestDNSZones, DC=domain, DC=local


    Author Comment

    I tried your suggestion, but I still get the same error. I don't think it's a permissions problem related to DNS; it's rather related to WMI.

    I get the error message at this line:

    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\MicrosoftDNS")

    If the script can continue, it will read all the CNAMEs from the zone "" (but I never get this far).
    In this portion I guess I need sufficient permissions in DNS to continue.

    Const wbemFlagReturnImmediately = &h10
    Const wbemFlagForwardOnly = &h20
    Set colItems = objWMIService.ExecQuery("SELECT * FROM MicrosoftDNS_CNAMEType WHERE (ContainerName='')", "WQL", _
                   wbemFlagReturnImmediately + wbemFlagForwardOnly)

    Accepted Solution

    It's not a permissions problem related to DNS. Members of the "DNS Admins" group already have the permissions to manage DNS completely. This is solely remote DCOM/WMI related.
    You need two different permissions for this to work, for DCOM and the WMI namespace.
    To do this properly (that is, using AGDLP):
    1. Create a domain local group "D-DCOM-UserDC-RA" (or according to your naming scheme; this is a resource control group for DCOM Remote Activation access on the DCs).
    2. Create a domain local group "D-WMI-MicrosoftDNS-RA" (or according to your naming scheme; this is a resource control group for WMI Remote Activation access to the MicrosoftDNS namespace).
    3. Create a global group "G-DNS-WebAdmin" (or according to your naming scheme; this is a role group). Add the delegated user(s) as member to this group. Add this group as member to the two DL groups you just created, and add it to the default DL group "DNSAdmins" as well.
    Your membership should now look like this:
    Delegated User -> G-DNS-WebAdmin -> ("D-DCOM-UserDC-RA", "D-WMI-MicrosoftDNS-RA", "DNS Admins")

    Now give DCOM Remote Activation permissions on the DCs to the group "D-DCOM-UserDC-RA", either in the Default Domain Controllers Security Policy or in a dedicated OU linked to your Domain Controllers (you can do it locally through dcomcnfg.exe as well, but then you'll have to do this on every DC manually):
    Go to Windows Settings\Security Settings\Local Policies\Security Options, edit the policy "DCOM: Machine Launch Restrictions in SDDL"; add the group "D-DCOM-UserDC-RA" and give it "Remote Activation" permissions; leave the other groups.

    Now give WMI permissions to the "D-WMI-MicrosoftDNS-RA" (I'm afraid this has to happen manually on all DCs/DNS servers): enter wmimgmt.msc in the Run menu (or use Services and Applications\WMI Control in compmgmt.msc), open the properties of "WMI Control". Go to the Security tab, expand "Root", highlight "MicrosoftDNS", click "Security". Add the group "D-WMI-MicrosoftDNS-RA", and give it Remote Activation permissions.

    Log off with the delegated user, log back on, try again.

    Some references:
    Securing a Remote WMI Connection

    Setting Namespace Security with the WMI Control
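
As an added example (not part of the thread, and not Microsoft's or the poster's code), the following PowerShell script checks the three things the accepted solution sets up: the transitive group membership of the delegated user, the DCOM "Remote Activation" right for the D-DCOM group on the DC, and the "Remote Enable" right for the D-WMI group on the root\MicrosoftDNS namespace. It then repeats the connection that fails in the question, as the delegated user. The computer name DC01, the account CONTOSO\dnswebadmin and the parameter names are assumptions; the group names are the ones from the accepted solution. Run it from an admin workstation under an account that already has remote WMI and remote registry access (the Domain Admin account that the original poster reports working).

```powershell
# Added verification script (not from the thread). Assumed names: DC01, CONTOSO\dnswebadmin.
param(
    [string]$DnsServer     = 'DC01',
    [string]$DelegatedUser = 'CONTOSO\dnswebadmin',
    [string]$DcomGroup     = 'D-DCOM-UserDC-RA',
    [string]$WmiGroup      = 'D-WMI-MicrosoftDNS-RA'
)

$COM_RIGHTS_ACTIVATE_REMOTE = 0x10   # "Remote Activation" in dcomcnfg (COM_RIGHTS_* from iaccess.h)
$WBEM_ENABLE                = 0x01   # "Enable Account" in wmimgmt.msc (WBEM_* from wbemcli.h)
$WBEM_REMOTE_ACCESS         = 0x20   # "Remote Enable" in wmimgmt.msc

function Get-GroupSid([string]$Name) {
    ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier])
}

# Transitive group membership, resolved server-side with LDAP_MATCHING_RULE_IN_CHAIN.
function Get-NestedGroups([string]$SamAccountName) {
    $searcher = [adsisearcher]"(sAMAccountName=$SamAccountName)"
    $dn = $searcher.FindOne().Properties['distinguishedname'][0]
    $searcher.Filter = "(member:1.2.840.113556.1.4.1941:=$dn)"
    $searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] }
}

# DCOM: the GPO "DCOM: Machine Launch Restrictions in SDDL" writes an SDDL string under the
# Policies key; dcomcnfg.exe writes a binary descriptor under HKLM\SOFTWARE\Microsoft\Ole.
function Test-DcomRemoteActivation([string]$Computer, [string]$Group) {
    $sid  = Get-GroupSid $Group
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $value = $null
    $pol = $hklm.OpenSubKey('SOFTWARE\Policies\Microsoft\Windows NT\DCOM')
    if ($pol) { $value = $pol.GetValue('MachineLaunchRestriction') }
    if (-not $value) { $value = $hklm.OpenSubKey('SOFTWARE\Microsoft\Ole').GetValue('MachineLaunchRestriction') }
    if (-not $value) { return $false }   # nothing configured: the built-in default applies, which does not list our group
    $sd = if ($value -is [string]) { New-Object System.Security.AccessControl.RawSecurityDescriptor($value) }
          else { New-Object System.Security.AccessControl.RawSecurityDescriptor([byte[]]$value, 0) }
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.KnownAce] -and
            $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
            $ace.SecurityIdentifier -eq $sid -and
            ($ace.AccessMask -band $COM_RIGHTS_ACTIVATE_REMOTE)) { return $true }
    }
    return $false
}

# WMI: the namespace DACL that wmimgmt.msc edits, read through the __SystemSecurity class.
function Test-WmiRemoteEnable([string]$Computer, [string]$Group) {
    $sid  = (Get-GroupSid $Group).Value
    $need = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS
    $out  = Invoke-WmiMethod -ComputerName $Computer -Namespace 'root\MicrosoftDNS' -Path '__systemsecurity=@' -Name GetSecurityDescriptor
    if ($out.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with $($out.ReturnValue)" }
    foreach ($ace in $out.Descriptor.DACL) {
        # AceType 0 = access allowed; the group itself must carry both Enable Account and Remote Enable
        if ($ace.AceType -eq 0 -and $ace.Trustee.SIDString -eq $sid -and (($ace.AccessMask -band $need) -eq $need)) { return $true }
    }
    return $false
}

# The same call the VBScript makes (winmgmts:\\server\root\MicrosoftDNS), as the delegated user.
# Get-WmiObject goes over DCOM, so it exercises exactly the path the thread is about;
# Get-CimInstance would use WinRM and prove nothing about DCOM launch permissions.
function Test-DnsWmiConnection([string]$Computer, [pscredential]$Credential) {
    try {
        Get-WmiObject -ComputerName $Computer -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Server -Credential $Credential -ErrorAction Stop | Out-Null
        return $true
    } catch {
        Write-Warning "Connection failed: $($_.Exception.Message)"   # 0x80070005 = E_ACCESSDENIED
        return $false
    }
}

$groups = Get-NestedGroups ($DelegatedUser.Split('\')[-1])
foreach ($g in @($DcomGroup, $WmiGroup, 'DnsAdmins')) {   # DnsAdmins is the built-in group the thread calls "DNS Admins"
    '{0,-60}: {1}' -f "$DelegatedUser is (transitively) a member of $g", ($groups -contains $g)
}
'{0,-60}: {1}' -f "DCOM Remote Activation for $DcomGroup on $DnsServer", (Test-DcomRemoteActivation $DnsServer $DcomGroup)
'{0,-60}: {1}' -f "Remote Enable on root\MicrosoftDNS for $WmiGroup", (Test-WmiRemoteEnable $DnsServer $WmiGroup)
'{0,-60}: {1}' -f "DCOM connection to root\MicrosoftDNS as $DelegatedUser", (Test-DnsWmiConnection $DnsServer (Get-Credential $DelegatedUser))
```

The order of the checks mirrors the order in which the connection is evaluated: DCOM activation is decided before WMI ever sees the request, and the WMI namespace DACL is decided before any DNS zone permission is consulted, which is why the access denied error in the question surfaces at the GetObject line rather than at the query. The nested groups are pulled into the user's token only at logon, which is the reason for the "log off, log back on" step in the accepted solution. Granting Remote Activation and Remote Enable to two narrowly named domain local groups, rather than making the web application's account a Domain Admin, keeps the exposure of the domain controllers to that account limited to the DNS namespace.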

    Expert Comment

    Run wmimgmt.msc on one of the servers and check the permissions here.

    When the window opens, right click the top node (WMI Control - Local) and go 'Properties'.
    On the 'Security' tab, browse to your object (root/MicrosoftDNS) and click 'security'. Ensure the right permissions are enabled here.

    Give this a go.

    Author Comment

    Thanks, oBdA!

    The DCOM permissions solved it.
