Allow IT staff to add records to AD DNS servers (not domain admins)


We would like the ability for our network staff to add A and PTR records to our AD integrated DNS zones; however, we do not want to grant them domain admin rights.

We have 5 DNS servers, all running on Windows 2008 R2 domain controllers.

What is the best way of doing this?


Sandeshdubey (Senior Server Engineer) commented:
You can assign the permission to users/groups from the DNS console; see this:

Delegating Control of an Active Directory Integrated Zone

I will not recommend normal users to perform this activity for security reasons. But if there is a strong business requirement then you have no choice. In addition, I will recommend enabling auditing to track the activities.

Auditing a DNS Zone
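
One way to script the delegation and auditing described in the answer above, as an added example that is not part of the original thread. The group name, zone names and the assumption that the zones live in the DomainDnsZones partition are placeholders to adapt.

```powershell
# Added example: delegate "create DNS record" on specific AD-integrated zones
# to a group, and audit what that group changes. Run elevated on a DC or a host
# with the ActiveDirectory module. All names below are placeholders.
Import-Module ActiveDirectory

$group = 'EXAMPLE\DNS-Record-Editors'             # hypothetical delegation group
$zones = @('corp.example.com', '10.in-addr.arpa') # hypothetical forward/reverse zones

$root = Get-ADRootDSE

# Resolve the schema GUID of the dnsNode class (one dnsNode object per record
# name) from the schema itself rather than hard-coding it.
$dnsNode = Get-ADObject -SearchBase $root.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=dnsNode)' -Properties schemaIDGUID
$dnsNodeGuid = [Guid]$dnsNode.schemaIDGUID

$sid = (New-Object Security.Principal.NTAccount($group)).Translate(
    [Security.Principal.SecurityIdentifier])

foreach ($zone in $zones) {
    # Assumption: zone is replicated to all DNS servers in the domain.
    # Forest-wide zones use DC=ForestDnsZones; legacy zones use CN=System.
    $dn   = "DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,$($root.defaultNamingContext)"
    $path = "AD:\$dn"
    $acl  = Get-Acl -Path $path -Audit   # -Audit also loads the SACL

    # Least privilege: the group may only create dnsNode children in this zone.
    $allow = New-Object DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'CreateChild', 'Allow', $dnsNodeGuid, 'None')
    $acl.AddAccessRule($allow)

    # Audit successful creates, deletes and property writes by the group on the
    # zone and everything under it. Events are only logged if directory service
    # access auditing is enabled in the domain controllers' audit policy.
    $audit = New-Object DirectoryServices.ActiveDirectoryAuditRule(
        $sid, 'CreateChild,DeleteChild,WriteProperty', 'Success', 'All')
    $acl.AddAuditRule($audit)

    Set-Acl -Path $path -AclObject $acl

    # Show the resulting entries for the group so the change can be reviewed.
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference -eq $group } |
        Format-Table ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
}
```

Because the zones are AD-integrated, the ACL change is made once and replicates to every domain controller hosting the zone.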
