Delegating Control of a Zone

Posted: March 27, 2010 in Active Directory, Server, System Information
Problem

You want to delegate control of managing the resource records in a zone.

Solution

Using a graphical user interface
  1. Open the DNS Management snap-in.

  2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select “Connect to DNS Server.” Select “This computer” or “The following computer,” then enter the server you want to connect to (if applicable) and click OK.

  3. Expand the server in the left pane and expand either Forward Lookup Zones or Reverse Lookup Zones, depending on the type of zone.

  4. Right-click on the name of the zone and select Properties.

  5. Click on the Security tab.

  6. Click the Add button.

  7. Use the Object Picker to locate the user or group to which you want to delegate control.

  8. Under Permissions, check the Full Control box.

  9. Click OK.

Using a command-line interface

The following command grants full control over managing the resource records in an AD-Integrated zone:

	> dsacls dc=<ZoneName>,cn=MicrosoftDNS,<DomainOrAppPartitionDN> /G <UserOrGroup>:GA;;

Using VBScript

	' This code grants full control for the specified user or group over
	' an AD-Integrated zone.
	' ------ SCRIPT CONFIGURATION -------
	strZoneDN = "dc=<ZoneName>,cn=MicrosoftDNS,<DomainOrAppPartitionDN>"
	strUserOrGroup = "<UserOrGroup>" ' e.g. joe@rallencorp.com or RALLENCORP\joe
	' ------ END CONFIGURATION ---------

	'############################
	' Constants
	'############################
	' ADS_ACETYPE_ENUM
	' Full Control is not scoped to a property or child-class GUID, so a plain
	' (non-object-specific) allow ACE is used; an object-specific ACE with the
	' OBJECT_TYPE_PRESENT flag set but no ObjectType GUID would grant nothing.
	Const ADS_ACETYPE_ACCESS_ALLOWED = &h0

	' ADS_RIGHTS_ENUM
	Const ADS_RIGHT_GENERIC_ALL = &h10000000

	' Bind to the zone object in AD
	set objZone = GetObject("LDAP://" & strZoneDN)

	'############################
	' Create ACL
	'############################
	set objSD = objZone.Get("nTSecurityDescriptor")
	set objDACL = objSD.DiscretionaryAcl

	' Full Control
	set objACE1 = CreateObject("AccessControlEntry")
	objACE1.Trustee    = strUserOrGroup
	objACE1.AccessMask = ADS_RIGHT_GENERIC_ALL
	objACE1.AceFlags   = 0   ' no inheritance flags: applies to the zone object itself
	objACE1.Flags      = 0   ' no ObjectType/InheritedObjectType GUID present
	objACE1.AceType    = ADS_ACETYPE_ACCESS_ALLOWED

	objDACL.AddAce objACE1

	'############################
	' Set ACL
	'############################
	objSD.DiscretionaryAcl = objDACL
	objZone.Put "nTSecurityDescriptor", objSD
	objZone.SetInfo
	WScript.Echo "Delegated control of " & strZoneDN & " to " & strUserOrGroup

Discussion

By default, members of the DNSAdmins group have control over DNS server and zone configuration. You can delegate control of an individual AD-integrated zone by modifying the permissions on that zone's object in AD. The solutions show how to grant Full Control over a particular zone to an additional user or group.
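The same delegation from PowerShell, as an added example that is not part of the original recipe, followed by a check that lists every trustee whose ACE on the zone amounts to control of it (Full Control, or WriteDacl/WriteOwner, which let the holder grant themselves the rest). It binds to the zone object the way the VBScript does; the zone DN and the trustee are placeholders, and it assumes it runs as an account allowed to modify the zone's security descriptor.

```powershell
# Added example (not from the original post). Placeholders: <ZoneName>,
# <DomainOrAppPartitionDN> and <DOMAIN>\<UserOrGroup>.
$zoneDN  = 'DC=<ZoneName>,CN=MicrosoftDNS,<DomainOrAppPartitionDN>'
$trustee = '<DOMAIN>\<UserOrGroup>'

function Grant-ZoneFullControl {
    param([string]$ZoneDN, [string]$Trustee)
    $zone = [ADSI]"LDAP://$ZoneDN"                 # same object the VBScript binds to
    $sd   = $zone.psbase.ObjectSecurity            # nTSecurityDescriptor as a .NET object
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        (New-Object System.Security.Principal.NTAccount($Trustee)),
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,          # GA, as in dsacls
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)    # also covers dnsNode records under the zone
    $sd.AddAccessRule($ace)
    $zone.psbase.CommitChanges()                   # equivalent of objZone.SetInfo
}

function Get-ZoneControlHolders {
    # Lists each Allow ACE (explicit or inherited) that grants Full Control, or the
    # WriteDacl/WriteOwner rights from which Full Control can be self-granted.
    param([string]$ZoneDN)
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    $ga     = [int]$rights::GenericAll
    $dacl   = [int]$rights::WriteDacl -bor [int]$rights::WriteOwner
    $zone   = [ADSI]"LDAP://$ZoneDN"
    $zone.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $mask = [int]$_.ActiveDirectoryRights
            $_.AccessControlType -eq 'Allow' -and
                ((($mask -band $ga) -eq $ga) -or (($mask -band $dacl) -ne 0))
        } |
        Select-Object @{n='Trustee'; e={ $_.IdentityReference }},
                      @{n='Rights';  e={ $_.ActiveDirectoryRights }},
                      IsInherited
}

Grant-ZoneFullControl -ZoneDN $zoneDN -Trustee $trustee
Get-ZoneControlHolders -ZoneDN $zoneDN | Format-Table -AutoSize
```

Running only Get-ZoneControlHolders against each zone is a quick way to review which principals besides DNSAdmins have been delegated control over time.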
