I have a non-AD Windows Server 2012 machine (192.168.200.10) that has the DNS Server role installed, and it is the primary server for a number of zones. Unfortunately, I'm stuck with this server being 2012 for now, we can't replace it or do an in-place OS upgrade.
I have a new non-AD Server 2019 machine (192.168.200.20) that holds the secondary copy of all of the DNS zones, but I need to be able to manage it from the 2012 machine. Specifically, I need to be able to add and remove secondary zones using dnscmd.exe from the 2012 server.
When I try and add or remove zones with all the security settings at default values, I get:
dnscmd.exe 192.168.200.20 /ZoneAdd test.com /Secondary 192.168.200.10
Command failed: ERROR_ACCESS_DENIED 5 0x5
I know that I can change the dnscmd 'rpcprotocol' and 'rpcauthlevel' values on the 2019 like this:
dnscmd /config /rpcprotocol 7
dnscmd /config /rpcauthlevel 0
And I've confirmed that if I do that, using dnscmd on the 2012 server to add/remove zones on the 2019 server does start working. However, I don't want to leave the rpcprotocol/rpcauthlevel values like this if possible, I'd rather be more secure and have them both set to '5' on the 2019 server. My understanding is that MS implemented these new security protocols back in Server 2008 R2, so I'm not sure why this is even happening when I connect from my 2012 server to my 2019 server.... shouldn't they both already be using the more secure method? I have also confirmed that the 2012 server has both those values set to '5' as well.
Thanks!
0 Answers