I'm implementing DNS Policies, writing PowerShell scripts for certain tasks, and of course I don't want to schedule these tasks as domain admins; I want to use a least-privileged service account.
The thing is, I can't seem to figure out what's needed, and where. AD includes the DnsAdmins group, but it's not enough.
DNS Policy Components
There are essentially 3 new elements to DNS Policies:
- Zone Scopes
- Client Subnets
- Policies
Zone Scopes are part of the zone itself, so on an AD-integrated zone, they are replicated with the zone.
But Client Subnets and Policies are not stored in AD, so they are not replicated and there's no directory partition for example, where you could check or set permissions.
Example Problem
Trying to create a Client Subnet entry, which works fine with a domain admin account, gives me a cryptic error about checking the internal exception details.
Doing that gives me a WIN32 1011 error:
The configuration registry key could not be opened.
Googling that error is fairly useless, and it never says which registry key it is.
This is with an account that is a normal domain user, but is a member of DnsAdmins and has no other special privileges.
That account can read a DNS Client Subnet just fine. But adding one fails.
For contrast, a domain user that is not a member of DnsAdmins cannot read the client subnet entry (permission denied).
Code
# Read a Client Subnet (-cn is the alias of -ComputerName); works as a DnsAdmins member
Get-DnsServerClientSubnet -cn MyDC -Name 'My_CS_Entry'
# Add a Client Subnet; fails with Win32 error 1011 as a DnsAdmins member.
# The cmdlet requires a subnet; the value below is a placeholder, not from the original post.
Add-DnsServerClientSubnet -cn MyDC -Name 'My_CS_Entry' -IPv4Subnet '10.0.0.0/24'
So absent any documentation, I'm at a loss as to how to properly delegate permissions for this.
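As an added example (not part of the question), here is a probe script that runs the same read and write operations under the delegated account and walks the inner exceptions, so the Win32 code behind the generic "check the internal exception details" message is visible without guessing. The computer name, the probe entry name and the subnet are constructed placeholders; the helper names are my own.

```powershell
# Added example: surface the Win32 error hidden in the DNS Server cmdlet exception chain.
# Run this under the least-privileged service account you intend to delegate to.
function Get-InnerErrorDetail {
    param([Parameter(Mandatory)][System.Management.Automation.ErrorRecord]$ErrorRecord)
    $ex = $ErrorRecord.Exception
    $depth = 0
    while ($ex) {
        # Reinterpret the signed HResult as unsigned so the facility bits can be tested
        $u = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$ex.HResult), 0)
        $win32Code = $null; $win32Text = $null
        if (($u -band 0xFFFF0000) -eq 0x80070000) {
            # FACILITY_WIN32: the low 16 bits are the Win32 error (1011 = ERROR_CANTOPEN)
            $win32Code = [int]($u -band 0xFFFF)
            $win32Text = (New-Object System.ComponentModel.Win32Exception $win32Code).Message
        }
        [pscustomobject]@{
            Depth     = $depth
            Type      = $ex.GetType().FullName
            HResult   = ('0x{0:X8}' -f $u)
            Win32Code = $win32Code
            Win32Text = $win32Text
            Message   = $ex.Message
        }
        $ex = $ex.InnerException
        $depth++
    }
}

function Test-DnsClientSubnetDelegation {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$Name       = 'Delegation_Probe',   # constructed probe entry name
        [string]$IPv4Subnet = '10.99.0.0/24'        # constructed, pick an unused range
    )
    $result = [ordered]@{ Read = $null; Write = $null; Errors = @() }

    # Read test: DnsAdmins members are expected to pass this
    try {
        $null = Get-DnsServerClientSubnet -ComputerName $ComputerName -ErrorAction Stop
        $result.Read = 'OK'
    } catch {
        $result.Read = 'FAILED'
        $result.Errors += Get-InnerErrorDetail $_
    }

    # Write test: this is the step that fails with Win32 1011 in the question
    try {
        Add-DnsServerClientSubnet -ComputerName $ComputerName -Name $Name `
                                  -IPv4Subnet $IPv4Subnet -ErrorAction Stop
        $result.Write = 'OK'
        # Clean up the probe entry if the write succeeded
        Remove-DnsServerClientSubnet -ComputerName $ComputerName -Name $Name -Force -ErrorAction SilentlyContinue
    } catch {
        $result.Write = 'FAILED'
        $result.Errors += Get-InnerErrorDetail $_
    }
    [pscustomobject]$result
}

# Usage (constructed DC name):
# Test-DnsClientSubnetDelegation -ComputerName 'MyDC' | Format-List
# (Test-DnsClientSubnetDelegation -ComputerName 'MyDC').Errors | Format-Table -AutoSize
```

Running this once as the service account and once as a Domain Admin gives a side-by-side record of exactly which operation and which Win32 code differ, which is the evidence to attach when asking for a narrower delegation than BUILTIN\Administrators.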
Well, this isn't the final answer I'm looking for, but it's something; I hope there will be more answers.
I've found that a member of the domain's BUILTIN\Administrators group has sufficient permissions for DNS Policies. That's not surprising since it's essentially a domain admin without the administrative access to member computers.
I'd really like to find something more limited, but for now this is what I'm going with.
It may be caused by the security permissions for the DnsAdmins security group not being automatically added on newly created Active Directory Integrated zones. To work around this issue, you should manually add the DnsAdmins security group to the zone access control list (ACL) and grant Full Control.
There are 3 ways you could do that:
1. Use the Dsacls.exe tool.
2. Use Active Directory Service Interfaces (ADSI) Editor.
3. Use DNS Manager.
You could check this KB from Microsoft for the details: KB837335
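As an added example (my code, not from the answer or from Microsoft), the following script performs the ADSI step of that answer from PowerShell: it locates the zone object in whichever DNS application partition holds it and adds a Full Control (GenericAll) ACE for DnsAdmins. It assumes the ActiveDirectory module and a reachable domain controller; the zone and domain names in the usage lines are constructed placeholders. Note that this addresses the zone ACL the answer describes; Client Subnets and Policies, as the question points out, are not stored in AD, so this grant alone does not change their behaviour.

```powershell
# Added example: grant DnsAdmins Full Control on an AD-integrated zone object.
# Equivalent to the Dsacls.exe / ADSI Edit / DNS Manager steps listed in the answer.
Import-Module ActiveDirectory

function Find-DnsZoneObject {
    param([Parameter(Mandatory)][string]$ZoneName)
    $domainDN = (Get-ADDomain).DistinguishedName
    $forestDN = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName
    # An AD-integrated zone lives under CN=MicrosoftDNS in one of these partitions,
    # depending on the replication scope chosen when the zone was created.
    $searchBases = @(
        "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN",
        "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDN",
        "CN=MicrosoftDNS,CN=System,$domainDN"   # legacy "all DCs in the domain" scope
    )
    foreach ($base in $searchBases) {
        $zone = Get-ADObject -LDAPFilter "(&(objectClass=dnsZone)(name=$ZoneName))" `
                             -SearchBase $base -SearchScope OneLevel -ErrorAction SilentlyContinue |
                Select-Object -First 1
        if ($zone) { return $zone }
    }
    throw "Zone '$ZoneName' not found in any DNS partition (is it AD-integrated?)"
}

function Grant-DnsAdminsFullControl {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$GroupName = 'DnsAdmins',
        [switch]$WhatIf
    )
    $zone  = Find-DnsZoneObject -ZoneName $ZoneName
    $group = Get-ADGroup -Identity $GroupName
    $sid   = [System.Security.Principal.SecurityIdentifier]$group.SID
    $path  = "AD:\$($zone.DistinguishedName)"
    $acl   = Get-Acl -Path $path

    # Idempotency: skip if an Allow GenericAll ACE for this SID is already present
    $already = $acl.Access | Where-Object {
        try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid }
        catch { $false }
    } | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq
            [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    }
    if ($already) {
        Write-Host "$GroupName already has Full Control on $($zone.DistinguishedName)"
        return
    }

    # Full Control on the zone object and everything beneath it (the DNS records)
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($ace)

    if ($WhatIf) {
        Write-Host "Would grant $GroupName GenericAll on $($zone.DistinguishedName)"
        return
    }
    Set-Acl -Path $path -AclObject $acl

    # Return the resulting ACEs for the group so the change can be verified and logged
    (Get-Acl -Path $path).Access | Where-Object {
        try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid }
        catch { $false }
    }
}

# Usage (constructed names): preview first, then apply.
# Grant-DnsAdminsFullControl -ZoneName 'corp.example.com' -WhatIf
# Grant-DnsAdminsFullControl -ZoneName 'corp.example.com'
#
# The same grant with the Dsacls.exe tool from the answer (constructed DN and domain):
# dsacls "DC=corp.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com" /G "EXAMPLE\DnsAdmins:GA" /I:T
```

Run it with -WhatIf first and keep the returned ACE list: GenericAll on a zone object lets the group create and delete any record in that zone, so the grant should be scoped to the zones the service account actually manages rather than applied to every zone.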