Group:  English: Windows Server » microsoft.public.windows.server.dns
Thread: Setting Security on DNS ACLs


Setting Security on DNS ACLs
"Joe Cormane" <nobody[ at ]nowhere.com> 10.07.2007 15:06:24
Hello all,

Currently I have a single-domain forest for my enterprise. We have
extensive delegation enabled in AD for different locations in order for
administrators of those locations to be able to manage their resources.
Those admins have requested access to their DNS entries. The reverse zones
are simple, but the forward zone is causing some trouble because I'm not to
give them access to the entire zone. Instead I need a way to be able to,
via a script, add an ACE to individual DNS records within our forward zone.
We have a standard nomenclature so that makes things easier if we decided to
script. Initially I thought DNSCMD might do the trick but it does not set
security on zones or records. Has anyone done this before?


Re: Setting Security on DNS ACLs
"Kevin D. Goodknecht Sr. [MVP]" <admin[ at ]nospam.WFTX.US> 10.07.2007 15:29:37
Read inline please.

In news:%23a8HjPwwHHA.4076[ at ]TK2MSFTNGP06.phx.gbl,
Joe Cormane <nobody[ at ]nowhere.com> typed:
> Hello all,
>
> Currently I have a single-domain forest for my enterprise. We have
> extensive delegation enabled in AD for different locations in order
> for administrators of those locations to be able to manage their
> resources. Those admins have requested access to their DNS entries.
> The reverse zones are simple, but the forward zone is causing some
> trouble because I'm not to give them access to the entire zone.
> Instead I need a way to be able to, via a script, add an ACE to
> individual DNS records within our forward zone. We have a standard
> nomenclature so that makes things easier if we decided to script.
> Initially I thought DNSCMD might do the trick but it does not set
> security on zones or records. Has anyone done this before?

The only way to do this if you don't want them to have access to the entire
root domain zone is to use delegated subzones. The problem with using
delegated subzones is that, for single-label hostname resolution to work, you
have to add the subzone names to the DNS suffix search list.




--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================


Re: Setting Security on DNS ACLs
"Joe Cormane" <nobody[ at ]nowhere.com> 10.07.2007 16:27:08
Thanks for the reply, Kevin.

So I wouldn't have to do this in conjunction with creating a new windows
domain within the forest? I suppose I always assumed that that would be the
case.

On DHCP enabled hosts I could add domain suffixes using option 135, correct?



Re: Setting Security on DNS ACLs
"Kevin D. Goodknecht Sr. [MVP]" <admin[ at ]nospam.WFTX.US> 12.07.2007 14:48:28
Read inline please.

In news:ue8dq8wwHHA.3400[ at ]TK2MSFTNGP03.phx.gbl,
Joe Cormane <nobody[ at ]nowhere.com> typed:
> Thanks for the reply, Kevin.
>
> So I wouldn't have to do this in conjunction with creating a new
> windows domain within the forest? I suppose I always assumed that
> that would be the case.

You could do it by creating a new domain, but it wouldn't have to be a
domain; it can just as easily be done with a connection-specific DNS suffix
in a subzone or even a new DNS tree.

>
> On DHCP enabled hosts I could add domain suffixes using option 135,
> correct?

I've not tested adding this option myself. From what I understand, using the
DHCP option may not work because the Windows DNS Client only picks up
options it actually asks DHCP for, and it does not ask DHCP for a DNS suffix
search list. However, if you configure option 015 with a connection-specific
DNS suffix, the DNS Client service adds this suffix to the search list.
XP and later will use a GPO to configure the DNS suffix search list, in
addition to other settings used by the DNS Client service:
Computer Configuration
-Administrative templates
-Network
-DNS Client



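As an added check (not code from either poster), the PowerShell audit below covers both points Kevin makes: delegated subzones only give single-label resolution if they appear in the suffix list, and that list comes from the DNS Client GPO, a local search list, or (when no search list is set) the primary suffix plus each adapter's connection-specific suffix from DHCP option 015. It assumes the DnsClient module (Windows 8 / Server 2012 or later) and uses constructed subzone names.

```powershell
# Added example: audit whether delegated subzones are in the effective DNS suffix list.
# Assumes the DnsClient PowerShell module (Windows 8 / Server 2012 or later).
# The subzone names are constructed placeholders, not taken from the thread.
$DelegatedSubzones = @('dallas.corp.example.com', 'austin.corp.example.com')

function Get-EffectiveSuffixList {
    # The GPO under Computer Configuration > Administrative Templates > Network >
    # DNS Client ("DNS Suffix Search List") writes a comma-separated SearchList
    # value under the Policies key, which overrides local client settings.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $policy = Get-ItemProperty -Path $policyKey -Name SearchList -ErrorAction SilentlyContinue
    if ($policy -and $policy.SearchList) {
        $list = ($policy.SearchList -split ',') | ForEach-Object { $_.Trim() }
        return [pscustomobject]@{ Source = 'GroupPolicy'; Suffixes = $list }
    }
    $dnsGlobal = Get-DnsClientGlobalSetting
    if ($dnsGlobal.SuffixSearchList -and $dnsGlobal.SuffixSearchList.Count -gt 0) {
        # An explicit search list replaces the primary and connection-specific suffixes.
        return [pscustomobject]@{ Source = 'LocalSearchList'; Suffixes = $dnsGlobal.SuffixSearchList }
    }
    # No search list configured: the client appends the primary DNS suffix
    # (devolution ignored here) and each adapter's connection-specific suffix,
    # which is what DHCP option 015 or a static per-adapter suffix supplies.
    $suffixes = @()
    $tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    if ($tcpip.Domain) { $suffixes += $tcpip.Domain }
    $suffixes += Get-DnsClient |
        Where-Object { $_.ConnectionSpecificSuffix -and $_.UseSuffixWhenResolving } |
        ForEach-Object { $_.ConnectionSpecificSuffix }
    return [pscustomobject]@{ Source = 'PrimaryAndConnectionSpecific'; Suffixes = $suffixes }
}

$effective = Get-EffectiveSuffixList
"Suffix source: $($effective.Source)"
foreach ($zone in $DelegatedSubzones) {
    # -contains compares strings case-insensitively, matching DNS semantics.
    $present = $effective.Suffixes -contains $zone
    $state = if ($present) { 'in suffix list' } else { 'MISSING: single-label names in this subzone will not resolve' }
    '{0,-28} {1}' -f $zone, $state
}
```

Run it on a client in each delegated location; a MISSING line means the GPO search list or the option 015 suffix for that site still needs the subzone added.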

