
The only topics I can find on dnscmd.exe access denied are all "when we upgraded to Server 2008 this error started". Well, I'm using a Windows XP client and Server 2003 and getting this error. I can use Computer Management to view sessions, open files, and services (start/stop works also) from my XP workstation, but when I try to use the DNS Manager snap-in or dnscmd.exe I always get an Access Denied (5) error. I have confirmed that RPC over TCP/IP is enabled for the DNS service (when I disable it, I get a connection reset error instead).

More info on setup:

DNS Server:

Windows 2003 Standard Edition SP2
Computer Name: PSServer
Workgroup Name: TELEXSI

Workstation using dnscmd.exe:

Windows XP Pro SP3
Computer Name: DEVELOPER
Workgroup Name: TELEXSI

DNS command-lines tried:

dnscmd.exe mydomain.com /Info

Also tried using the IP (it is an external/Internet IP) instead of domain name.

In computer manager when I view the list of active sessions, I see my XP workstation listed (by its external IP) and the user name is a user in the admin group, and not as guest. This is the one and only login we use for everything, start/stop services, install software, etc, so I know it has full-access/admin rights.

Is this a known restriction of a Workgroup over WAN? Seems odd that I can do everything else remotely, but this one area (DNS Server) I am having issues with.

eselk
  • Using DNS RPC over a WAN link is a Bad Idea. Try running the command from an internal network. – Nathan C Jun 11 '13 at 17:26
  • Sorry, I'm very new to this, could you explain why it is a bad idea? Security? Bugs? Unsupported? – eselk Jun 11 '13 at 19:11
  • Vulnerabilities like this: http://technet.microsoft.com/en-us/security/bulletin/ms07-029 If you *must* have access, use a VPN. Most likely it's being denied by the system itself because of the security issues. – Nathan C Jun 11 '13 at 19:13
  • I see, thank you. I will explore the VPN option and maybe ask a separate question about my setup and options. I have 2 DNS servers in different remote locations and need both to have identical records, except for the IPs they return (each maps to itself). Was hoping to create some BAT files using dnscmd.exe to update both at once. – eselk Jun 11 '13 at 19:21

1 Answer


RPC and VPNs aside, can you:

  1. Confirm whether you are talking about Active Directory integrated DNS
  2. Log on locally to the DNS server and confirm whether you can launch dnsmgmt.msc
  3. Enable the Advanced view in the DNS management tool and check the permissions on your DNS zones (specifically check that your user account is in one of the groups that has access)
  4. Whilst checking the above, ensure that DnsAdmins has appropriate access to your zone(s)
Simon Catlin
  • 1. I'm not using it with AD, but it is the Windows built-in DNS server. Start->Programs->Admin Tools->DNS – eselk Jun 11 '13 at 23:09
  • 2. Yes, works great locally. 3. Found Advanced option under View menu, but don't see anything about permissions. 4. I don't see DnsAdmins anywhere (not under user management either, to add my user to that group), maybe because I'm not using a domain setup and/or not running AD? – eselk Jun 11 '13 at 23:14
  • DnsAdmins is a domain-local group. As you suggest, perhaps this isn't relevant for non-AD DNS. I don't have a non-AD test environment to check this against. – Simon Catlin Jun 12 '13 at 20:33