
I'm implementing DNS Policies, writing PowerShell scripts for certain tasks, and of course I don't want to schedule these tasks as domain admins; I want to use a least-privileged service account.

The thing is, I can't seem to figure out what's needed, and where. AD includes the DnsAdmins group, but it's not enough.

DNS Policy Components

There are essentially 3 new elements to DNS Policies:

  • Zone Scopes
  • Client Subnets
  • Policies

Zone Scopes are part of the zone itself, so on an AD-integrated zone, they are replicated with the zone.

But Client Subnets and Policies are not stored in AD, so they are not replicated, and there is no directory partition, for example, where you could check or set permissions.

Example Problem

Trying to create a Client Subnet entry, which works fine with a domain admin account, gives me a cryptic error about checking the internal exception details.

Doing that gives me a WIN32 1011 error:

The configuration registry key could not be opened.

Googling that error is fairly useless, and it never says which registry key it is.

This is with an account that is a normal domain user, but is a member of DnsAdmins and has no other special privileges.

That account can read a DNS Client Subnet just fine. But adding one fails.

For contrast, a domain user that is not a member of DnsAdmins cannot read the client subnet entry (permission denied).

Code

# Read a Client Subnet (-cn is the alias of -ComputerName)
Get-DnsServerClientSubnet -cn MyDC -Name 'My_CS_Entry'

# Add a Client Subnet; the cmdlet needs at least one -IPv4Subnet or -IPv6Subnet
# value (192.0.2.0/24 is a placeholder subnet)
Add-DnsServerClientSubnet -cn MyDC -Name 'My_CS_Entry' -IPv4Subnet '192.0.2.0/24'

So absent any documentation, I'm at a loss as to how to properly delegate permissions for this.

briantist
  • Could you use Get-acl in some way to iterate through the registry for all keys your DNSADMINS account just has read access to and go from there? – Richard Apr 25 '17 at 02:15
  • That's going to be a whole lot of keys, and since neither the account nor the DnsAdmins group are likely to be granted access directly, I'll have to resolve group memberships, or run as the user and try to access every key. The information doesn't appear to actually be stored in the DNS service's keys; otherwise it would be straightforward. I'm not convinced that the error message is completely accurate anyway; I'm skeptical this could be solved completely in the registry. – briantist Apr 25 '17 at 16:38
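As an added example (not code from the question, the comments or either answer), this is one way to do the registry ACL audit Richard suggests: walk the DNS Server service keys and report every ACE that belongs to one of the supplied principals, matching by SID so the name format in the ACE does not matter. Nested group membership is not resolved here, as briantist's comment points out it would have to be; the caller supplies every group the service account belongs to. The group names in the usage line are assumptions.

```powershell
# Audit registry ACLs under the DNS Server service keys for a set of principals and
# list which keys grant them write-type rights. Run elevated on the DNS server so
# every key's security descriptor can be read. Key paths are the real DNS Server keys.
function Get-DnsRegistryAccess {
    param(
        # The account and every group it belongs to (nested membership is not resolved
        # here; take the list from 'whoami /groups' run as that account).
        [Parameter(Mandatory)][string[]]$Principals,
        [string[]]$Roots = @(
            'HKLM:\SYSTEM\CurrentControlSet\Services\DNS',
            'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server'
        )
    )
    # Rights that let a principal change a key rather than merely read it.
    $writeBits = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    # Compare by SID so 'DOMAIN\DnsAdmins' matches however the ACE spells the name.
    $wanted = foreach ($p in $Principals) {
        ([System.Security.Principal.NTAccount]$p).Translate([System.Security.Principal.SecurityIdentifier]).Value
    }
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            try { $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop }
            catch { [pscustomobject]@{ Key = $key.Name; Principal = '(none)'; Rights = 'ACL not readable' }; continue }
            foreach ($ace in $acl.Access) {
                try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
                catch { continue }   # orphaned or untranslatable identities
                if ($wanted -notcontains $sid) { continue }
                [pscustomobject]@{
                    Key       = $key.Name
                    Principal = $ace.IdentityReference.Value
                    Type      = $ace.AccessControlType      # Allow or Deny
                    Inherited = $ace.IsInherited
                    Writable  = (($ace.RegistryRights -band $writeBits) -ne 0)
                    Rights    = $ace.RegistryRights
                }
            }
        }
    }
}

# Usage (group names are assumptions): show where the service account's groups appear
# in the DNS keys and whether that ACE allows writes; keys with no row at all are only
# reachable through inherited or other-group ACEs.
Get-DnsRegistryAccess -Principals "$env:USERDOMAIN\DnsAdmins", 'BUILTIN\Administrators' |
    Sort-Object Key | Format-Table Key, Principal, Type, Writable, Rights -AutoSize
```

Deny ACEs are listed with Type = Deny, so a key that looks writable by one group can still be blocked for the account by another entry.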

2 Answers

Well, this isn't the final answer I'm looking for, but it's something; I hope there will be more answers.

I've found that a member of the domain's BUILTIN\Administrators group has sufficient permissions for DNS Policies.

That's not surprising since it's essentially a domain admin without the administrative access to member computers.

I'd really like to find something more limited, but for now this is what I'm going with.

briantist


It may be caused by the security permissions for the DnsAdmins security group not being automatically added to newly created Active Directory Integrated zones. To work around this issue, you should manually add the DnsAdmins security group to the zone access control list (ACL) and grant Full Control.

There are 3 ways you could do that:

1. Use the Dsacls.exe tool.

2. Use the Active Directory Service Interfaces (ADSI) Editor.

3. Use DNS Manager.

You could check this KB from Microsoft for the details: KB837335

  • Thanks, I have seen this before, but it was already done in my organization (technically a separate group was created and the permissions applied). But as I said, the non-replicating portions of DNS Policies are not stored in AD anyway, so whatever permissions are missing, I don't think they're in the directory. – briantist Apr 26 '17 at 15:23