Access Denied Error when searching MicrosoftDNS resource records through WMI

  • Question

  • I'm trying to add DNS entries via WMI. The DNS entries are created inside a webservice call process hosted in IIS (running as a specified app pool account), and changing DNS entries on the local machine.

    Here's the code that's failing:

    // Requires: using System; using System.Collections.Generic; using System.Management;
    // _scope, domain and DNSRecord are declared elsewhere in the poster's class.
    ConnectionOptions co = new ConnectionOptions();
    co.Impersonation = ImpersonationLevel.Impersonate;
    _scope = new ManagementScope(@"\\.\root\MicrosoftDNS", co);
    _scope.Connect();
    string query = String.Format("SELECT * FROM MicrosoftDNS_ResourceRecord WHERE DomainName='{0}'", domain);
    ManagementObjectSearcher searcher = new ManagementObjectSearcher(_scope, new ObjectQuery(query));

    // Get() is lazy: the query is only executed when the collection is enumerated.
    ManagementObjectCollection collection = searcher.Get();
    Console.WriteLine(domain);
    List<DNSRecord> records = new List<DNSRecord>();
    foreach (ManagementObject p in collection) //Fails HERE

    This is the error I'm getting:

    Generic failure 

     at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)

    <INSTANCE CLASSNAME="__ExtendedStatus">
    <QUALIFIER NAME="abstract" PROPAGATED="true" TYPE="boolean" OVERRIDABLE="false" TOINSTANCE="true">
    <VALUE>TRUE</VALUE>
    </QUALIFIER>
    <PROPERTY NAME="__PATH" CLASSORIGIN="___SYSTEM" TYPE="string"></PROPERTY>
    <PROPERTY NAME="__NAMESPACE" CLASSORIGIN="___SYSTEM" TYPE="string"></PROPERTY>
    <PROPERTY NAME="__SERVER" CLASSORIGIN="___SYSTEM" TYPE="string"></PROPERTY>
    <PROPERTY.ARRAY NAME="__DERIVATION" CLASSORIGIN="___SYSTEM" TYPE="string">
    <VALUE.ARRAY>
    <VALUE>__NotifyStatus</VALUE>
    </VALUE.ARRAY>
    </PROPERTY.ARRAY>
    <PROPERTY NAME="__PROPERTY_COUNT" CLASSORIGIN="___SYSTEM" TYPE="sint32">
    <VALUE>5</VALUE>
    </PROPERTY>
    <PROPERTY NAME="__RELPATH" CLASSORIGIN="___SYSTEM" TYPE="string"></PROPERTY>
    <PROPERTY NAME="__DYNASTY" CLASSORIGIN="___SYSTEM" TYPE="string">
    <VALUE>__NotifyStatus</VALUE>
    </PROPERTY>
    <PROPERTY NAME="__SUPERCLASS" CLASSORIGIN="___SYSTEM" TYPE="string">
    <VALUE>__NotifyStatus</VALUE>
    </PROPERTY>
    <PROPERTY NAME="__CLASS" CLASSORIGIN="___SYSTEM" TYPE="string">
    <VALUE>__ExtendedStatus</VALUE>
    </PROPERTY>
    <PROPERTY NAME="__GENUS" CLASSORIGIN="___SYSTEM" TYPE="sint32">
    <VALUE>2</VALUE>
    </PROPERTY>
    <PROPERTY NAME="Description" CLASSORIGIN="__ExtendedStatus" TYPE="string">
    <QUALIFIER NAME="CIMTYPE" PROPAGATED="true" TYPE="string" TOINSTANCE="true">
    <VALUE>string</VALUE>
    </QUALIFIER>
    <VALUE>ERROR_ACCESS_DENIED</VALUE>
    </PROPERTY>
    <PROPERTY NAME="Operation" CLASSORIGIN="__ExtendedStatus" TYPE="string">
    <QUALIFIER NAME="CIMTYPE" PROPAGATED="true" TYPE="string" TOINSTANCE="true">
    <VALUE>string</VALUE>
    </QUALIFIER>
    <VALUE>ExecQuery</VALUE>
    </PROPERTY>
    <PROPERTY NAME="ParameterInfo" CLASSORIGIN="__ExtendedStatus" TYPE="string">
    <QUALIFIER NAME="CIMTYPE" PROPAGATED="true" TYPE="string" TOINSTANCE="true">
    <VALUE>string</VALUE>
    </QUALIFIER>
    <VALUE>SELECT * FROM MicrosoftDNS_ResourceRecord WHERE DomainName='paretoplatform.com'</VALUE>
    </PROPERTY>
    <PROPERTY NAME="ProviderName" CLASSORIGIN="__ExtendedStatus" TYPE="string">
    <QUALIFIER NAME="CIMTYPE" PROPAGATED="true" TYPE="string" TOINSTANCE="true">
    <VALUE>string</VALUE>
    </QUALIFIER>
    <VALUE>WinMgmt</VALUE>
    </PROPERTY>
    <PROPERTY NAME="StatusCode" CLASSORIGIN="__NotifyStatus" PROPAGATED="true" TYPE="uint32">
    <QUALIFIER NAME="CIMTYPE" PROPAGATED="true" TYPE="string" TOINSTANCE="true">
    <VALUE>uint32</VALUE>
    </QUALIFIER>
    </PROPERTY>
    </INSTANCE>
    I've tried in WMI security settings -> MicrosoftDNS that BOTH the app pool user and the executing user have all permissions as well as both administrators on the machine.

    I get the same error if I run the code as a standalone app as the application pool identity. If I run in an elevated context, everything works great. 

    Note: This exact same code works fine on another DNS server (the domain controller actually), and as far as I can tell I've set up the permissions exactly the same in both places.

    Any suggestions?



    Thank you in advance for your help. If you think you may be able to help with any of my unanswered threads please look at them here


    Monday, May 7, 2012 5:08 PM

All replies

  • Hello Paulo,


    Your query involves coding and scripting. For general WMI-related queries, we'd recommend posting in the Microsoft Scripting forum.


    The Official Scripting Guys Forum!
    http://social.technet.microsoft.com/Forums/en-US/ITCG/threads


    Thanks
    Zhang

    Tuesday, May 8, 2012 7:01 AM
  • Ok, I'll repost there, thanks.



    Tuesday, May 8, 2012 2:46 PM
  • Ok, those guys are saying they can't help because it's a permissions issue... I'm just going to add the same info here as well and hopefully someone will see and have some insight as it seems that no forum is willing to have my question on it.

    The DNS server is on the same machine and the service. The commands are being executed under one of two users (I can't seem to figure out which one specifically). 

    WindowsIdentity: PARETOPLATFORM\CRM5APPSERVICE
    Thread Principal: PARETOPLATFORM\pcristini

    The machine's Administrator's group:

    DCOM User's group:

    WMI > MicrosoftDNS > Security (both users have everything but the Read/Edit Security)

    Component Services > Windows Management Instrumentation > Security > Access Permissions > Customize 

    As far as I can tell these are all the permissions required.



    Tuesday, May 8, 2012 3:59 PM
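
A diagnostic for the situation described in this thread, added here as an example and not code from any poster: it prints the Windows token the WMI call actually runs under next to the managed thread principal, reports whether that token has the Administrators group enabled, then runs the same query and dumps the `__ExtendedStatus` fields on failure. The class name `WmiDnsAccessCheck` and the sample zone `example.test` are assumptions.

```csharp
// Added diagnostic sketch; not code from the thread. Targets .NET Framework on Windows.
using System;
using System.Management;
using System.Security.Principal;
using System.Threading;

static class WmiDnsAccessCheck
{
    static void Main(string[] args)
    {
        // Constructed sample zone name; pass the real one as the first argument.
        string domain = args.Length > 0 ? args[0] : "example.test";

        // The OS token that WMI evaluates: the thread's impersonation token if
        // one is active, otherwise the process (app pool) token.
        using (WindowsIdentity token = WindowsIdentity.GetCurrent())
        {
            var principal = new WindowsPrincipal(token);
            Console.WriteLine("OS token user      : " + token.Name);
            Console.WriteLine("Impersonation level: " + token.ImpersonationLevel);
            // False when BUILTIN\Administrators is absent or deny-only (non-elevated token).
            Console.WriteLine("Admin group enabled: " + principal.IsInRole(WindowsBuiltInRole.Administrator));
        }
        // Managed principal only; it is not the identity used for the WMI access check.
        Console.WriteLine("Thread principal   : " + Thread.CurrentPrincipal?.Identity?.Name);

        var co = new ConnectionOptions { Impersonation = ImpersonationLevel.Impersonate };
        var scope = new ManagementScope(@"\\.\root\MicrosoftDNS", co);
        // WQL string literals escape backslash and single quote with a backslash.
        string safe = domain.Replace(@"\", @"\\").Replace("'", @"\'");
        var query = new ObjectQuery(
            "SELECT * FROM MicrosoftDNS_ResourceRecord WHERE DomainName='" + safe + "'");
        try
        {
            scope.Connect();
            using (var searcher = new ManagementObjectSearcher(scope, query))
            using (ManagementObjectCollection records = searcher.Get())
                Console.WriteLine("Query OK, records: " + records.Count); // Count enumerates
        }
        catch (ManagementException ex)
        {
            Console.WriteLine("WMI status: " + ex.ErrorCode);
            ManagementBaseObject info = ex.ErrorInformation; // __ExtendedStatus, may be null
            if (info != null)
                foreach (string name in new[] { "Description", "Operation", "ProviderName" })
                    Console.WriteLine("  " + name + " = " + info[name]);
        }
    }
}
```

Running it once from a normal prompt and once elevated, under the same account, shows whether the only difference between the failing and working runs is the token's Administrators group state.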