Accidental Deletion Prevention DNS Zone

    Question

  • Hi,

    We would like to set Deny Delete and Deny Delete Subtree for Everyone in the DNS Zone to protect against accidental deletion in the DNS zone.

    - What is the ramification of doing that?

    - Will our Scavenging on DNS still work after doing this? 

    - Is this as easy as just selecting Deny here and checking Delete and Delete Subtree?

    Please advise. Thanks!

    Wednesday, March 8, 2017 11:04 PM

Answers

  • Hi,
    If you set the action as you posted, then no one could delete the DNS zone, and if you want to prevent accidental DNS Zone deletions, you could select the flag “Protect object from accidental deletion” by browsing to Active Directory Users and Computers \ Domain Name \ System \ Microsoft DNS \ DNS Zone name.
    https://blogs.technet.microsoft.com/networking/2016/08/11/how-to-prevent-accidental-dns-zone-deletions-in-windows-server/
    In addition, based on my test in the lab environment, I have set Deny Delete and Deny Delete Subtree for Everyone in the DNS Zone, and enabled Scavenging on DNS; Scavenging on DNS still works.
    Hope it could offer you some reference.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Marked as answer by DoBongSoon Thursday, March 9, 2017 4:15 PM
    Thursday, March 9, 2017 5:27 AM
    Moderator

All replies

  • Thanks Wendy!
    Thursday, March 9, 2017 4:15 PM
  • Hi,
    My pleasure, you are welcome.
    Best regards,
    Wendy

    Friday, March 10, 2017 1:31 AM
    Moderator
  • Hi Wendy

    I have a follow-up question. If I click down and select "DENY", I will select Delete and Delete Subtree. Should I just simply uncheck all check boxes to prevent deny of all other permissions?

    The interface is confusing to me. If my step above is wrong, can you please walk me through how you select deny correctly? Thanks!

    Friday, March 10, 2017 7:24 PM
  • Hi,
    Based on my experience, what you have done is right for me. Have you suffered any errors?
    Best regards,
    Wendy

    Monday, March 13, 2017 1:42 AM
    Moderator
  • Hi Wendy,

    Thanks. Just want to confirm the proper actions I should do... that I should "uncheck the rest" under DENY. The ACL permission was confusing to me. I was expecting that if I click down and select DENY, it will switch the interface and show me the permissions that are currently denied. However, instead, it is a manual process where I have to uncheck things that were ALLOW while under the DENY box. In previous Windows it shows me Allow and Deny side by side. That's much better but oh well.

    Yes, we suffered from an error. I selected DENY Delete and Delete Subtree and pressed OK. I didn't know that I have to uncheck the rest manually. Our DNS disappeared (it did not get deleted) because of denied permissions from everyone. After 8 hours of catastrophe, we recovered from it. Another story, but we eventually resolved it.

    Thanks so much for your time and help on this. I appreciate it a lot!


    • Edited by DoBongSoon Monday, March 13, 2017 3:40 PM
    Monday, March 13, 2017 3:19 PM
  • Hi,
    My pleasure, and you are welcome.
    Best regards,
    Wendy

    Tuesday, March 14, 2017 1:39 AM
    Moderator
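
A read-only check for the failure described in this thread (a Deny entry for Everyone that covers more than Delete and Delete Subtree), as an added example that is not part of the original posts. `Test-ZoneDenyAce` and the sample ACEs are constructed for illustration; the commented `Get-Acl` line assumes the ActiveDirectory module and uses a placeholder for the zone's distinguished name.

```powershell
# Added example (not from the thread): audit Deny ACEs for Everyone on a zone object.
Add-Type -AssemblyName System.DirectoryServices

$EveryoneSid = 'S-1-1-0'   # well-known SID for Everyone
# The only rights the thread intends to deny: Delete and Delete Subtree
$Intended = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree'

function Test-ZoneDenyAce {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [System.DirectoryServices.ActiveDirectoryAccessRule[]] $Ace
    )
    foreach ($a in $Ace) {
        if ($a.AccessControlType -ne 'Deny') { continue }
        $sid = $a.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid.Value -ne $EveryoneSid) { continue }

        # Bits denied in addition to Delete / Delete Subtree
        $extra = [int]$a.ActiveDirectoryRights -band (-bnot [int]$Intended)
        $verdict = 'OK: deletion only'
        if ($extra -ne 0) { $verdict = 'REVIEW: denies more than deletion' }

        [pscustomobject]@{
            Denied       = $a.ActiveDirectoryRights
            BeyondDelete = [System.DirectoryServices.ActiveDirectoryRights]$extra
            Verdict      = $verdict
        }
    }
}

# Constructed sample ACEs: the intended entry, and an entry that leaves other
# rights checked (represented by GenericAll, an assumption; the thread does not
# list which boxes were left checked).
$everyone = [System.Security.Principal.SecurityIdentifier]$EveryoneSid
$deny     = [System.Security.AccessControl.AccessControlType]::Deny
$sample = @(
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($everyone, $Intended, $deny)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $everyone, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, $deny)
)
Test-ZoneDenyAce -Ace $sample | Format-List

# Against a real zone (assumes the ActiveDirectory module; DN is a placeholder):
# Test-ZoneDenyAce -Ace (Get-Acl 'AD:\<zone distinguished name>').Access
```

Running the check on a lab copy of the zone's ACL before and after editing the Deny entry shows whether anything other than Delete and Delete Subtree ended up denied.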