DNS delegation of administrative rights

  • Question

  • Hi,

    I hope that someone can help me out on this one: if I want to delegate administration of DNS, does the DNS zone have to be Active Directory integrated?

    Thanks in advance!

    Grtz,

    Joost

    Saturday, September 24, 2016 9:28 AM

Answers

  • Yes, you may delegate DNS administration of a DNS zone regardless of whether the DNS zone is AD-integrated or not. But for a non-AD-integrated zone you need to apply the permissions directly on the \system32\dns folder and files. This solution doesn't scale easily and can become confusing. Therefore it is recommended to set up DNS so that it is integrated with the AD environment and you can apply DNS permissions according to security groups, such as the "DNS Admins" group, which by default has delegation rights to administer all AD-integrated DNS zones.

    Best Regards, Todd Heron | Active Directory Consultant

    • Proposed as answer by John Lii Tuesday, October 11, 2016 8:29 AM
    • Marked as answer by Leo Han (Moderator) Wednesday, October 12, 2016 9:23 AM
    Saturday, September 24, 2016 11:12 AM
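
An added example, not part of the thread: a PowerShell audit of who currently holds delegated DNS rights in both cases the answer describes, covering group and zone-object permissions for AD-integrated zones and NTFS permissions on the zone files for file-backed zones. It assumes the DnsServer and ActiveDirectory modules are installed, that it runs on the DNS server itself, and that the group carries its default name DnsAdmins.

```powershell
# Added example: review delegated DNS administration rights.
# Assumptions: run locally on the DNS server, with the DnsServer and
# ActiveDirectory modules available and the default group name 'DnsAdmins'.
Import-Module DnsServer, ActiveDirectory

# 1. Members (direct and nested) of the group that administers
#    AD-integrated zones by default.
Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
    Select-Object Name, SamAccountName, objectClass

# 2. AD-integrated zones: explicit (non-inherited) ACEs on each zone object,
#    i.e. per-zone delegations granted on top of the defaults.
Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated -and $_.DistinguishedName } |
    ForEach-Object {
        $zone = $_
        (Get-Acl -Path "AD:\$($zone.DistinguishedName)").Access |
            Where-Object { -not $_.IsInherited } |
            Select-Object @{ n = 'Zone'; e = { $zone.ZoneName } },
                          IdentityReference, ActiveDirectoryRights, AccessControlType
    }

# 3. File-backed zones: rights come from NTFS permissions on the zone files
#    under %SystemRoot%\System32\dns, so list those ACLs per zone file.
$dnsDir = Join-Path $env:SystemRoot 'System32\dns'
Get-DnsServerZone |
    Where-Object { -not $_.IsDsIntegrated -and $_.ZoneFile } |
    ForEach-Object {
        $zone = $_
        $path = Join-Path $dnsDir $zone.ZoneFile
        if (Test-Path -LiteralPath $path) {
            (Get-Acl -LiteralPath $path).Access |
                Select-Object @{ n = 'Zone'; e = { $zone.ZoneName } },
                              IdentityReference, FileSystemRights,
                              AccessControlType, IsInherited
        }
    }
```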

All replies

  • Hi Joost,

    I agree with Todd.

    Besides, if DNS is not integrated with AD, you could make the user a local administrator.

    Please refer to the document below for detailed information:

    Securing DNS zones

    https://technet.microsoft.com/en-us/library/cc755193(v=ws.11).aspx

    Best Regards

    John


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 26, 2016 7:52 AM
  • Hi,

    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    John



    Tuesday, October 11, 2016 8:29 AM