none
default permissions for DNS zone RRS feed

  • Question

  • Hello

    In an environment someone has changed the DNS zones default permissions. Now computer accounts after joining to domain are not able to create DNS record and PTR record. when I add computer account name and give it full permission it creates A and PTR records in DNS. I need to know what are the default permissions set on DNS zones and adding which group (authenticated users or domain computers or ...) could solve my problem without any security issue?

    Thanks in advance



    Saturday, June 8, 2019 12:35 PM

Answers

  • Hi Ghasem Shams,

    " someone has changed the DNS zones default permissions "

    It seems that this behavior has had a very serious negative impact on your environment.

    I consulted the senior engineer who said that your situation is rare. This problem needs to be corrected by collecting more logs or packets. So I would suggest that you open a case with Microsoft for more help.

    Best Regards,

    Leon


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Ghasem Shams Monday, July 1, 2019 11:33 AM
    Thursday, June 27, 2019 9:01 AM

All replies

  • Hello Ghasem Shams,

    Thank you for posting in this forum.

    You can refer to this article for the default permissions settings.

    Securing DNS zones

    Also, if you have the habit of backing up, you can also restore back to the previous DNS from the backup.

    Best Regards,

    Leon


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, June 10, 2019 7:36 AM
  • hello 

    I have checked and set all permissions mentioned in that article. but no luck. same error.

    any other suggestions?


    Monday, June 10, 2019 11:15 AM
  • Hello Ghasem Shams,

    Please add that account to DnsAdmins Group.

    Best Regards,

    Leon


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, June 11, 2019 6:49 AM
  • I did so, but an event rises in clients eventvwr (event id 8018):

    The system failed to register host (A or AAAA) resource records (RRs) for network adapter
    with settings:

               Adapter Name : {03AF018D-4F1D-4380-B111-E4067BE26D32}
               Host Name : SRV53109
               Primary Domain Suffix : X.com
               DNS server list :
    10.0.53.3, 10.0.53.14
               Sent update to server : <?>
               IP Address(es) :
                 10.0.53.109

    The reason the system could not register these RRs was because the DNS server contacted refused the update request. The reasons for this might be (a) you are not allowed to update the specified DNS domain name, or (b) because the DNS server authoritative for this name does not support the DNS dynamic update protocol.

    To register the DNS host (A or AAAA) resource records using the specific DNS domain name and IP addresses for this adapter, contact your DNS server or network systems administrator.

    I should mention there is no connectivity issue like needed open ports and ... . When I add computer account to ACL, it can register the record. I installed a new domain in lab and set my domains ACL exactly like that as default. but no luck yet. anything else?

                 
    Wednesday, June 12, 2019 12:51 PM
  • Hi Ghasem Shams,

    Have you enabled dynamic update on DNS server? ( Nonsecure and secure? Or Secure only? )

    What account are you using to log in to the client computer?

    Is the IP address of the client computer obtained via DHCP or manually configured?

    Best Regards,

    Leon


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, June 13, 2019 5:50 AM
  • Hello

    Yes dear, Dynamic update is enabled and set on secure only. 

    I'm logging on with domain admin.

    IP address is configured manually on this server(DNS client)

    Thursday, June 13, 2019 11:26 AM
  • Hi,

    Is the DNS Client service on the client machine enabled? If it is not enabled, enable it. If it is enabled, restart it.

    Add the domain administrator account to the DnsUpdateProxy group as well.

    The current situation is that the machine that has joined the domain has created a record, but this record cannot be updated, is it?

    If so, right-click on this record in the DNS, choose Properties -> Security -> Advanced to see who is the owner of this record.

    You didn't set up a group policy to disable the client to update its records, right?

    Best Regards,

    Leon


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, June 14, 2019 7:16 AM
  • Hi,

    Just checking the current situation of your problem.
    Please let us know if you would like further help.

    Best regards,
    Leon

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, June 18, 2019 6:58 AM
  • hello dear

    thanks for your follow up

    1- DNS Client service is enabled on the client. It is not an issue because its not happening for one or two machines. It's whole domain

    2- I added the domain administrator account to the DnsUpdateProxy group

    3-

    The current situation is that the machine that has joined the domain has created a record, but this record cannot be updated, is it?

    No, Machine does not create record when join to domain. we have to create the record manually, Or add the server computer account to ACL.

    4-

    You didn't set up a group policy to disable the client to update its records, right?

    No, There is not any policy like this.


    Sunday, June 23, 2019 12:12 PM
  • Hi,

    Did you check "Register this connection's addresses in DNS" in the NIC properties?

    Best Regards,

    Leon


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, June 24, 2019 8:26 AM
  • Yes its exactly like your picture. DNS Servers IP addresses and everything checked again. WINS is enabled could be important?
    Monday, June 24, 2019 11:33 AM
  • Hi Ghasem Shams,

    " someone has changed the DNS zones default permissions "

    It seems that this behavior has had a very serious negative impact on your environment.

    I consulted the senior engineer who said that your situation is rare. This problem needs to be corrected by collecting more logs or packets. So I would suggest that you open a case with Microsoft for more help.

    Best Regards,

    Leon


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Ghasem Shams Monday, July 1, 2019 11:33 AM
    Thursday, June 27, 2019 9:01 AM