dnscmd and access denied errors

  • Question

  • Hi,

    I have a domain which I started to upgrade to 2008 R2; I have a few 2008 R2 DCs and a few 2003 R2 DCs. I have a 2003 member server. I'm logged on using Domain Admins credentials on this server. When I try to issue the following command against a 2008 R2 DC:

    dnscmd msft-dc-01.domain.com. /enumrecords domain.com msft-dc-01  /detail

    All I get is an error:

    DNS Server failed to enumerate records for node msft-dc-01.domain.com
        Status = 5 (0x00000005)

    Command failed:  ERROR_ACCESS_DENIED     5  (00000005)

    When I issue the same command against a 2003 R2 DC there are no access denied errors at all. How can I fix this issue? All of my scripts stopped working when I upgraded the DCs to 2008 R2. Thanks.
    Thursday, 18 March 2010 7:52

Answers

  • I think that this quote explains everything:

    -------

    Question:

    I can manage 2008 R2 DNS fine from RSAT on Windows 7, but accessing from the DNS Management MMC on Server 2003 R2 returns "access is denied". If I install the 2003 R2 Admin Pack on an XP Pro PC, the symptom is the same: Access Denied.

    Answer:

    This is expected behavior, starting with Windows Server 2008 a few years ago. RPC Integrity required by W2K8 R2 DNS Servers is not supported by the Win2000 and Win2003 versions of DNSMGMT.MSC (or DNSCMD.EXE). For the most secure experience, W2K8 R2 DNS servers should be administered from operating systems that can execute the Windows Server 2008 or later versions of DNSMGMT.MSC. So Vista RSAT, Win 7 RSAT, Win 2008, Win 2008 R2 – all running DNSMGMT.MSC.

    If you wanted to de-secure your Win2008/R2 DNS servers though – obviously this is highly discouraged – you can run the following command on your Win2008 R2 DNS servers to allow down-level connectivity:

    dnscmd.exe /Config /RpcAuthLevel 0

    If you do this you are exposing your Win2008/Win2008 R2 DNS servers to the same kind of named-pipe sniffing 'man in the middle' attacks that Win2003/2000 DNS administration is vulnerable to. Ideally for security, all of your DNS servers would instead be upgraded to Win2008 R2. More info here.


    • Marked as answer by Rimvydas, Thursday, 18 March 2010 9:12
    Thursday, 18 March 2010 9:12

All replies

  • Please use the elevated command prompt and check the issue.
    http://www.virmansec.com/blogs/skhairuddin
    • Proposed as answer by Meinolf Weber, Thursday, 18 March 2010 8:09
    • Unproposed as answer by Rimvydas, Thursday, 18 March 2010 8:24
    Thursday, 18 March 2010 7:56
  • Elevated command prompt on a 2003 server??? What does that look like?

    dnscmd is run  on 2003 member server.
    Thursday, 18 March 2010 8:24
  • few more notes.

    I've tried to run the same command from a Windows 7 workstation using an ordinary domain user security context. And it didn't return ANY errors at all.

    But when I run this command from the 2003 member server against a 2008 R2 DC I get access denied errors :/ WHY? Is it a bug?
    Thursday, 18 March 2010 8:49
  • You may need to set the RpcProtocol as well.

    dnscmd.exe /Config /RpcProtocol 7
    Remember to restart the DNS Server service after applying the above two commands for them to take effect.

    Wednesday, 1 December 2010 20:34
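The two settings discussed in this thread (the RpcAuthLevel downgrade in the marked answer and the RpcProtocol change in the reply above) are exactly what a security reviewer would want to audit across every DNS server afterwards, and revert once the last 2003 box is gone. The following PowerShell is an added example written for this page; it is not code from the thread or from Microsoft. It assumes (not confirmed by the thread) that `dnscmd /Config /RpcAuthLevel` and `/RpcProtocol` persist their values as REG_DWORDs named `RpcAuthLevel` and `RpcProtocol` under `HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters`, that deleting the `RpcAuthLevel` override returns the service to its built-in integrity requirement, and that WinRM is enabled on the targets. The function names `Get-DnsRpcSetting`, `Test-DnsRpcHardening` and `Restore-DnsRpcAuthLevel` are the example's own.

```powershell
# Added example, not from the original thread. Audits (and optionally reverts)
# the DNS Server RPC settings discussed above.
# Assumptions (see lead-in): the registry path and value names below are where
# dnscmd /Config /RpcAuthLevel and /RpcProtocol store their values, and removing
# the RpcAuthLevel value restores the built-in default. Requires WinRM.

$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

# RpcProtocol is a bitmask: 1 = TCP/IP, 2 = named pipes, 4 = LPC; 7 enables all three.
$RpcProtocolFlags = @{ 1 = 'TCP/IP'; 2 = 'NamedPipes'; 4 = 'LPC' }

function Get-DnsRpcSetting {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Path)
        $p = Get-ItemProperty -Path $Path -ErrorAction Stop
        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            RpcAuthLevel = $p.RpcAuthLevel    # $null when no override has been set
            RpcProtocol  = $p.RpcProtocol     # $null means the built-in default
        }
    } -ArgumentList $DnsParams
}

function Test-DnsRpcHardening {
    param([Parameter(ValueFromPipeline)]$Setting)
    process {
        $protocols = if ($null -eq $Setting.RpcProtocol) { 'default' } else {
            ($RpcProtocolFlags.Keys | Where-Object { $Setting.RpcProtocol -band $_ } |
                ForEach-Object { $RpcProtocolFlags[$_] }) -join ','
        }
        [pscustomobject]@{
            Computer     = $Setting.Computer
            RpcAuthLevel = $Setting.RpcAuthLevel
            Protocols    = $protocols
            # 0 is the de-secured value from the thread: RPC calls no longer
            # need integrity protection, so a man in the middle can tamper.
            Downgraded   = ($Setting.RpcAuthLevel -eq 0)
        }
    }
}

function Restore-DnsRpcAuthLevel {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Path)
        # Remove the override instead of guessing a numeric level; the service
        # then falls back to its built-in requirement (assumption, see lead-in).
        Remove-ItemProperty -Path $Path -Name RpcAuthLevel -ErrorAction SilentlyContinue
        # The thread notes these settings only take effect after a restart.
        Restart-Service -Name DNS
    } -ArgumentList $DnsParams
}

# Usage: list every DC whose DNS server still has the downgrade applied
# (needs the ActiveDirectory module and WinRM access to each DC).
# Get-ADDomainController -Filter * |
#     ForEach-Object { Get-DnsRpcSetting -ComputerName $_.HostName } |
#     Test-DnsRpcHardening | Where-Object Downgraded
```

Run the audit from a Windows 7 / 2008 R2 (or later) management host, since the point of the thread is that the 2003-era tools cannot talk to the hardened server at all. Treat any `Downgraded = True` result as a finding to be closed once the last down-level administration host is retired, and remember that widening `RpcProtocol` to 7 re-enables the named-pipe transport that the marked answer singles out as the sniffable one.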
  • Thank you, that worked for me.
    Bluegill Fisherman
    Tuesday, 10 January 2012 21:50