dnscmd and access denied errors

  • Question

  • Hi,

    I have a domain which I started to upgrade to 2008 R2. I have a few 2008 R2 DCs and a few 2003 R2 DCs, and I have a 2003 member server. I'm logged on to this server using Domain Admins credentials. When I try to issue the following command against a 2008 R2 DC:

    dnscmd msft-dc-01.domain.com. /enumrecords domain.com msft-dc-01  /detail

    All I get is an error:

    DNS Server failed to enumerate records for node msft-dc-01.comain.com
        Status = 5 (0x00000005)

    Command failed:  ERROR_ACCESS_DENIED     5  (00000005)

    When I issue the same command against a 2003 R2 DC there are no access denied errors at all. How can I fix this issue? All of my scripts stopped working when I upgraded the DCs to 2008 R2. Thanks.
    Thursday, March 18, 2010 07:52

Answers

  • I think that this quote explains everything:

    -------

    Question:

    I can manage 2008 R2 DNS fine from RSAT on Windows 7, but accessing it from the DNS Management MMC on Server 2003 R2 returns “access is denied”. If I install the 2003 R2 Admin Pack on an XP Pro PC, the symptom is the same: Access Denied.

    Answer:

    This is expected behavior, starting with Windows Server 2008 a few years ago. RPC Integrity required by W2K8 R2 DNS Servers is not supported by the Win2000 and Win2003 versions of DNSMGMT.MSC (or DNSCMD.EXE). For the most secure experience, W2K8 R2 DNS servers should be administered from operating systems that can execute the Windows Server 2008 or later versions of DNSMGMT.MSC. So Vista RSAT, Win 7 RSAT, Win 2008, Win 2008 R2 – all running DNSMGMT.MSC.

    If you wanted to de-secure your Win2008/R2 DNS servers though – obviously this is highly discouraged – you can run the following command on your Win2008 R2 DNS servers to allow down-level connectivity:

    dnscmd.exe /Config /RpcAuthLevel 0

    If you do this you are exposing your Win2008/Win2008 R2 DNS servers to the same kind of named-pipe sniffing ‘man in the middle’ attacks that Win2003/2000 DNS administration is vulnerable to. Ideally, for security, all of your DNS servers would instead be upgraded to Win2008 R2. More info here.


    • Marked as answer by Rimvydas Thursday, March 18, 2010 09:12
    Thursday, March 18, 2010 09:12

All replies

  • Please use the elevated command prompt and check the issue.
    http://www.virmansec.com/blogs/skhairuddin
    • Proposed as answer by Meinolf Weber Thursday, March 18, 2010 08:09
    • Unproposed as answer by Rimvydas Thursday, March 18, 2010 08:24
    Thursday, March 18, 2010 07:56
  • Elevated command prompt on a 2003 server??? What does it look like?

    dnscmd is run on the 2003 member server.
    Thursday, March 18, 2010 08:24
  • A few more notes.

    I've tried to run the same command from a Windows 7 workstation using an ordinary domain user security context. And it didn't return ANY errors at all.

    But when I run this command from the 2003 member server against a 2008 R2 DC I get access denied errors :/ WHY? Is it a bug?
    Thursday, March 18, 2010 08:49
  • You may need to set the RpcProtocol as well.

    dnscmd.exe /Config /RpcProtocol 7
    Remember to restart the DNS Server service after applying the above two commands for them to take effect.

    Wednesday, December 1, 2010 20:34
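  • The accepted answer and the reply above describe two settings (RpcAuthLevel 0 and RpcProtocol 7) that weaken the RPC interface of a 2008 R2 DNS server so that 2003-era dnscmd can talk to it. Once the last 2003 admin host is retired, those settings tend to be forgotten. The following PowerShell audit is an added example, not code posted by anyone in this thread. It assumes (the thread does not say so) that dnscmd /Config stores these values under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters and that a missing value means the OS default is in effect; the function name Get-DnsRpcHardeningState and the second server name are placeholders.

    ```powershell
    # Added example (not from the thread): find DNS servers still running with the
    # down-level RPC settings discussed above, so they can be reviewed and reverted.
    # Assumption: dnscmd /Config writes RpcAuthLevel and RpcProtocol under
    # HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters; an absent value
    # means the server uses the operating-system default.
    # Requires the Remote Registry service on each target and read access to HKLM.

    function Get-DnsRpcHardeningState {
        param(
            [Parameter(Mandatory)]
            [string[]]$ComputerName
        )

        $paramKey = 'SYSTEM\CurrentControlSet\Services\DNS\Parameters'

        foreach ($computer in $ComputerName) {
            $result = [pscustomobject]@{
                ComputerName = $computer
                RpcAuthLevel = $null
                RpcProtocol  = $null
                Status       = 'Unknown'
                Findings     = @()
            }

            try {
                $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
                $key  = $hive.OpenSubKey($paramKey)
                if (-not $key) {
                    # No DNS Server role parameters present on this host.
                    $result.Status = 'NoDnsParametersKey'
                    $hive.Close()
                    $result
                    continue
                }

                # GetValue returns $null when dnscmd /Config never set the value.
                $result.RpcAuthLevel = $key.GetValue('RpcAuthLevel')
                $result.RpcProtocol  = $key.GetValue('RpcProtocol')

                # The two exact values the thread uses to allow down-level clients.
                if ($result.RpcAuthLevel -eq 0) {
                    $result.Findings += 'RpcAuthLevel=0: RPC integrity not required (down-level clients accepted)'
                }
                if ($result.RpcProtocol -eq 7) {
                    $result.Findings += 'RpcProtocol=7: value set in the thread for down-level connectivity'
                }

                $result.Status = if ($result.Findings.Count -gt 0) { 'DownLevelRpcEnabled' } else { 'Default' }
                $key.Close()
                $hive.Close()
            }
            catch {
                $result.Status = "Error: $($_.Exception.Message)"
            }

            $result
        }
    }

    # Constructed input: the DC named in the question plus a placeholder second server.
    Get-DnsRpcHardeningState -ComputerName 'msft-dc-01.domain.com', 'dc02.example.invalid' |
        Format-Table ComputerName, RpcAuthLevel, RpcProtocol, Status -AutoSize
    ```

    Any server reported as DownLevelRpcEnabled is the one to revisit: remove the custom values (or set them back to the default) and restart the DNS Server service, as the reply above notes, once nothing older than a 2008-level DNSMGMT.MSC or dnscmd still needs to manage it. Null values in both columns mean the server was never de-secured this way.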
  • Thank you, that worked for me.
    Bluegill Fisherman
    Tuesday, January 10, 2012 21:50