dnscmd and access denied errors

  • Question

  • Hi,

    I have a domain which I started to upgrade to 2008R2. I have a few 2008 R2 DCs and a few 2003R2 DCs. I have a 2003 member server. I'm logged on using domain admin credentials on this server. When I try to issue the following command against a 2008R2 DC:

    dnscmd /enumrecords msft-dc-01  /detail

    All I get is an error:

    DNS Server failed to enumerate records for node
        Status = 5 (0x00000005)

    Command failed:  ERROR_ACCESS_DENIED     5  (00000005)

    When I issue the same command against a 2003R2 DC, there are no access denied errors at all. How can I fix this issue? All of my scripts stopped working when I upgraded the DCs to 2008 R2. Thanks.
    18 March 2010 7:52


  • I think that this quote explains everything:



    I can manage 2008 R2 DNS fine from RSAT on Windows 7, but accessing from DNS Management mmc on Server 2003 R2 returns “access is denied”. If I install the 2003 R2 Admin Pack on an XP Pro PC the symptom is the same, Access Denied.


    This is expected behavior, starting with Windows Server 2008 a few years ago. RPC Integrity required by W2K8 R2 DNS Servers is not supported by the Win2000 and Win2003 versions of DNSMGMT.MSC (or DNSCMD.EXE). For the most secure experience, W2K8 R2 DNS servers should be administered from operating systems that can execute the Windows Server 2008 or later versions of DNSMGMT.MSC. So Vista RSAT, Win 7 RSAT, Win 2008, Win 2008 R2 – all running DNSMGMT.MSC.

    If you wanted to de-secure your Win2008/R2 DNS servers though – obviously this is highly discouraged – you can run the following command on your Win2008 R2 DNS servers to allow down-level connectivity:

    dnscmd.exe /Config /RpcAuthLevel 0

    If you do this you are exposing your Win2008/Win2008 R2 DNS servers to the same kind of named-pipe sniffing ‘man in the middle’ attacks that Win2003/2000 DNS administration are vulnerable to. Ideally for security, all of your DNS servers would be instead upgraded to Win2008 R2. More info here.

    • Marked as answer by Rimvydas 18 March 2010 9:12
    18 March 2010 9:12
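
To find DNS servers where the `/RpcAuthLevel 0` change described in the answer above has been applied, an audit can be run from a Windows Server 2008 or later admin host. This is an added example, not part of the original thread. It assumes that `dnscmd <server> /Info /RpcAuthLevel` reports the value on a `Dword:` line, as `dnscmd /Info` does for other DWORD server properties. The server names and the sample output are constructed.

```powershell
# Added example (not from the thread). Assumption: "dnscmd <server> /Info /RpcAuthLevel"
# prints the setting on a line such as "Dword:  0 (00000000)".

function Get-RpcAuthLevelFromText {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # An old dnscmd.exe (or missing rights) fails the way the question shows.
        if ($line -match 'ERROR_ACCESS_DENIED') { return 'AccessDenied' }
        if ($line -match 'Dword:\s*(\d+)')      { return [int]$Matches[1] }
    }
    return 'Unknown'   # unreachable server or unexpected output
}

function Test-DnsRpcAuthLevel {
    param([string[]]$Servers)
    foreach ($server in $Servers) {
        # Capture stdout and stderr as plain strings.
        $out   = & dnscmd.exe $server /Info /RpcAuthLevel 2>&1 | ForEach-Object { "$_" }
        $level = Get-RpcAuthLevelFromText -Lines $out
        if ($level -is [int] -and $level -eq 0) {
            $status = 'DOWN-LEVEL RPC ALLOWED (RpcAuthLevel 0)'
        } elseif ($level -is [int]) {
            $status = 'Not 0'
        } else {
            $status = "Could not read setting: $level"
        }
        New-Object PSObject -Property @{
            Server       = $server
            RpcAuthLevel = $level
            Status       = $status
        }
    }
}

# Offline check of the parser against constructed dnscmd output.
$sampleWeakened = @('Query result:', 'Dword:  0 (00000000)', '', 'Command completed successfully.')
$sampleDenied   = @('Command failed:  ERROR_ACCESS_DENIED     5  (00000005)')
Get-RpcAuthLevelFromText -Lines $sampleWeakened   # 0
Get-RpcAuthLevelFromText -Lines $sampleDenied     # AccessDenied

# Live use (placeholder server names):
# Test-DnsRpcAuthLevel -Servers 'dc-a.example.test', 'dc-b.example.test' |
#     Format-Table Server, RpcAuthLevel, Status -AutoSize
```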