Anyone know an easy way to modify security across many zones? For example I have a hundred or so reverse pointer zones and I want to make sure a group has certain permission level on all zones. Is there a way to avoid right clicking each and going into security? Also I'd like all new zones to automatically get this group.

Keeping DNS consistent across many DNS servers and managing zones is more painful than it needs to be. Wish I could right-click->security on "Reverse Lookup Zones", similar to how you can set permission at the domain level in AD.

Thanks for any help, Fred

FredS
  • What permission, and are the zones AD-integrated? – Greg Askew Jan 09 '17 at 14:36
  • Full Control on zone and all sub objects for group "DNSAdmins". Yes AD integrated. – FredS Jan 09 '17 at 16:25
  • The domain builtin group DNSAdmins by default has everything except the full control checkbox on the DomainDNSZones partition. Are these zones replicated to the domain or forest? – Greg Askew Jan 09 '17 at 18:11
  • Yes I thought that was the case but doesn't seem to be in my environment for some reason. Zones are AD-Integrated and Replicate to "all DNS servers in this domain". DNSAdmins are not on the security tab of a new test zone I created. – FredS Jan 09 '17 at 20:52

1 Answer

You can use ADSIEdit for this.

Connect to the DomainDNSZones partition:

Right-click CN=MicrosoftDNS > Properties

Security tab
Advanced

If DNSAdmins does not exist, add it, with Applies To: This object and all descendant objects, and check the Full Control box.

Greg Askew
  • This did it for me, DNSAdmins was only set to "this object" not also "descendant objects". Thanks! – FredS Jan 10 '17 at 14:03
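
A read-only way to check the same ACL across every zone from PowerShell, added here as an example and not part of the answer above. It assumes the RSAT ActiveDirectory module, zones replicated to the DomainDnsZones partition, and a domain controller that hosts that partition; the function name `Get-DnsAdminsAccess` is made up for this example.

```powershell
# Added example: read-only audit, it changes no permissions.
# Assumes the RSAT ActiveDirectory module and zones replicated to
# "all DNS servers in this domain" (the DomainDnsZones partition).
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$container = "CN=MicrosoftDNS,DC=DomainDnsZones,$($domain.DistinguishedName)"
$groupSid  = (Get-ADGroup -Identity 'DnsAdmins').SID.Value
$fullCtrl  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$sidType   = [System.Security.Principal.SecurityIdentifier]

# Hypothetical helper: summarise the DnsAdmins full-control ACEs on one object.
function Get-DnsAdminsAccess {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl  = Get-Acl -Path "AD:\$DistinguishedName"
    # Ask for SIDs so the match does not depend on name resolution.
    $aces = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq $groupSid -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag($fullCtrl)
    }
    [pscustomobject]@{
        Object             = $DistinguishedName
        FullControl        = [bool]$aces
        # 'All' is what the GUI calls "This object and all descendant objects".
        AppliesToChildren  = [bool]($aces | Where-Object { $_.InheritanceType -eq 'All' })
        # True means the object does not inherit ACEs from CN=MicrosoftDNS.
        InheritanceBlocked = $acl.AreAccessRulesProtected
    }
}

# The container first: this is where the ACE in the answer is set.
Get-DnsAdminsAccess $container | Format-List

# Then every zone under it; list only zones that lack the ACE or block inheritance.
Get-ADObject -SearchBase $container -SearchScope OneLevel -Filter "objectClass -eq 'dnsZone'" |
    ForEach-Object { Get-DnsAdminsAccess $_.DistinguishedName } |
    Where-Object { -not $_.FullControl -or $_.InheritanceBlocked } |
    Format-Table -AutoSize -Wrap
```

A container row showing `FullControl : True` with `AppliesToChildren : False` matches the "this object" only case described in the last comment.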