Configure read only access for selcted users to AD integrated DNS

Majerovic, Tomas 0 Reputation points
2023-07-27T03:54:59.5066667+00:00

Hi all. I need to configure read only access for group of users to AD integrated DNS. They will access DNS from remote computer using dnsmgmt.msc. I made test setup on Azure with domain controller based on Windows 2019 Server (DC, AD, DNS) WINSRVDC01.domain01.com and application server joined to same domain01.com acting as remote computer used by user accessing DNS by dnsmgmt.msc. "DNSReadOnly" Domain Local security group is set. Test "domain01\user01" is created and set as member of "DNSReadOnly" and "Domain Users". My problem is that almost all is working as expected, except user with read only permissions can create new domain entry in DNS Forward Lookup Zone/Domain01.com. I'm unable prevent this action. User is unable to delete it despite that has rights to create it. Also I noticed that this new domain entry disappears after next DNS service or server restart. Please see configuration details bellow and advice how I can tune up security / permissions configuration to prevent user make changes on AD integrated DNS.

Permissions set on AD integrated DNS root:

  • Applied to: This object only.
  • This configuration allows user access AD integrated DNS server thru dnsmgmt.msc

User's image

Permissions set on Forward Lookup Zones and Reverse Lookup Zones (each individual zone has set these permissions):

  • Applied to: This object and all descendant objects.
  • This configuration restricts user make changes on AD integrated DNS server thru dnsmgmt.msc

User's image

additionally all Properties with "Write" are selected. Screenshot is not extended to this part of configuration as there is very long list of Properties.

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
11,710 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Limitless Technology 43,976 Reputation points
    2023-07-27T14:08:09.95+00:00

    Hello there,

    To configure read-only access for selected users to Active Directory (AD) integrated DNS, you will need to adjust the permissions on the DNS objects in Active Directory. By default, DNS objects are secured to prevent unauthorized changes, but you can customize the permissions to allow read-only access for specific users or groups. Here's a step-by-step guide to achieving this:

    Note: To perform these actions, you'll need to be logged in with an account that has administrative privileges in Active Directory.

    Open Active Directory Users and Computers (ADUC):

    On a domain controller or a machine with the Remote Server Administration Tools (RSAT) installed, open "Active Directory Users and Computers."

    Enable Advanced Features:

    In ADUC, click on "View" in the menu, then select "Advanced Features." This will enable additional options in the properties of AD objects.

    Locate the DNS Zone:

    Expand your domain, then navigate to "System" > "MicrosoftDNS" to find your DNS zones.

    Set Permissions:

    Right-click on the DNS zone you want to configure read-only access for and select "Properties."

    Security Tab:

    In the properties window, go to the "Security" tab.

    Add the Users/Groups:

    Click on the "Add" button and select the user or group you want to grant read-only access. For example, you can select a group named "DNS Read-Only Users."

    Set Permissions to Read:

    In the permissions list, find the "Read" permission and select the "Allow" checkbox for the user/group you added. You may also want to allow "List Contents" to view the subnodes.

    Apply Changes:

    Click "OK" to apply the changes and exit the properties window.

    I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

    Hope this resolves your Query !!

    --If the reply is helpful, please Upvote and Accept it as an answer--