Microsoft KB Archive/256643

= Unable to Prevent DNS Zone Administrator from Creating New Zones =

Article ID: 256643

Article Last Modified on 10/12/2007


APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition




This article was previously published under Q256643



SYMPTOMS
The Windows 2000 DNS White Paper describes how to delegate administration of a zone to a DNS administrator so that a DNS administrator can administer a specific zone but is not able to modify other configured zones.

After you follow instructions in the White Paper, the DNS administrator can administer the delegated zone and is unable to modify another existing DNS zone. However, the DNS administrator is able to create new forward lookup zones, and this may occur even though you did not specifically give the appropriate rights to do so.



CAUSE
This problem can occur because DNS Manager does not validate the security credentials correctly.



RESOLUTION
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Only apply it to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Windows 2000 service pack that contains this hotfix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The typical support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The English version of this fix should have the following file attributes or later:

  Date        Time     Version        Size     File name
  -------------------------------------------------------
  05/16/2000  3:55 PM  5.0.2195.2096  321,296  Dns.exe



WORKAROUND
To work around this problem without installing the hotfix, do not delegate zones if you don't want the zone administrator to be able to create new zones.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
This is the related information from the white paper:

DNS Admins Group
By default, the DNS Admins group has full control of all zones and records in a Windows 2000 domain in which it is specified. In order for a user to be able to enumerate zones in a specific Windows 2000 domain, the user (or a group the user belongs to) must be enlisted in the DNS Admins group. At the same time, it is possible that a domain administrator may not want to grant such a high level of administration (full control) to all users listed in the DNS Admins group. The typical case would be if a domain administrator wanted to grant a set of users full control for a specific zone and read-only control for other zones in the domain.

Create the groups Zone1Admins, Zone2Admins, and so forth for zones 1, 2, and so on respectively. Then the ACL for zone N will contain a group ZoneNAdmins with full control. At the same time, all the groups Zone1Admins, Zone2Admins, and so forth will be included in the DNS Admins group. The DNS Admins group should have read permission only. Since a zone's ACL always contains the DNS Admins group, all users enlisted in Zone1Admins, Zone2Admins, and so forth will have read permission for all the zones in the domain.

The DNS Admins group is configurable through the Active Directory Users and Computers manager.

For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes
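
The group and ACL layout in the white paper excerpt above can be checked mechanically. The following Python code is an added example, not code from Microsoft or the white paper; the user names, zone names and the allow-only permission model are constructed assumptions. It covers rights on existing zones only, not the right to create zones.

```python
# Added illustration (not Microsoft code): models the white paper's zone
# delegation scheme with constructed groups, users and zone names.
READ, FULL = 1, 2   # allow-only rights, ordered; deny entries are not modelled

MEMBERS = {   # group -> direct members (constructed sample data)
    "DNS Admins": {"Zone1Admins", "Zone2Admins"},
    "Zone1Admins": {"alice"},
    "Zone2Admins": {"bob"},
}
ZONE_ACLS = {   # zone -> {trustee: right} (constructed sample data)
    "zone1.example": {"DNS Admins": READ, "Zone1Admins": FULL},
    "zone2.example": {"DNS Admins": READ, "Zone2Admins": FULL},
}

def trustees_for(user, members):
    """The user plus every group reached through nested membership."""
    found = {user}
    grew = True
    while grew:
        grew = False
        for group, direct in members.items():
            if group not in found and direct & found:
                found.add(group)
                grew = True
    return found

def effective_right(user, zone, acls=ZONE_ACLS, members=MEMBERS):
    """Highest right any of the user's trustees holds on the zone (0 = none)."""
    mine = trustees_for(user, members)
    return max((r for t, r in acls[zone].items() if t in mine), default=0)

def audit(acls=ZONE_ACLS, members=MEMBERS, admins="DNS Admins"):
    """Return (zone, problem) pairs where the ACLs depart from the scheme."""
    findings = []
    for zone, acl in acls.items():
        if acl.get(admins) != READ:
            findings.append((zone, f"{admins} should have read permission only"))
        owners = [t for t, r in acl.items() if r == FULL and t != admins]
        for group in owners:
            if group not in members.get(admins, set()):
                findings.append((zone, f"{group} is not a member of {admins}"))
    return findings

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, {z: effective_right(user, z) for z in ZONE_ACLS})
    print(audit() or "ACLs match the scheme")
```

With the sample data, each zone administrator gets full control of their own zone and read permission on the other, and the audit reports nothing. If DNS Admins is left at its default of full control, every delegated administrator gains full control of every zone and the audit flags it.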


© Microsoft Corporation. All rights reserved.