Microsoft KB Archive/939090

= Members of the DnsAdmins group on a Windows Server 2003-based DNS server cannot create new DNS zones that will be replicated to DNS servers in a domain or in a forest =

Article ID: 939090

Article Last Modified on 8/7/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)

-



SYMPTOMS
You are a member of the DnsAdmins group on a Windows Server 2003-based DNS server. You try to create new Active Directory-integrated DNS zones that are replicated to all DNS servers in the Active Directory domain or to all DNS servers in the Active Directory forest. However, you notice that the following conditions are true:
 * You cannot create those DNS zones.
 * You can create DNS zones that are replicated to all the domain controllers in the current Active Directory domain.



CAUSE
This issue occurs because of the permissions that are set in the Active Directory directory service. In Windows Server 2003, members of the DnsAdmins group are granted permissions only on the MicrosoftDNS container in the domain partition, which holds the zones that are replicated to all domain controllers in the domain:

CN=MicrosoftDNS,CN=System,DC= ,DC=

Members of the DnsAdmins group are not granted permissions on the MicrosoftDNS container in the DomainDNSZones application partition or in the ForestDNSZones application partition. These containers hold the zones that are replicated to all DNS servers in the domain or in the forest:
 * CN=MicrosoftDNS,DC=ForestDNSZones,DC= ,DC=
 * CN=MicrosoftDNS,DC=DomainDNSZones,DC= ,DC=



RESOLUTION
The following procedure uses ADSI Edit (Adsiedit.msc), which is part of the Windows Server 2003 Support Tools. To install the Support Tools on a computer that is running Windows Server 2003, run the Setup.exe file from the \Support\Tools folder on the Windows Server 2003 CD.

Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

To resolve this issue, grant the DnsAdmins group permissions on the MicrosoftDNS container in the DomainDNSZones application partition and in the ForestDNSZones application partition. To do this, follow these steps:

1. Log on to the Windows Server 2003-based DNS server as a user who has administrative rights.

2. Set permissions for the DnsAdmins group on the DomainDNSZones application partition. To do this, follow these steps:

   a. Click Start, click Run, type Adsiedit.msc, and then click OK.
   b. In the task pane, right-click ADSI Edit, and then click Connect to.
   c. Under Connection Point, click Select or type a Distinguished Name or Naming Context, type the following, and then click OK:

      CN=MicrosoftDNS,DC=DomainDNSZones,DC= ,DC=

   d. In the task pane, locate and right-click CN=MicrosoftDNS,DC=DomainDNSZones,DC= ,DC= , and then click Properties.
   e. Click the Security tab, and then click Advanced. The Advanced Security Settings for MicrosoftDNS dialog box appears.
   f. On the Permissions tab, click Add.
   g. In the Enter the object name to select box, type DnsAdmins, and then click Check Names to verify the name.
   h. Click OK. The Permission Entry for MicrosoftDNS dialog box appears.
   i. In the Apply onto drop-down list, click This object only.
   j. Click to select the Allow check box for the Full Control permission, and then click OK.
   k. In the Advanced Security Settings for MicrosoftDNS dialog box, click Apply, and then click OK.
   l. Click OK to close the properties dialog box for the DomainDNSZones application partition.
   m. Close the ADSI Edit window.
   n. Test whether you can now create a DNS zone that is replicated to all DNS servers in the domain.

3. Set permissions for the DnsAdmins group on the ForestDNSZones application partition. To do this, follow these steps:

   a. Click Start, click Run, type Adsiedit.msc, and then click OK.
   b. In the task pane, right-click ADSI Edit, and then click Connect to.
   c. Under Connection Point, click Select or type a Distinguished Name or Naming Context, type the following, and then click OK:

      CN=MicrosoftDNS,DC=ForestDNSZones,DC= ,DC=

   d. In the task pane, locate and right-click CN=MicrosoftDNS,DC=ForestDNSZones,DC= ,DC= , and then click Properties.
   e. Click the Security tab, and then click Advanced. The Advanced Security Settings for MicrosoftDNS dialog box appears.
   f. On the Permissions tab, click Add.
   g. In the Enter the object name to select box, type DnsAdmins, and then click Check Names to verify the name.
   h. Click OK. The Permission Entry for MicrosoftDNS dialog box appears.
   i. In the Apply onto drop-down list, click This object only.
   j. Click to select the Allow check box for the Full Control permission, and then click OK.
   k. In the Advanced Security Settings for MicrosoftDNS dialog box, click Apply, and then click OK.
   l. Click OK to close the properties dialog box for the ForestDNSZones application partition.
   m. Close the ADSI Edit window.
   n. Test whether you can now create a DNS zone that is replicated to all DNS servers in the forest.

Note Because the permission entry is applied to This object only, it is not inherited by the dnsZone and dnsNode objects beneath the container, and the security descriptors of zones that already exist in the partition are not changed. Full Control on the container does let members of DnsAdmins create and delete zone objects in that partition, so limit membership of DnsAdmins to the people who administer DNS.
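The same change can be made and verified without clicking through ADSI Edit. The following Windows PowerShell script is an added example and is not part of this article or of any Microsoft tool; it assumes the domain contoso.com, the group CONTOSO\DnsAdmins, and a host with Windows PowerShell 2.0 or later and LDAP access to a domain controller (Windows Server 2003 does not ship with PowerShell, so run it from a management host or after installing PowerShell on the server). It adds the same Allow / Full Control / This object only entry that the steps above create, on both containers, and then reads the security descriptors back to confirm the entry is present.

```powershell
# Added example, not part of KB 939090. Grants the DnsAdmins group Full Control
# on the MicrosoftDNS container of the DomainDNSZones and ForestDNSZones
# application partitions, then verifies the resulting ACEs.
# Assumptions: domain contoso.com, group CONTOSO\DnsAdmins, run by a user who
# may modify the security descriptors of both containers.
param(
    [string]$DomainDn  = 'DC=contoso,DC=com',   # assumed domain DN
    [string]$GroupName = 'CONTOSO\DnsAdmins'    # assumed group name
)

Add-Type -AssemblyName System.DirectoryServices

# ACEs are stored by SID, so resolve the group name once.
$sid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# The two containers the article identifies as lacking DnsAdmins permissions.
$containers = @(
    "CN=MicrosoftDNS,DC=DomainDNSZones,$DomainDn",
    "CN=MicrosoftDNS,DC=ForestDNSZones,$DomainDn"
)

function Grant-DnsAdminsFullControl {
    param([string]$Dn)

    $entry = [ADSI]"LDAP://$Dn"

    # Same entry the ADSI Edit steps create: Allow, Full Control (GenericAll),
    # Apply onto "This object only" (ActiveDirectorySecurityInheritance::None),
    # so nothing propagates to the dnsZone/dnsNode objects under the container.
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None

    $entry.ObjectSecurity.AddAccessRule($rule)
    $entry.CommitChanges()
}

function Test-DnsAdminsFullControl {
    param([string]$Dn)

    $entry = [ADSI]"LDAP://$Dn"
    # Explicit entries only (second argument $false excludes inherited ones).
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $false,
                 [System.Security.Principal.SecurityIdentifier])
    $full  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    # Look for an Allow entry for the group that carries the whole Full Control
    # mask and applies to this object only.
    $match = $rules | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        $_.InheritanceType -eq 'None' -and
        (($_.ActiveDirectoryRights -band $full) -eq $full)
    }
    return [bool]$match
}

foreach ($dn in $containers) {
    if (Test-DnsAdminsFullControl -Dn $dn) {
        Write-Host "OK      $dn already grants Full Control to $GroupName"
        continue
    }
    Grant-DnsAdminsFullControl -Dn $dn
    if (Test-DnsAdminsFullControl -Dn $dn) {
        Write-Host "GRANTED $dn"
    } else {
        Write-Warning "FAILED  $dn (check that you may modify its security descriptor)"
    }
}

# Final check, as the article suggests: create a domain-replicated and a
# forest-replicated zone while logged on as a DnsAdmins member (not as a
# Domain Admin), using the built-in dnscmd tool:
#   dnscmd /ZoneAdd dom-test.contoso.com    /DsPrimary /DP /domain
#   dnscmd /ZoneAdd forest-test.contoso.com /DsPrimary /DP /forest
```

The script is idempotent: a container that already carries the entry is reported and skipped, so it can be re-run after a failure. Run the dnscmd checks as an ordinary DnsAdmins member; running them as an administrator would succeed even if the permissions were still missing.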


MORE INFORMATION
For more information about related issues, click the following article numbers to view the articles in the Microsoft Knowledge Base:

817470 How to reconfigure an _msdcs subdomain to a forest-wide DNS application directory partition when you upgrade from Windows 2000 to Windows Server 2003

885010 The "Available columns" list is empty in the Active Directory Users and Computers snap-in after you install Microsoft Office Live Communications Server 2003

896983 You cannot apply Group Policy settings after you rename a Windows Server 2003-based domain

Keywords: kbexpertiseadvanced kbtshoot kbprb KB939090

-


© Microsoft Corporation. All rights reserved.