Article ID: 256643 - Last Review: October 12, 2007 - Revision: 3.8

Unable to Prevent DNS Zone Administrator from Creating New Zones
This article was previously published under Q256643

SYMPTOMS
The Windows 2000 DNS White Paper describes how to delegate administration of a zone to a DNS administrator so that a DNS administrator can administer a specific zone but is not able to modify other configured zones. After you follow instructions in the White Paper, the DNS administrator can administer the delegated zone and is unable to modify another existing DNS zone. However, the DNS administrator is able to create new forward lookup zones, and this may occur even though you did not specifically give the appropriate rights to do so.

CAUSE
This problem can occur because DNS Manager does not validate the security credentials correctly.

RESOLUTION
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note: If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: http://support.microsoft.com/contactus/?ws=support

Note: The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

The English version of this fix should have the following file attributes or later:

Date        Time     Version        Size     File name
------------------------------------------------------
05/16/2000  3:55 PM  5.0.2195.2096  321,296  Dns.exe

WORKAROUND
To work around this problem without installing the hotfix, do not delegate zones if you don't want the zone administrator to be able to create new zones.

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION
This is the related information from the white paper:

DNS Admins Group

By default the DNS Admins group has full control of all zones and records in a Windows 2000 domain in which it is specified. In order for a user to be able to enumerate zones in a specific Windows 2000 domain, the user (or a group the user belongs to) must be enlisted in the DNS Admin group. At the same time it is possible that a domain administrator(s) may not want to grant such a high level of administration (full control) to all users listed in the DNS administrator group. The typical case would be if a domain administrator wanted to grant full control for a specific zone and read only control for other zones in the domain to a set of users.

Create the groups; Zone1Admins, Zone2Admins, and so forth for the zones 1,2, and so on respectively. Then the ACL for zone N will contain a group ZoneNAdmins with full control. At the same time all the groups Zone1Admins, Zone2Admins, and so forth will be included in the DNS Admins group. The DNS Admins group should have read permission only. Since a zone's ACL always contains the DNS Admins group, all users enlisted in the Zone1Admins, Zone2Admins, and so forth will have read permission for all the zones in the Domain.

The DNS Admins group is configurable through the Active Directory Users and Computers manager.

For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:

249149 (http://support.microsoft.com/kb/249149/EN-US/) Installing Microsoft Windows 2000 and Windows 2000 Hotfixes
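
The group layout in the white paper excerpt above, as an added Python model (not Microsoft code and not part of the original article), showing why the scheme depends on reducing DNS Admins from its default full control to read. The user names alice and bob, the READ/FULL constants and the helper functions are hypothetical, and the model covers only per-zone ACLs, not the zone-creation behaviour this article reports.

```python
# Added illustration, not Microsoft code. Assumption: effective right = highest
# grant reachable through any group; deny ACEs and inheritance are ignored.
READ, FULL = 1, 2

# Nesting from the white paper: every ZoneNAdmins group is a member of DNS Admins.
MEMBER_OF = {
    "alice": {"Zone1Admins"},   # constructed sample user
    "bob": {"Zone2Admins"},     # constructed sample user
    "Zone1Admins": {"DNS Admins"},
    "Zone2Admins": {"DNS Admins"},
}
INTENDED = {"alice": "zone1", "bob": "zone2"}  # zone each user should control

def groups_of(principal):
    """Return the principal plus every group it belongs to, transitively."""
    seen, stack = set(), [principal]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(MEMBER_OF.get(p, ()))
    return seen

def build_acls(dns_admins_right):
    """Zone N's ACL: ZoneNAdmins gets full control, DNS Admins the given right."""
    return {f"zone{n}": {f"Zone{n}Admins": FULL, "DNS Admins": dns_admins_right}
            for n in (1, 2)}

def effective(user, acl):
    """Highest right granted to the user through any of its groups."""
    groups = groups_of(user)
    return max((r for g, r in acl.items() if g in groups), default=0)

def over_privileged(acls):
    """(user, zone) pairs with full control outside the user's intended zone."""
    return sorted((user, zone)
                  for user, own in INTENDED.items()
                  for zone, acl in acls.items()
                  if zone != own and effective(user, acl) == FULL)

DEFAULT_ACLS = build_acls(FULL)   # DNS Admins left at its default, full control
HARDENED_ACLS = build_acls(READ)  # DNS Admins reduced to read, per the white paper

if __name__ == "__main__":
    print("default :", over_privileged(DEFAULT_ACLS))
    print("hardened:", over_privileged(HARDENED_ACLS))
```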
