Windows Server 2008 R2 DNS Servers can only be managed by computers running Windows Server 2008 or later

Article ID: 2027440

SYMPTOMS

Attempting to connect to a Windows Server 2008 R2 DNS Server using the Windows 2000 or Windows Server 2003 version of the DNS Manager snap-in, DNSMGMT.MSC, fails with the error:

“Access is denied. Would you like to add it anyway” (YES | NO)

Clicking “Yes” displays the DNS Management snap-in, but a red ball appears adjacent to the W2K8 R2 DNS Server in the left-hand pane of DNSMGMT.MSC. The right-hand pane of DNS Manager displays the following text:

Access is Denied
You do not have permission to access this DNS Server. To retry the connection, either press F5 or Refresh on the Action menu.

Attempting to administer a W2K8 R2 DNS Server using the Windows 2000 or Windows Server 2003 version of DNSCMD.EXE fails with one of two errors, illustrated here by the “DNSCMD <servername> /info” command, depending on whether the remote computer is referenced by IP address, single label hostname or fully qualified hostname:

>dnscmd <IP address of W2K8 R2 DNS Server> /info
Info query failed
status = 5 (0x00000005)
Command failed: ERROR_ACCESS_DENIED 5 (00000005)

>dnscmd <single label hostname> /info
Info query failed
status = 1722 (0x000006ba)
Command failed: RPC_S_SERVER_UNAVAILABLE 1722 (000006ba)

>dnscmd <full qualified hostname of DNS Server> /info
Info query failed
Status = 5 (0x00000005)
Command failed: ERROR_ACCESS_DENIED 5 (00000005)

A network trace of a DNS management tool run from a pre-Windows 2008 computer attempting to administer a Windows Server 2008 R2 DNS Server shows the following conversation:

DNSP: R_DnssrvComplexOperation2 Request …..
MSRPC:c/o Fault: Call=0x1, Context = 0x0, Status = 0x5 Cancels = 0X0 with status 0x00000005

DnssrvComplexOperation2 is one of about 10 possible requests that could be generated by DNSMGMT.MSC and DNSCMD.EXE. The RPC fault with status 0x5 does not uniquely define this scenario, but it is the response that you’ll see on the wire for this scenario.

CAUSE

1. RPC Integrity, which is required by Windows Server 2008 R2 DNS Servers, is not supported by the versions of DNSMGMT.MSC or DNSCMD.EXE that run on Windows 2000, Windows XP and Windows Server 2003 computers.

2. RPC over Named Pipes communication, which is favored by pre-W2K8 DNS admin tools when referencing remote DNS Servers by their single label host names, is disabled on Windows Server 2008 R2 DNS Servers.

RESOLUTION

For the most secure and seamless experience, W2K8 R2 DNS Servers should be administered from operating systems that can execute the Windows Server 2008 or later versions of DNSMGMT.MSC and DNSCMD.EXE listed in the table located in the "More Information" section of this article.

If compatible client operating systems are not immediately available, consider the following workarounds:

· Administer Windows 2008 R2 DNS Servers directly from the console

OR

· Administer Windows 2008 R2 DNS Servers via Remote Desktop / Terminal Services.

OR

· Temporarily disable RPC Integrity by executing the following command within an admin-privileged CMD prompt from the console of each Windows Server 2008 R2 DNS Server that you want to manage from a down-level operating system.

Warning: Microsoft recommends that you (1.) administer Windows Server 2008 R2 DNS Servers exclusively from computers that can execute the Windows Server 2008 or later versions of DNSMGMT.MSC and DNSCMD.EXE and (2.) not enable RPC over named pipes.

>dnscmd /config /RpcAuthLevel 0

MORE INFORMATION

Windows Server 2008 R2 DNS Servers require that DNS management tools perform RPC integrity to avoid sniffing and “man-in-the-middle” attacks while performing DNS administrative tasks. Windows Server 2008 and Windows Server 2008 R2 DNSMGMT.MSC and DNSCMD.EXE support RPC Integrity and request RPC Privacy to interoperate with W2K8 R2 DNS Servers.

The table below lists the client and server operating systems that can execute W2K8 or newer versions of DNSMGMT.MSC and DNSCMD.EXE needed to administer W2K8 R2 DNS Servers:

DNS security enhancements do not prevent the Windows Server 2008 or Windows Server 2008 R2 versions of DNSMGMT.MSC and DNSCMD.EXE from administering remote Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 and Windows 2000 DNS Servers.

RPC over Named Pipes was disabled on Windows Server 2008 R2 DNS Servers because it is inherently less secure.

NETSH interoperability is not impacted by this security change.

Note: This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use (http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.










