Windows Server 2008 R2 DNS Servers can only be managed by computers running Windows Server 2008 or later

Article ID: 2027440

SYMPTOMS

Attempting to connect to a Windows Server 2008 R2 DNS Server using the Windows 2000 or Windows Server 2003 version of the DNS Manager snap-in, DNSMGMT.MSC, fails with the error:

“Access is denied. Would you like to add it anyway” (YES | NO) 


Clicking “Yes” displays the DNS Management snap-in, but a red ball appears adjacent to the W2K8 R2 DNS Server in the left-hand pane of DNSMGMT.MSC. The right-hand pane of DNS Manager displays the following text:

Access is Denied
You do not have permission to access this DNS Server.
To retry the connection, either press F5 or Refresh on the Action menu. 


Attempting to administer a W2K8 R2 DNS Server using the Windows 2000 or Windows Server 2003 version of DNSCMD.EXE fails with one of two errors, illustrated here by the “DNSCMD <servername> /info” command, depending on whether the remote computer is referenced by IP address, single-label hostname or fully qualified hostname:

>dnscmd <IP address of W2K8 R2 DNS Server> /info

Info query failed
 status = 5 (0x00000005)

Command failed: ERROR_ACCESS_DENIED 5 (00000005)
 
>dnscmd <single label hostname> /info

Info query failed
status = 1722 (0x000006ba)
Command failed:  RPC_S_SERVER_UNAVAILABLE     1722  (000006ba)

>dnscmd <fully qualified hostname of DNS Server> /info

Info query failed
Status = 5 (0x00000005)

Command failed: ERROR_ACCESS_DENIED     5  (00000005)

 
A network trace of a DNS Manager tool run from a pre-Windows 2008 computer attempting to administer a Windows Server 2008 R2 DNS Server shows the following conversation:

 DNSP: R_DnssrvComplexOperation2 Request …..
 MSRPC:c/o Fault: Call=0x1, Context = 0x0, Status = 0x5 Cancels = 0X0 with status 0x00000005


DnssrvComplexOperation2 is one of about 10 possible requests that could be generated by DNSMGMT.MSC and DNSCMD.EXE. The RPC fault with status 0x5 does not uniquely define this scenario, but it is the response that you’ll see on the wire for this scenario.



CAUSE

1. RPC Integrity, which is required by Windows Server 2008 R2 DNS Servers, is not supported by the versions of DNSMGMT.MSC or DNSCMD.EXE that run on Windows 2000, Windows XP and Windows Server 2003 computers.

2. RPC over Named Pipes communication, which is favored by pre-W2K8 DNS admin tools when referencing remote DNS Servers by their single-label host names, is disabled on Windows Server 2008 R2 DNS Servers.
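
The pairing of symptoms and causes above, as an added example that is not part of the original article: this Python script parses a captured DNSCMD console transcript and maps each failed "/info" attempt to the cause that matches its status code and the way the server was referenced. The cause labels, the transcript, and its host names and address are constructed for illustration.

```python
import ipaddress
import re

STATUS_RE = re.compile(r"status\s*=\s*(\d+)\s*\(0x[0-9a-f]{8}\)", re.I)
PROMPT_RE = re.compile(r"^>\s*dnscmd\s+(\S+)\s+/info\s*$", re.I | re.M)
# (status, reference form) -> cause label; labels are made up for this example.
CAUSES = {
    (5, "ip"): "rpc-integrity-unsupported-by-client",
    (5, "fqdn"): "rpc-integrity-unsupported-by-client",
    (1722, "single-label"): "named-pipes-disabled-on-server",
}

def reference_form(target):
    """Classify how the DNS server was named on the command line."""
    try:
        ipaddress.ip_address(target)
        return "ip"
    except ValueError:
        return "fqdn" if "." in target.rstrip(".") else "single-label"

def triage(transcript):
    """Return (target, form, status, cause) per dnscmd /info attempt."""
    findings = []
    prompts = list(PROMPT_RE.finditer(transcript))
    for i, m in enumerate(prompts):
        end = prompts[i + 1].start() if i + 1 < len(prompts) else len(transcript)
        status = STATUS_RE.search(transcript, m.end(), end)
        code = int(status.group(1)) if status else None
        form = reference_form(m.group(1))
        cause = CAUSES.get((code, form), "unmatched" if code else "no-failure-status")
        findings.append((m.group(1), form, code, cause))
    return findings
# Constructed transcript; the address and host names are placeholders.
SAMPLE = """\
>dnscmd 192.0.2.10 /info
Info query failed
 status = 5 (0x00000005)
Command failed: ERROR_ACCESS_DENIED 5 (00000005)
>dnscmd dns01 /info
Info query failed
status = 1722 (0x000006ba)
Command failed:  RPC_S_SERVER_UNAVAILABLE     1722  (000006ba)
>dnscmd dns01.corp.example /info
Info query failed
Status = 5 (0x00000005)
Command failed: ERROR_ACCESS_DENIED     5  (00000005)
"""
for finding in triage(SAMPLE):
    print(finding)
```

A status 5 result that does not fit the pairing is reported as "unmatched", since the article notes that the 0x5 fault is not unique to this scenario.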

RESOLUTION

For the most secure and seamless experience, W2K8 R2 DNS Servers should be administered from operating systems that can execute the Windows Server 2008 or later versions of DNSMGMT.MSC and DNSCMD.EXE listed in the table located in the "More Information" section of this article. If compatible client operating systems are not immediately available, consider the following workarounds:

· Administer Windows 2008 R2 DNS Servers directly from the console
OR

· Administer Windows 2008 R2 DNS Servers via Remote Desktop / Terminal Services.
OR 

· Temporarily disable RPC Integrity by executing the following command within an admin-privileged CMD prompt from the console of each Windows Server 2008 R2 DNS Server that you want to manage from a down-level operating system. 

>dnscmd /config /RpcAuthLevel 0 


Warning: Microsoft recommends that you (1.) administer Windows Server 2008 R2 DNS Servers exclusively from computers that can execute the Windows Server 2008 or later versions of DNSMGMT.MSC and DNSCMD.EXE and (2.) not enable RPC over named pipes. 

MORE INFORMATION

Windows Server 2008 R2 DNS Servers require that DNS management tools use RPC integrity to avoid sniffing and “man-in-the-middle” attacks while performing DNS administrative tasks. The Windows Server 2008 and Windows Server 2008 R2 versions of DNSMGMT.MSC and DNSCMD.EXE support RPC Integrity and request RPC Privacy to interoperate with W2K8 R2 DNS Servers.

 The table below lists the client and server operating systems that can execute W2K8 or newer versions of DNSMGMT.MSC and DNSCMD.EXE needed to administer W2K8 R2 DNS Servers:



Operating system | DNSMGMT.MSC | DNSCMD.EXE | Comment
Windows 2000 Workstation | N | N | W2K DNS admin tools are installed by the Windows 2000 adminpack + support tools
Windows 2000 Server | N | N |
Windows XP | N | N | W2K3 DNS admin tools are installed by the W2K3 adminpack + support tools
Windows Server 2003 | N | N |
Windows Vista | Y | Y | Windows Server 2008 DNS admin tools are available in the Microsoft Remote Server Administration Tools for Windows Vista
Windows Server 2008 | Y | Y | Windows Server 2008 DNS admin tools are installed by the "Features" node of Server Manager or with the install of corresponding server role
Windows 7 client | Y | Y | Windows Server 2008 R2 DNS admin tools are installed by the Remote Server Administration Tools for Windows 7
Windows Server 2008 R2 | Y | Y | Windows Server 2008 R2 DNS admin tools are installed by the "Features" node of Server Manager or with the install of corresponding server role

DNS security enhancements do not prevent the Windows Server 2008 or Windows Server 2008 R2 versions of DNSMGMT.MSC and DNSCMD.EXE from administering remote Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 and Windows 2000 DNS Servers.


RPC over Named Pipes was disabled on Windows Server 2008 R2 DNS Servers because it is inherently less secure.

 
NETSH interoperability is not impacted by this security change.
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2027440 - Last Review: December 16, 2010 - Revision: 4.0
APPLIES TO
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Standard
Keywords: 
KB2027440
