Members of the DnsAdmins group on a Windows Server 2003-based DNS server cannot create new DNS zones that will be replicated to DNS servers in a domain or in a forest

View products that this article applies to.

SYMPTOMS

You are a member of the DnsAdmins group on a Windows Server 2003-based DNS server. You try to create new DNS zones that can be replicated to all the DNS servers in an Active Directory domain or in an Active Directory forest. However, you notice that the following conditions are true:

You cannot create the DNS zones.
You can create DNS zones that can be replicated to all the domain controllers in the current Active Directory domain.

Back to the top

CAUSE

This issue occurs because of the permissions that are set in the Active Directory directory service. In Windows Server 2003, members of the DnsAdmins group have permissions only on the following object:

CN=MicrosoftDNS,CN=System,DC=Domain,DC=Domain_Extension

The members of the DnsAdmins group do not have permissions on the following application partitions:

CN=MicrosoftDNS,DC=ForestDNSZones,DC=Domain,DC=Domain_Extension
CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=Domain_Extension

Back to the top

RESOLUTION

The following procedure requires access to Windows Server 2003 Support Tools. To install the Support Tools on a computer that is running Windows Server 2003, run the Setup.exe file from the \Support\Tools folder on the Windows Server 2003 CD.

Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

To resolve this issue, set permissions for the DnsAdmins group on the DomainDNSZones application partition and on the ForestDNSZones application partition. To do this, follow these steps:

Log on to the Windows Server 2003-based DNS server as a user who has administrative rights.
Set permissions for the DnsAdmins group on the DomainDNSZones application partition. To do this, follow these steps:
1. Click Start, click Run, type Adsiedit.msc, and then click OK.
2. In the task pane, right-click ADSI Edit, and then click Connect to.
3. Under Connection Point, click Select or type a Distinguished Name or Naming Context, type the following, and then click OK:
  CN=MicrosoftDNS,DC= DomainDNSZones,DC=Domain,DC=Domain_Extension
4. In the task pane, locate and right-click CN=MicrosoftDNS,DC= DomainDNSZones,DC=Domain,DC=Domain_Extension, and then click Properties.
5. Click the Security tab, and then click Advanced. The Advanced Security Settings for MicrosoftDNS dialog box appears.
6. In the Permissions tab, click Add.
7. In the Enter the object name to select box, type DnsAdmins, and then click Check Names to verify the name.
8. Click OK. The Permission Entry for Microsoft DNS dialog box appears.
9. In the Apply onto drop-down list, click This object only.
10. Click to select the Allow check box for the Full Control permission, and then click OK.
11. In the Advanced Security Settings for MicrosoftDNS dialog box, click Apply, and then click OK.
12. Click OK to close the properties dialog box for the DomainDNSZones application partition.
13. Close the ADSI Edit window.
14. Test whether you can create a new DNS zone now.
Set permissions for the DnsAdmins group on the ForestDNSZones application partition. To do this, follow these steps:
1. Click Start, click Run, type Adsiedit.msc, and then click OK.
2. In the task pane, right-click ADSI Edit, and then click Connect to.
3. Under Connection Point, click Select or type a Distinguished Name or Naming Context, type the following, and then click OK:
  CN=MicrosoftDNS,DC= ForestDNSZones,DC=Domain,DC=Domain_Extension
4. In the task pane, locate and right-click CN=MicrosoftDNS,DC= ForestDNSZones,DC=Domain,DC=Domain_Extension, and then click Properties.
5. Click the Security tab, and then click Advanced. The Advanced Security Settings for MicrosoftDNS dialog box appears.
6. In the Permissions tab, click Add.
7. In the Enter the object name to select box, type DnsAdmins, and then click Check Names to verify the name.
8. Click OK. The Permission Entry for Microsoft DNS dialog box appears.
9. In the Apply onto drop-down list, click This object only.
10. Click to select the Allow check box for the Full Control permission, and then click OK.
11. In the Advanced Security Settings for MicrosoftDNS dialog box, click Apply, and then click OK.
12. Click OK to close the properties dialog box for the ForestDNSZones application partition.
13. Close the ADSI Edit window.
14. Test whether you can create a new DNS zone now.

Back to the top

MORE INFORMATION

For more information about related issues, click the following article numbers to view the articles in the Microsoft Knowledge Base:

817470 (http://support.microsoft.com/kb/817470/ ) How to reconfigure an _msdcs subdomain to a forest-wide DNS application directory partition when you upgrade from Windows 2000 to Windows Server 2003

885010 (http://support.microsoft.com/kb/885010/ ) The "Available columns" list is empty in the Active Directory Users and Computers snap-in after you install Microsoft Office Live Communications Server 2003

896983 (http://support.microsoft.com/kb/896983/ ) You cannot apply Group Policy settings after you rename a Windows Server 2003-based domain

Back to the top