How can someone with full OU rights, but who is not a domain admin, manage an AD-integrated zone on
I am consulting for a worldwide company that is in the design stages of
Active Directory. It has decided to set up DNS as AD-integrated zones. They are designing a
one-domain infrastructure wherein local IT personnel have full admin rights to their perspective
OUs. No local IT engineer will have domain administrator privileges.
The question regarding this setup involves DNS administration. How can a local engineer will
full OU rights, but who is not a domain administrator, manage the AD-integrated zone on his local
DNS server? The local engineer will need this access to add and remove Unix workstations and older
OSes that do not support dynamic updates.
In order to provide the ability to administer DNS, you put the users account in a group called
DNSAdmins. When you install DNS on a Windows 2000 machine the group DNSAdmins is created and given
full control over all zones in the domain in which the DNS server exists. If you have other zones
you can create additional groups and assign them rights to the zones by going into the DNS MMC,
right-clicking the zone and clicking on Properties then finally the Security Tab.
This was first published in January 2003