Ask the Expert

How can someone with full OU rights, but who is not a domain admin, manage an AD-integrated zone on

I am consulting for a worldwide company that is in the design stages of Active Directory. It has decided to set up DNS as AD-integrated zones. They are designing a one-domain infrastructure wherein local IT personnel have full admin rights to their perspective OUs. No local IT engineer will have domain administrator privileges.

The question regarding this setup involves DNS administration. How can a local engineer will full OU rights, but who is not a domain administrator, manage the AD-integrated zone on his local DNS server? The local engineer will need this access to add and remove Unix workstations and older OSes that do not support dynamic updates.

Requires Free Membership to View

In order to provide the ability to administer DNS, you put the users account in a group called DNSAdmins. When you install DNS on a Windows 2000 machine the group DNSAdmins is created and given full control over all zones in the domain in which the DNS server exists. If you have other zones you can create additional groups and assign them rights to the zones by going into the DNS MMC, right-clicking the zone and clicking on Properties then finally the Security Tab.

This was first published in January 2003

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: