I am consulting for a worldwide company that is in the design stages of Active Directory. It has decided to set up DNS as AD-integrated zones. They are designing a one-domain infrastructure wherein local IT personnel have full admin rights to their perspective OUs. No local IT engineer will have domain administrator privileges.
The question regarding this setup involves DNS administration. How can a local engineer will full OU rights, but...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
who is not a domain administrator, manage the AD-integrated zone on his local DNS server? The local engineer will need this access to add and remove Unix workstations and older OSes that do not support dynamic updates.
In order to provide the ability to administer DNS, you put the users account in a group called DNSAdmins. When you install DNS on a Windows 2000 machine the group DNSAdmins is created and given full control over all zones in the domain in which the DNS server exists. If you have other zones you can create additional groups and assign them rights to the zones by going into the DNS MMC, right-clicking the zone and clicking on Properties then finally the Security Tab.