Sometimes in large organizations it is desirable to delegate the management of DNS to administrators other than full domain admins. Microsoft provides a group called DNSAdmins; however, it does not have full control of all aspects of the DNS service. For instance, its members cannot create or delete AD-integrated zones. You would think this is a right Microsoft would include in the default permissions, but it is not.
For customers that do need to delegate full control of even AD-integrated DNS zones, there is a way to do it. It takes some editing with ADSI, but this is the PSS-recommended method.
The two AD objects that need permissions changed are:
CN=MicrosoftDNS,DC=domaindnszones,dc=your,dc=domain
CN=MicrosoftDNS,DC=forestdnszones,dc=your,dc=domain
After this change, the DNSAdmins group will have virtually full control of all DNS zones and objects stored in AD. The permissions are:
Apply onto: dnsNode objects
Permissions: "Allow" for everything EXCEPT "Full Control" and "Modify Owner".
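The ACL change described above, scripted with ADSI as an added PowerShell example (not code from the original post). It assumes it is run as a Domain Admin on a domain-joined machine, that the group is named DnsAdmins, that "Allow everything except Full Control and Modify Owner" maps to GenericAll with WriteOwner removed, and it takes the ForestDnsZones partition from the forest root naming context, which generalizes the post's example where both partitions sit under the same domain.

```powershell
# Added example: grant DnsAdmins the post's ACE on both MicrosoftDNS containers via ADSI.
# Assumptions: run as Domain Admin; group is named DnsAdmins; "everything except
# Full Control and Modify Owner" is GenericAll with the WriteOwner bit removed.
Set-StrictMode -Version Latest
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = "$($rootDse.defaultNamingContext)"
$forestDn = "$($rootDse.rootDomainNamingContext)"

# Resolve the DnsAdmins group SID from the directory instead of hardcoding it.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
$searcher.Filter = "(&(objectClass=group)(sAMAccountName=DnsAdmins))"
$group = $searcher.FindOne()
if (-not $group) { throw "DnsAdmins group not found under $domainDn" }
$sidBytes = [byte[]]$group.Properties["objectsid"][0]
$sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

# Look up the schemaIDGUID of the dnsNode class so the ACE applies only to dnsNode objects
# ("Apply onto: dnsNode objects" in the ACL editor).
$schemaSearcher = New-Object System.DirectoryServices.DirectorySearcher
$schemaSearcher.SearchRoot = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
$schemaSearcher.Filter = "(lDAPDisplayName=dnsNode)"
$guidBytes = [byte[]]$schemaSearcher.FindOne().Properties["schemaidguid"][0]
$dnsNodeGuid = New-Object -TypeName System.Guid -ArgumentList (,$guidBytes)

# Rights: every bit of GenericAll (Full Control) except WriteOwner (Modify Owner).
$rights = [System.DirectoryServices.ActiveDirectoryRights](
    [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bxor
    [int][System.DirectoryServices.ActiveDirectoryRights]::WriteOwner)

$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $dnsNodeGuid)

# Apply the same ACE to both application partitions named in the post.
foreach ($dn in "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn",
                "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDn") {
    $container = [ADSI]"LDAP://$dn"
    $container.ObjectSecurity.AddAccessRule($ace)
    $container.CommitChanges()
    Write-Host "Added DnsAdmins ACE on $dn"
}
```

Re-open the container's Security tab (Advanced view) afterwards to confirm the new entry shows "dnsNode objects" as its "Apply onto" scope before handing the delegation over.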