Hi

I got a problem with read access to DNS. A regional Administrator that should have read access to two DNS servers (running on Windows 2000 SP3 Domain Controllers, both in same domain, same site, same DNS zones, both AD integrated and secondary) but it only works on one of the servers, he gets Access Denied when connecting to one of them. I have compared and found no differences in the security settings between the two servers
The permissions he got is read via membership in Authenticated users on the DNS server and read via Everyone on the AD integrated zone
When I (as Domain Admin) do the same it works

Assuming he is logged on as the necessary user account from the domain, is
the account blocked by any specific denials on that machine?

Are the permissions you're talking about, since it;s an AD Integrated zone,
on the zone properties, security tab?

Were the permissions altered in ADSI Edit on that zone?

When opening the MMC, if he hits the shift button, rt-clicks on the shortcut
in Administrative tools, and logs on as someone else, does the problem still
occur?

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
=================================

"Per S" <(E-Mail Removed)> wrote in message
newsB91CEF3-021B-42E4-9540-(E-Mail Removed)...
> Hi,
>
> I got a problem with read access to DNS. A regional Administrator that
should have read access to two DNS servers (running on Windows 2000 SP3
Domain Controllers, both in same domain, same site, same DNS zones, both AD
integrated and secondary) but it only works on one of the servers, he gets
Access Denied when connecting to one of them. I have compared and found no
differences in the security settings between the two servers.
> The permissions he got is read via membership in Authenticated users on
the DNS server and read via Everyone on the AD integrated zone.
> When I (as Domain Admin) do the same it works.
>

He is loggeded on to the domain with nessesary account
There is no denials (that I can find)

Yes it is the security tab on the zone (and also on the DNS server object in MMC)

No the permissions has not been altered in ADSI edit on the zone

Have tested with 4 different account with the same pemissions (also with Run-as) but still same problem

It seems that he has enough permissions on the zone since he can read the same zone on the other server on site, I made a test account and got the same problem, when adding the account to DnsAdmins group (giving it write access) as a test, it works but this gives to mutch access, user should only have read.

Not sure what to say here. Maybe you can grant the DnsAdmin for him and deny
write? Maybe someone else may have a better suggestion.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
=================================

"Per S" <(E-Mail Removed)> wrote in message
news:AB95064A-4E27-4BE7-A219-(E-Mail Removed)...
> He is loggeded on to the domain with nessesary account.
> There is no denials (that I can find).
>
> Yes it is the security tab on the zone (and also on the DNS server object
in MMC).
>
> No the permissions has not been altered in ADSI edit on the zone.
>
> Have tested with 4 different account with the same pemissions (also with
Run-as) but still same problem.
>
> It seems that he has enough permissions on the zone since he can read the
same zone on the other server on site, I made a test account and got the
same problem, when adding the account to DnsAdmins group (giving it write
access) as a test, it works but this gives to mutch access, user should only
have read.

I installed W2K SP4 ant it seems to work now.

Sometimes we assume that the latest service packs are installed.
Glad that did it.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
=================================

"Per S" <(E-Mail Removed)> wrote in message
news:B8981760-7D33-4B1A-B67A-(E-Mail Removed)...
> I installed W2K SP4 ant it seems to work now.