Access Denied in MMC DNS Snap-in

Discussion in 'Microsoft Windows 2000 DNS' started by Guest, Nov 24, 2003.

  1. Guest

    Guest Guest

    Hi

    I got a problem with read access to DNS. A regional Administrator that should have read access to two DNS servers (running on Windows 2000 SP3 Domain Controllers, both in same domain, same site, same DNS zones, both AD integrated and secondary) but it only works on one of the servers, he gets Access Denied when connecting to one of them. I have compared and found no differences in the security settings between the two servers
    The permissions he got is read via membership in Authenticated users on the DNS server and read via Everyone on the AD integrated zone
    When I (as Domain Admin) do the same it works
     
    Guest, Nov 24, 2003
    #1
    1. Advertisements

  2. Assuming he is logged on as the necessary user account from the domain, is
    the account blocked by any specific denials on that machine?

    Are the permissions you're talking about, since it;s an AD Integrated zone,
    on the zone properties, security tab?

    Were the permissions altered in ADSI Edit on that zone?

    When opening the MMC, if he hits the shift button, rt-clicks on the shortcut
    in Administrative tools, and logs on as someone else, does the problem still
    occur?

    --
    Regards,
    Ace

    Please direct all replies to the newsgroup so all can benefit.
    This posting is provided "AS IS" with no warranties.

    Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
    Microsoft Windows MVP - Active Directory
    --
    =================================

    "Per S" <> wrote in message
    news:D...
    > Hi,
    >
    > I got a problem with read access to DNS. A regional Administrator that

    should have read access to two DNS servers (running on Windows 2000 SP3
    Domain Controllers, both in same domain, same site, same DNS zones, both AD
    integrated and secondary) but it only works on one of the servers, he gets
    Access Denied when connecting to one of them. I have compared and found no
    differences in the security settings between the two servers.
    > The permissions he got is read via membership in Authenticated users on

    the DNS server and read via Everyone on the AD integrated zone.
    > When I (as Domain Admin) do the same it works.
    >
     
    Ace Fekay [MVP], Nov 24, 2003
    #2
    1. Advertisements

  3. Guest

    Guest Guest

    He is loggeded on to the domain with nessesary account
    There is no denials (that I can find)

    Yes it is the security tab on the zone (and also on the DNS server object in MMC)

    No the permissions has not been altered in ADSI edit on the zone

    Have tested with 4 different account with the same pemissions (also with Run-as) but still same problem

    It seems that he has enough permissions on the zone since he can read the same zone on the other server on site, I made a test account and got the same problem, when adding the account to DnsAdmins group (giving it write access) as a test, it works but this gives to mutch access, user should only have read.
     
    Guest, Nov 25, 2003
    #3
  4. Not sure what to say here. Maybe you can grant the DnsAdmin for him and deny
    write? Maybe someone else may have a better suggestion.

    --
    Regards,
    Ace

    Please direct all replies to the newsgroup so all can benefit.
    This posting is provided "AS IS" with no warranties.

    Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
    Microsoft Windows MVP - Active Directory
    --
    =================================

    "Per S" <> wrote in message
    news:...
    > He is loggeded on to the domain with nessesary account.
    > There is no denials (that I can find).
    >
    > Yes it is the security tab on the zone (and also on the DNS server object

    in MMC).
    >
    > No the permissions has not been altered in ADSI edit on the zone.
    >
    > Have tested with 4 different account with the same pemissions (also with

    Run-as) but still same problem.
    >
    > It seems that he has enough permissions on the zone since he can read the

    same zone on the other server on site, I made a test account and got the
    same problem, when adding the account to DnsAdmins group (giving it write
    access) as a test, it works but this gives to mutch access, user should only
    have read.
     
    Ace Fekay [MVP], Nov 25, 2003
    #4
  5. Guest

    Guest Guest

    I installed W2K SP4 ant it seems to work now.
     
    Guest, Nov 25, 2003
    #5
  6. Sometimes we assume that the latest service packs are installed.
    Glad that did it.

    --
    Regards,
    Ace

    Please direct all replies to the newsgroup so all can benefit.
    This posting is provided "AS IS" with no warranties.

    Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
    Microsoft Windows MVP - Active Directory
    --
    =================================

    "Per S" <> wrote in message
    news:...
    > I installed W2K SP4 ant it seems to work now.
     
    Ace Fekay [MVP], Nov 25, 2003
    #6
    1. Advertisements

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Bob Doyle
    Replies:
    3
    Views:
    6,195
    Dean Wells [MVP]
    Sep 27, 2003
  2. Carmen

    DNS- Snap in failed to intialize

    Carmen, Oct 29, 2003, in forum: Microsoft Windows 2000 DNS
    Replies:
    10
    Views:
    4,881
    Ace Fekay [MVP]
    Oct 30, 2003
  3. J
    Replies:
    2
    Views:
    185
  4. Guest
    Replies:
    1
    Views:
    180
    Kevin D. Goodknecht [MVP]
    Apr 18, 2004
  5. lunatic

    DNS Snap-IN not allowing secondary DNS server

    lunatic, Jun 8, 2007, in forum: Microsoft Windows 2000 DNS
    Replies:
    3
    Views:
    487
    Ace Fekay [MVP]
    Jun 12, 2007
Loading...

Share This Page