Access Denied in MMC DNS Snap-in

G

Guest

Hi

I got a problem with read access to DNS. A regional Administrator that should have read access to two DNS servers (running on Windows 2000 SP3 Domain Controllers, both in same domain, same site, same DNS zones, both AD integrated and secondary) but it only works on one of the servers, he gets Access Denied when connecting to one of them. I have compared and found no differences in the security settings between the two servers
The permissions he got is read via membership in Authenticated users on the DNS server and read via Everyone on the AD integrated zone
When I (as Domain Admin) do the same it works
 
A

Ace Fekay [MVP]

Assuming he is logged on as the necessary user account from the domain, is
the account blocked by any specific denials on that machine?

Are the permissions you're talking about, since it;s an AD Integrated zone,
on the zone properties, security tab?

Were the permissions altered in ADSI Edit on that zone?

When opening the MMC, if he hits the shift button, rt-clicks on the shortcut
in Administrative tools, and logs on as someone else, does the problem still
occur?

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
=================================

Per S said:
Hi,

I got a problem with read access to DNS. A regional Administrator that
should have read access to two DNS servers (running on Windows 2000 SP3
Domain Controllers, both in same domain, same site, same DNS zones, both AD
integrated and secondary) but it only works on one of the servers, he gets
Access Denied when connecting to one of them. I have compared and found no
differences in the security settings between the two servers.
The permissions he got is read via membership in Authenticated users on
the DNS server and read via Everyone on the AD integrated zone.
 
G

Guest

He is loggeded on to the domain with nessesary account
There is no denials (that I can find)

Yes it is the security tab on the zone (and also on the DNS server object in MMC)

No the permissions has not been altered in ADSI edit on the zone

Have tested with 4 different account with the same pemissions (also with Run-as) but still same problem

It seems that he has enough permissions on the zone since he can read the same zone on the other server on site, I made a test account and got the same problem, when adding the account to DnsAdmins group (giving it write access) as a test, it works but this gives to mutch access, user should only have read.
 
A

Ace Fekay [MVP]

Not sure what to say here. Maybe you can grant the DnsAdmin for him and deny
write? Maybe someone else may have a better suggestion.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
=================================

Per S said:
He is loggeded on to the domain with nessesary account.
There is no denials (that I can find).

Yes it is the security tab on the zone (and also on the DNS server object in MMC).

No the permissions has not been altered in ADSI edit on the zone.

Have tested with 4 different account with the same pemissions (also with
Run-as) but still same problem.
It seems that he has enough permissions on the zone since he can read the
same zone on the other server on site, I made a test account and got the
same problem, when adding the account to DnsAdmins group (giving it write
access) as a test, it works but this gives to mutch access, user should only
have read.
 
A

Ace Fekay [MVP]

Sometimes we assume that the latest service packs are installed.
Glad that did it.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

New AD DNS Configuration Question 12
New DNS server 4
dns on multiple domains 7
Secondary DNS 4
missing A record on DNS Serve 16
Secondary DNS setup 2
Dns Prob 6
Zone Transfer between Novell DNS and MS DNS. 1

Top