Re: dns administration delegation
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Tue, 12 Jun 2007 22:59:29 -0500
"doh" <doh@xxxxxxxxxxx> wrote in message news:f4nglt$hnl$1@xxxxxxxxxxx
> 4 total DNS servers running on domain controllers
> 2 domain controllers are in site A
> 2 domain controllers are in site B
> I want admins from site A to be able to manage only the DNS servers at
> site A.
> I want admins from site B to be able to manage only the DNS servers at
> site B.
> I create a group named siteA_dns and add this group to the two servers'
> security tab in site A with read/write access.
Are you doing this in the DNS MMC properties on the Security tab?
Does this work?
I will look forward to other answers but I don't think this is the way to do
this, and have always done it with a GPO to delegate control of the service.
(There is a problem with this method in your case however which may be
as bad as what you are seeing even though it is different.)
I am not even sure what permissions you are actually delegating there --
if you look at the Standard Permissions you see there is
nothing in there for stopping and starting the service. If you further look
in the Special Permissions for any ACE you will also see this is missing,
but worse, there seem to be all sorts of additional permissions that seem
to be concerned with all sorts of unrelated (and in your case undesirable)
areas.
> Replication takes effect and I check the two DNS servers in site B. They
> both now have the same security read/write access for the siteA_dns group.
> Anyone know of a way to work around this to be able to prevent admins from
> one site making mods at another site (besides blocking RPC via registry)?
The problem with doing it through a GPO is that you would normally want to
do this by putting the servers in different OUs -- you must however NOT
move your DCs outside of the Domain Controller OU.
Some claim you can put them in child OUs but my experience was NOT
good when I tried that and I have never tested it again.
You could however (with no problem I can conceive) link to the existing
DC OU but use permissions (on the DC computer accounts) to filter
the GPO to only apply to one set of DCs, and then another GPO for the other set of DCs
for the other users.
Or you could link the GPOs to the respective SITES instead of using
permission filtering.
Since these are all on DCs, do you really have trouble with admins messing
where they shouldn't?
Can't you just (reliably) make business/security rules where one set of
admins doesn't mess with the other set of DNS servers?
Presumably these are NOT "domain admins" either -- but just something you
are calling Site admins?
--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
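The permission-filtered GPO approach described in this reply, written out as PowerShell against the GroupPolicy and ActiveDirectory modules; this is an added example, not code from the original thread, and the GPO name, the group holding site A's DC computer accounts, and the site name are assumed placeholders.

```powershell
# Added example (not from the original post): scope a delegation GPO to one
# set of DCs without moving them out of the Domain Controllers OU.
# Assumed names: DNS-Delegation-SiteA (GPO), SiteA_DCs (group containing the
# site A DC computer accounts), SiteA (AD site). Needs RSAT (GroupPolicy and
# ActiveDirectory modules) and rights to create and link GPOs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$gpoName = 'DNS-Delegation-SiteA'
$dcGroup = 'SiteA_DCs'

# 1. Create the GPO. The DNS service ACL itself is set in the GPO editor under
#    Computer Configuration > Windows Settings > Security Settings > System
#    Services (there is no cmdlet for that part).
$null = New-GPO -Name $gpoName -Comment 'Delegates DNS service control to site A admins'

# 2. Security filtering: downgrade Authenticated Users from Apply to Read so
#    the GPO still replicates and can be read, then grant Apply only to the
#    group that holds site A's DC computer accounts.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $gpoName -TargetName $dcGroup -TargetType Group `
    -PermissionLevel GpoApply

# 3. Link to the existing Domain Controllers OU; the DCs stay where they are.
$dcOu = "OU=Domain Controllers,$($domain.DistinguishedName)"
New-GPLink -Name $gpoName -Target $dcOu -LinkEnabled Yes

# Alternative to steps 2 and 3 (the "link to the SITES" option): link the GPO
# to the site object instead of filtering by group.
# $siteDn = "CN=SiteA,CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
# New-GPLink -Name $gpoName -Target $siteDn -LinkEnabled Yes

# Check: only the intended group should hold Apply on this GPO.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Repeat the same steps with a second GPO and the site B group so each set of DCs applies only its own delegation; `Get-GPOReport -Name $gpoName -ReportType Html` shows the resulting scope for review.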