Updated: Jul 12
DNSAdmins is a default security group in Active Directory that delegates administrative control over the DNS Zones and some DNS servers settings to a specific user account or Group. Members of this group have permission to manage DNS zones and records and configure DNS server settings including Forwarders etc.
However, it may not be desirable to delegate the entire DNSAdmin permission to a user via DNSAdmins and a more targeted approach of delegating zone management or creation could be necessary.
The script (here), creates the required groups to delegate DNS Server management, the ability to create and delete zones and finally zone management. Group names will either be named DNSServer or DNSZone, where 'MicrosoftDNS' is used the group defines a top-level permission. Also, AD groups follow the suggested Microsoft naming convention of 'AT' or Action Task.
Here are a few examples:
AT_DNSServer_MicrosoftDNS_Manage is defined as the ability to change settings for the DNS Server eg create Forwarders or scavenging.
AT_DNSZone_MicrosoftDNS_Manage is defined as the ability to create and delete Zones but not change any DNS Server settings.
AT_DNSZone_Microsoft.com_Manage is defined as the ability to manage the Microsoft.com DNS Zone.
Note: DNSAdmin group on its own does not have enough permissions and requires Server Operators, Administrators for the Domain or Domain Admin, basically local administrative rights over Domain Controllers.
The setup is pretty straightforward a virtual Domain Controller and Member Server. An OU for the delegated groups with a pre-existing group named AT_Server_User. This is to provide login via a user account to the Member Server with Remote Desktop User Rights Assignment and the delegated DNS group(s).
Update the Member Server OU GPO with the following changes.
Create 'Restricted Groups' for Administrators and add AT_Server_Admin.
Create 'Restricted Groups' for Remote Desktop Users and add AT_Server_User.
Add both Remote Desktop Users and AT_Server_User to the 'Allow log on through Remote Desktop Service' User Rights Assignment.
Create a user account and add it to the AT_Server_User group.
Deploy the DNS delegation script (here) with Domain Admin rights on the Domain Controller.
After executing the script the delegation OU should be similar to the picture below with groups for both forward and reverse zones and 2 default MicrosoftDNS groups.
DNS Server Delegation
Members of AT_DNSServer_MicrosoftDNS_Manage are able to connect DNS and manage server settings but not create, delete or manage any existing zone.
Due to the issue of requiring administrative rights on Domain Controllers, not all settings can be managed. Setting for interface options, DNSSec or Trustpoints requires further rights, most other DNS configuration options are available.
All DNS Delegation groups require a minimum of READ to connect via the DNS snapin.
DNS Server permissions can be found under System, MicrosoftDNS in dsa.msc
DNS Zone Creation and Deletion
To create and delete zones open adsiedit and type 'dc=domaindnszones,dc=fqdn'.
Full control for AT_DNSZone_Manage is set against CN=MicrosoftDNS without inheritance.
DNS Zone Management
Finally, each zone is delegated to a named DNS zone group.
use adsiedit, connect to the 'default naming context' to browse to each zone to interrogate permissions.