13.6. Delegating Control of a Zone

Problem

You want to delegate control of managing the resource records in a zone.

Solution

Using a graphical user interface

  1. Open the DNS Management snap-in.

  2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.

  3. Expand the server in the left pane and expand either Forward Lookup Zones or Reverse Lookup Zones depending on the type of zone.

  4. Click on the name of the zone.

  5. Right-click on the zone and select Properties.

  6. Click on the Security tab.

  7. Click the Add button.

  8. Use the Object Picker to locate the user or group to which you want to delegate control.

  9. Under Permissions, check the Full Control box.

  10. Click OK.

Using a command-line interface

The following command grants full control over managing the resource records in an AD-Integrated zone:

> dsacls dc=<ZoneName>,cn=MicrosoftDNS,<DomainOrAppPartitionDN> /G <UserOrGroup>:GA;;

Using VBScript

' This code grants full control for the specified user or group over
' an AD-Integrated zone.
' ------ SCRIPT CONFIGURATION ------
strZoneDN = "dc=<ZoneName>,cn=MicrosoftDNS,<DomainOrAppPartitionDN>"
strUserOrGroup = "<UserOrGroup>" ' e.g. joe@rallencorp.com or RALLENCORP\joe
' ------ END CONFIGURATION ---------
set objZone = GetObject("LDAP://" & strZoneDN)
'############################
' Constants
'############################
...
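The same delegation can be applied and, more importantly, verified from PowerShell. The following script is an added example and is not part of the Cookbook: it uses the ActiveDirectory module's AD: drive to add a GenericAll ACE (the right the dsacls `:GA;;` form grants) for the trustee on the zone object, then reads the DACL back and lists every principal that holds Full Control on the zone. The `<ZoneName>`, `<DomainOrAppPartitionDN>` and `<UserOrGroup>` values are placeholders you must replace, as in the recipe above.

```powershell
# Added example (not from the Active Directory Cookbook): grant and then audit
# Full Control on an AD-integrated zone object.
# Placeholders below are assumptions; substitute your zone DN and trustee.
Import-Module ActiveDirectory

$zoneDn  = "DC=<ZoneName>,CN=MicrosoftDNS,<DomainOrAppPartitionDN>"
$trustee = "<UserOrGroup>"   # e.g. RALLENCORP\joe

# Read the zone object's current security descriptor through the AD: PSDrive.
$acl = Get-Acl -Path "AD:\$zoneDn"

# Build an Allow ACE for GenericAll (same right as dsacls ... /G <trustee>:GA;;).
$identity = New-Object System.Security.Principal.NTAccount($trustee)
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($ace)

# Write the modified DACL back to the zone object.
Set-Acl -Path "AD:\$zoneDn" -AclObject $acl

# Verification: list every trustee that now holds GenericAll on the zone,
# including inherited entries, so unexpected holders of Full Control stand out.
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
(Get-Acl -Path "AD:\$zoneDn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

Run the script as an account that already has permission to modify the zone object's DACL (the zone's owner or a domain administrator). The read-back step is the part worth keeping around: GenericAll includes WriteDacl and WriteOwner on the zone object itself, so a trustee with Full Control can extend or re-delegate that access, and periodically listing who holds it is a cheap way to catch delegations that have outlived their purpose.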
