Microsoft Windows 2000 DNS Server User Manual

DNS Admins Group
By default, the DNS Admins group has full control of all zones and records in the
Windows 2000 domain in which it is specified. For a user to be able to enumerate
the zones in a specific Windows 2000 domain, the user (or a group the user belongs
to) must be a member of the DNS Admins group. At the same time, a domain
administrator may not want to grant such a high level of administration (full control)
to every user listed in the DNS Admins group. The typical case is a domain
administrator who wants to grant a set of users full control over a specific zone and
read-only access to the other zones in the domain.
Create the groups Zone1Admins, Zone2Admins, and so on for zones 1, 2, and so on
respectively. The ACL for zone N will then contain the group ZoneNAdmins with full
control. At the same time, all of the groups Zone1Admins, Zone2Admins, and so forth
are included in the DNS Admins group, and the DNS Admins group itself is given
read permission only. Since a zone's ACL always contains the DNS Admins group,
every user in Zone1Admins, Zone2Admins, and so forth will have read permission
for all the zones in the domain.
The DNS Admins group is configurable through the Active Directory Users and
Computers manager.
Reserving Names
The default configuration, in which any authenticated user may create a new name
in a zone, may not be sufficient for environments that require a high level of security.
In such cases, the default ACL can be changed so that only certain groups or users
may create objects in a zone. Per-name granularity of ACLs provides another
solution to this problem: an administrator may reserve a single name in a zone while
leaving the rest of the zone open for the creation of new objects by all authenticated
users. To do so, the administrator creates a record for the reserved name and sets
the appropriate list of groups or users in that record's ACL. From then on, only the
users listed in that ACL will be able to register another record under the reserved
name.
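The two ACL layouts above (per-zone admin groups nested in a read-only DNS Admins group, and a reserved name with its own ACL) can be checked against a small model of the effective permissions. This is an added, constructed example written for this page, not Windows 2000 code; the zone names, group names and the "WebTeam" group are assumptions, and full control on a zone is assumed to be inherited by the records in it.

```python
# Model of the zone/name ACL layout described above (constructed example, not
# Windows 2000 code). Permission levels are ordered: each includes the lower ones.
READ, CREATE, FULL = 1, 2, 3

# Nested group membership: Zone1Admins and Zone2Admins are members of DNS Admins.
GROUP_NESTING = {"Zone1Admins": {"DNS Admins"}, "Zone2Admins": {"DNS Admins"}}

ZONES = {
    # Zone ACL: DNS Admins read only, Zone1Admins full control, and the default
    # create right for authenticated users left in place.
    "zone1.example.com": {
        "acl": {"DNS Admins": READ, "Zone1Admins": FULL, "Authenticated Users": CREATE},
        # Reserved name: a record exists for "www" and only WebTeam may add records under it.
        "reserved": {"www": {"WebTeam"}},
    },
    # Hardened default: authenticated users may only read; creation limited to Zone2Admins.
    "zone2.example.com": {
        "acl": {"DNS Admins": READ, "Zone2Admins": FULL, "Authenticated Users": READ},
        "reserved": {},
    },
}

def effective_groups(direct_groups):
    """Expand nested membership; every user is also an Authenticated User."""
    groups = set(direct_groups) | {"Authenticated Users"}
    todo = list(groups)
    while todo:
        for parent in GROUP_NESTING.get(todo.pop(), ()):
            if parent not in groups:
                groups.add(parent)
                todo.append(parent)
    return groups

def check(direct_groups, zone, action, name=None):
    """Return True if a user with these groups may perform action on zone/name."""
    groups = effective_groups(direct_groups)
    z = ZONES[zone]
    level = max((lvl for g, lvl in z["acl"].items() if g in groups), default=0)
    if level >= FULL:              # full control (assumed inherited by records)
        return True
    if action == "read":
        return level >= READ
    if action == "create":         # register a record under a name
        if level < CREATE:
            return False
        if name in z["reserved"]:  # reserved name: only its own ACL may add records
            return bool(z["reserved"][name] & groups)
        return True
    return False                   # modify/delete existing records needs full control
```

Running the checks shows a Zone1Admins member with full control in zone1 but only read access in zone2 (through DNS Admins), and an ordinary authenticated user able to register a new name in zone1 but not under the reserved "www".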
Aging and Scavenging
With dynamic update, records are automatically added to the zone when computers
and domain controllers are added. However, in some cases, they are not
automatically deleted.
Having many stale resource records presents several problems. Stale resource
records take up space on the server, and a server might use a stale resource record
to answer a query. As a result, DNS server performance suffers.
To solve these problems, the Windows 2000 DNS server can scavenge stale records;
that is, it can search the database for records that have aged and delete them.
Administrators can control aging and scavenging by specifying the following:
Which servers can scavenge zones
Windows 2000 White Paper 22