none
DSACLS Assistance RRS feed

  • Question

  • Hi there,

    I've been directed here from another forum post: https://social.technet.microsoft.com/Forums/windowsserver/en-US/35ac1c36-0d7e-455d-aa61-545e91116acc/dns-permission-problem?forum=winserverDS

    I've made the mistake of changing the security permissions on a DNS server Forward Lookup Zone to Deny everyone. Now the zone is inaccessible\hidden from the DNS Server GUI, from DNSCMD, and adsiedit.msc. Would anyone know what approach I should take to reset the permissions on the Primary Forward Lookup Zone file to allow everyone Read permissions?

    More specifically what caused my problem was I opened the DNS Server Manager and under "DNS>SERVER>FORWARD LOOKUP ZONES" I created two primary zones. One called Google.ca and the other Youtube.com. I selected properties on each Primary Zone mentioned above and selected Security -> Everyone --> Deny. Now the two zones Youtube.com & Google.ca no longer show up. I am unable to recreate these Primary Zones as I get an error message that reads:

    "The Zone Cannot be created. The Zone has no start of authority. (SOA) Record."

    Even though these two Primary forward zone files are not visible, I am pretty confident they are still there. I just have denied myself access to viewing or changing them. I would like to reset the permission on these two primary zones to remove the deny permission i accidentally set. This DNS server is working properly otherwise and it is also acting as a Domain Controller. Therefore, I don't want to do anything too harsh. I would just like to undo what I did.


    I suspect I might need to use DSACLS but i'm not sure how to proceed and I certainly don't want to experiment on a production server without some reassurance.

    Thanks for your time,


    • Moved by Bill_Stewart Friday, July 7, 2017 6:12 PM This is not "help me fix what I broke" forum
    Wednesday, May 10, 2017 10:12 PM

All replies

  • You need to post in a different forum.  This is not  a scripting issue. 

    Post in the Windows forum for your version of Windows.

    Here is where to start: https://social.technet.microsoft.com/Forums/ie/en-US/home?forum=winserveripamdhcpdns


    \_(ツ)_/

    Wednesday, May 10, 2017 10:23 PM
  • I realize my expectations were too high posting in this section. However since I have denied myself access to changing the security permissions of a primary DNS zone file through the use of ADSI, DNSCMD & the DNS Server GUI that leaves only one option. To either user DACLS or Powershell to script a permission change to the zone files I inadvertently messed up. Anyway, I don't feel comfortable myself using my own custom script to make changes to a production server because if I mess up the script I may just make the problem worse. Anyway, thanks for your time and reply. I'll attempt to find other resources.
    Thursday, May 11, 2017 2:45 PM