Implementing the DNS Admins Role

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Use the following procedure to implement the DNS admins role.

  1. Create a Universal Group called <Forest-Name> DNS Admins in the Service Management OU (ou=Service Management, dc=<Forest Root Domain>).

    Note

    If Universal groups are not available, create a Global security group.

  2. Grant the <Forest-Name> DNS Admins the following permissions:

    • Full control on CN=MicrosoftDNS, DC=ForestDnsZones, DC=<forest root domain>

  3. Create one Global Group called <Domain-Name> DNS Admins in the Service Management OU for each domain (ou=Service Management, dc=<Forest Root Domain>).

  4. In each domain and on every NDNC used by DNS <domain>, grant the respective <Domain-Name> DNS Admins group the following permissions:

    • Full control on CN=MicrosoftDNS, CN=System, DC=<domain>

    • Full control on CN=MicrosoftDNS, DC=DomainDnsZones, DC=<domain>

  5. Make the <Forest-Name> DNS Admins a member of the <Domain-Name> DNS Admins group from each domain.
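
The five steps above as a command-line run, followed by a check of the result. This is an added example, not Microsoft's script. It assumes a single-domain forest example.com with NetBIOS name EXAMPLE, an existing Service Management OU, dsacls installed from the Support Tools, and the constructed group names shown. It uses the Global-group fallback from the note in step 1, which lets dsmod nest one Global group of the domain into another.

```batch
@echo off
rem Added example. All names below are constructed placeholders.
setlocal
set "ROOT=DC=example,DC=com"
set "OU=OU=Service Management,%ROOT%"
set "FGRP=ExampleForest DNS Admins"
set "DGRP=Example DNS Admins"

rem Steps 1 and 3: create the forest-wide and per-domain security groups.
dsadd group "CN=%FGRP%,%OU%" -secgrp yes -scope g -samid "%FGRP%" || goto fail
dsadd group "CN=%DGRP%,%OU%" -secgrp yes -scope g -samid "%DGRP%" || goto fail

rem Step 2: full control (GA) on the forest-wide DNS container.
rem /I:T applies the entry to the container and its child objects.
rem The inheritance scope is an assumption; the page only says "Full control".
dsacls "CN=MicrosoftDNS,DC=ForestDnsZones,%ROOT%" /I:T /G "EXAMPLE\%FGRP%:GA" || goto fail

rem Step 4: full control on both per-domain DNS containers.
rem Repeat this step (and step 3) with each domain's own DN and group.
dsacls "CN=MicrosoftDNS,CN=System,%ROOT%" /I:T /G "EXAMPLE\%DGRP%:GA" || goto fail
dsacls "CN=MicrosoftDNS,DC=DomainDnsZones,%ROOT%" /I:T /G "EXAMPLE\%DGRP%:GA" || goto fail

rem Step 5: nest the forest group in the domain group.
dsmod group "CN=%DGRP%,%OU%" -addmbr "CN=%FGRP%,%OU%" || goto fail

rem Check: list the members of the domain group, then the ACL entries
rem that name a DNS Admins group on each of the three containers.
dsget group "CN=%DGRP%,%OU%" -members
for %%C in ("CN=MicrosoftDNS,DC=ForestDnsZones,%ROOT%" "CN=MicrosoftDNS,CN=System,%ROOT%" "CN=MicrosoftDNS,DC=DomainDnsZones,%ROOT%") do (
    echo === %%~C
    dsacls %%C | findstr /i /c:"DNS Admins"
)
goto :eof

:fail
echo A command reported an error; review the output above. 1>&2
exit /b 1
```

Rerunning the check section on a schedule shows whether any other trustee has since been given full control on these containers, if the findstr filter is removed.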