DNS server WMI permissions
The following section details the permissions required for IPAM users to monitor DNS servers.
Enable an account for WMI
A DNS server administrator account that can make changes on the DNS server is required to manage DNS servers. If you have a stand-alone DNS server, you can use a local administrator account configured for WMI access.
Administrator accounts are configured to make DNS server management tasks by default. For an AD and DNS setup, this is an account with full DACL (discretionary access control list) with remote WMI management enabled
Grant read-only access to non-administrator accounts for IPAM DNS monitoring
To poll the DNS server without an administrator account, you must add the user to the DNS Admin group. The account must have Read/Write permissions for DNS management so the account is able to write itself to the DNS server as a zone transfer server. Administrators can specify the rights of a user within their account settings to have just read only access to the DNS portion of IPAM.
Enable an account for WMI
Use the DNS Server Administrator account based on your network configuration.
- In Standalone DNS, administrators are configured to make DNS server management tasks by default.
- In a AD+DNS setup, use the account with full DACL to manage the DNS Server. The account must have remote WMI for management enabled.
The following steps detail how to use a non-administrator account.
To configure DCOM services
- Start
dcomcnfg
. - Expand Component Services\Computers, right-click My Computer, and select Properties.
- Click the COM Security tab.
- In the Access Permissions group:
- Click Edit Default, add your account, and select Enable Local Access and Remote Access.
- Click Edit Limits, add your account, and select Enable Local and Remote Access.
- In the Launch and Activation permissions:
- Click Edit Default, add your account, and select Allow all.
- Click Edit Limits, add your account, and select Allow all.
To configure access to the WMI branch
- Start the MMC console and add the WMI Control Snap-in.
- Right-click Snap-in and click Properties.
- In the Security tab, select MicrosoftDNS and CIMV2 branch, and then click Security.
- Add your account, and Allow Execute Methods, Enable Account, Remote Enable.
- On the DNS Security tab, verify that the new user you created has DNSAdmin rights.
- Start
dnsmgmt.msc
. - Right-click the server or service and view properties to confirm that all the options for the user are selected.
To test the connection to a DNS server with specific credentials, use the Windows Management Instrumentation Tester, wbemtest, and connect to a machine using namespace, such as: \\remote_hostname\root\MicrosoftDNS