
Grant non-domain administrator account rights for IPAM DNS Monitoring

Overview

This article describes how to configure a non-domain-administrator account that IPAM can use to poll Windows DNS servers.

The account must be a member of the DnsAdmins group. IPAM requires read/write permission for DNS management because it registers itself on the DNS server as a zone transfer server. The account does not need to be a domain administrator, but DnsAdmins membership is mandatory for the account IPAM uses. Treat the credential as highly privileged anyway: DnsAdmins members can change server-level DNS configuration (including which plug-in DLL the DNS service loads), so protect its password as you would a domain administrator's and use a dedicated service account rather than a person's login.

You can limit an Orion user to read-only access to the DNS portion of IPAM in that user's Orion account settings. That restriction applies to the Orion user, not to the credential IPAM uses to poll the DNS servers, so use a dedicated, restricted service account for DNS polling and control what individual users can do through IPAM's own permissions.

Environment

IPAM 3.0 or later

Steps

Use an account that is allowed to make changes on the DNS server (a DNS server administrator for your network configuration) to enable the service account for remote WMI access.

In a standalone DNS setup, this can be a local administrator. By default, members of the local Administrators group are allowed remote WMI access and can perform DNS server management tasks.

In an AD-integrated DNS setup, the service account must have full control in the DNS server's security DACL (DnsAdmins membership provides this) and must additionally be enabled for remote WMI management as described in the steps below.

To configure DCOM Services:

  1. Start dcomcnfg.
  2. Expand Component Services\Computers, right-click My Computer, and select Properties.
  3. Click the COM Security tab.
  4. In the Access Permissions group, click Edit Default, add your account, and select the Local Access and Remote Access check boxes.
  5. In the Access Permissions group, click Edit Limits, add your account, and select Local Access and Remote Access.
  6. In the Launch and Activation Permissions group, click Edit Default, add your account, and select Allow for all permissions.
  7. In the Launch and Activation Permissions group, click Edit Limits, add your account, and select Allow for all permissions.

To configure access to the WMI namespaces:

  1. Start the MMC console and add the WMI Control snap-in.
  2. Right-click the snap-in and click Properties.
  3. On the Security tab, select the Root\MicrosoftDNS namespace and click the Security button; repeat the next step for the Root\CIMV2 namespace.
  4. Add your account and allow Execute Methods, Enable Account, and Remote Enable.
  5. Verify that the new account has DnsAdmins rights on the DNS server's Security tab.
  6. Start dnsmgmt.msc.
  7. Right-click the server node, select Properties, and on the Security tab confirm that all permissions for the new account are allowed.

To test the connection to a DNS server with specific credentials, start wbemtest, click Connect, enter the remote server's namespace, for example:
\\remote_hostname\root\MicrosoftDNS
and supply the service account's user name and password.
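The following PowerShell script is an added example, not part of the SolarWinds article or the IPAM product. It is the scripted equivalent of the wbemtest check above: it reads back the DACL on the Root\MicrosoftDNS and Root\CIMV2 namespaces to confirm the three rights were granted, connects to the DNS WMI provider over DCOM as the service account, and (where the ActiveDirectory module is available) confirms DnsAdmins membership. The server name DNS01 and account CORP\svc-ipam-dns are placeholders for your environment; run it from an elevated session under an account that can administer the DNS server.

```powershell
# Added example (not SolarWinds code). Verifies the WMI/DCOM setup described
# in the steps above for a restricted DNS polling account.
# DNS01 and CORP\svc-ipam-dns are placeholder names; replace them.
param(
    [string]$DnsServer = 'DNS01',
    [string]$Account   = 'CORP\svc-ipam-dns'
)

# WMI namespace access bits (WBEM_* values from wbemcli.h) that the
# "Execute Methods", "Enable Account" and "Remote Enable" check boxes set.
$WBEM_ENABLE         = 0x01
$WBEM_METHOD_EXECUTE = 0x02
$WBEM_REMOTE_ACCESS  = 0x20
$Required = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS

$domain, $user = $Account.Split('\')

# 1. Read the namespace security descriptor with the current (admin) session
#    and check that the service account's allow ACEs cover the required bits.
function Test-NamespaceRights {
    param([string]$Namespace)
    $result = Invoke-WmiMethod -Namespace $Namespace -Path '__systemsecurity=@' `
                               -Name GetSecurityDescriptor -ComputerName $DnsServer
    if ($result.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor on $Namespace failed with $($result.ReturnValue)"
    }
    # AceType 0 = ACCESS_ALLOWED; fold all allow ACEs for the trustee into one mask.
    $mask = 0
    $result.Descriptor.DACL |
        Where-Object { $_.AceType -eq 0 -and $_.Trustee.Domain -eq $domain -and $_.Trustee.Name -eq $user } |
        ForEach-Object { $mask = $mask -bor $_.AccessMask }
    if (($mask -band $Required) -eq $Required) {
        "{0}: OK (mask 0x{1:X})" -f $Namespace, $mask
    } else {
        "{0}: MISSING rights (mask 0x{1:X}, need at least 0x{2:X})" -f $Namespace, $mask, $Required
    }
}

Test-NamespaceRights 'root\MicrosoftDNS'
Test-NamespaceRights 'root\CIMV2'

# 2. Connect as the service account over DCOM, exactly what wbemtest does
#    with \\DNS01\root\MicrosoftDNS and explicit credentials.
$cred = Get-Credential -UserName $Account -Message "Password for $Account"
try {
    $dns   = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class 'MicrosoftDNS_Server' `
                           -ComputerName $DnsServer -Credential $cred -ErrorAction Stop
    $zones = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class 'MicrosoftDNS_Zone' `
                           -ComputerName $DnsServer -Credential $cred -ErrorAction Stop
    "Connected to {0}: {1} zone(s) visible to {2}" -f $dns.Name, @($zones).Count, $Account
} catch [System.UnauthorizedAccessException] {
    # 0x80070005: DCOM limits (dcomcnfg) or namespace permissions are incomplete.
    Write-Warning "Access denied for $Account on $DnsServer : $_"
} catch {
    # Other COM errors usually mean DCOM launch/activation limits or a firewall.
    Write-Warning "WMI connection to $DnsServer failed: $_"
}

# 3. Optional: confirm DnsAdmins membership (needs the RSAT ActiveDirectory module).
if (Get-Command Get-ADGroupMember -ErrorAction SilentlyContinue) {
    $members = Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
               Select-Object -ExpandProperty SamAccountName
    if ($members -contains $user) { "$user is a member of DnsAdmins" }
    else { Write-Warning "$user is NOT a member of DnsAdmins; IPAM zone transfer registration will fail" }
}
```

Step 1 deliberately runs under your own administrative session rather than the service account, because reading a namespace's security descriptor requires READ_CONTROL, which the restricted account is not given by the steps above. If step 1 reports OK but step 2 is denied, the remaining gap is almost always the DCOM Access or Launch and Activation limits from the dcomcnfg procedure.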
Last modified
18:45, 13 Jul 2017
