
Grant non-domain administrator account rights for IPAM DNS Monitoring


This article describes how to poll the DNS server from IPAM using a non-administrator account.

The user needs to be added to the DNSAdmin group. IPAM requires the account to have Read\Write permission for DNS management so that it can write itself to the DNS server as a zone transfer server. The account itself cannot be a domain administrator account in your environment, but DNS admin rights are a must for the account used within IPAM.

Permissions for the IPAM user can be specified in their Orion account settings if you wish to limit them to read-only access to the DNS portion of IPAM. Unfortunately, this limitation is based on the user in Orion, not on the account used to poll the DNS servers, so it is advisable to use a restricted service account for the DNS server and control user rights through IPAM itself.


IPAM 3.0 or later


Use a DNS server administrator (account allowed to make changes on the DNS server) based on your network configuration to enable the account for WMI.


In Standalone DNS, it might be a local administrator (which by default is pre-configured for remote WMI access). Administrators are by default configured to perform DNS server management tasks.

In an AD+DNS setup, it should be the account that has full DACL to manage the DNS Server, and it must additionally have remote WMI enabled for management according to the steps below.


To configure DCOM Services:

  1. Start dcomcnfg.
  2. Expand Component Services\Computers, right-click on My Computer, and select Properties.
  3. Click the COM Security tab.
  4. In the Access Permissions group, click Edit Default, add your account, and enable the Local Access and Remote Access check boxes.
  5. In the Access Permissions group, click Edit Limits, add your account, and enable Local and Remote Access.
  6. In the Launch and Activation Permissions group, click Edit Default, add your account, and Allow all check boxes.
  7. In the Launch and Activation Permissions group, click Edit Limits, add your account, and Allow all check boxes.


To configure access to the WMI Branch:

  1. Start the MMC console and add the WMI Control snap-in.
  2. Right-click the snap-in and click Properties.
  3. In the Security tab, select the MicrosoftDNS and CIMV2 branches, and then click the Security button.
  4. Add your account, and allow: Execute Methods, Enable Account, Remote Enable.
  5. Verify that the new user you created has DNSAdmin rights on the DNS Security tab.
  6. Start dnsmgmt.msc.
  7. Right-click on Server/Service and view Properties to confirm that all the check boxes for the new user are checked.

To test connection to a DNS Server with specific credentials, use the wbemtest tool and connect to a machine using a namespace like:

For additional information on WBEMTEST, see Unable to Add DNS Server to IPAM.
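
A scripted version of the same connection test, given here as an added example and not SolarWinds code: it probes the two WMI branches from the steps above with the polling account and reports which layer refused access. The host name, the `root\CIMV2` and `root\MicrosoftDNS` namespace paths, and the probe classes are assumptions.

```powershell
# Added example (Windows PowerShell 5.1; Get-WmiObject is not in PowerShell 7).
# Run from a remote machine: -Credential cannot be used for local WMI connections.
param(
    [string]$DnsServer = 'dns01.example.local',   # placeholder host name
    [pscredential]$Credential = (Get-Credential -Message 'DNS polling account')
)

# Assumed namespace paths for the MicrosoftDNS and CIMV2 branches secured in
# the WMI Control steps; the classes are standard ones in those namespaces.
$probes = @(
    @{ Namespace = 'root\CIMV2';        Class = 'Win32_OperatingSystem' },
    @{ Namespace = 'root\MicrosoftDNS'; Class = 'MicrosoftDNS_Server' }
)

$results = foreach ($p in $probes) {
    try {
        # Get-WmiObject connects over DCOM, the transport set up in dcomcnfg.
        $null = Get-WmiObject -ComputerName $DnsServer -Credential $Credential `
            -Namespace $p.Namespace -Class $p.Class -ErrorAction Stop
        [pscustomobject]@{ Namespace = $p.Namespace; Result = 'OK'; Hint = '' }
    }
    catch {
        $ex = $_.Exception
        $hint = if ($ex -is [System.UnauthorizedAccessException]) {
            'Denied before reaching WMI: check credentials and COM Security'
        } elseif ($ex -is [System.Management.ManagementException]) {
            "WMI returned $($ex.ErrorCode): check security on this namespace"
        } elseif ($ex -is [System.Runtime.InteropServices.COMException]) {
            'Server unreachable over RPC/DCOM: check name and firewall'
        } else {
            $ex.Message
        }
        [pscustomobject]@{ Namespace = $p.Namespace; Result = 'FAILED'; Hint = $hint }
    }
}

$results | Format-Table -AutoSize
```

Both rows should read OK for the restricted account; a FAILED row on only one namespace points at the WMI Control security for that branch.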
