
Required DNS Permissions to set up a High Availability Pool and access Microsoft DNS

Updated November 9, 2017


This article describes the required DNS Permissions and steps to set up a High Availability Pool and access Microsoft DNS.


  • Orion High Availability v 2.0



HA 2.0 needs to use a DNS Server Administrator account that is allowed to make changes to the DNS server. With a standalone DNS server, this could be a local Administrator account configured for WMI access.


Administrators are by default allowed to perform DNS Server management tasks. In an AD and DNS setup, this would be an account with a full DACL and remote WMI management enabled.

Granting access to a non-administrator account for HA 2.0 DNS management

The following steps detail how to use a non-administrator account.

To configure DCOM Services

  1. Log in to the server where DNS Services are running.
  2. Start dcomcnfg.
  3. Expand Component Services\Computers, right-click on My Computer, and select Properties.
  4. Click the COM Security tab.
  5. In the Access Permissions group, click Edit Default, add your account, and select the Local Access and Remote Access checkboxes.
  6. In the Access Permissions group, click Edit Limits, add your account, and select the Local Access and Remote Access checkboxes.
  7. In the Launch and Activation Permissions group, click Edit Default, add your account, and select Allow for all checkboxes.
  8. In the Launch and Activation Permissions group, click Edit Limits, add your account, and select Allow for all checkboxes.

To configure access to the WMI root\MicrosoftDNS Branch

One option is to add the user to the DnsAdmins group. Another possibility is to configure permissions to manage DNS using WMI for the newly created user:

  1. Log in to the server where DNS Services are running.
  2. Start the MMC console and add the WMI Control snap-in.
  3. Right-click the snap-in and click Properties.
  4. In the Security tab, select the root\MicrosoftDNS branch, and then click the Security button.
  5. Add your account, and Allow:
    • Execute Methods
    • Provider Write
    • Enable Account
    • Remote Enable
  6. Verify that the new user you created has DNSAdmin rights on the DNS Security tab.
  7. Start dnsmgmt.msc.
  8. Right-click Server/Service and view Properties.
  9. Click the Security tab.
  10. Add your account and allow Read/Write and Create/Delete all child object permissions.

Set up Virtual Hostname in HA 2.0

  1. Choose the virtual hostname for the pool. The hostname cannot contain a dot character, and internationalized names are not supported by HA 2.0. Ensure that the virtual hostname is not already used on your network, and enter it in the Virtual Host Name input box.
  2. In the next step of the create pool wizard, enter the User Name and Password that will be used to authenticate WMI connections to the Microsoft DNS server. The User Name can be entered in User Principal Name (user@domain) or Down-Level Logon Name (domain\user) format.


To test the connection to a DNS Server with specific credentials, use the wbemtest tool on the Orion server and connect to a machine using a namespace like: \\remote_hostname\root\MicrosoftDNS. 


  1. Start -> Run -> wbemtest
  2. Click Connect ...
  3. In the Namespace, enter \\<ipaddress of DNS server>\root\MicrosoftDNS
  4. Enter the username and password you are using to set up HA
  5. Click Connect
  6. Click on Query ...
  7. Enter the following query:

    SELECT Name FROM MicrosoftDNS_Zone
  8. You should see the DNS zones, similar to "MicrosoftDNS_Zone=<no key>" for each zone.
  9. Double-click one of the entries to see the zone name at the bottom.
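
A scripted equivalent of the wbemtest check above, for running on the Orion server with the account entered in the HA pool wizard. This is an added example, not SolarWinds code; the function name Test-HaDnsWmiAccess and the host name dns01.example.test are placeholders, and the hint text attached to each error code is this example's own wording.

```powershell
# Added example, not SolarWinds code. Run on the Orion server.
# Test-HaDnsWmiAccess is a hypothetical helper name.
function Test-HaDnsWmiAccess {
    param(
        [Parameter(Mandatory)] [string] $DnsServer,
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    # Common remote-WMI HRESULTs mapped to the part of the setup to recheck.
    $hints = @{
        '0x80070005' = 'Access denied by DCOM: recheck the COM Security settings'
        '0x80041003' = 'Access denied by WMI: recheck root\MicrosoftDNS security'
        '0x8004100E' = 'Namespace not found: DNS WMI provider missing on target'
        '0x800706BA' = 'RPC server unavailable: check name resolution and firewall'
    }

    # New-CimSession uses WS-Man for remote computers by default. Force DCOM
    # so the test exercises the DCOM and WMI permissions granted above.
    $option  = New-CimSessionOption -Protocol Dcom
    $session = $null
    try {
        $session = New-CimSession -ComputerName $DnsServer -Credential $Credential `
            -SessionOption $option -ErrorAction Stop
        # Same query as the wbemtest step.
        $zones = Get-CimInstance -CimSession $session -Namespace 'root\MicrosoftDNS' `
            -Query 'SELECT Name FROM MicrosoftDNS_Zone' -ErrorAction Stop
        [pscustomobject]@{
            Server = $DnsServer; Success = $true
            Zones  = @($zones | ForEach-Object Name); Detail = $null
        }
    }
    catch {
        # CIM cmdlets typically carry the HRESULT in the error id or the message.
        $text = "$($_.FullyQualifiedErrorId) $($_.Exception.Message)"
        $code = if ($text -match '0x[0-9A-Fa-f]{8}') { $Matches[0] } else { 'unknown' }
        $detail = if ($hints.ContainsKey($code)) { $hints[$code] } else { $_.Exception.Message }
        [pscustomobject]@{
            Server = $DnsServer; Success = $false
            Zones  = @(); Detail = "$code $detail"
        }
    }
    finally {
        if ($session) { Remove-CimSession -CimSession $session }
    }
}

# Constructed placeholder host name; enter the HA account when prompted.
Test-HaDnsWmiAccess -DnsServer 'dns01.example.test' -Credential (Get-Credential)
```

A result with Success set to True and a populated Zones list corresponds to step 8 of the wbemtest procedure.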

For additional information, see How to update multiple DNS servers when failover occurs.



