
Required DNS Permissions to set up a High Availability Pool and access Microsoft DNS

Updated November 9, 2017


This article describes the required DNS Permissions and steps to set up a High Availability Pool and access Microsoft DNS.


  • High Availability 2



FOE - DNS Server WMI Permissions: required in order to update the virtual hostname record on Microsoft DNS servers.

HA 2.0 needs to use a DNS Server Administrator account that is allowed to make changes on the DNS Server. With a standalone DNS server, this could be a Local Administrator configured for WMI access.


Administrators are by default configured to perform DNS Server management tasks. Within the AD & DNS setup, this would be an account with full DACL with remote WMI management enabled.

Granting access to a non-administrator account for HA 2.0 DNS Management

The following steps detail how to use a non-administrator account.

To configure DCOM Services

  1. Start dcomcnfg.
  2. Expand Component Services\Computers, right-click on My Computer, and select Properties.
  3. Click the COM Security tab.
  4. In the Access Permissions group, click Edit Default, add your account, and enable the Local Access and Remote Access checkboxes.
  5. In the Access Permissions group, click Edit Limits, add your account, and enable Local Access and Remote Access.
  6. In the Launch and Activation Permissions group, click Edit Default, add your account, and allow all checkboxes.
  7. In the Launch and Activation Permissions group, click Edit Limits, add your account, and allow all checkboxes.

To configure access to the WMI root\MicrosoftDNS Branch

One option is to add the user to the DNSAdmin group. Another possibility is to configure permissions to manage DNS using WMI for the newly created user:

  1. Start the MMC console and add the WMI Control snap-in.
  2. Right-click the snap-in and click Properties.
  3. In the Security tab, select the root\MicrosoftDNS branch, and then click the Security button.
  4. Add your account, and allow:
    • Execute Methods
    • Provider Write
    • Enable Account
    • Remote Enable
  5. Verify the new user you created has DNSAdmin rights on the DNS Security tab.
  6. Start dnsmgmt.msc.
  7. Right-click Server/Service and view Properties.
  8. Click the Security tab.
  9. Add your account and allow the Read/Write and Create/Delete all child objects permissions.

Set up the Virtual Hostname in HA 2.0

  1. Choose the virtual hostname for the pool. The hostname cannot contain a dot character, and internationalized names are not supported by HA 2.0. Ensure that the virtual hostname is not already used on your network, and enter it in the Virtual Host Name input box.
  2. In the next step of the create pool wizard, enter the User Name and Password that will be used to authenticate WMI connections to the Microsoft DNS server. The User Name can be entered in User Principal Name (user@domain) or Down-Level Logon Name (domain\user) format.


To test the connection to a DNS Server with specific credentials, use the wbemtest tool and connect to a machine using a namespace like: \\remote_hostname\root\MicrosoftDNS.


1) Start -> Run -> wbemtest

2) Click Connect ...

3) In the Namespace, enter \\<ipaddress of DNS server>\root\MicrosoftDNS

4) Enter the username and password you are using to set up HA

5) Click Connect

6) Click Query ...

7) Enter the following query:

SELECT Name FROM MicrosoftDNS_Zone

8) You should see the DNS zones, listed similar to "MicrosoftDNS_Zone=<no key>" for each zone.

9) Double-click one of the entries to see the zone name at the bottom.
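
The same check can be scripted, which is convenient when validating a non-administrator account against several DNS servers. The following PowerShell is an added example, not part of the original article or any SolarWinds tooling; the parameter names are assumptions, and it runs the query from step 7 over DCOM so that it exercises the DCOM and root\MicrosoftDNS permissions configured above.

```powershell
# Added example (not SolarWinds code): scripted equivalent of the wbemtest check.
# Parameter names are assumptions chosen for this example.
param(
    [Parameter(Mandatory)] [string] $DnsServer,        # hostname or IP of the DNS server
    [Parameter(Mandatory)] [pscredential] $Credential  # the account entered in the HA pool wizard
)

$session = $null
try {
    # Force DCOM so the test uses the transport whose permissions were set in dcomcnfg.
    $option = New-CimSessionOption -Protocol Dcom

    # -SkipTestConnection: the default connection test may touch a namespace
    # other than root\MicrosoftDNS, where a least-privilege account has no rights.
    $session = New-CimSession -ComputerName $DnsServer -Credential $Credential `
        -SessionOption $option -SkipTestConnection -ErrorAction Stop

    # Same query as step 7 of the wbemtest procedure.
    $zones = @(Get-CimInstance -CimSession $session -Namespace 'root\MicrosoftDNS' `
        -Query 'SELECT Name FROM MicrosoftDNS_Zone' -ErrorAction Stop)

    if ($zones.Count -eq 0) {
        Write-Warning "Connected to $DnsServer, but no zones were returned."
    }
    else {
        Write-Host "Account $($Credential.UserName) can read $($zones.Count) zone(s) on ${DnsServer}:"
        $zones | ForEach-Object { $_.Name }   # emit zone names to the pipeline
    }
}
catch {
    # Report the exception type and text. An "access denied" error here means the
    # DCOM limits or the root\MicrosoftDNS namespace security still block the account.
    Write-Error ("WMI check against {0} failed: [{1}] {2}" -f `
        $DnsServer, $_.Exception.GetType().FullName, $_.Exception.Message)
}
finally {
    if ($session) { Remove-CimSession -CimSession $session }
}
```

Run it from the Orion server with the credentials from `Get-Credential` so that the test follows the same network path and account that HA will use.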


For additional information, see How to update multiple DNS servers when failover occurs.



