Service account permission to remote PowerShell to a DNS server on Windows Server 2012
Hello Friends, Hope everyone is doing well.
Let's start the topic. My client asked me to create a user ID and grant it permission on particular DNS resource records / a particular zone, so that the user can modify, create and delete DNS records through a PSSession. He came with the following conditions:
1) We will not add the user to the Domain Admins group.
2) We will not add the user to the DnsAdmins group.
3) The user should have modify/create/delete rights only on a particular zone.
It took a lot of experimenting to figure out which settings are needed. Below are all the steps you need to follow to achieve this result, together with a few screenshots for your understanding.
Steps:-
DC side
1) Create a user account in AD and add it to the Remote Management Users built-in group. This is what lets the account open a WinRM session on the DC without any admin group membership.
2) Grant Read access on the DNS server object (DNS Manager: server Properties -> Security) and grant special permissions on the target DNS zone: Write all properties, Create all child objects and Delete all child objects.
3) Grant an explicit Deny on all other zones.
4) Provide Full Control on the root of WMI Control, with "This namespace and subnamespaces" selected. The DnsServer cmdlets are CIM/WMI based: every Get-/Set-/Add-/Remove-DnsServerResourceRecord call goes through the DNS WMI provider in the root\Microsoft\Windows\DNS namespace, so an account with no rights on that namespace gets an access-denied error even when its AD permissions on the zone are correct. Full Control on root is broader than the cmdlets need; the least-privilege grant to try first is Enable Account, Remote Enable and Execute Methods on root\Microsoft\Windows\DNS only, and to fall back to the wider grant only if the test query below fails.
Client/Member Server Side
1) Add the user to the local Administrators group. Keep in mind that this makes the account a full administrator of that member server, so treat that server as a dedicated jump host rather than a shared one.
Bingo! You are good to go. Just to clarify: you can also allow the user to modify only specific DNS records by granting read/write permission on those record objects alone. In that scenario you do not have to assign permissions on the entire zone, but Read permission on the DNS server object is still necessary, and you still grant Deny to the user on all the zones (an Allow set directly on the record object wins over the Deny inherited from its zone, which is what makes this variant work).
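The DC-side steps above (account, group membership, ACLs on the server object, the zone or a single record, the Deny on the other zones, and the WMI namespace) as one PowerShell script, added here as an example; it is not code from the original post. It assumes a domain blossom.local with AD-integrated zones, the account dns_remote and the zone fruit.com from the post, that the "DNS server object" edited by DNS Manager is CN=MicrosoftDNS,CN=System, that the script runs on the DC as a domain admin with the ActiveDirectory and DnsServer modules installed, and that the narrower WMI grant (Enable Account, Execute Methods, Remote Enable on root\Microsoft\Windows\DNS instead of Full Control on root) is enough for the DnsServer cmdlets; verify that last point with the test query before relying on it.

```powershell
# Added example (not from the original post): DC-side delegation in PowerShell.
# Assumptions: domain blossom.local, AD-integrated zones, run on the DC as a
# domain admin. Set $recordName to use the record-level variant from the post.
Import-Module ActiveDirectory
Import-Module DnsServer

$zoneName   = 'fruit.com'
$samName    = 'dns_remote'
$account    = "blossom\$samName"
$recordName = $null                      # e.g. 'banana' for record-level delegation
$domainDn   = (Get-ADDomain).DistinguishedName

# Step 1: operator account that may open a WinRM session but is in no admin group.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$samName'")) {
    $pw = Read-Host -AsSecureString -Prompt "Password for $samName"
    New-ADUser -Name $samName -SamAccountName $samName -AccountPassword $pw -Enabled $true
}
Add-ADGroupMember -Identity 'Remote Management Users' -Members $samName

# Helper: append one ACE to an AD object's DACL through the AD: drive.
function Add-AdAce {
    param(
        [string]$Dn, [string]$Account,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]$Type,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inherit = 'All'
    )
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier])
    $acl = Get-Acl -Path "AD:\$Dn"
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $Rights, $Type, $Inherit))
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# Step 2: Read on the DNS server object (assumed DN), then the post's "special
# permissions" on the one zone, or read/write on a single dnsNode object.
Add-AdAce -Dn "CN=MicrosoftDNS,CN=System,$domainDn" -Account $account -Rights 'GenericRead' -Type Allow -Inherit None
$zoneDn = (Get-DnsServerZone -Name $zoneName).DistinguishedName
if ($recordName) {
    Add-AdAce -Dn "DC=$recordName,$zoneDn" -Account $account -Rights 'GenericRead, WriteProperty' -Type Allow -Inherit None
} else {
    Add-AdAce -Dn $zoneDn -Account $account -Rights 'WriteProperty, CreateChild, DeleteChild' -Type Allow -Inherit All
}

# Step 3: explicit Deny on the other AD-integrated zones. In the record-level
# variant the post denies every zone, so the filter keeps $zoneName in that case.
Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated -and ($recordName -or $_.ZoneName -ne $zoneName) } |
    ForEach-Object { Add-AdAce -Dn $_.DistinguishedName -Account $account -Rights 'GenericAll' -Type Deny -Inherit All }

# Step 4: WMI namespace rights on the DNS provider namespace, inherited by its
# sub-namespaces. 0x1 Enable Account, 0x2 Execute Methods, 0x20 Remote Enable.
function Add-WmiNamespaceAce {
    param([string]$Namespace, [string]$Account, [int]$AccessMask)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier])
    $sec = Get-WmiObject -Namespace $Namespace -Class __SystemSecurity
    $raw = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$sec.GetSD().SD, 0)
    $ace = [System.Security.AccessControl.CommonAce]::new(
        [System.Security.AccessControl.AceFlags]::ContainerInherit,      # this namespace and sub-namespaces
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $AccessMask, $sid, $false, $null)
    $raw.DiscretionaryAcl.InsertAce($raw.DiscretionaryAcl.Count, $ace)
    $bytes = New-Object byte[] $raw.BinaryLength
    $raw.GetBinaryForm($bytes, 0)
    if ($sec.SetSD($bytes).ReturnValue -ne 0) { throw "SetSD failed on $Namespace" }
}
Add-WmiNamespaceAce -Namespace 'root\Microsoft\Windows\DNS' -Account $account -AccessMask 0x23

# Review what the operator ended up with on the delegated zone.
(Get-Acl -Path "AD:\$zoneDn").Access | Where-Object { $_.IdentityReference -eq $account }
```

The Deny ACEs are applied with inheritance so they also cover the records inside those zones; the Allow on the delegated zone is applied the same way so that Set-DnsServerResourceRecord can write the dnsNode child objects. If the narrower WMI grant turns out not to be enough in your environment, widen it one right at a time rather than jumping straight to Full Control on root.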
User dns_remote added to the local Administrators group on the member server from which the PowerShell session will be taken.
User added to the Remote Management Users built-in group on the DC.
Full permission on the root of WMI Control. Grant the permissions as shown in the screenshot.
Make sure "This namespace and subnamespaces" is selected.
Error you will get if the user does not have permission on WMI Control.
Read permission on the DNS server object.
Special permissions on zone fruit.com (the user will create/modify records only under this zone).
Deny permission on all other zones.
Sample PowerShell command outputs
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
Normal query from the member server (the first one targets the DC by IP address)
PS C:\Users\dns_remote> Get-DnsServerResourceRecord -ComputerName 192.168.198.137 -ZoneName fruit.com -RRType A
HostName RecordType Type Timestamp TimeToLive RecordData
-------- ---------- ---- --------- ---------- ----------
apple A 1 0 01:00:00 10.101.3.18
Banana A 1 0 01:00:00 10.101.3.20
Orange A 1 0 01:00:00 10.101.3.19
PS C:\Users\dns_remote> Get-DnsServerResourceRecord -ZoneName fruit.com -RRType A
HostName RecordType Type Timestamp TimeToLive RecordData
-------- ---------- ---- --------- ---------- ----------
banana A 1 0 01:00:00 10.101.3.20
Querying through a remote PowerShell session
PS C:\Windows\system32> Enter-PSSession -ComputerName Blossom-DC-01 -Credential blossom\dns_remote
[Blossom-DC-01]: PS C:\Users\dns_remote\Documents> Get-DnsServerResourceRecord -ZoneName fruit.com -RRType A
HostName RecordType Type Timestamp TimeToLive RecordData
-------- ---------- ---- --------- ---------- ----------
apple A 1 0 01:00:00 10.101.3.18
Banana A 1 0 01:00:00 10.101.3.20
Orange A 1 0 01:00:00 10.101.3.19
[Blossom-DC-01]: PS C:\Users\dns_remote\Documents> Get-DnsServerResourceRecord -ZoneName fruit.com -RRType A -Name Banana
HostName RecordType Type Timestamp TimeToLive RecordData
-------- ---------- ---- --------- ---------- ----------
Banana A 1 0 01:00:00 10.101.3.20
[Blossom-DC-01]: PS C:\Users\dns_remote\Documents> $oldobj
HostName RecordType Type Timestamp TimeToLive RecordData
-------- ---------- ---- --------- ---------- ----------
apple A 1 0 01:00:00 10.101.3.18
Banana A 1 0 01:00:00 10.101.3.20
Orange A 1 0 01:00:00 10.101.3.19
Now we will change the IPv4 address of the A record banana.fruit.com.
[Blossom-DC-01]: PS C:\Users\dns_remote\Documents> $oldobj = Get-DnsServerResourceRecord -ZoneName fruit.com -RRType A -Name Banana
[Blossom-DC-01]: PS C:\Users\dns_remote\Documents> $newobj = $oldobj.Clone()
[Blossom-DC-01]: PS C:\Users\dns_remote\Documents> $newobj.RecordData.IPV4Address = [ipaddress]'10.101.3.25'
[Blossom-DC-01]: PS C:\Users\dns_remote\Documents> $oldobj
HostName RecordType Type Timestamp TimeToLive RecordData
-------- ---------- ---- --------- ---------- ----------
Banana A 1 0 01:00:00 10.101.3.20
[Blossom-DC-01]: PS C:\Users\dns_remote\Documents> $newobj
HostName RecordType Type Timestamp TimeToLive RecordData
-------- ---------- ---- --------- ---------- ----------
Banana A 1 0 01:00:00 10.101.3.25
[Blossom-DC-01]: PS C:\Users\dns_remote\Documents> Set-DnsServerResourceRecord -NewInputObject $newobj -OldInputObject $oldobj -ZoneName "fruit.com" -PassThru
[Blossom-DC-01]: PS C:\Users\dns_remote\Documents> Get-DnsServerResourceRecord -ZoneName fruit.com -RRType A -Name Banana
HostName RecordType Type Timestamp TimeToLive RecordData
-------- ---------- ---- --------- ---------- ----------
Banana A 1 0 01:00:00 10.101.3.25
[Blossom-DC-01]: PS C:\Users\dns_remote\Documents>
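The transcript above changes one record interactively. As an added example, not code from the original post, the same delegated operations (change, create and delete an A record) are wrapped below in functions that run over a single PSSession from the member server, and a write to a zone the account was denied on is attempted on purpose to show how the Deny surfaces. It assumes the DC Blossom-DC-01, the account blossom\dns_remote and the zone fruit.com from the post; veg.com is a hypothetical zone name standing in for any zone the account was denied on.

```powershell
# Added example (not from the original post): delegated DNS record changes run
# from the member server through one PSSession. DC, account and zone names come
# from the post; 'veg.com' is a hypothetical denied zone.
function New-DnsOperatorSession {
    param([string]$DnsServer = 'Blossom-DC-01', [string]$UserName = 'blossom\dns_remote')
    $cred = Get-Credential -UserName $UserName -Message 'DNS operator account'
    New-PSSession -ComputerName $DnsServer -Credential $cred
}

# Change the IPv4 address of an A record the way the post does: Clone() the old
# record, edit the copy, hand both to Set-DnsServerResourceRecord. The address is
# passed as a string and cast on the DC because an [ipaddress] does not survive
# remoting serialization. No write is issued when the record already matches.
function Set-DelegatedARecord {
    param([System.Management.Automation.Runspaces.PSSession]$Session,
          [string]$Zone, [string]$Name, [string]$NewIPv4)
    Invoke-Command -Session $Session -ErrorAction Stop -ArgumentList $Zone, $Name, $NewIPv4 -ScriptBlock {
        param($Zone, $Name, $NewIPv4)
        $old = @(Get-DnsServerResourceRecord -ZoneName $Zone -RRType A -Name $Name -ErrorAction Stop)
        if ($old.Count -ne 1) { throw "$Name.$Zone has $($old.Count) A records; refusing to guess which one to change" }
        $old = $old[0]
        if ($old.RecordData.IPv4Address.IPAddressToString -eq $NewIPv4) { return $old }
        $new = $old.Clone()
        $new.RecordData.IPv4Address = [ipaddress]$NewIPv4
        Set-DnsServerResourceRecord -ZoneName $Zone -OldInputObject $old -NewInputObject $new -PassThru
    }
}

function Add-DelegatedARecord {
    param($Session, [string]$Zone, [string]$Name, [string]$IPv4)
    Invoke-Command -Session $Session -ErrorAction Stop -ArgumentList $Zone, $Name, $IPv4 -ScriptBlock {
        param($Zone, $Name, $IPv4)
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $Name -IPv4Address $IPv4 `
            -TimeToLive (New-TimeSpan -Hours 1) -PassThru -ErrorAction Stop
    }
}

function Remove-DelegatedARecord {
    param($Session, [string]$Zone, [string]$Name)
    Invoke-Command -Session $Session -ErrorAction Stop -ArgumentList $Zone, $Name -ScriptBlock {
        param($Zone, $Name)
        Remove-DnsServerResourceRecord -ZoneName $Zone -RRType A -Name $Name -Force -ErrorAction Stop
    }
}

$s = New-DnsOperatorSession
Set-DelegatedARecord    -Session $s -Zone 'fruit.com' -Name 'Banana' -NewIPv4 '10.101.3.25'
Add-DelegatedARecord    -Session $s -Zone 'fruit.com' -Name 'cherry' -IPv4 '10.101.3.21'
Remove-DelegatedARecord -Session $s -Zone 'fruit.com' -Name 'cherry'

# A write to a denied zone fails on the DC. With -ErrorAction Stop on both the
# inner cmdlet and Invoke-Command that failure is a catchable exception here
# instead of a non-terminating error the caller could overlook.
try {
    Add-DelegatedARecord -Session $s -Zone 'veg.com' -Name 'carrot' -IPv4 '10.101.4.10'
    Write-Warning 'Write to veg.com succeeded: the Deny on that zone is missing'
} catch {
    Write-Host "Denied as expected: $($_.Exception.Message)"
}
Remove-PSSession $s
```

The try/catch at the end doubles as a regression check for the delegation: if a write to a zone outside the delegated one ever succeeds, the Deny ACE has been lost and the warning fires.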
Please comment if you have any other doubts. If this helped you, give me a thumbs up.
Take care and stay safe. See you soon in the next blog.