Being an MS MVP involves answering questions. I don’t receive many of them, but this happens sometimes. The latest one was quite interesting. After reading my article about delegating administration of DNS one of my readers discovers that he cannot implement my solution in his environment. You see, he has got Windows XP workstation for administrators but windows Server 2008 R2 DNS servers. This configuration leads to either “access denied”, this:
or other errors error while trying to connect from XP DNS console to W2K8R2 DNS server.
I hadn’t ever encounter such a problem, seems like I pass it and others similar due to my habit to use new MS Windows versions from early beta stage. So, at first I thought that it can be some misconfiguration at me reader’s network, but a simple experiment showed me that I had been wrong: my freshly installed XP box wouldn’t connect to any R2 DNS servers in my network, while connecting to any 2003 was not a problem at all. To cut long story short, I have finally found a KB article at support.microsoft.com which describes the problem. Here you got it: Windows Server 2008 R2 DNS Servers can only be managed by computers running Windows Server 2008 or later.
The cause of the problem is in the fact that 2008 R2 uses more secure means of RPC communication by default. The solutions, proposed by the article are simple enough: you can either
1) manage your DNS Server locally (from console or through terminal services)
2) or reduce security level by entering the command dnscmd /config /RpcAuthLevel 0 on each server which you want to manage from Windows XP workstation.
The first method is self-explanatory: don’t get what you want at the expense of your security. The second method is less straightforward in terms of consequences. Obviously enough it makes your DNS servers less secure. What you can do to reduce impact? That’s easy:
use this only for one server: let AD or other means to replicate changes
isolate this server as much as you can. Let only your administrators’ workstations to access it via RPC (and other necessary hosts, of course, if any)
And the last option, which I like the best: upgrade your workstations to Windows 7. Get the most out of your environment =)