Summary
This Knowledgebase article describes how to grant the specific permissions required by the user account under which the DNSUpdate task runs.
Neverfail recommends creating a dedicated service account for the DNSUpdate task. Once the account is configured in the Neverfail Management Client, its credentials are stored encrypted.
When it is not possible to create a dedicated service account, any other account that holds the necessary permissions can be used for the DNSUpdate task.
Procedure
To grant the required permissions to the user account that runs the DNSUpdate task, follow the steps below:
i. Create a dedicated domain user account that will be used only for the DNSUpdate process. This account does not need to be a domain administrator; a standard domain user account is sufficient.
ii. Add the following necessary permissions:
a. Membership in the BUILTIN\Distributed COM Users group.
b. Membership in the DNSAdmins group (domain-wide), OR equivalent rights granted via ACLs on the DNS server/zones.
Note: These steps should be performed on all the Microsoft DNS servers that will need to have records updated (zone refreshed) during a Switchover or a Failover.
c. Remote Enable permissions for the ROOT\MicrosoftDNS WMI namespace. Follow the steps below to do this:
1. Go to Start > Run and type wmimgmt.msc, then click OK.
2. Right-click on WMI Control (Local) and select Properties.
3. Select the Security tab.
4. Expand ROOT, and select MicrosoftDNS.
5. Click on the Security button at the bottom right of the window. This action edits the security settings for the Root\MicrosoftDNS WMI namespace.
6. Click Advanced.
7. Add the designated DNSUpdate user to the list, and select Allow for at least the Remote Enable permission.
8. Click OK (on all windows opened previously) to save the new permissions.
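The following PowerShell script is an added example and is not part of the Neverfail article or the product. It applies the three permissions from step ii to the dedicated account on one DNS server: local BUILTIN\Distributed COM Users membership, domain-wide DnsAdmins membership, and Remote Enable on the ROOT\MicrosoftDNS WMI namespace (the same change the wmimgmt.msc steps above make by hand), then reads the namespace DACL back to confirm the ACE was written. The domain, account and server names are placeholders; it assumes an elevated Windows PowerShell 5.1 session run by a domain administrator with the ActiveDirectory RSAT module installed, and is repeated once per DNS server, as the Note above requires.

```powershell
# Added example, not Neverfail's code. Placeholders below must be replaced.
$Domain    = 'CONTOSO'               # placeholder NetBIOS domain name
$SvcUser   = 'svc-dnsupdate'         # placeholder dedicated DNSUpdate account
$DnsServer = 'dns01.contoso.local'   # placeholder Microsoft DNS server

$Account = "$Domain\$SvcUser"
$Sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value

# ii.a  Local BUILTIN\Distributed COM Users membership on the DNS server.
Invoke-Command -ComputerName $DnsServer -ArgumentList $Account -ScriptBlock {
    param($Member)
    if (-not (Get-LocalGroupMember -Group 'Distributed COM Users' -Member $Member -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Distributed COM Users' -Member $Member
    }
}

# ii.b  Domain-wide DnsAdmins membership (ActiveDirectory RSAT module).
Import-Module ActiveDirectory
Add-ADGroupMember -Identity 'DnsAdmins' -Members $SvcUser

# ii.c  Remote Enable on ROOT\MicrosoftDNS. Namespace security is held by the
# __SystemSecurity class; Get-WmiObject is used because that class is not
# reachable through the CIM cmdlets. We append one access-allowed ACE carrying
# Enable Account (0x1) and Remote Enable (0x20) to the namespace DACL.
$WBEM_ENABLE        = 0x1
$WBEM_REMOTE_ACCESS = 0x20
$CONTAINER_INHERIT  = 0x2    # child namespaces inherit the ACE

$secClass = Get-WmiObject -ComputerName $DnsServer -Namespace 'root\MicrosoftDNS' -Class '__SystemSecurity'
$sd = $secClass.GetSecurityDescriptor().Descriptor

$trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
$trustee.SIDString = $Sid

$ace = ([wmiclass]'Win32_Ace').CreateInstance()
$ace.AccessMask = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS
$ace.AceFlags   = $CONTAINER_INHERIT
$ace.AceType    = 0          # ACCESS_ALLOWED_ACE_TYPE
$ace.Trustee    = $trustee

$sd.DACL += $ace.PSObject.ImmediateBaseObject
$result = $secClass.SetSecurityDescriptor($sd)
if ($result.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed with code $($result.ReturnValue)" }

# Verify: re-read the DACL and confirm an ACE for the account carries Remote Enable.
$dacl = (Get-WmiObject -ComputerName $DnsServer -Namespace 'root\MicrosoftDNS' -Class '__SystemSecurity').GetSecurityDescriptor().Descriptor.DACL
$hasRemote = $dacl | Where-Object { $_.Trustee.SIDString -eq $Sid -and ($_.AccessMask -band $WBEM_REMOTE_ACCESS) }
if ($hasRemote) {
    Write-Host "$Account has Remote Enable on ROOT\MicrosoftDNS ($DnsServer)"
} else {
    Write-Warning "Remote Enable not found for $Account on $DnsServer; inspect the namespace in wmimgmt.msc"
}
```

The ACE is appended rather than replacing the existing DACL, so the default entries for Administrators and NETWORK SERVICE are left intact; only the two bits the task needs are granted, which keeps the service account at the minimum WMI access the procedure calls for.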
Additional Recommendation for Windows Server 2022
In environments using Windows Server 2022 DNS, some customers may experience issues where DNSupdate.exe cannot update static A-records, despite all the standard permissions being in place. This can be due to stricter ownership or record-level ACL protections.
To ensure compatibility:
- Use DNS Manager > View > Advanced to inspect the Security tab on the A-record(s) being updated.
- Confirm whether the record:
- Is owned by SYSTEM or another account, and
- Does not explicitly grant your DNSupdate account Full Control.
We recommend either:
- Changing ownership of the record to the DNSupdate account,
OR
- Explicitly granting that account Full Control on the individual record's ACL.
This step may be necessary only on some deployments of Windows Server 2022, particularly when zones are Active Directory-integrated and secured with enhanced permissions.
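The script below is an added example and is not part of the Neverfail article or the product. It performs the record-level check described above for an Active Directory-integrated zone and applies one of the two recommended fixes: a record in such a zone is a dnsNode object in AD, so its owner and ACL can be read through the AD: drive using the record's distinguished name. The zone, host, server and account names are placeholders; it assumes the DnsServer and ActiveDirectory RSAT modules and a domain administrator session, and the `$Fix` variable selects ownership change or explicit Full Control on that single record only.

```powershell
# Added example, not Neverfail's code. Placeholders below must be replaced.
Import-Module DnsServer, ActiveDirectory

$ZoneName  = 'contoso.local'            # placeholder AD-integrated zone
$HostName  = 'app-vip'                  # placeholder A-record updated on Switchover/Failover
$DnsServer = 'dns01.contoso.local'      # placeholder Windows Server 2022 DNS server
$Account   = 'CONTOSO\svc-dnsupdate'    # placeholder DNSupdate service account
$Fix       = 'FullControl'              # 'FullControl' or 'Owner' (the two options above)

$identity = New-Object System.Security.Principal.NTAccount($Account)

# Locate the record; DistinguishedName points at the dnsNode object in AD.
$record = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
              -Name $HostName -RRType A -ErrorAction Stop
$path = "AD:\$($record.DistinguishedName)"
$acl  = Get-Acl -Path $path

# Check 1: who owns the record (SYSTEM is the common case that blocks the update).
Write-Host "Owner of $HostName.$ZoneName is $($acl.Owner)"

# Check 2: does the DNSupdate account already hold an explicit Allow Full Control?
$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$hasFull = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl)
}

if ($acl.Owner -eq $Account -or $hasFull) {
    Write-Host "$Account already has sufficient rights on the record; nothing to do"
    return
}

switch ($Fix) {
    'Owner' {
        # Option 1: make the DNSupdate account the owner of this record.
        $acl.SetOwner($identity)
    }
    'FullControl' {
        # Option 2: explicit Full Control ACE on this record's ACL only
        # (not on the zone), leaving ownership unchanged.
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                    $identity, $fullControl,
                    [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    default { throw "Unknown fix '$Fix'; use 'Owner' or 'FullControl'" }
}
Set-Acl -Path $path -AclObject $acl
Write-Host "Applied '$Fix' for $Account on $($record.DistinguishedName)"
```

Because the change is scoped to the one dnsNode object, the service account gains no rights over other records in the zone; re-running the script is safe, since it exits early once the owner or an explicit Full Control entry is already in place.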
Applies To
All versions.
KBID-2500