
Windows Server 2008 R2 DNS Servers can only be managed by computers running Windows Server 2008 or later



Symptoms

Attempting to connect to a Windows Server 2008 R2 DNS Server using the Windows 2000 or Windows Server 2003 version of the DNS Manager snap-in, DNSMGMT.MSC, fails with the error:

“Access is denied. Would you like to add it anyway” (YES | NO) 


Clicking “Yes” displays the DNS Management snap-in, but a red ball appears adjacent to the W2K8 R2 DNS Server in the left-hand pane of DNSMGMT.MSC. The right-hand pane of DNS Manager displays the following text:

Access is Denied
You do not have permission to access this DNS Server.
To retry the connection, either press F5 or Refresh on the Action menu. 


Attempting to administer a W2K8 R2 DNS Server using the Windows 2000 or Windows Server 2003 version of DNSCMD.EXE fails with one of two errors, illustrated here by the “DNSCMD <servername> /info” command, depending on whether the remote computer is referenced by IP address, single-label hostname or fully qualified hostname:

>dnscmd <IP address of W2K8 R2 DNS Server> /info

Info query failed
 status = 5 (0x00000005)

Command failed: ERROR_ACCESS_DENIED 5 (00000005)
 
>dnscmd <single label hostname> /info

Info query failed
status = 1722 (0x000006ba)
Command failed:  RPC_S_SERVER_UNAVAILABLE     1722  (000006ba)

>dnscmd <fully qualified hostname of DNS Server> /info

Info query failed
Status = 5 (0x00000005)

Command failed: ERROR_ACCESS_DENIED     5  (00000005)

 
A network trace of a DNS management tool run from a pre-Windows Server 2008 computer attempting to administer a Windows Server 2008 R2 DNS Server shows the following conversation:

 DNSP: R_DnssrvComplexOperation2 Request …..
 MSRPC:c/o Fault: Call=0x1, Context = 0x0, Status = 0x5 Cancels = 0X0 with status 0x00000005


DnssrvComplexOperation2 is one of about 10 possible requests that could be generated by DNSMGMT.MSC and DNSCMD.EXE. The RPC fault with status 0x5 does not uniquely define this scenario, but it is the response that you’ll see on the wire for this scenario.





Cause

1. RPC Integrity, which is required by Windows Server 2008 R2 DNS Servers, is not supported by the versions of DNSMGMT.MSC or DNSCMD.EXE that run on Windows 2000, Windows XP and Windows Server 2003 computers.

2. RPC over Named Pipes communication, which is favored by pre-W2K8 DNS admin tools when referencing remote DNS Servers by their single-label host names, is disabled on Windows Server 2008 R2 DNS Servers.
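The following triage helper is an added example, not part of the original KB article or any Microsoft tool. It reads captured "dnscmd <server> /info" output from a down-level admin workstation, classifies how the server was referenced, and checks whether the returned status matches the pairing described in the Symptoms and Cause sections. The sample capture, host names and address are constructed placeholders.

```python
import ipaddress
import re

# Status -> cause, as paired in the article's Symptoms and Cause sections.
CAUSES = {
    5: "ERROR_ACCESS_DENIED: tool lacks the RPC Integrity the server requires",
    1722: "RPC_S_SERVER_UNAVAILABLE: RPC over Named Pipes is disabled on server",
}
CMD_RE = re.compile(r"dnscmd(?:\.exe)?\s+(\S+)\s+/info", re.IGNORECASE)
STATUS_RE = re.compile(r"status\s*=\s*(\d+)\s*\(0x[0-9a-f]+\)", re.IGNORECASE)

# Constructed sample capture; host names and the address are placeholders.
SAMPLE = """\
>dnscmd 192.0.2.10 /info
 status = 5 (0x00000005)
>dnscmd dns01 /info
status = 1722 (0x000006ba)
>dnscmd dns01.corp.example /info
Status = 5 (0x00000005)
"""

def name_form(target):
    """Classify how the remote DNS server was referenced on the command line."""
    try:
        ipaddress.ip_address(target)
        return "ip"
    except ValueError:
        return "fqdn" if "." in target.rstrip(".") else "single-label"

def triage(log_text):
    """Pair each 'dnscmd <server> /info' line with the status that follows it."""
    findings, target = [], None
    for line in log_text.splitlines():
        cmd = CMD_RE.search(line)
        if cmd:
            target = cmd.group(1)
            continue
        status = STATUS_RE.search(line)
        if status and target is not None:
            code, form = int(status.group(1)), name_form(target)
            # Article: single-label names fail with 1722, IP and FQDN with 5.
            # Status 5 alone does not uniquely identify this scenario.
            expected = 1722 if form == "single-label" else 5
            findings.append(dict(
                target=target, form=form, status=code,
                cause=CAUSES.get(code, "status not covered by the article"),
                consistent_with_article=(code == expected)))
            target = None
    return findings
```

A finding with consistent_with_article set to False (for example, status 5 for a single-label name) points to a cause other than the two listed above, such as a genuine permissions problem.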



Resolution

For the most secure and seamless experience, W2K8 R2 DNS Servers should be administered from operating systems that can execute the Windows Server 2008 or later versions of DNSMGMT.MSC and DNSCMD.EXE listed in the table located in the "More Information" section of this article. If compatible client operating systems are not immediately available, consider the following workarounds:

· Administer Windows 2008 R2 DNS Servers directly from the console
OR

· Administer Windows 2008 R2 DNS Servers via Remote Desktop / Terminal Services.
OR 

· Temporarily disable RPC Integrity by executing the following command within an admin-privileged CMD prompt from the console of each Windows Server 2008 R2 DNS Server that you want to manage from a down-level operating system. 

>dnscmd /config /RpcAuthLevel 0 


Warning: Microsoft recommends that you (1.) administer Windows Server 2008 R2 DNS Servers exclusively from computers that can execute the Windows Server 2008 or later versions of DNSMGMT.MSC and DNSCMD.EXE and (2.) not enable RPC over named pipes. 



More Information

Windows Server 2008 R2 DNS Servers require that DNS management tools perform RPC integrity to avoid sniffing and “man-in-the-middle” attacks while performing DNS administrative tasks. The Windows Server 2008 and Windows Server 2008 R2 versions of DNSMGMT.MSC and DNSCMD.EXE support RPC Integrity and request RPC Privacy to interoperate with W2K8 R2 DNS Servers.

 The table below lists the client and server operating systems that can execute W2K8 or newer versions of DNSMGMT.MSC and DNSCMD.EXE needed to administer W2K8 R2 DNS Servers:



Operating system | DNSMGMT.MSC | DNSCMD.EXE | Comment
--- | --- | --- | ---
Windows 2000 Workstation | N | N | W2K DNS admin tools are installed by the Windows 2000 adminpack + support tools
Windows 2000 Server | N | N |
Windows XP | N | N | W2K3 DNS admin tools are installed by the W2K3 adminpack + support tools
Windows Server 2003 | N | N |
Windows Vista | Y | Y | Windows Server 2008 DNS admin tools are available in the Microsoft Remote Server Administration Tools for Windows Vista
Windows Server 2008 | Y | Y | Windows Server 2008 DNS admin tools are installed by the "Features" node of Server Manager or with the install of corresponding server role
Windows 7 client | Y | Y | Windows Server 2008 R2 DNS admin tools are installed by the Remote Server Administration Tools for Windows 7
Windows Server 2008 R2 | Y | Y | Windows Server 2008 R2 DNS admin tools are installed by the "Features" node of Server Manager or with the install of corresponding server role

DNS security enhancements do not prevent the Windows Server 2008 or Windows Server 2008 R2 versions of DNSMGMT.MSC and DNSCMD.EXE from administering remote Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 and Windows 2000 DNS Servers.


RPC over Named Pipes was disabled on Windows Server 2008 R2 DNS Servers because it is inherently less secure.

 
NETSH interoperability is not impacted by this security change.


Article Info
Article ID : 2027440
Revision : 2
Created on : 4/9/2020
Published on : 4/9/2020