Modify Security for a Directory-Integrated Zone

Applies To: Windows Server 2008

You can manage the discretionary access control list (DACL) on the Domain Name System (DNS) zones that are stored in Active Directory Domain Services (AD DS). Use the DACL to control the permissions for the Active Directory users and groups that may control the DNS zones.

You can use this procedure to modify security for an Active Directory–integrated zone using the DNS Manager snap-in.

Membership in DnsAdmins or Domain Admins in AD DS, or the equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (

To modify security for an Active Directory–integrated zone

  1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.

  2. In the console tree, click the applicable zone. Expand DNS, expand applicable DNS server, expand Forward Lookup Zones (or Reverse Lookup Zones), and then click applicable zone

  3. On the Action menu, click Properties.

  4. On the General tab, verify that the zone type is Active Directory-integrated.

  5. On the Security tab, modify the list of member users or groups that are allowed to securely update the applicable zone and reset their permissions as needed.

Additional considerations

  • Secure dynamic updates are supported only for zones that are stored in AD DS.