Alternate DNSAdmin permissions for SolarWinds IPAM

Support will definitely tell you it is needed as that is on the IPAM admin guide.  The best they will provide is below.

https://support.solarwinds.com/SuccessCenter/s/article/Grant-non-domain-administrator-account-rights-for-IPAM-DNS-Monitoring?language=en_US

However, what you describing makes sense.  You might want to share if this has worked on your end or not.

For those interested, I haven't been able to test in our own environment yet, but support has gotten back to me that they have been able to get SolarWinds IPAM to manage DNS without using the DNSAdmin group. Essentially boils down to, grant permissions in DCOM and WMI, and provide delegated rights to the account for DNS. 

I'll still be testing to verify the exact steps needed, and see if the zone transfer permissions is automatically updated by SW still or not. 

This is a snippet from their email: 

"Hi, finally I did some tests and on the test environment and I didn't need user with DNS Admin rights (my user was only in Domain Users group), but the user must have:

• configured permissions for WMI MicrosoftDNS and CIMV2 branch - in details user should have permissions for \\remote_hostname\root\MicrosoftDNS WMI namespace - it can be tested for any user account with webemtest (https://support.solarwinds.com/SuccessCenter/s/article/Testing-WMI-Connectivity?language=en_US)
• I've needed to add the user in dnsmgmt.msc to server security permissions
  
  Basically this configuration is the "To configure access to the WMI Branch" part from the https://support.solarwinds.com/SuccessCenter/s/article/Grant-non-domain-administrator-account-rights-for-IPAM-DNS-Monitoring?language=en_US
  
  So, PowerUser is needed to perform operations like add/remove/edit DNS records, rest is connectivity to WMI MicrosoftDNS namespace

"

Same document I was referring to.  In any case, kindly keep us posted. 

Key difference is "provide delegated rights to the account for DNS". The article you linked says that "The user needs to be added to the DNSAdmin group", which SolarWinds and I have tested and found not to be true.

The way I delegated rights to the account was by creating a group in AD, adding the account to the group, then adding the group under DNS>Right click DNS Server>Properties>Security>Add...>add the group, then giving it all permissions minus Full Control. In this case, SolarWinds was still able to add itself into the list of servers allowed to perform zone transfers for each zone.

I believe that the group could be restricted further and still be able to manage DNS with SolarWinds IPAM, however I'm no longer investigating SolarWinds IPAM as an solution. It's also likely that you could use SolarWinds to just monitor DNS, by granting the account read-only rights and manually applying permissions to allow the SolarWinds server to perform zone transfers, or granting it modify rights, allow it to add itself to list of servers allowed to perform zone transfers, then remove modify rights and leave read-only in place. 

Additionally, as I already highlighted in the original post, the permissions in this article are also needed to be applied on the DNS server, or else it would throw an "access is denied" error. 

Hope this helps others on their journey. If anyone has a better or more secure way, it'd be interesting to know what it is :) 

I see.  You can provide a feedback on that article.  However, if you worked with support, they should address that internally.