Alternate DNSAdmin permissions for SolarWinds IPAM

I have been investigating the use of SolarWinds IPAM for our DDI management tool, however have been struggling to find a least privilege solution to get the application to talk to Windows DNS without using the built-in DNSAdmin AD group. Although we would like to be able to manage DNS to an extent with SolarWinds IPAM, DNSAdmin grants too much power.

I have found an article referencing that SolarWinds uses the DNS zone transfer mechanism in order to import DNS information into it's database. This is where it appears to be that DNSAdmin is needed, as SolarWinds will automatically switch the zone transfer permissions to "Allow zone transfers: Only to the following servers" then add itself to the list of servers. I suspect that we could get away with manually applying that permission, and also grant permissions in this article for WMI and DCOM. It'll take a while before we are able to test this theory though, and will report back on the result when we do. 

Has anyone else tried something like the above with much success? Would like to see if anyone has been able to get it working without DNSAdmin. I have queried SolarWinds support but they haven't given me much confidence in their answer that DNSAdmin is required, or given information about any testing that they've done. 

Edit: Note that we will be giving the account that is managing DNS delegated rights to read/modify/delete records in DNS, so it'll still have permissions, just not full control

Parents
  • For those interested, I haven't been able to test in our own environment yet, but support has gotten back to me that they have been able to get SolarWinds IPAM to manage DNS without using the DNSAdmin group. Essentially boils down to, grant permissions in DCOM and WMI, and provide delegated rights to the account for DNS. 

    I'll still be testing to verify the exact steps needed, and see if the zone transfer permissions is automatically updated by SW still or not. 

    This is a snippet from their email: 

    "Hi, finally I did some tests and on the test environment and I didn't need user with DNS Admin rights (my user was only in Domain Users group), but the user must have:

    "

  • Same document I was referring to.  In any case, kindly keep us posted. 

  • Key difference is "provide delegated rights to the account for DNS". The article you linked says that "The user needs to be added to the DNSAdmin group", which SolarWinds and I have tested and found not to be true.

    The way I delegated rights to the account was by creating a group in AD, adding the account to the group, then adding the group under DNS>Right click DNS Server>Properties>Security>Add...>add the group, then giving it all permissions minus Full Control. In this case, SolarWinds was still able to add itself into the list of servers allowed to perform zone transfers for each zone.

    I believe that the group could be restricted further and still be able to manage DNS with SolarWinds IPAM, however I'm no longer investigating SolarWinds IPAM as an solution. It's also likely that you could use SolarWinds to just monitor DNS, by granting the account read-only rights and manually applying permissions to allow the SolarWinds server to perform zone transfers, or granting it modify rights, allow it to add itself to list of servers allowed to perform zone transfers, then remove modify rights and leave read-only in place. 

    Additionally, as I already highlighted in the original post, the permissions in this article are also needed to be applied on the DNS server, or else it would throw an "access is denied" error. 

    Hope this helps others on their journey. If anyone has a better or more secure way, it'd be interesting to know what it is :) 

  • I see.  You can provide a feedback on that article.  However, if you worked with support, they should address that internally.

Reply Children
No Data