Account Permissions - BlueCat Address Manager - 8.3.0

Address Manager Administration Guide


When you add a Windows server to Address Manager, ensure that the user account corresponding to the authentication credentials on the DDW server (or overridden on the Managed Windows server) has sufficient read permissions to import data in Read-Only mode, and sufficient read and write permissions to deploy data in Read-Write mode. This allows you to manage DNS and DHCP services running on domain controllers, member servers, and stand-alone servers.

DNS Requirements

  • To import DNS data from a domain controller, member server or stand-alone server, the user account must have read permissions to the DNS server and all child objects.
  • To deploy DNS data to a domain controller or member server, the user account must have read and write permissions to the DNS server and all child objects.
  • To deploy data to a stand-alone DNS server, you must be logged in as a member of the local Administrators group, or the local Administrator account.
    Attention: Members of the DNSAdmins group must have sufficient permissions to deploy DNS data to a domain controller, with the exception of the _msdcs zone and forest-wide replicated AD-integrated zones. You must grant full permissions to the DNSAdmins group in order to deploy these zones. For more information on Access Rights with Address Manager for Windows Server, refer to Knowledge Base article 3834 on BlueCat Customer Care.
Note: On Windows Server 2012 R2 and Windows Server 2008 R2 or earlier, User Account Control allows remote DNS administration by the Administrator account, but blocks it for members of the Administrators group.

To re-enable remote administration, refer to <http://support.microsoft.com/kb/951016>.

DHCP Requirements

  • To import data from a DHCP server, the user account must have sufficient privileges to read data on that server. Members of the DHCP Users group have sufficient permissions to import DHCP data from a domain controller, member server or stand-alone server.
  • To deploy data to a DHCP server, the user account must have sufficient privileges to read, write, and delete data on that server. Members of the DHCP Administrators group have sufficient permissions to deploy DHCP data to a domain controller, member server or stand-alone server.
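
The following pre-flight check is an added example, not BlueCat code. It reports whether an account's DHCP group membership matches the mode it will be used in, and flags an import-only account that holds deploy-level rights. It assumes it is run on a member or stand-alone DHCP server, where the two DHCP groups are local groups; the function name and the account name are hypothetical.

```powershell
# Added example: check the DHCP groups named in this section for one account.
# Assumption: run locally on a member or stand-alone DHCP server, where
# 'DHCP Users' and 'DHCP Administrators' are local groups (not on a domain controller).
function Test-DhcpAccountGroup {    # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Account,   # 'DOMAIN\name' or 'COMPUTER\name'
        [Parameter(Mandatory)][ValidateSet('Import', 'Deploy')][string]$Mode
    )

    $membership = @{}
    foreach ($group in 'DHCP Users', 'DHCP Administrators') {
        try {
            # Lists direct members only; membership through a nested group is not resolved.
            $names = (Get-LocalGroupMember -Group $group -ErrorAction Stop).Name
            $membership[$group] = $names -contains $Account   # case-insensitive match
        } catch {
            Write-Warning "Could not read local group '$group': $($_.Exception.Message)"
            $membership[$group] = $null                       # unknown, treated as not a member
        }
    }

    $isUser  = $membership['DHCP Users'] -eq $true
    $isAdmin = $membership['DHCP Administrators'] -eq $true

    # Import (Read-Only mode) needs read access: DHCP Users is enough.
    # Deploy (Read-Write mode) needs read, write and delete: DHCP Administrators.
    if ($Mode -eq 'Deploy') { $sufficient = $isAdmin }
    else                    { $sufficient = $isUser -or $isAdmin }

    [pscustomobject]@{
        Account              = $Account
        Mode                 = $Mode
        InDhcpUsers          = $isUser
        InDhcpAdministrators = $isAdmin
        Sufficient           = $sufficient
        # An import-only account in DHCP Administrators holds more than the mode requires.
        ExceedsMode          = ($Mode -eq 'Import') -and $isAdmin
    }
}

# Constructed placeholder account name.
Test-DhcpAccountGroup -Account 'CORP\svc-bam-import' -Mode Import
```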