You can manage the discretionary access control list (DACL) on the DNS zones that are stored in Active Directory Domain Services (AD DS). You can use the DACL to control the permissions for the Active Directory users and groups that may control the DNS zones.

Membership in DnsAdmins or Domain Admins in AD DS, or the equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at

To modify security for a directory-integrated zone
  1. Open DNS Manager.

  2. In the console tree, click the applicable zone.


    • DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone

  3. On the Action menu, click Properties.

  4. On the General tab, verify that the zone type is Active Directory-integrated.

  5. On the Security tab, modify the list of member users or groups that are allowed to securely update the applicable zone and reset their permissions as needed.

Additional considerations

  • To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.

  • Secure dynamic updates are supported only for zones that are stored in AD DS.

  • The security settings determine who can administer the zone, but they do not affect dynamic updates to the zone. To apply security settings for dynamic updates, see "Additional references."

Additional references