You receive a "The record cannot be deleted" error message when you try to delete a record from a DNS zone (837335)



The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition

SUMMARY

When you try to delete a record from a DNS zone, you may receive an error message. This issue may occur if security permissions for the DnsAdmins security group are not automatically added to the newly created Active Directory Integrated zones. This article describes workarounds that you can use.

SYMPTOMS

As a member of the DnsAdmins security group, you may not be able to delete zone information on a DNS server. If you try to delete a record, you may receive the following error message:
The record cannot be deleted Access Denied

CAUSE

This issue may occur if either of the following conditions is true:
  • The domain is upgraded to Windows Server 2003, and you have Active Directory Integrated zones that were created by using Windows 2000.
  • Security permissions for the DnsAdmins security group are not automatically added on the newly created Active Directory Integrated zones.

WORKAROUND

To work around this issue, manually add the DnsAdmins security group to the zone access control list (ACL) and grant Full Control.

To do so, use one of the following methods to assign Full Control to the DnsAdmins security group.

Method 1: Use the Dsacls.exe tool to assign Full Control permissions to the DNSAdmins group

Note: Install the Dsacls.exe tool from the \Support\Tools folder on the Windows Server 2003 media.
  1. Log on to your computer as administrator.
  2. Click Start, click Run, type cmd, and then click OK.
  3. Type the following command, and then press ENTER:

    dsacls "\\servername\CN=MicrosoftDNS,CN=System,DC=domain,DC=com" /G DNSADMINS:GA /I:T

Method 2: Use Active Directory Service Interfaces (ADSI) Editor to assign Full Control permissions to the DNSAdmins group

  1. Log on to your computer as administrator.
  2. Click Start, click Run, type adsiedit.msc, and then click OK.
  3. Expand Domain NC.

    This node contains a folder that begins with "DC=" and reflects the correct domain name, such as "DC=exampledomain,DC=net".
  4. Expand CN=System, and then click CN=MicrosoftDNS.
  5. In the right pane, right-click the folder where you want to change the permissions, and then click Properties.
  6. In the DomainComponent properties dialog box, click the Security tab.
  7. In the DnsAdmins Permissions list, click to select the Full Control check box for the Allow column, and then click OK two times.
  8. On the File menu, click Exit.

Method 3: Use DNS to assign Full Control permissions to the DnsAdmins group

  1. Click Start, point to All Programs, point to Administrative Tools, and then click DNS.
  2. In the console tree, click the applicable zone.
  3. On the Action menu, click Properties.
  4. In the Properties dialog box for the zone, click Security, and then click Add.
  5. In the Select Users, Computers, or Groups dialog box, type DnsAdmins in the Enter the object names to select text box, and then click OK.
  6. In the Permissions list for DnsAdmins, click to select the Full Control check box for the Allow column.
  7. Click Advanced, click DnsAdmins, and then click Edit.
  8. In the Apply onto drop-down menu, click to select This object and all child objects.
  9. Click OK three times.
  10. On the File menu, click Exit.
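
To confirm which objects still lack the permission after using any of the three methods, the following added example (not part of the original article or any Microsoft tool) lists each object under CN=MicrosoftDNS and reports whether DnsAdmins holds an Allow ACE with Full Control. It assumes Windows PowerShell 2.0 or later on a domain-joined computer; the distinguished name is the same placeholder used in Method 1, and the function name is hypothetical.

```powershell
# Added example: audit DnsAdmins Full Control ACEs under CN=MicrosoftDNS.
# The DN is a placeholder; replace DC=domain,DC=com with your own domain.
param(
    [string]$ContainerDn = 'CN=MicrosoftDNS,CN=System,DC=domain,DC=com',
    [string]$GroupName   = 'DnsAdmins'
)

$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ntAccount  = [System.Security.Principal.NTAccount]

function Get-GroupFullControlAce {
    param($Entry, [string]$GroupName)
    # Explicit and inherited ACEs, with SIDs translated to DOMAIN\name form.
    $rules = $Entry.psbase.ObjectSecurity.GetAccessRules($true, $true, $ntAccount)
    foreach ($rule in $rules) {
        $id      = $rule.IdentityReference.Value
        $isGroup = ($id -eq $GroupName) -or ($id -like "*\$GroupName")
        $isAllow = $rule.AccessControlType -eq 'Allow'
        # Full Control means every bit of GenericAll is set, not just some.
        $isFull  = ($rule.ActiveDirectoryRights -band $genericAll) -eq $genericAll
        if ($isGroup -and $isAllow -and $isFull) { $rule }
    }
}

$container = [ADSI]"LDAP://$ContainerDn"

# Check the container itself, then every zone object directly beneath it.
@($container) + @($container.psbase.Children) | ForEach-Object {
    $aces = @(Get-GroupFullControlAce -Entry $_ -GroupName $GroupName)
    New-Object PSObject -Property @{
        Object      = $_.psbase.Name
        FullControl = ($aces.Count -gt 0)
        # "All" corresponds to "This object and all child objects".
        AppliesTo   = (($aces | ForEach-Object { $_.InheritanceType }) -join ',')
        Inherited   = (($aces | ForEach-Object { $_.IsInherited }) -join ',')
    }
} | Select-Object Object, FullControl, AppliesTo, Inherited
```

Rows where FullControl is False are the objects that still need one of the workarounds above.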

Modification Type: Minor
Last Reviewed: 7/14/2004
Keywords: kbwinservds kbActiveDirectory kbprb KB837335 kbAudITPRO