Server 2003 DNS questions
How do you guys prevent this from happening?
We have multiple groups of people who have access to our DNS servers. We had someone on our team accidentally delete our root forward lookup zone; even though it does have two sets of warnings, they still clicked through it, which is weird because this is our main AD zone (I didn't think it would allow it). I am looking to find ways to prevent this from happening again in the future.
We had an idea of using secondary zones and pointing all the servers to them, making the changes on the primary; if something happens on the primary, the root zone would still be cached on the secondary. However, after pointing servers to it, we were not able to get clients to register their DNS on it, since it's basically a read-only zone. On a Linux box we are able to use it as a secondary zone and, using BIND, push updates to the primary, where it is downloaded again on the secondaries.
Can this be done on a Windows Server 2003 R2 server? Does it need to be done to accomplish my goals? I did not see permissions that are dedicated to removing the ability to delete the root zone, or else that would be a viable option, leaving one master account with this ability only. I would still like the admins to be able to delete or add host records for new servers that are added.
Please let me know if I am way off :)
September 14th, 2012 3:09pm
First, remove them as domain admin.
I would tend to put those users in a separate group and delegate some rights in your zone. Just use the security tab, and delegate the needed rights in your principal's zone.
MCP | MCTS 70-236: Exchange Server 2007, Configuring
Want to follow me? | Blog:
http://www.jabea.net | http://blogs.technet.com/b/wikininjas/
September 14th, 2012 3:29pm
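The delegation described in the answer above can also be scripted instead of clicked through the security tab, and scripting makes it easy to audit afterwards. The following is an added example, not code from the thread or from any of its posters. It assumes an AD-integrated zone named corp.example.com stored in the DomainDnsZones partition of the domain example.com, and a group EXAMPLE\DNS Record Operators that already exists; the distinguished name, zone name and group name are placeholders to adapt. It uses the built-in dsacls and dnscmd tools that ship with Windows Server 2003.

```powershell
# Added example (not from the thread): delegate host-record management on an
# AD-integrated zone without granting the right to delete the zone itself.
# Assumptions (placeholders): zone "corp.example.com" replicated to the
# DomainDnsZones partition of "example.com"; group "EXAMPLE\DNS Record Operators".
$ZoneDN = "DC=corp.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com"
$Group  = "EXAMPLE\DNS Record Operators"

# On the zone object itself: allow creating and deleting child dnsNode objects
# (host records). Deliberately no SD (Delete) or DT (Delete Subtree) on the zone.
dsacls $ZoneDN /G "${Group}:CCDC;dnsNode"

# Inherited to existing child dnsNode objects only (/I:S): read and write the
# record data so records can be changed, again without rights on the zone object.
dsacls $ZoneDN /I:S /G "${Group}:RPWP;;dnsNode"

# Check: list the ACEs that mention the group and confirm none carries
# Delete / Delete Subtree on the zone object.
dsacls $ZoneDN | Select-String -Pattern ([regex]::Escape($Group))

# Safety net regardless of permissions: export the zone to a text file under
# %SystemRoot%\system32\dns so it can be re-imported if it is removed.
dnscmd /ZoneExport corp.example.com corp.example.com.bak
```

The delegation only holds if the operators are not also members of Domain Admins, DnsAdmins or the local Administrators group on the DNS servers, because those groups already carry full control on the zone object; that is the point Meinolf makes below. Run the dsacls listing again after any group membership change to confirm the effective ACL is still what you intended.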
Hello,
Without removing them from the admin groups, NO way. Either teach the persons how to work or don't make them admin.
Every setting you configure, an admin can revert.
And if someone deletes the forward lookup zone after all the warnings, this I would call sabotage.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
September 15th, 2012 5:30am
Hi,
I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.
Regards,
Rick Tan
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Rick Tan
TechNet Community Support
September 19th, 2012 11:25pm