Set permissions on DNS Zone objects
Last Post 03 Jul 2008 03:12 PM by bsonposh. 7 Replies.
Marsh1977 (New Member, Posts: 3)
01 Jul 2008 12:29 AM

Hi

Got a strange one. It seems that Reverse Lookup zones can be found in 3 locations in AD:

CN=MicrosoftDNS,CN=System,DC=pc,DC=internal,DC=macquarie,DC=com

CN=MicrosoftDNS,DC=ForestDNSZones,DC=pc,DC=internal,DC=macquarie,DC=com
CN=MicrosoftDNS,DC=DomainDNSZones,DC=pc,DC=internal,DC=macquarie,DC=com

We have in excess of 300 reverse lookup zones that are spread between these three locations. Permissions on the latter two locations are incorrect, which has resulted in inherited permissions being incorrect on the zones located therein. This is fine because I can manually add Full Control permissions for the DNSAdmins group and this will be inherited by the zones below.

Unfortunately, admins have made manual changes on various zones adding their personal accounts with Full Control access. I want to clean this up but don't feel like going through the 300 odd entries to manually remove explicitly assigned permissions.

Is there a way to run a script to remove explicitly assigned permissions on the child "zone" objects leaving just any inherited permissions?

Thanks

Keith

bsonposh (Basic Member, Posts: 388)
01 Jul 2008 02:19 PM
You have two ways to do this. You can do it via Set-ADACL on my site http://bsonposh.com/archives/289; if you use this, you will need to get the default ACL from the schema and then apply it to the container.

Or, in this case, the easiest way is to use dsacls.exe:
dsacls.exe /resetDefaultDACL

You can wrap that in a foreach.
Marsh1977 (New Member, Posts: 3)
02 Jul 2008 06:51 AM

Thanks Brandon

FYI dsacls /resetDefaultDACL is only available for ADAM

dsacls /N /S does the same thing. I am going to use a FOR command with an input file to run through them all.

Thanks for your help

bsonposh (Basic Member, Posts: 388)
02 Jul 2008 01:15 PM
That is categorically untrue. I have used resetDefaultDACL for years.
bsonposh (Basic Member, Posts: 388)
02 Jul 2008 01:32 PM
btw... if this is 2003, I would move all your DNS zones to app partitions and remove them from the System container. You will get more control over replication (including to other domains) and you're not shipping your dns crap to DCs that do not need it (unless all your DCs are DNS servers.)
Marsh1977 (New Member, Posts: 3)
02 Jul 2008 11:41 PM

Thanks for that but all our DCs are DNS servers.

Regarding /resetDefaultDACL - have a look at this post http://www.fixya.com/support/t26213-corrupted_object_in_ad

I tried to use it and it is not recognised. It is not even displayed when running  dsacls /?

bsonposh (Basic Member, Posts: 388)
03 Jul 2008 12:21 AM
I ran this in 2008 and 2003... both worked for me.

I know Dmitri so I sent him an email to clarify this.
bsonposh (Basic Member, Posts: 388)
03 Jul 2008 03:12 PM
Ok, spoke to Dmitri and here is the whole story in one post :) Summarized for brevity.

Marsh1977 posts: I would like to reset some objects to the default ACL.

BS (thinks): I know I have done this before using dsacls. Let me look at the help (on 2k8). OH! There it is: /resetDefaultDACL. Let's try it. Worked (on 2k8!). Post the answer.

BS (replies): try dsacls.exe /resetDefaultDACL

Marsh1977 (replies): FYI dsacls /resetDefaultDACL is only available for ADAM... dsacls /N /S does the same thing.

BS (thinks): That has to be wrong (resetDefaultDACL)... I literally JUST used it and I know I have used this functionality dozens of times in the past couple of years.

BS (replies): That is categorically untrue. I have used resetDefaultDACL for years. (side note) Move your zones.

Marsh1977: have a look at this post http://www.fixya.com/support/t26213-corrupted_object_in_ad

BS (reads/thinks): Hey.. I know Dmitri and he is likely the writer of dsacls... let me ask him. It is QUITE often that MS says not supported when it works.

BS replies: I will talk to Dmitri.

BS (emails back and forth with Dmitri): Consensus is that while dsacls in 2k3 might have worked (depending on build,) it was not meant to. I most likely used /S in the past and just thought it was /resetDefaultDACL because they effectively do the same thing. resetDefaultDACL does it on Server and /S does it on client (not sure /N is needed. I think it is implied with /S.)
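The foreach wrapper the thread talks about, as an added example that is not from either poster: it enumerates the dnsZone objects under the three MicrosoftDNS containers named in the first post and resets each one to its schema-default DACL with "dsacls <DN> /S /N", the form Marsh1977 reported as working. The domain DN, the in-addr.arpa name filter and the -WhatIf dry run are assumptions for illustration; run it once with -WhatIf and check the listed DNs before letting it change anything.

```powershell
# Added example (not the thread's own code). Resets dnsZone objects under the
# three MicrosoftDNS containers to the schema-default DACL via "dsacls /S /N",
# which drops explicitly assigned ACEs and keeps what inheritance supplies.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Domain DN as given in the first post; change for another forest.
    [string]$DomainDN = 'DC=pc,DC=internal,DC=macquarie,DC=com',
    # Zone-name filter (assumption): only reverse lookup zones by default.
    [string]$ZoneFilter = '*.in-addr.arpa'
)

$containers = @(
    "CN=MicrosoftDNS,CN=System,$DomainDN",
    "CN=MicrosoftDNS,DC=ForestDNSZones,$DomainDN",
    "CN=MicrosoftDNS,DC=DomainDNSZones,$DomainDN"
)

$done = 0
foreach ($containerDN in $containers) {
    $container = [ADSI]"LDAP://$containerDN"
    try { $null = $container.distinguishedName } catch {
        Write-Warning "Cannot bind to $containerDN : $_"
        continue
    }
    foreach ($child in $container.Children) {
        # Only zone objects; skip anything else living under MicrosoftDNS.
        if ($child.SchemaClassName -ne 'dnsZone') { continue }
        $zoneName = [string]$child.Properties['dc'].Value   # RDN attribute is dc
        if ($zoneName -notlike $ZoneFilter) { continue }
        $zoneDN = [string]$child.Properties['distinguishedName'].Value

        if ($PSCmdlet.ShouldProcess($zoneDN, 'dsacls /S /N (reset to schema default DACL)')) {
            # /S restores the schema default for the object class, /N replaces
            # the existing DACL instead of merging into it.
            $output = & dsacls.exe $zoneDN /S /N 2>&1
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "dsacls failed for $zoneDN (exit $LASTEXITCODE): $output"
            } else {
                $done++
            }
        }
    }
}
Write-Verbose "Reset $done zone object(s) to default DACL."
```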