Bug #13237

ERROR_ACCESS_DENIED when deleting DNS A record (dns_dnscmd plugin)

Added by Dmitry Sakun over 6 years ago. Updated about 4 years ago.

Target version:
Bugzilla link:
Fixed in Releases:
Found in Releases:


Record creation works just fine, but when you try to delete the host you get access denied and an HTTP 404 back from the smart proxy.

dnscmd.exe /RecordDelete A /f

Command failed: ERROR_ACCESS_DENIED 5 0x5

It looks like it's necessary to include RRData (e.g. the IP address in this case) when deleting an A record.

Syntax: dnscmd ServerName /recorddelete ZoneName NodeName RRType RRData [/f]

Quick hint to fix it:
< cmd = "/RecordDelete #{zone} #{fqdn}. A /f"

cmd = "/RecordDelete #{zone} #{fqdn}. A #{ip} /f"
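Review bot: the value for `#{ip}` has to come from somewhere, and per the discussion below (comment #1) the smart-proxy delete API hands the plugin only the fqdn, not the address, so this one-line change cannot work on its own; the record data has to be looked up first, e.g. with `dnscmd /EnumRecords`, and each returned record deleted with its RRData.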

DNS service is running on W2k12R2

Associated revisions

Revision 67c1cc83 (diff)
Added by Alex Fisher almost 6 years ago

fixes #13237 - Use RRData option when deleting DNS records

To be able to delete dns records with `dnscmd` without specifying
the `RRData` option, the account needs `Full Control` privileges on the

`Full Control` allows the account to do much more besides
adding/removing records and this represents a security risk.

Instead of trying to delete all records with a single dnscmd, use
`dnscmd /EnumRecords` and then delete each record individually. In most
cases, I'd expect `/EnumRecords` to only return a single record anyway
(but I have tested it with many).

There is one side-effect of specifying the IP address when deleting an A
record. If the matching PTR also exists on the same DNS server, I
believe it gets automatically deleted too. This hasn't caused any
issues in testing.

Signed-off-by: Alexander Fisher <>
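The enumerate-then-delete approach described in this commit message, as an added example in Ruby (the language of the smart-proxy plugin); this is not the plugin's or the committer's code. It assumes `dnscmd /EnumRecords` prints one record per line in the form `@ [Aging:N] TTL TYPE<tab>DATA` (the sample output below is constructed), that the caller already knows the server, zone and fqdn, and that the `remove_records` wrapper is only run against a real Windows DNS server.

```ruby
# Added example, not smart_proxy_dns_dnscmd code: delete every record of a node
# by first enumerating them and then passing each record's RRData to
# /RecordDelete, so the service account needs record rights only, not Full
# Control on the zone.
require 'open3'

# Constructed sample of what `dnscmd <server> /EnumRecords <zone> <node> /Type A`
# is assumed to print (format is an assumption; adjust the regex if your server
# prints differently). The TXT line shows that other types are ignored.
SAMPLE_ENUM_OUTPUT = <<~OUT
  Returned records:
  @ [Aging:3604987] 1200 A\t10.1.2.3
  @ 3600 A\t10.1.2.4
  @ 3600 TXT\t"v=spf1 -all"

  Command completed successfully.
OUT

# Return the RRData column of every record of +type+ in +output+.
# Matches "<name or blank> [Aging:N]? <ttl> <type> <data>" and skips the
# "Returned records:" / "Command completed" chatter.
def enum_records_rrdata(output, type)
  pattern = /^\S*\s+(?:\[Aging:\d+\]\s+)?\d+\s+#{Regexp.escape(type)}\s+(.+?)\s*$/
  output.each_line.each_with_object([]) do |line, data|
    m = line.match(pattern)
    data << m[1] if m
  end
end

# One dnscmd argument vector per record. Giving the RRData (the IP for an A
# record) is what lets the delete succeed without Full Control; "/f" skips the
# confirmation prompt. Note from the commit message: deleting an A record this
# way may also remove the matching PTR on the same server.
def record_delete_commands(server, zone, fqdn, type, rrdata_list)
  rrdata_list.map do |data|
    [server, '/RecordDelete', zone, "#{fqdn}.", type, data, '/f']
  end
end

# Live wrapper (not exercised offline): enumerate, then delete each record.
# +dnscmd+ is the path to the binary; arguments are passed as an argv, not a
# shell string, so zone/fqdn values are never shell-interpreted.
def remove_records(server, zone, fqdn, type, dnscmd: 'dnscmd.exe')
  out, status = Open3.capture2(dnscmd, server, '/EnumRecords', zone, "#{fqdn}.", '/Type', type)
  raise "EnumRecords failed: #{out}" unless status.success?

  rrdata = enum_records_rrdata(out, type)
  record_delete_commands(server, zone, fqdn, type, rrdata).each do |argv|
    del_out, del_status = Open3.capture2(dnscmd, *argv)
    raise "RecordDelete failed (#{argv.join(' ')}): #{del_out}" unless del_status.success?
  end
  rrdata
end

if $PROGRAM_NAME == __FILE__
  ips = enum_records_rrdata(SAMPLE_ENUM_OUTPUT, 'A')
  record_delete_commands('.', 'example.com', 'host1.example.com', 'A', ips).each do |argv|
    puts argv.join(' ')
  end
end
```

Run stand-alone it prints the two `/RecordDelete` invocations that would be issued for the sample output; `remove_records` is the same logic wired to a real server. Keeping the enumerate step separate from the delete step also makes it easy to log exactly which records the proxy removed.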


#1 Updated by Alex Fisher over 6 years ago

I've hit this too.

I don't think the fix is quite as trivial as suggested though.
From what I can see, the foreman smart-proxy API for deleting DNS A records doesn't support the IP address being sent as well as the fqdn.

I don't think it should be too hard to use dnscmd /EnumRecords to build a list (of most likely 1) of the specific entries that need to be deleted though. I'll try hacking on a patch...

Meanwhile, does anybody know why the current solution isn't working for some of us? All dnscmd documentation I've come across certainly suggests that specifying the RRData field is optional.

#2 Updated by The Foreman Bot over 6 years ago

  • Status changed from New to Ready For Testing
  • Pull request added

#3 Updated by Dmitri Dolguikh over 6 years ago

Would be helpful to see the contents of event log when this error is reported...

#4 Updated by Alex Fisher about 6 years ago

It's been a while, but I've finally been able to get some time with a domain admin to investigate this further. Even after much fiddling we weren't able to get anything useful logged, but we did discover the following...

The only way to delete records (without specifying the RRData option) was to (temporarily) give the service account user 'Full Control' privileges on the zone. No other combination of privileges worked (including ticking everything other than 'Full Control'). This might be acceptable to some, but I won't be allowed to run with the account configured this way (e.g. it can delete the whole zone in a single click). Some organisations might be prepared to grant the user these elevated privileges, but I imagine many won't.

#5 Updated by Alex Fisher almost 6 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#6 Updated by Dominic Cleal almost 6 years ago

  • Assignee set to Alex Fisher
  • Legacy Backlogs Release (now unused) set to 189
