A client was trying to use DNS as a content filter. She wanted to stop students from accessing Facebook but got complaints from administrators who needed access. She created a new forward lookup zone for Facebook.com, set an IP (local server) and then used the Zone security tab to allow access. I was called in when the Zone corrupted and no one could access Facebook.com. If I try to look at the zone properties, a red circle with a white dash appears and a message: “Zone not loaded by DNS server.” If I try to delete: “The Zone cannot be deleted. Access was denied.”
If I use ADSIEdit to try and get access rights via: Domain -> DC -> System -> MicrosoftDNS, I see two folders; one for in_addra_arpa, and another for Root DNS Servers. and what looks like a text file for DC=Facebook.com. When I attempt to get the object properties, I get: “An invalid directory pathname was passed”. If I try to delete this object I get: “The folder or one of it’s children has one or more property sheets up. Please close before continuing with this action.”
The current configuration is a single DNS server for this AD domain. I have assigned full control permissions to the DnsAdmins group. There are no errors in Event Viewer and I get no errors when I run:
DCDiag /TEST:DNS
I tried creating a host file for Facebook but doesn’t work. Client can get to the site by using the IP. How do I get to this object that doesn’t seem to exist but is still stopping access to Facebook.com?