Members of the built-in DNSAdmins security principal in an Active Directory domain are granted following default permissions: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions.
In a large organization, there may be a need to delegate control of the DNS Zone Administration to regional or branch office network administration groups or to the SOC team, who may have to create honeypot DNS entries. This article outlines one possible way to configure the delegation.
For this illustration, the regional network administration team is assumed to be located in the APAC region and create their first Active Directory integrated DNS Zone called lazydog.com
In order to keep the default Active Directory permissions on the defaultNC or the DomainDNSZones partition intact and to delegate control of DNS Zone Administration, this procedure requires the creation of a custom application partition.