I agree the workaround is a bit of a kludge. The main point is that it is a "best practice" for DNS clients to register their own A records. By not allowing DHCP to do the registrations you remove the security issue altogether.
---------- Original Message ----------------------------------
From: Roger Seielstad <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Fri, 14 Mar 2003 11:29:04 -0500

That's still a stretch at best, but it does make a viable option in smaller environments.

--------------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Tony Murray [mailto:[EMAIL PROTECTED]
> Sent: Friday, March 14, 2003 10:51 AM
> To: [EMAIL PROTECTED]
> Subject: RE: RE: [ActiveDir] DC role
>
> It is OK to run a DHCP server on a DC as long as the DNS client performs the A record registration. The "name stealing" issue comes into play only if DHCP is configured to register A records on behalf of clients. Even then, there is a workaround to the issue (post SP1), as described in the article below.
>
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q255134-
>
> Tony
>
> --------- Original Message ----------------------------------
> From: Roger Seielstad <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date: Fri, 14 Mar 2003 10:25:59 -0500
>
> Actually, you're supposed to keep DHCP off of Active Directory DCs; there's a fairly major security hole with them being colocated.
>
> --------------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis Inc.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > Sent: Friday, March 14, 2003 10:17 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: RE: [ActiveDir] DC role
> >
> > Actually, Microsoft recommends DNS on DCs along with DHCP where needed. DNS is generally accepted on DCs by all of the people I have spoken with. I do not understand the risk with security if you use AD-integrated DNS. Performance is always a risk, but DCs tend to need memory more than network.
> > -Jon
> >
> > -----Original Message-----
> > From: Brahim Bouchaiba [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, March 04, 2003 8:47 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: RE: [ActiveDir] DC role
> >
> > Thanks Greg.
> >
> > [EMAIL PROTECTED] writes:
> > > If you have no other resources, you have to do what you have to do, Brahim.
> > >
> > > However, if you do in fact have other resources, it is advisable not to put DNS, DHCP, or WINS on a DC: not only are you going to be facing certain security issues, but you will also hamper performance.
> >
> > Brahim Bouchaiba
> > Network administrator
> > Information technology
> > 617-7359720
> >
> > List info : http://www.activedir.org/mail_list.htm
> > List FAQ : http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> >
> > Visit our website at http://www.ubswarburg.com
> >
> > This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
> >
> > E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments.
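The thread's distinction is whether the DHCP server on a DC registers A records on behalf of clients, or whether clients register their own. The following PowerShell audit is an added example, not code from the thread or from the Microsoft article it links. It assumes the DhcpServer and ActiveDirectory RSAT modules (Windows Server 2012 or later cmdlets), an administrator session, and a placeholder server name; it also goes one step beyond the thread by checking DnsUpdateProxy membership, since records registered by members of that group are left without owner protection and, on a DC, that includes the DC's own records.

```powershell
# Added example (not from the thread): audit DHCP-driven DNS registration on a DC.
# Assumptions: DhcpServer + ActiveDirectory modules available; $dhcpServer is a placeholder.

$dhcpServer = 'dc01.corp.example'   # assumption: the DC that also runs DHCP

# 1. Server-wide dynamic update policy.
#    Never           = DHCP never registers records; clients register their own A records
#                      (the configuration the thread calls safe).
#    OnClientRequest = DHCP registers only when the client asks via DHCP option 81 (default).
#    Always          = DHCP registers A and PTR records for every lease.
$dnsSetting = Get-DhcpServerv4DnsSetting -ComputerName $dhcpServer
$dnsSetting | Format-List DynamicUpdates, DeleteDnsRROnLeaseExpiry,
                          UpdateDnsRRForOlderClients, NameProtection

# 2. Which account performs DHCP's registrations?  With no dedicated credential, updates run
#    under the server's own computer account. On a DC that is the account that also owns the
#    DC's own DNS records, which is the colocation concern raised in the thread.
$cred = Get-DhcpServerDnsCredential -ComputerName $dhcpServer
if ([string]::IsNullOrEmpty($cred.UserName)) {
    Write-Warning "DHCP on $dhcpServer registers DNS records with its own computer account."
} else {
    Write-Output "DHCP registers DNS records as $($cred.DomainName)\$($cred.UserName)."
}

# 3. Is the DHCP server's computer account in DnsUpdateProxy?  Records registered by members
#    of that group carry no owner protection so the client can overwrite them later; for a DC
#    that weakens the DC's own records as well.
$computerName = $dhcpServer.Split('.')[0]
$proxyMember = Get-ADGroupMember -Identity 'DnsUpdateProxy' |
    Where-Object { $_.objectClass -eq 'computer' -and $_.name -eq $computerName }
if ($proxyMember) {
    Write-Warning "$computerName is a member of DnsUpdateProxy."
}

# Remediation A (what the thread recommends): do not let DHCP register on behalf of clients.
# Set-DhcpServerv4DnsSetting -ComputerName $dhcpServer -DynamicUpdates Never

# Remediation B: keep DHCP registration, but run it under a dedicated low-privilege domain
# account rather than the DC's computer account.
# Set-DhcpServerDnsCredential -ComputerName $dhcpServer `
#     -Credential (Get-Credential -Message 'DHCP DNS update account')
```

Run the audit read-only first; the two remediation lines are commented out so that the choice between "clients register themselves" and "DHCP registers under a dedicated account" is made deliberately rather than by running the script.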