I believe the issue is that a simple DHCP request, properly formed of course, could allow a rogue machine to hijack DNS entries for any machine on the network. It revolves around the ACLs placed on DNS entries and the rights necessary to allow the DHCP servers to update them.

Roger
--------------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Graham Turner [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 25, 2003 9:45 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] What Services/Server's can be combined with Active Directory.
>
> Would anyone care to give a little more insight into this issue of name hijacking?
>
> I take the point of how in principle full control over the DNS zones and data is potentially insecure; am I right to say that the risk manifests itself only when the computer account of the domain controller is compromised, presumably by getting its password?
>
> Or are there techniques (unknown to me) of "hijacking services" running in privileged security contexts?
>
> Notwithstanding, it would seem to me a very common "remote site" configuration for the networking services to be on a single host.
>
> GT
>
> ----- Original Message -----
> From: "Roger Seielstad" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, March 25, 2003 12:35 PM
> Subject: RE: [ActiveDir] What Services/Server's can be combined with Active Directory.
>
> > You are correct, but realistically a DDNS setup requires DNS and DCs to coexist; I'd expect that to be the much more likely scenario.
> >
> > --------------------------------------------------------------
> > Roger D. Seielstad - MCSE
> > Sr. Systems Administrator
> > Inovis Inc.
> >
> > > -----Original Message-----
> > > From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
> > > Sent: Monday, March 24, 2003 10:34 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] What Services/Server's can be combined with Active Directory.
> > >
> > > Missy,
> > >
> > > Doesn't this only apply when a DNS is also present on the DC? Combining the DNS and DHCP services can cause a security issue as you noted. But, if I combine DC services and DNS services, the compromise is not possible. Also, if I combine DHCP and DC functionality, I'm still secure - true?
> > >
> > > Good to have you here!
> > >
> > > Rick Kingslan MCSE, MCSA, MCT
> > > Microsoft MVP - Active Directory
> > > Associate Expert
> > > Expert Zone - www.microsoft.com/windowsxp/expertzone
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Missy Koslosky
> > > Sent: Monday, March 24, 2003 9:18 PM
> > > To: [EMAIL PROTECTED]
> > >
> > > Glenn,
> > >
> > > I'd want to keep DHCP off my DCs to avoid name hijacking. See
> > > http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q255134
> > >
> > > Hope all is well with you!
> > >
> > > Missy Koslosky
> > >
> > > ----- Original Message -----
> > > From: "Glenn Corbett" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Saturday, March 22, 2003 5:33 PM
> > > Subject: Re: [ActiveDir] What Services/Server's can be combined with Active Directory.
> > >
> > > John,
> > >
> > > The reason why you haven't really been able to find a source is that the answer is "it depends".
> > >
> > > Depending on the size of your sites, the amount of data, number of clients, other applications using DC services etc., you can really have a single server that does DC, GC, DNS, WINS, DHCP, FP. I really wouldn't worry about putting DHCP on a server by itself; the load is so small. Out of all of the infrastructure services, DHCP is probably the smallest load. Client machines get a DHCP address when they start, and IIRC there are two requests during the lifetime of the IP address (one halfway through, and one at the end of the lease). So for a 2 week lease timeout, you have essentially 3 requests to a DHCP server, which is nothing to really worry about.
> > >
> > > I recently did some AD design work where small sites (up to about 30 users) had a single server (Dual PIII 2+Ghz) that ran all the functions listed previously, plus Exchange, with no real trouble. For larger sites, my suggestion would be one "infrastructure server" (DC, GC, WINS, DHCP, DNS), and "application server(s)" (File Print, Exchange etc.).
> > >
> > > As long as you design your AD site topology correctly (so that replication is optimised, and GC placement is relevant for your clients), AD can pretty much co-exist with most things; it's a question of network bandwidth and load on the server. Other databases (like Exchange, SQL, Oracle) are really the main applications you need to be careful with when putting on the same server as AD, because they can cramp each other's style (Exchange and SQL on the same box for example is very touchy).
> > >
> > > If you are thinking of layering other applications onto an AD DC, just have a read of the requirements. In a lot of cases MS "force" you down a particular path. For example, SUS (System Update Services) and MOM (Microsoft Ops Manager) won't run on DCs, so you are forced to put in an additional server to run these.
> > >
> > > So, as for your original question *grin*, I would have one server that does the "infrastructure" stuff, and another server for FP.
> > >
> > > Glenn
> > >
> > > ----- Original Message -----
> > > From: "John Strongosky" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Saturday, March 22, 2003 11:27 AM
> > > Subject: [ActiveDir] What Services/Server's can be combined with Active Directory.
> > >
> > > > In our planning group we are having a discussion on what servers/services do we need to combine or can combine for our AD deployment. I have looked through a lot of Technotes; there is not one definitive answer. Can anyone point me to a source or answer this for me?
> > > >
> > > > We are thinking of combining: DC, DNS and GCs on a server, file and print and DHCP on another in our sites; or DC, DNS, GC on a server, file and print on a server and DHCP by itself.
> > > >
> > > > john

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
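As an added defender-side check (not part of this thread, nor Microsoft's own tooling), the PowerShell script below audits the exposure Roger and Missy describe: it lists the DHCP servers authorized in AD and flags any that are also domain controllers, reports DCs that are members of DnsUpdateProxy, and enumerates records in an AD-integrated zone whose owner is a DC computer account (the "DHCP registered this on behalf of a client" pattern behind KB Q255134). It assumes the ActiveDirectory and DhcpServer RSAT modules, a zone stored in the DomainDnsZones partition, and a placeholder zone name.

```powershell
# Added example, not from the thread. Audits the DHCP-on-DC exposure discussed above (KB Q255134).
# Assumptions: RSAT modules ActiveDirectory and DhcpServer are installed; the zone is AD-integrated
# and stored in the DomainDnsZones application partition. $ZoneName is a placeholder.
Import-Module ActiveDirectory
Import-Module DhcpServer

$ZoneName = 'corp.example.com'   # placeholder: your AD-integrated forward lookup zone

$domain    = Get-ADDomain
$dcObjects = Get-ADDomainController -Filter *
$dcFqdns   = $dcObjects | ForEach-Object { $_.HostName.ToLower() }

# 1. DHCP servers authorized in AD that are also DCs: the DHCP service then registers client
#    records with the DC computer account, which has rights over every record in the zone.
$dhcpOnDc = Get-DhcpServerInDC |
    Where-Object { $dcFqdns -contains $_.DnsName.ToLower() } |
    Select-Object -ExpandProperty DnsName
if ($dhcpOnDc) {
    Write-Warning "DHCP is running on domain controller(s): $($dhcpOnDc -join ', ')"
}

# 2. DCs in DnsUpdateProxy: records registered by a proxy member carry no owner protection,
#    so any client can later overwrite them.
$proxyDcs = Get-ADGroupMember -Identity 'DnsUpdateProxy' -ErrorAction SilentlyContinue |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { $_.SamAccountName.TrimEnd('$') } |
    Where-Object { ($dcObjects | ForEach-Object { $_.Name }) -contains $_ }
if ($proxyDcs) {
    Write-Warning "Domain controller(s) in DnsUpdateProxy: $($proxyDcs -join ', ')"
}

# 3. Records owned by a DC computer account. On a DHCP-on-DC setup these are the entries a
#    forged client registration could cause the DC-hosted DHCP service to overwrite.
$zoneDn   = "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$($domain.DistinguishedName)"
$dcOwners = $dcObjects | ForEach-Object { "$($domain.NetBIOSName)\$($_.Name)`$" }
$records  = Get-ADObject -SearchBase $zoneDn -LDAPFilter '(objectClass=dnsNode)' `
                         -Properties nTSecurityDescriptor
$dcOwned  = foreach ($r in $records) {
    $owner = $r.nTSecurityDescriptor.GetOwner([System.Security.Principal.NTAccount]).Value
    if ($dcOwners -contains $owner) {
        [pscustomobject]@{ Record = $r.Name; Owner = $owner }
    }
}
# Mitigation the KB points to: keep DHCP off DCs (or, on later builds, give the DHCP service a
# dedicated low-privilege account for dynamic updates) so client records are owned by that
# account, not by a DC. Records below are the ones to re-register or re-own after the change.
$dcOwned | Format-Table -AutoSize
```

Run it with an account that can read nTSecurityDescriptor on dnsNode objects; an empty table with no warnings means none of the three conditions is present.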
