You can install it on a DC but it's not recommended. When you install a dhcp server on a DC it runs in the security context of the DC. Every DC has full control over all the zones and records in AD. So by proxy, so does the dhcp service running on a DC. This means it can delete or modify any record in AD, including those created by domain members and DCs.
That's a lot of power and potential for abuse and screw ups in dns and consequently, your AD forest. If you do run it on a DC, I think MS recommends you create a separate dedicated account for the dhcp service to run under using netsh.exe.

Rocky Habeeb wrote:
> People,
>
> Please consider helping me with this question. We are getting ready
> to switch to DHCP. Reading a document from MSDN entitled "Chapter 2
> Deploying DHCP" there is a section that states "If DHCP will perform
> DNS dynamic updates, do not install it on a domain controller.
> Instead, install DHCP on a member server. When DHCP is installed on
> a DC and is configured to perform dynamic updates on behalf of
> clients in DNS zones that are configured to allow only secure dynamic
> update, specify a user account to update the DNS records."
>
> Well, this statement is ambiguous. Can it be installed on a DC
> (which we would prefer to do for reasons of economy) or not? Is
> there a problem with doing it?
>
> Thank you people in advance.
>
> RH
>
> _____________________________
>
> Rocky Habeeb
> Microsoft Systems Administrator
> James W. Sewall Company
> Old Town, Maine
> Voice: 207.827.4456 Ext. 387
> Email: [EMAIL PROTECTED]
> www.jws.com
> _____________________________
>
>
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
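
An added example, not part of the thread: a PowerShell audit for the situation discussed above, listing the authorized DHCP servers that run on a domain controller and perform DNS dynamic updates without a dedicated update account. It assumes the ActiveDirectory and DhcpServer RSAT modules are installed and that the caller can read each server's DHCP configuration; the `Finding` labels are made up for this example.

```powershell
# Added example (not from the original thread).
# Assumes the ActiveDirectory and DhcpServer RSAT modules are available.
Import-Module ActiveDirectory, DhcpServer

# FQDNs of every domain controller in the current domain.
$dcNames = Get-ADDomainController -Filter * |
    ForEach-Object { $_.HostName.ToLower() }

# Walk the DHCP servers authorized in Active Directory.
$report = foreach ($srv in Get-DhcpServerInDC) {
    $name = $srv.DnsName.ToLower()
    $onDc = $dcNames -contains $name
    $updates = $null
    $account = $null
    $finding = 'OK'
    try {
        # Server-level dynamic update mode: Never, OnClientRequest or Always.
        $updates = (Get-DhcpServerv4DnsSetting -ComputerName $name -ErrorAction Stop).DynamicUpdates
        # Dedicated account for DNS registrations, if one has been set.
        $cred = Get-DhcpServerDnsCredential -ComputerName $name -ErrorAction Stop
        if ($cred.UserName) { $account = "$($cred.DomainName)\$($cred.UserName)" }

        if ($onDc -and $updates -ne 'Never' -and -not $account) {
            # Records are registered in the DC's own security context.
            $finding = 'DHCP on DC without dedicated DNS update account'
        } elseif ($onDc) {
            $finding = 'DHCP on DC (review placement)'
        }
    } catch {
        $finding = "Query failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Server         = $name
        OnDomainCtrl   = $onDc
        DynamicUpdates = $updates
        UpdateAccount  = $account
        Finding        = $finding
    }
}

$report | Sort-Object Finding, Server | Format-Table -AutoSize

# To set a dedicated account on a flagged server (the PowerShell counterpart
# of the netsh approach mentioned in the reply), an administrator can run:
#   Set-DhcpServerDnsCredential -ComputerName <server> -Credential (Get-Credential)
```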
