No. I only meant DNS records. Sorry (of course, it's running as LocalSystem on a 
DC, which is never a good idea if you can avoid it, and I'm sure this can be 
exploited in ways I don't know about...)

A DC would not be the logical place because of the inherent power of DCs. A 
DHCP server running on a DC would inherit that power: the ability to delete any 
record in DNS (among many, many other things). This could occur due to a 
misconfiguration or someone hijacking the DHCP service and going haywire on 
your forest. You don't want to open up that kind of hole. It wouldn't be able 
to do such damage on a member server, as member servers only have power over 
themselves locally and not the whole forest (unless they were trusted for 
delegation, which is not the default, unlike DCs).
To be on the safe side, if you have to install DHCP on a DC, make sure you run 
the DHCP service under a dedicated account. As I said, you do this using the 
netsh.exe command shell.
This "issue" still exists in Win2K3 (and do NOT use the DnsUpdateProxy group, as 
that is insecure by nature).

I hope I'm clear and this helps...
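An added example, not from the thread, of the check and the netsh step described above, written as a PowerShell script for a DHCP server that does sit on a DC. The account name and NetBIOS domain are assumed placeholders; the DnsUpdateProxy check needs the ActiveDirectory module.

```powershell
# Added example, not from the thread. Run as an administrator on the DHCP server.
# Assumed placeholders: replace with your own dedicated, unprivileged domain user
# created only for the DHCP service's DNS dynamic updates.
$DnsUpdateUser   = 'svc-dhcp-dnsupdate'   # assumption: dedicated domain user
$DnsUpdateDomain = 'EXAMPLE'              # assumption: NetBIOS domain name

# 1. Is this box a domain controller? Win32_ComputerSystem.DomainRole 4/5 = DC.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    Write-Warning ("DHCP Server is running on a domain controller; without dedicated " +
                   "DNS update credentials its dynamic updates carry the DC's full " +
                   "rights over every zone and record in AD.")
}

# 2. Show what the DHCP service currently uses for dynamic updates.
#    Empty output means updates are sent as the service itself (LocalSystem on a DC).
Write-Host 'Current DNS dynamic update credentials:'
netsh dhcp server show dnscredentials

# 3. Configure the dedicated account. Prompt for the password instead of embedding it,
#    since netsh takes it as a plain argument and we do not want it in the script file.
$cred  = Get-Credential -UserName "$DnsUpdateDomain\$DnsUpdateUser" `
                        -Message 'Password for the DHCP DNS update account'
$plain = $cred.GetNetworkCredential().Password
netsh dhcp server set dnscredentials $DnsUpdateUser $DnsUpdateDomain $plain
Remove-Variable plain

# 4. The new credentials take effect when the DHCP service restarts.
Restart-Service -Name DHCPServer

# 5. Confirm nothing has been put in DnsUpdateProxy, the group warned against above.
$proxyMembers = Get-ADGroupMember -Identity 'DnsUpdateProxy' -ErrorAction SilentlyContinue
if ($proxyMembers) {
    Write-Warning ('DnsUpdateProxy has members: ' + ($proxyMembers.SamAccountName -join ', '))
}

# 6. Verify the change took.
netsh dhcp server show dnscredentials
```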




Rocky Habeeb wrote:
> Tom,
> 
> Thank you for responding.  Do you really mean "any record"?  So it
> could just decide to delete the Domain Controllers OU?  Or do you
> mean any record in DNS, which is where I would expect it to operate? 
> I simply can't understand why (logically) a DC would not be the
> optimum place for this.  A proxy agent (member server) is still going
> to have and require the requisite authority to update records so
> where is the security vulnerability?  I didn't mention that this is
> happening on W2K3 server.  Does this vulnerability still apply?
> 
> Thanks
> 
> RH
> ___________________________________________
> 
> 
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Kern, Tom
> Sent: Thursday, March 31, 2005 9:55 AM
> To: [email protected]
> Subject: RE: [ActiveDir] DHCP on a DC
> 
> 
> You can install it on a DC but it's not recommended.
> When you install a DHCP server on a DC it runs in the security
> context of the DC. Every DC has full control over all the zones and
> records in AD. So by proxy, so does the DHCP service running on a DC.
> This means it can delete or modify any record in AD, including those
> created by domain members and DCs.
> 
> That's a lot of power and potential for abuse and screw-ups in DNS and,
> consequently, your AD forest.
> If you do run it on a DC, I think MS recommends you create a separate
> dedicated account for the DHCP service to run under using netsh.exe.
> 
> 
> 
> Rocky Habeeb wrote:
>> People,
>> 
>> Please consider helping me with this question.  We are getting ready
>> to switch to DHCP.  Reading a document from MSDN entitled "Chapter 2
>> Deploying DHCP" there is a section that states "If DHCP will perform
>> DNS dynamic updates, do not install it on a domain controller.
>> Instead, install DHCP on a member server.  When DHCP is installed on
>> a DC and is configured to perform dynamic updates on behalf of
>> clients in DNS zones that are configured to allow only secure dynamic
>> update, specify a user account to update the DNS records."
>> 
>> Well, this statement is ambiguous.  Can it be installed on a DC
>> (which we would prefer to do for reasons of economy) or not?  Is
>> there a problem with doing it?
>> 
>> Thank you people in advance.
>> 
>> RH
>> 
>> _____________________________
>> 
>> Rocky Habeeb
>> Microsoft Systems Administrator
>> James W. Sewall Company
>> Old Town, Maine
>> Voice: 207.827.4456  Ext. 387
>> Email: [EMAIL PROTECTED]
>> www.jws.com
>> _____________________________
>> 
>> 
>> List info   : http://www.activedir.org/List.aspx
>> List FAQ    : http://www.activedir.org/ListFAQ.aspx
>> List archive:
>> http://www.mail-archive.com/activedir%40mail.activedir.org/
