Hi,

This is for any DNS resource record! (when DHCP is installed on a DC and no user credentials are used)

A DC by default belongs to the computed group called ENTERPRISE DOMAIN CONTROLLERS. That same group has ALL THE POWER over ALL DNS records when AD Integrated zones are used. When DHCP is installed on a DC it "inherits" the power from the DC and thus the DHCP can do anything with any DNS record. As you may know the DNS records of the DCs (e.g. all kinds of service records) are very important for the functioning of AD.

Logically a member server DOES NOT belong to the computed group called ENTERPRISE DOMAIN CONTROLLERS. When DHCP is installed on a member server it "inherits" the power from the member server and thus the DHCP can't do much. It only has the power over those records it has registered on behalf of the clients.

When DHCP is installed on a DC, and to mitigate the risk that the DHCP SERVICE has power over DC records and other records that it does not own, DHCP can be configured to use a user account when doing registrations on behalf of the client computers (http://support.microsoft.com/default.aspx?scid=kb;en-us;255134) (in W2K use NETSH and in W2K3 use NETSH or the DHCP GUI).

The following situations are also interesting:
(1) Multiple DHCP servers at one location providing IP addresses and registering those addresses on behalf of those clients
(2) Clients moving between different locations

In both situations multiple DHCP servers need to be able to register/update the DNS record of the clients. If DHCP is installed on a DC there is no problem as DHCP inherits its rights through the DC role. If DHCP is installed on member servers, the DHCP server that registers some record on behalf of the client automatically becomes the owner of that record (i.e. has permissions for that record to modify it!). If another DHCP needs (because of one of the situations mentioned above) to register/update the same record it is not allowed to do that and the record can therefore not be updated.

A solution (not recommended!) for this is to make the DHCP server a member of the group DNSUpdateProxy. In this situation all DNS records registered by the DHCP server that is a member of that group are "owner-less", meaning that EVERYONE can update/register those records and become the owner! Imagine this one on a DC!!! -> DON'T DO THAT!!! Even on a member server I don't recommend that; in some situations it might be needed, although I can't think of one right now.

If more than one DHCP server, regardless if it is installed on a DC or a member server, needs to update the same records, configure DHCP to use the credentials of some user account (http://support.microsoft.com/default.aspx?scid=kb;en-us;255134) (in W2K use NETSH and in W2K3 use NETSH or the DHCP GUI).

If DHCP is installed on a DC, configure DHCP to use the credentials of some user account (http://support.microsoft.com/default.aspx?scid=kb;en-us;255134) (in W2K use NETSH and in W2K3 use NETSH or the DHCP GUI).

I hope this helps you understand the situations.

Cheers
Jorge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, March 31, 2005 17:25
To: [email protected]
Subject: RE: [ActiveDir] DHCP on a DC

Tom,

Thank you for responding. Do you really mean "any record"? So it could just decide to delete the Domain Controllers OU? Or do you mean any record in DNS, which is where I would expect it to operate? I simply can't understand why (logically) a DC would not be the optimum place for this. A proxy agent (member server) is still going to have and require the requisite authority to update records, so where is the security vulnerability? I didn't mention that this is happening on W2K3 server. Does this vulnerability still apply?

Thanks
RH
___________________________________________

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kern, Tom
Sent: Thursday, March 31, 2005 9:55 AM
To: [email protected]
Subject: RE: [ActiveDir] DHCP on a DC

You can install it on a DC but it's not recommended. When you install a DHCP server on a DC it runs in the security context of the DC. Every DC has full control over all the zones and records in AD. So by proxy, so does the DHCP service running on a DC. This means it can delete or modify any record in AD, including those created by domain members and DCs. That's a lot of power and potential for abuse and screw-ups in DNS and, consequently, your AD forest. If you do run it on a DC, I think MS recommends you create a separate dedicated account for the DHCP service to run under using netsh.exe

Rocky Habeeb wrote:
> People,
>
> Please consider helping me with this question. We are getting ready
> to switch to DHCP. Reading a document from MSDN entitled "Chapter 2
> Deploying DHCP" there is a section that states "If DHCP will perform
> DNS dynamic updates, do not install it on a domain controller.
> Instead, install DHCP on a member server. When DHCP is installed on a
> DC and is configured to perform dynamic updates on behalf of clients
> in DNS zones that are configured to allow only secure dynamic update,
> specify a user account to update the DNS records."
>
> Well, this statement is ambiguous. Can it be installed on a DC (which
> we would prefer to do for reasons of economy) or not? Is there a
> problem with doing it?
>
> Thank you people in advance.
>
> RH
>
> _____________________________
>
> Rocky Habeeb
> Microsoft Systems Administrator
> James W. Sewall Company
> Old Town, Maine
> Voice: 207.827.4456 Ext. 387
> Email: [EMAIL PROTECTED]
> www.jws.com
> _____________________________

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
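A defender-side audit of the two risks discussed in this thread (DHCP on a DC without dedicated DNS credentials, and DHCP server membership in DnsUpdateProxy), added here as an example and not code from the thread or from Microsoft. It assumes Windows Server 2012 or later with the DhcpServer and ActiveDirectory PowerShell modules; the netsh commands in the comments are the W2K/W2K3 equivalents that KB 255134 describes.

```powershell
# Added example (not from the thread): audit the local DHCP server for the risks
# discussed above. Assumes the DhcpServer and ActiveDirectory modules are available.
Import-Module DhcpServer, ActiveDirectory

$computer = $env:COMPUTERNAME
$findings = @()

# 1. Is this DHCP server a domain controller? Win32_ComputerSystem.DomainRole
#    4 = backup DC, 5 = primary DC. A DC's ENTERPRISE DOMAIN CONTROLLERS
#    membership gives DHCP full control over every AD-integrated DNS record.
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole
$isDC = $role -ge 4

# 2. Are dedicated DNS update credentials configured for DHCP?
#    (W2K3 equivalent: netsh dhcp server show dnscredentials)
#    Assumption: the returned object exposes a UserName property.
$cred    = Get-DhcpServerDnsCredential
$hasCred = -not [string]::IsNullOrEmpty($cred.UserName)

# 3. Is the server's computer account a member of DnsUpdateProxy?
#    Records registered by members of that group are "owner-less".
$proxyMembers = Get-ADGroupMember -Identity 'DnsUpdateProxy' -Recursive |
    Select-Object -ExpandProperty SamAccountName
$inProxy = $proxyMembers -contains "$computer`$"

if ($isDC -and -not $hasCred) {
    $findings += "DHCP runs on a DC without dedicated DNS credentials; registrations " +
                 "use the DC's rights over every DNS record. Fix: " +
                 "Set-DhcpServerDnsCredential -Credential (Get-Credential) " +
                 "(W2K3: netsh dhcp server set dnscredentials <user> <domain> <password>)."
}
if ($inProxy) {
    $findings += "Computer account is in DnsUpdateProxy; records it registers are " +
                 "owner-less and anyone can update them and take ownership. Fix: " +
                 "remove it from the group and use dedicated credentials instead."
}

if ($findings.Count -eq 0) {
    "OK: DHCP on $computer uses a dedicated account and is not in DnsUpdateProxy."
} else {
    $findings | ForEach-Object { "WARN: $_" }
}
```

Run it in an elevated session on the DHCP server; the same checks apply to a member server, where only the DnsUpdateProxy finding is relevant.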
