No. It should definitely NOT be an EA or DA. Using the DHCP GUI or netsh will take care of it and give the appropriate rights to the account. It should just be a regular user, but dedicated to the DHCP service.
Tim Foster wrote:
> Slightly off-topic... but I am trying to clarify the user account
> required to authorize a DHCP server. Does this need to be an
> Enterprise Admin, or a Domain Admin?
>
> Regards,
>
> Tim
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
> Sent: Thursday, March 31, 2005 11:13 AM
> To: [email protected]
> Subject: RE: [ActiveDir] DHCP on a DC
>
> Hi,
>
> This is for any DNS resource record! (when DHCP is installed on a DC
> and no user credentials are used)
>
> A DC by default belongs to the computed group called ENTERPRISE DOMAIN
> CONTROLLERS. That same group has ALL THE POWER over ALL DNS records
> when AD Integrated zones are used. When DHCP is installed on a DC it
> "inherits" the power from the DC and thus the DHCP can do anything with
> any DNS record. As you may know, the DNS records of the DCs (e.g. all
> kinds of service records) are very important for the functioning of AD.
>
> Logically a member server DOES NOT belong to the computed group called
> ENTERPRISE DOMAIN CONTROLLERS. When DHCP is installed on a member server
> it "inherits" the power from the member server and thus the DHCP can't
> do much. It only has power over those records it has registered on
> behalf of the clients.
>
> When DHCP is installed on a DC, to mitigate the risk that the DHCP
> SERVICE has power over DC records and other records that it does not
> own, DHCP can be configured to use a user account when doing
> registrations on behalf of the client computers
> (http://support.microsoft.com/default.aspx?scid=kb;en-us;255134) (in
> W2K use NETSH and in W2K3 use NETSH or the DHCP GUI).
>
> The following situations are also interesting:
> (1) Multiple DHCP servers at one location providing IP addresses and
> registering those addresses on behalf of those clients
> (2) Clients moving between different locations
>
> In both situations multiple DHCP servers need to be able to
> register/update the DNS record of the clients. If DHCP is installed on
> a DC there is no problem, as DHCP inherits its rights through the DC
> role. If DHCP is installed on member servers, the DHCP server that
> registers some record on behalf of the client automatically becomes the
> owner of that record (i.e. has permissions for that record to modify
> it!). If another DHCP server needs (because of one of the situations
> mentioned above) to register/update the same record, it is not allowed
> to do that and the record can therefore not be updated. A solution (not
> recommended!) for this is to make the DHCP server a member of the group
> DNSUpdateProxy. In this situation all DNS records registered by the
> DHCP server that is a member of that group are "owner-less", meaning
> that EVERYONE can update/register those records and become the owner!
> Imagine this one on a DC!!! -> DON'T DO THAT!!!
> Even on a member server I don't recommend that; in some situations it
> might be needed, although I can't think of one right now.
>
> If more than one DHCP server, regardless of whether it is installed on
> a DC or a member server, needs to update the same records, configure
> DHCP to use the credentials of some user account
> (http://support.microsoft.com/default.aspx?scid=kb;en-us;255134) (in
> W2K use NETSH and in W2K3 use NETSH or the DHCP GUI).
> If DHCP is installed on a DC, configure DHCP to use the credentials of
> some user account
> (http://support.microsoft.com/default.aspx?scid=kb;en-us;255134) (in
> W2K use NETSH and in W2K3 use NETSH or the DHCP GUI).
>
> I hope this helps you understand the situations.
>
> Cheers
> Jorge
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
> Sent: Thursday, March 31, 2005 17:25
> To: [email protected]
> Subject: RE: [ActiveDir] DHCP on a DC
>
> Tom,
>
> Thank you for responding. Do you really mean "any record"? So it
> could just decide to delete the Domain Controllers OU? Or do you
> mean any record in DNS, which is where I would expect it to operate? I
> simply can't understand why (logically) a DC would not be the optimum
> place for this. A proxy agent (member server) is still going to have
> and require the requisite authority to update records, so where is the
> security vulnerability? I didn't mention that this is happening on
> W2K3 server. Does this vulnerability still apply?
>
> Thanks
>
> RH
> ___________________________________________
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Kern, Tom
> Sent: Thursday, March 31, 2005 9:55 AM
> To: [email protected]
> Subject: RE: [ActiveDir] DHCP on a DC
>
> You can install it on a DC but it's not recommended.
> When you install a DHCP server on a DC it runs in the security context
> of the DC. Every DC has full control over all the zones and records in
> AD. So by proxy, so does the DHCP service running on a DC. This means
> it can delete or modify any record in AD, including those created by
> domain members and DCs.
>
> That's a lot of power and potential for abuse and screw-ups in DNS and,
> consequently, your AD forest.
> If you do run it on a DC, I think MS recommends you create a separate
> dedicated account for the DHCP service to run under using netsh.exe
>
> Rocky Habeeb wrote:
>> People,
>>
>> Please consider helping me with this question. We are getting ready
>> to switch to DHCP. Reading a document from MSDN entitled "Chapter 2
>> Deploying DHCP" there is a section that states "If DHCP will perform
>> DNS dynamic updates, do not install it on a domain controller.
>> Instead, install DHCP on a member server. When DHCP is installed on a
>> DC and is configured to perform dynamic updates on behalf of clients
>> in DNS zones that are configured to allow only secure dynamic update,
>> specify a user account to update the DNS records."
>>
>> Well, this statement is ambiguous. Can it be installed on a DC (which
>> we would prefer to do for reasons of economy) or not? Is there a
>> problem with doing it?
>>
>> Thank you people in advance.
>>
>> RH
>>
>> _____________________________
>>
>> Rocky Habeeb
>> Microsoft Systems Administrator
>> James W. Sewall Company
>> Old Town, Maine
>> Voice: 207.827.4456 Ext. 387
>> Email: [EMAIL PROTECTED]
>> www.jws.com
>> _____________________________
>>
>> List info : http://www.activedir.org/List.aspx
>> List FAQ : http://www.activedir.org/ListFAQ.aspx
>> List archive:
>> http://www.mail-archive.com/activedir%40mail.activedir.org/
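The procedure the thread converges on (a dedicated, unprivileged account handed to the DHCP Server service via netsh so that client DNS registrations are no longer made in the DC's own security context), written out as an added PowerShell example. It is not code from the thread or from Microsoft; the domain name CONTOSO and the account name svc-dhcp-dns are assumptions, and it assumes it is run in an elevated session on the DHCP server itself with the ActiveDirectory module (RSAT) installed. It also adds the two checks the posters warn about: the account must not be in any admin group, and the DHCP server must not be a member of DnsUpdateProxy.

```powershell
# Added example, not from the original thread. Assumed names: domain CONTOSO,
# account svc-dhcp-dns. Run elevated on the DHCP server (DC or member server).
param(
    [string]$Domain      = 'CONTOSO',       # NetBIOS domain name (assumed)
    [string]$AccountName = 'svc-dhcp-dns'   # dedicated DHCP-to-DNS account (assumed)
)

Import-Module ActiveDirectory

# 1. Create the account as a plain domain user, nothing more. Under secure
#    dynamic update any authenticated account can create a record and then
#    owns it, which is all DHCP needs to register and refresh client records.
$password = Read-Host -AsSecureString "Password for $Domain\$AccountName"
if (-not (Get-ADUser -Filter "SamAccountName -eq '$AccountName'")) {
    New-ADUser -Name $AccountName -SamAccountName $AccountName `
        -AccountPassword $password -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'DHCP dynamic DNS registration account'
}

# 2. Refuse to continue if the account has crept into a privileged group.
#    Handing Domain/Enterprise Admin or DnsAdmins rights to the DHCP service
#    would recreate the very problem the dedicated account is meant to remove.
$privileged = 'Domain Admins', 'Enterprise Admins', 'DnsAdmins', 'Administrators'
$memberOf   = (Get-ADPrincipalGroupMembership -Identity $AccountName).Name
$offending  = $memberOf | Where-Object { $privileged -contains $_ }
if ($offending) {
    throw "$AccountName is a member of privileged group(s): $($offending -join ', ')"
}

# 3. Warn if this server is in DnsUpdateProxy: records it registers would be
#    owner-less and writable by anyone, which the thread calls out as the
#    worst option, especially on a DC.
$proxyMembers = (Get-ADGroupMember -Identity 'DnsUpdateProxy' -ErrorAction SilentlyContinue).Name
if ($proxyMembers -contains $env:COMPUTERNAME) {
    Write-Warning "$env:COMPUTERNAME is in DnsUpdateProxy; remove it so records keep a real owner"
}

# 4. Store the credentials for the DHCP Server service (this is the netsh
#    step from KB 255134). netsh takes the password as plain text on the
#    command line, so it is decoded here only for that call.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
netsh dhcp server set dnscredentials $AccountName $Domain $plain
# Windows Server 2012 and later expose the same setting as a cmdlet:
#   Set-DhcpServerDnsCredential -Credential (Get-Credential "$Domain\$AccountName")

# 5. Restart the service so registrations start using the new identity,
#    then show what the service now has stored.
Restart-Service -Name DHCPServer
netsh dhcp server show dnscredentials
```

Once this is in place, client A and PTR records created by DHCP are owned by svc-dhcp-dns rather than by the DC's computer account, so a second DHCP server configured with the same credentials can update them (the multi-server and roaming-client cases in Jorge's message) without anyone touching DnsUpdateProxy. The DC's own SRV and host records remain owned by the DC and out of the DHCP service's reach. If the password is ever rotated in AD, it must be re-entered with the same netsh command, or registrations will silently start failing.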
