Sorry, I misread your question. I thought you were asking about which
account to use to run the DHCP service under. My apologies.

Kern, Tom wrote:
> No. It should definitely NOT be an EA or DA.
> Using the DHCP GUI or netsh will take care and give the appropriate
> rights to the account. It should just be a regular user but dedicated
> to the DHCP service.
>
> Tim Foster wrote:
>> Slightly off-topic... but I am trying to clarify the user account
>> required to authorize a DHCP server. Does this need to be an
>> Enterprise Admin, or a Domain Admin?
>>
>> Regards,
>>
>> Tim
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
>> Almeida Pinto
>> Sent: Thursday, March 31, 2005 11:13 AM
>> To: [email protected]
>> Subject: RE: [ActiveDir] DHCP on a DC
>>
>> Hi,
>>
>> This is for any DNS resource record! (when DHCP is installed on a DC
>> and no user credentials are used)
>>
>> A DC by default belongs to the computed group called ENTERPRISE
>> DOMAIN CONTROLLERS. That same group has ALL THE POWER over ALL DNS
>> records when AD Integrated zones are used. When DHCP is installed on
>> a DC it "inherits" the power from the DC and thus the DHCP can do
>> anything with any DNS record. As you may know the DNS records of the
>> DCs (e.g. all kinds of service records) are very important for the
>> functioning of AD.
>>
>> Logically a member server DOES NOT belong to the computed group
>> called ENTERPRISE DOMAIN CONTROLLERS. When DHCP is installed on a
>> member server it "inherits" the power from the member server and
>> thus the DHCP can't do much. It only has the power over those
>> records it has registered on behalf of the clients.
>>
>> When DHCP is installed on a DC, and to mitigate the risk that the DHCP
>> SERVICE has power over DC records and other records that it does not
>> own, DHCP can be configured to use a user account when doing
>> registrations on behalf of the client computers
>> (http://support.microsoft.com/default.aspx?scid=kb;en-us;255134) (in
>> W2K use NETSH and in W2K3 use NETSH or the DHCP GUI).
>>
>> The following situations are also interesting:
>> (1) Multiple DHCP servers at one location providing IP addresses and
>> registering those addresses on behalf of those clients
>> (2) Clients moving between different locations
>>
>> In both situations multiple DHCP servers need to be able to
>> register/update the DNS record of the clients. If DHCP is installed
>> on a DC there is no problem as DHCP inherits its rights through the
>> DC role. If DHCP is installed on member servers the DHCP server that
>> registers some record on behalf of the client automatically becomes
>> the owner of that record (i.e. has permissions for that record to
>> modify it!). If another DHCP needs (because of one of the situations
>> mentioned above) to register/update the same record it is not
>> allowed to do that and the record can therefore not be updated. A
>> solution (not recommended!) for this is to make the DHCP server a
>> member of the group DNSUpdateProxy. In this situation all DNS
>> records registered by the DHCP server that is a member of that group
>> are "owner-less", meaning that EVERYONE can update/register those
>> records and become the owner! Imagine this one on a DC!!! -> DON'T
>> DO THAT!!! Even on a member server I don't recommend that; in some
>> situations it might be needed, although I can't think of one right
>> now.
>>
>> If more than one DHCP server, regardless of whether it is installed
>> on a DC or a member server, needs to update the same records,
>> configure DHCP to use the credentials of some user account
>> (http://support.microsoft.com/default.aspx?scid=kb;en-us;255134) (in
>> W2K use NETSH and in W2K3 use NETSH or the DHCP GUI).
>> If DHCP is installed on a DC, configure DHCP to use the credentials
>> of some user account
>> (http://support.microsoft.com/default.aspx?scid=kb;en-us;255134) (in
>> W2K use NETSH and in W2K3 use NETSH or the DHCP GUI).
>>
>> I hope this helps you understand the situations.
>>
>> Cheers
>> Jorge
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
>> Sent: Thursday, March 31, 2005 17:25
>> To: [email protected]
>> Subject: RE: [ActiveDir] DHCP on a DC
>>
>> Tom,
>>
>> Thank you for responding. Do you really mean "any record"? So it
>> could just decide to delete the Domain Controllers OU? Or do you
>> mean any record in DNS, which is where I would expect it to operate?
>> I simply can't understand why (logically) a DC would not be the
>> optimum place for this. A proxy agent (member server) is still going
>> to have and require the requisite authority to update records, so
>> where is the security vulnerability? I didn't mention that this is
>> happening on W2K3 server. Does this vulnerability still apply?
>>
>> Thanks
>>
>> RH
>> ___________________________________________
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
>> Sent: Thursday, March 31, 2005 9:55 AM
>> To: [email protected]
>> Subject: RE: [ActiveDir] DHCP on a DC
>>
>> You can install it on a DC but it's not recommended.
>> When you install a DHCP server on a DC it runs in the security
>> context of the DC. Every DC has full control over all the zones and
>> records in AD. So by proxy, so does the DHCP service running on a
>> DC. This means it can delete or modify any record in AD, including
>> those created by domain members and DCs.
>>
>> That's a lot of power and potential for abuse and screw-ups in DNS
>> and, consequently, your AD forest. If you do run it on a DC, I think
>> MS recommends you create a separate dedicated account for the DHCP
>> service to run under using netsh.exe.
>>
>> Rocky Habeeb wrote:
>>> People,
>>>
>>> Please consider helping me with this question. We are getting ready
>>> to switch to DHCP. Reading a document from MSDN entitled "Chapter 2
>>> Deploying DHCP" there is a section that states "If DHCP will perform
>>> DNS dynamic updates, do not install it on a domain controller.
>>> Instead, install DHCP on a member server. When DHCP is installed on
>>> a DC and is configured to perform dynamic updates on behalf of clients
>>> in DNS zones that are configured to allow only secure dynamic
>>> update, specify a user account to update the DNS records."
>>>
>>> Well, this statement is ambiguous. Can it be installed on a DC
>>> (which we would prefer to do for reasons of economy) or not? Is
>>> there a problem with doing it?
>>>
>>> Thank you people in advance.
>>>
>>> RH
>>>
>>> _____________________________
>>>
>>> Rocky Habeeb
>>> Microsoft Systems Administrator
>>> James W. Sewall Company
>>> Old Town, Maine
>>> Voice: 207.827.4456 Ext. 387
>>> Email: [EMAIL PROTECTED]
>>> www.jws.com
>>> _____________________________
>>>
>>> List info : http://www.activedir.org/List.aspx
>>> List FAQ : http://www.activedir.org/ListFAQ.aspx
>>> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
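The thread's guidance (configure DHCP with a dedicated, unprivileged account for DNS dynamic updates, never an EA or DA, and stay out of DnsUpdateProxy) can be audited from the DHCP server itself. The script below is an added example, not code from any participant in this thread. It assumes the DhcpServer and ActiveDirectory PowerShell modules (Windows Server 2012 or later, which post-date the 2005 thread; the thread's own tools were netsh and the DHCP GUI), and the account name CONTOSO\svc-dhcp-dns in the remediation comment is a placeholder.

```powershell
# Added example (not from the thread): audit the identity a DHCP server uses
# for DNS dynamic updates. Assumes the DhcpServer and ActiveDirectory modules.
# Run on the DHCP server, or pass -ComputerName for a remote one.
Import-Module DhcpServer
Import-Module ActiveDirectory

function Test-DhcpDnsUpdateIdentity {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $findings = @()

    # 1. Is DHCP running on a domain controller?
    #    Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $ComputerName).DomainRole
    $isDc = $role -in 4, 5

    # 2. Are dedicated DNS update credentials configured? Without them DHCP
    #    registers records as the machine account, which on a DC is a member
    #    of Enterprise Domain Controllers (full control over AD-integrated zones).
    $cred = Get-DhcpServerDnsCredential -ComputerName $ComputerName
    $hasCred = -not [string]::IsNullOrEmpty($cred.UserName)

    if ($isDc -and -not $hasCred) {
        $findings += 'DHCP runs on a DC with no dedicated DNS update credentials: records are registered with DC-level rights over the zone.'
    }
    elseif (-not $hasCred) {
        $findings += 'No dedicated DNS update credentials: this server''s computer account owns every record it registers, so other DHCP servers cannot update them.'
    }

    # 3. If an account is configured, is it a privileged one? The thread's
    #    advice is a plain user dedicated to DHCP, never an EA or DA.
    if ($hasCred) {
        $user = Get-ADUser -Identity $cred.UserName -Properties MemberOf
        $privileged = $user.MemberOf | Where-Object { $_ -match '^CN=(Domain Admins|Enterprise Admins),' }
        if ($privileged) {
            $findings += "DNS update account '$($cred.UserName)' is a member of: $($privileged -join '; ')"
        }
    }

    # 4. Is the DHCP server's computer account in DnsUpdateProxy? Records it
    #    registers would then be created owner-less, updatable by anyone.
    $proxyMembers = Get-ADGroupMember -Identity 'DnsUpdateProxy' |
        Select-Object -ExpandProperty SamAccountName
    $inProxy = $proxyMembers -contains "$ComputerName`$"
    if ($inProxy) {
        $findings += 'DHCP server computer account is a member of DnsUpdateProxy: records it registers are owner-less.'
    }

    [pscustomobject]@{
        ComputerName       = $ComputerName
        IsDomainController = $isDc
        DnsCredentialUser  = if ($hasCred) { "$($cred.DomainName)\$($cred.UserName)" } else { $null }
        InDnsUpdateProxy   = $inProxy
        Findings           = $findings
    }
}

# Usage: an empty Findings list means the server matches the thread's advice.
Test-DhcpDnsUpdateIdentity | Format-List

# Remediation the thread describes: point DHCP at a dedicated, unprivileged
# account (the DHCP GUI grants it the rights it needs). Account name below is
# a placeholder.
#   Set-DhcpServerDnsCredential -Credential (Get-Credential 'CONTOSO\svc-dhcp-dns')
# Equivalent on W2K/W2K3, as the thread notes:
#   netsh dhcp server set dnscredentials <user> <domain> <password>
```

Finding 2 covers both halves of Jorge's argument: on a DC the risk is excess power over the zone, on a member server it is record ownership that blocks a second DHCP server from updating the same client record. Either way the fix is the same dedicated account on every DHCP server, which also sidesteps the DnsUpdateProxy workaround the thread warns against.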
