Concerning the group called ENTERPRISE DOMAIN CONTROLLERS (each DC in a
forest belongs to this group). So imagine this. You have child domains and
some guy is admin of that child domain. He does not have Enterprise Admins
membership. Because he is an admin of that child domain he can log on locally
to the DC, impersonate the SYSTEM of the DC and, by impersonating the DC, he
gets the membership of the computed group ENTERPRISE DOMAIN CONTROLLERS...
party on! He can do very bad things. This is another topic, I know, but if
you don't trust that child domain admin? -> ANOTHER FOREST!
Concerning the ENTERPRISE DOMAIN CONTROLLERS group see
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q243330
#####
SID: S-1-5-9
Name: Enterprise Domain Controllers
Description: A group that includes all domain controllers in a forest that
uses an Active Directory directory service. Membership is controlled by the
operating system.
#####

Concerning the DHCP service and the user account see
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DHCP_imp_InteroperabilityDNS.asp

Configuring a user account can be done in the following way:
* For W2K3: Use the DHCP MMC, right-click the DHCP server name, select the
  Advanced tab and configure the "DNS dynamic updates registration
  credentials".
* For W2K: the GUI does not provide the same ability as the GUI in W2K3, but
  it can be configured by typing the following command:
  NETSH DHCP SERVER \\<servername> SET DNSCREDENTIALS <UserName> <Domain> <Password>
  --> press enter (see also http://support.microsoft.com/?kbid=255134)

Cheers
Jorge


-----Original Message-----
From: [EMAIL PROTECTED]
To: [email protected]
Sent: 3/31/2005 6:53 PM
Subject: RE: [ActiveDir] DHCP on a DC

Gentlemen,

As I understand this, Jorge is not exactly correct (far be it from me to
even intimate that, but I've got to get my head around this and I need to
challenge).  These records cannot become "ownerless".  They always have an
owner, do they not?  In this case, the records are allowed to be updated in
the case of DHCP failover, and then only if a lease renewal is requested,
again "my" understanding. Is this correct or not?

Isn't the real problem here the fact that records need to be updated at all?
>SOME< authority has to be able to do that.  I see no reason why a DC isn't
the logical authority.  What difference does it make where DNS accepts an
authority to modify records, either with a Netsh created account or with a
DC account.  The records are getting changed.  The records need to get
changed.

Jorge says "A DC by default belongs to the computed (sic) group called
ENTERPRISE DOMAIN CONTROLLERS."  When I look in my forest root ADUC and in
DCs, I only see the two DCs in my forest root.  I don't see the DCs in my
sub-domain, the domain in question.  You're not telling me that there is an
inherited membership in EDC are you?

Finally, just tell me, as the Roaming Gnome says after plugging an American
electrical device into a foreign country's electrical network, "Am I going
to die?" if I run DHCP on my DCs (and use the Netsh created account).

Thanks in advance.

RH
____________________________________________________________




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Noah Eiger
Sent: Thursday, March 31, 2005 11:34 AM
To: [email protected]
Subject: RE: [ActiveDir] DHCP on a DC


Jorge - will running DHCP under the credentials of a user account prevent
the ownership issue you discussed below? (I think the answer is "yes" since
it would then be the same owner throughout the domain.)

-----Original Message-----
From: Jorge de Almeida Pinto
[mailto:[EMAIL PROTECTED]
Sent: Thursday, March 31, 2005 8:13 AM
To: [email protected]
Subject: RE: [ActiveDir] DHCP on a DC

Hi,

This is for any DNS resource record! (when DHCP is installed on a DC and no
user credentials are used)

A DC by default belongs to the computed group called ENTERPRISE DOMAIN
CONTROLLERS. That same group has ALL THE POWER over ALL DNS records when AD
Integrated zones are used. When DHCP is installed on a DC it "inherits" the
power from the DC and thus the DHCP can do anything with any DNS record. As
you may know the DNS records of the DCs (e.g. all kinds of service records)
are very important for the functioning of AD.

Logically a member server DOES NOT belong to the computed group called
ENTERPRISE DOMAIN CONTROLLERS. When DHCP is installed on a member server it
"inherits" the power from the member server and thus the DHCP can't do much.
It only has the power over those records it has registered on behalf of the
clients.

When DHCP is installed on a DC, to mitigate the risk that the DHCP SERVICE
has power over DC records and other records that it does not own, DHCP can
be configured to use a user account when doing registrations on behalf of
the client computers
(http://support.microsoft.com/default.aspx?scid=kb;en-us;255134) (in W2K use
NETSH and in W2K3 use NETSH or the DHCP GUI).

The following situations are also interesting:
(1) Multiple DHCP servers at one location providing IP addresses and
registering those addresses on behalf of those clients
(2) Clients moving between different locations

In both situations multiple DHCP servers need to be able to register/update
the DNS record of the clients. If DHCP is installed on a DC there is no
problem as DHCP inherits its rights through the DC role. If DHCP is
installed on member servers the DHCP server that registers some record on
behalf of the client automatically becomes the owner of that record (i.e.
has permissions for that record to modify it!). If another DHCP needs
(because of one of the situations mentioned above) to register/update the
same record it is not allowed to do that and the record can therefore not be
updated. A solution (not recommended!) for this is to make the DHCP server a
member of the group DNSUpdateProxy. In this situation all DNS records
registered by the DHCP server that is a member of that group are
"owner-less", meaning that EVERYONE can update/register those records and
become the owner! Imagine this one on a DC!!! -> DON'T DO THAT!!!
Even on a member server I don't recommend that; in some situations it might
be needed, although I can't think of one right now.

If more than one DHCP server, regardless of whether it is installed on a DC
or a member server, needs to update the same records, configure DHCP to use
the credentials of some user account
(http://support.microsoft.com/default.aspx?scid=kb;en-us;255134) (in W2K use
NETSH and in W2K3 use NETSH or the DHCP GUI).
If DHCP is installed on a DC, configure DHCP to use the credentials of some
user account
(http://support.microsoft.com/default.aspx?scid=kb;en-us;255134) (in W2K use
NETSH and in W2K3 use NETSH or the DHCP GUI).

I hope this helps you understand the situations

Cheers
Jorge
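
As an added illustration (not code from this thread or from Microsoft), a PowerShell audit that checks a server for the two configurations Jorge warns about: the DHCP Server service running on a DC without a dedicated DNS update account, and the server's computer account sitting in DnsUpdateProxy. It assumes the DhcpServer and ActiveDirectory modules (Windows Server 2012 and later); on W2K/W2K3 the NETSH command quoted in the message is the equivalent setting.

```powershell
# Added example: audit DHCP-on-DC risk. Not part of the original thread.
# Assumes the DhcpServer and ActiveDirectory PowerShell modules are present.
function Test-DhcpOnDc {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $isDc = $cs.DomainRole -ge 4
    $dhcp = Get-Service -Name DHCPServer -ErrorAction SilentlyContinue
    $findings = @()

    if ($dhcp -and $isDc) {
        # DHCP running in the DC's context inherits the ENTERPRISE DOMAIN
        # CONTROLLERS rights over every AD-integrated DNS record unless a
        # dedicated account is configured for dynamic update registrations.
        $cred = $null
        if (Get-Command Get-DhcpServerDnsCredential -ErrorAction SilentlyContinue) {
            $cred = Get-DhcpServerDnsCredential -ErrorAction SilentlyContinue
        }
        if ($cred -and $cred.UserName) {
            $findings += "OK: DHCP on DC registers DNS records as " +
                         "$($cred.DomainName)\$($cred.UserName)"
        } else {
            $findings += "RISK: DHCP Server runs on a DC and updates DNS as the DC " +
                         "itself; set credentials, e.g. " +
                         "netsh dhcp server set dnscredentials <user> <domain> <password>"
        }
    } elseif ($dhcp) {
        $findings += "INFO: DHCP Server on a member server; it owns only the " +
                     "records it registers itself"
    }

    # DnsUpdateProxy membership makes every record this server registers
    # owner-less (anyone can take it over). Jorge's advice: never on a DC.
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        $members = Get-ADGroupMember -Identity DnsUpdateProxy -ErrorAction SilentlyContinue
        $self = $members | Where-Object { $_.SamAccountName -eq "$($cs.Name)$" }
        if ($self) {
            $findings += "RISK: $($cs.Name) is a member of DnsUpdateProxy"
        }
    }
    return $findings
}

Test-DhcpOnDc
```

Run it as a DHCP administrator on each DHCP server; a RISK line means the server still registers records with DC-level rights or owner-less, which is what the credentials setting above fixes.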

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, March 31, 2005 17:25
To: [email protected]
Subject: RE: [ActiveDir] DHCP on a DC

Tom,

Thank you for responding.  Do you really mean "any record"?  So it could
just decide to delete the Domain Controllers OU?  Or do you mean any record
in DNS, which is where I would expect it to operate?  I simply can't
understand why (logically) a DC would not be the optimum place for this.  A
proxy agent (member server) is still going to have and require the requisite
authority to update records so where is the security vulnerability?  I
didn't mention that this is happening on W2K3 server.  Does this
vulnerability still apply?

Thanks

RH
___________________________________________




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Kern, Tom
Sent: Thursday, March 31, 2005 9:55 AM
To: [email protected]
Subject: RE: [ActiveDir] DHCP on a DC


You can install it on a DC but it's not recommended.
When you install a DHCP server on a DC it runs in the security context of
the DC. Every DC has full control over all the zones and records in AD. So
by proxy, so does the DHCP service running on a DC. This means it can delete
or modify any record in AD, including those created by domain members and
DCs.

That's a lot of power and potential for abuse and screw-ups in DNS and
consequently, your AD forest.
If you do run it on a DC, I think MS recommends you create a separate
dedicated account for the DHCP service to run under using netsh.exe.



Rocky Habeeb wrote:
> People,
>
> Please consider helping me with this question.  We are getting ready
> to switch to DHCP.  Reading a document from MSDN entitled "Chapter 2
> Deploying DHCP" there is a section that states "If DHCP will perform
> DNS dynamic updates, do not install it on a domain controller.
> Instead, install DHCP on a member server.  When DHCP is installed on a
> DC and is configured to perform dynamic updates on behalf of clients
> in DNS zones that are configured to allow only secure dynamic update,
> specify a user account to update the DNS records."
>
> Well, this statement is ambiguous.  Can it be installed on a DC (which
> we would prefer to do for reasons of economy) or not?  Is there a
> problem with doing it?
>
> Thank you people in advance.
>
> RH
>
> _____________________________
>
> Rocky Habeeb
> Microsoft Systems Administrator
> James W. Sewall Company
> Old Town, Maine
> Voice: 207.827.4456  Ext. 387
> Email: [EMAIL PROTECTED]
> www.jws.com
> _____________________________
>
>
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/

This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.