Don't do it. Step away from the keyboard.
A DHCP Administrator on a DC is a domain admin. An Exchange Administrator on a DC is a domain admin. You can delegate sub-domains in DNS, but that is easily over-ridden.

A domain is -a- administrative boundary. So is a forest. Except for name-resolution, and some minor security separation, you should consider them the same.

If creation of a separate forest is not an option, your best bet is to make them a child domain. Virtualize if necessary (standard warnings about virtualizing a DC apply), but don't mix functions and privileges...

Regards,

Michael B. Smith
MCSE/Exchange MVP
http://TheEssentialExchange.com

-----Original Message-----
From: Kurt Buff [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 19, 2008 9:56 PM
To: NT System Admin Issues
Subject: Granting rights to services on a DC, etc.

All,

I'm having political issues with our AU office, and am being called on to grant rights to services on the servers. The individual in question has installed the adminpak, so he's got the tools he needs, I think.

However, I have some questions:

1) I've added him to the DHCP Administrators group - the DHCP service is on the DC, or rather, what will become the DC when I promote it. What happens to that group when I promo the machine? Will he still be able to enter reservations, etc., only for that DC?

2) Is there a decent document on delegation of account/mailbox/DL/Contact creation for Exchange? Or is it as simple as delegating the AD OU?

3) From discussion a while back, I remember that delegating DNS administration seems to require separate domains - that there is no good way to delegate AD-integrated DNS in a single-domain environment. Is this more or less correct?
