Kurt,

I'd keep the DHCP off the DC; two eggs, one basket, not a good choice to make.

I will defer on the Exchange delegation since that is not an area of expertise. I will advise you that you can give permissions to any service via subinacl.exe by adding an ACE to the DACL of the service. You can also set the auditing on the service to track that they are using their privileges as needed. I would be extra careful giving anyone access to the DC or DNS, or there is a good chance that they will blow up your AD.

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP,Security+,Network+,CCA
Phone: 401-639-3505

-----Original Message-----
From: Kurt Buff [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 19, 2008 9:56 PM
To: NT System Admin Issues
Subject: Granting rights to services on a DC, etc.

All,

I'm having political issues with our AU office, and am being called on to grant rights to services on the servers.

The individual in question has installed the adminpak, so he's got the tools he needs, I think.

However, I have some questions:

1) I've added him to the DHCP Administrators group - the DHCP service is on the DC, or rather, what will become the DC when I promote it. What happens to that group when I promo the machine? Will he still be able to enter reservations, etc., only for that DC?

2) Is there a decent document on delegation of account/mailbox/DL/Contact creation for Exchange? Or is it as simple as delegating the AD OU?

3) From discussion a while back, I remember that delegating DNS administration seems to require separate domains - that there is no good way to delegate AD-integrated DNS in a single-domain environment. Is this more or less correct?
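Edward's reply above mentions adding an ACE to a service's DACL with subinacl.exe and auditing the service. As an added example (not from either poster), this Python code parses a service security descriptor in SDDL form, as printed by `sc sdshow`, and reports allow ACEs that give a delegated trustee more than start/stop. The sample descriptor, the SID and the choice of trusted trustees are constructed assumptions.

```python
import re

# SDDL right codes as they apply to service objects: code -> (name, mask bit).
SERVICE_RIGHTS = {
    "CC": ("QUERY_CONFIG", 0x1), "DC": ("CHANGE_CONFIG", 0x2),
    "LC": ("QUERY_STATUS", 0x4), "SW": ("ENUMERATE_DEPENDENTS", 0x8),
    "RP": ("START", 0x10), "WP": ("STOP", 0x20),
    "DT": ("PAUSE_CONTINUE", 0x40), "LO": ("INTERROGATE", 0x80),
    "CR": ("USER_DEFINED_CONTROL", 0x100), "SD": ("DELETE", 0x10000),
    "RC": ("READ_CONTROL", 0x20000), "WD": ("WRITE_DAC", 0x40000),
    "WO": ("WRITE_OWNER", 0x80000),
}
RISKY = {"CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER"}  # reconfigure or re-ACL
# Assumption: only LocalSystem (SY) and Builtin Administrators (BA) may hold them.
TRUSTED = {"SY", "BA"}

def decode_rights(field):
    """Turn an SDDL rights field (letter pairs or a hex mask) into right names."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return [name for name, bit in SERVICE_RIGHTS.values() if mask & bit]
    pairs = [field[i:i + 2] for i in range(0, len(field), 2)]
    return [SERVICE_RIGHTS[p][0] if p in SERVICE_RIGHTS else p for p in pairs]

def parse_dacl(sddl):
    """Return (ace_type, trustee, rights) for each ACE in the D: section only."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1) if m else ""):
        fields = body.split(";")
        if len(fields) == 6:  # skip malformed ACEs rather than guess
            aces.append((fields[0], fields[5], decode_rights(fields[2])))
    return aces

def risky_grants(sddl):
    """List (trustee, risky rights) for allow ACEs held by non-trusted trustees."""
    findings = []
    for ace_type, trustee, rights in parse_dacl(sddl):
        hit = sorted(RISKY.intersection(rights))
        if ace_type == "A" and trustee not in TRUSTED and hit:
            findings.append((trustee, hit))
    return findings

# Constructed sample: one delegated account (made-up SID) was granted
# start/stop but also CHANGE_CONFIG; the S: part is the audit SACL.
DELEGATE = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPLORC;;;" + DELEGATE + ")"
          "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
```

Calling `risky_grants(SAMPLE)` returns the delegated SID with `CHANGE_CONFIG`; the SACL entry is ignored because only the `D:` section is parsed.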
