DHCP on a DC with Dynamic DNS


Harrison Midkiff

Hello:

When W2K SP2 was out I was told at a TechNet briefing not to install DHCP on
the server due to problems with Dynamic DNS on the domain controller.
Currently Microsoft is at SP4.

Does anyone know if this problem has been resolved in these updates? Can
you run DHCP on a domain controller running Dynamic DNS and not have any
problems? I really didn't investigate this when I heard it, since I got it
at a TechNet briefing.

Thanks

Harrison Midkiff
 
As far as I know there's no technical problem with it, but there is a
security issue.
DHCP servers are members of the DnsUpdateProxy builtin group. As such, the
host records they register in (D)DNS are writable by the outside world. So when a
DC is also a DHCP server, its own DNS records are nonsecure.

As far as I know this is not solved by SP4. Yes, I've read the SP4 readme,
but forgive me for not remembering all the details.....

For detailed info see:
http://www.microsoft.com/windows200...ced/help/sag_DHCP_imp_InteroperabilityDNS.htm

excerpt:
Caution
- For Windows 2000, the use of secure dynamic updates can be compromised
by running a DHCP server on a domain controller when Windows 2000 DHCP
server is configured to perform registration of DNS records on behalf of its
clients. To avoid this issue, deploy DHCP servers and domain controllers on
separate computers. If you are not concerned about security of reverse
lookup (PTR) records, this precaution is only advisable if the DHCP server
is configured to perform registration of host (A) records on behalf of its
clients (which is not a default behavior).
Regards,
Ben Meijer
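The exposure Ben describes (DHCP server is a DC, sits in DnsUpdateProxy, and registers records on behalf of clients) can be audited in one pass. The script below is an added example, not part of the original thread or of Microsoft's documentation. It assumes a current Windows Server with the DhcpServer and ActiveDirectory PowerShell modules (neither existed for Windows 2000; the same facts could be read with the DHCP MMC and Active Directory Users and Computers there), run on the DHCP server by a domain admin. The check for a dedicated DNS update credential goes beyond the Windows 2000 discussion: later Windows versions let the DHCP server register records under a separate low-privilege account, which is the standard fix for this problem. The function name and the RID constants are my own; the cmdlets, group name and setting names are the real ones.

```powershell
# Added audit example (not from the thread). Assumes Windows Server 2012 or
# later with the DhcpServer and ActiveDirectory modules installed.
Import-Module DhcpServer
Import-Module ActiveDirectory

function Test-DhcpDnsUpdateExposure {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $computer = Get-ADComputer -Identity $ComputerName -Properties PrimaryGroupID
    # Writable DCs have primary group "Domain Controllers" (RID 516);
    # read-only DCs use RID 521.
    $isDc = $computer.PrimaryGroupID -in @(516, 521)

    # Records registered by members of DnsUpdateProxy get no secure owner, so any
    # authenticated client can later overwrite them. That is the problem when the
    # member is a DC: its own A/PTR records end up with the same weak ACL.
    $proxyMembers = Get-ADGroupMember -Identity 'DnsUpdateProxy' -ErrorAction SilentlyContinue
    $inProxyGroup = [bool]($proxyMembers |
        Where-Object { $_.SamAccountName -eq $computer.SamAccountName })

    # Server-wide IPv4 DNS registration policy. "Always" and the down-level
    # client option both mean the DHCP server writes records on behalf of clients,
    # which is the condition the Microsoft caution hinges on.
    $dns = Get-DhcpServerv4DnsSetting -ComputerName $ComputerName
    $registersForClients = ($dns.DynamicUpdates -eq 'Always') -or
                           $dns.UpdateDnsRRForOlderClients

    # With a dedicated DNS update credential the DHCP service registers records as
    # that account instead of the DC machine account, so the DC's own records keep
    # their secure owner. (Feature of later Windows versions; assumption here.)
    $cred = Get-DhcpServerDnsCredential -ComputerName $ComputerName -ErrorAction SilentlyContinue
    $hasDnsCredential = -not [string]::IsNullOrEmpty($cred.UserName)

    [pscustomobject]@{
        Computer            = $ComputerName
        IsDomainController  = $isDc
        InDnsUpdateProxy    = $inProxyGroup
        RegistersForClients = $registersForClients
        HasDnsCredential    = $hasDnsCredential
        # The combination the caution above warns about, without the later mitigation.
        AtRisk              = $isDc -and $inProxyGroup -and $registersForClients -and -not $hasDnsCredential
    }
}

Test-DhcpDnsUpdateExposure | Format-List
```

If AtRisk comes back True and you cannot move DHCP off the DC, the two changes that close the gap are removing the DC from DnsUpdateProxy and configuring a dedicated account with `Set-DhcpServerDnsCredential -Credential (Get-Credential)`; re-run the function afterwards and confirm HasDnsCredential is True and InDnsUpdateProxy is False.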
 
Harrison,

Sounds like it might be a good solution in your case.
I've solved the puzzle in my environment by placing DHCP services at my
Windows 2000 print-servers.

Keep in mind the advanced functionality of Microsoft's Windows 2000 DHCP,
which isn't available in all third-party DHCP servers (don't know about
Weird, although the name should speak for itself....):
- DDNS registration on behalf of the clients (like non-DDNS clients and esp.
PTR records)
- easy integration with PXE boot / RIS

Good luck!
Ben Meijer
 
Currently running all this on a test server open to the web for testing
firewalls:
DNS, DHCP, TS, IIS5, Telnet, SQL, FTP, Mail... you get the drift.

I have had no problem with SP4 using DHCP on a DNS server. I am using
third-party firewalls locked down tight, but it works well here.

Regards
Don Grover
 