Why I shouldn't put DHCP on DC

Jason

If I follow the MS Article 255134 to configure the DHCP Server Service to
Impersonate an Account, should it be secure enough, or are there other
additional concerns on why I shouldn't put DHCP server?

The info on the article is a bit misleading (in my opinion) since our DCs
are W2K SP4 and the account impersonation is for SP1 (only?)

Help is much appreciated.

Jason
 
Jason said:
If I follow the MS Article 255134 to configure the DHCP Server Service to
Impersonate an Account, should it be secure enough, or are there other
additional concerns on why I shouldn't put DHCP server?

The info on the article is a bit misleading (in my opinion) since our DCs
are W2K SP4 and the account impersonation is for SP1 (only?)


For maximum security you should not put a DHCP
server on a DC-DNS server with Secure Dynamic Updates
(secure or there is no point in the following) WITH the
DHCP server in the "DNS Update Proxy" Group.

It gives extra privileges to the DHCP server (?) within
AD.

Without using this group, multiple DHCP servers will
fight over the ownership of secure update of records
(first one to register a record owns it.)

Win2003 added a separate account for this purpose which
can be configured on the DHCP servers.
 
Is there a KB article or documentation that details how to configure this
separate DHCP account on Windows 2003?
 
Research Services said:
Is there a KB article or documentation that details how to configure this
separate DHCP account on Windows 2003?

There must be but it is trivial and likely trivial to
find the article.... (key may be knowing they call this
"Credentials" in the help).

Open Help for Win2003 Server (Start -> Help) or use
DHCP server MMC and choose help, searching index
for [ dynamic update ] or "search" for:

[ dhcp dns update credentials ]


Or search Microsoft using Google:

[ site:microsoft.com dhcp dns update credentials ]

You can also use the "web wide MS collection" from
Google:

[ microsoft: dhcp dns update credentials ]
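
An added example, not from any poster in this thread: an audit that flags the configuration discussed above (a DHCP server on a DC, DnsUpdateProxy membership, and whether DNS update credentials are set). It assumes a current Windows Server with the ActiveDirectory and DhcpServer PowerShell modules, which postdate the Windows 2000/2003 systems in the thread, and an account allowed to query each DHCP server.

```powershell
# Added example: report DHCP servers that run on a DC, sit in DnsUpdateProxy,
# or have no dedicated DNS dynamic update credentials configured.
# Assumption: ActiveDirectory and DhcpServer (RSAT) modules are installed.
Import-Module ActiveDirectory, DhcpServer

# FQDNs of all domain controllers in the current domain
$dcNames = (Get-ADDomainController -Filter *).HostName

# Computer accounts in the built-in DnsUpdateProxy group (trailing '$' removed)
$proxyMembers = Get-ADGroupMember -Identity 'DnsUpdateProxy' |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { $_.SamAccountName.TrimEnd('$') }

# Walk every DHCP server authorized in Active Directory
$report = foreach ($srv in Get-DhcpServerInDC) {
    $fqdn  = $srv.DnsName
    $short = ($fqdn -split '\.')[0]

    # Account the DHCP service uses for DNS dynamic updates, if any
    try {
        $cred     = Get-DhcpServerDnsCredential -ComputerName $fqdn -ErrorAction Stop
        $credUser = $cred.UserName
    } catch {
        $credUser = '<query failed>'
    }

    $onDC    = $dcNames -contains $fqdn          # -contains is case-insensitive
    $inProxy = $proxyMembers -contains $short
    $hasCred = -not [string]::IsNullOrEmpty($credUser) -and $credUser -ne '<query failed>'

    # Classify against the combinations raised in the thread
    $finding = if ($onDC -and $inProxy) {
        'DHCP on DC and member of DnsUpdateProxy'
    } elseif ($onDC -and -not $hasCred) {
        'DHCP on DC without dedicated DNS update credentials'
    } elseif ($inProxy) {
        'Member of DnsUpdateProxy; review record ownership'
    } else {
        'OK'
    }

    [pscustomobject]@{
        Server = $fqdn; OnDC = $onDC; InDnsUpdateProxy = $inProxy
        DnsUpdateUser = $credUser; Finding = $finding
    }
}

$report | Sort-Object Finding | Format-Table -AutoSize
```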
 