Why I shouldn't put DHCP on DC
Jason
Guest





Posted: Tue Feb 08, 2005 3:06 am    Post subject: Why I shouldn't put DHCP on DC

If I follow the MS Article 255134 to configure the DHCP Server Service to
Impersonate an Account, should it be secure enough, or are there other
additional concerns on why I shouldn't put DHCP server?

The info on the article is a bit misleading (in my opinion) since our DCs
are W2K SP4 and the account impersonation is for SP1 (only?).

Help is much appreciated.

Jason
Herb Martin
Guest





Posted: Tue Feb 08, 2005 6:47 am    Post subject: Re: Why I shouldn't put DHCP on DC

"Jason" <jasons@hotmail.com> wrote in message
news:O7tL1nVDFHA.2540@TK2MSFTNGP09.phx.gbl...
> If I follow the MS Article 255134 to configure the DHCP Server Service to
> Impersonate an Account, should it be secure enough, or are there other
> additional concerns on why I shouldn't put DHCP server?
>
> The info on the article is a bit misleading (in my opinion) since our DCs
> are W2K SP4 and the account impersonation is for SP1 (only?).


For maximum security you should not put a DHCP
server on a DC-DNS server with Secure Dynamic Updates
(secure or there is no point in the following) WITH the
DHCP server in the "DNS Update Proxy" Group.

It gives extra privileges to the DHCP server (?) within
AD.

Without using this group, multiple DHCP servers will
fight over the ownership of secure update of records
(first one to register a record owns it.)

Win2003 added a separate account for this purpose which
can be configured on the DHCP servers.


--
Herb Martin


> Help is much appreciated.
>
> Jason

Research Services
Guest





Posted: Tue Feb 22, 2005 2:21 am    Post subject: Re: Why I shouldn't put DHCP on DC

Is there a KB article or documentation that details how to configure this
separate DHCP account on Windows 2003?



Herb Martin
Guest





Posted: Tue Feb 22, 2005 5:09 am    Post subject: Re: Why I shouldn't put DHCP on DC

"Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message
news:uXfujLFGFHA.2608@TK2MSFTNGP10.phx.gbl...
> Is there a KB article or documentation that details how to configure this
> separate DHCP account on Windows 2003?


There must be but it is trivial and likely trivial to
find the article.... (key may be knowing they call this
"Credentials" in the help).

Open Help for Win2003 Server (Start -> Help) or use
DHCP server MMC and choose help, searching index
for [ dynamic update ] or "search" for:

[ dhcp dns update credentials ]


Or search Microsoft using Google:

[ site:microsoft.com dhcp dns update credentials ]

You can also use the "web wide MS collection" from
Google:

[ microsoft: dhcp dns update credentials ]



--
Herb Martin
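
As an added example (not part of any post in this thread), one way to audit for the situation discussed above: DHCP running on a DC, membership in the DnsUpdateProxy group, and whether a dedicated DNS update credential is set. It assumes a later Windows Server release with the ActiveDirectory and DhcpServer PowerShell modules rather than the W2K/Win2003 systems in the thread; the finding strings are this example's own wording.

```powershell
# Added example: read-only audit; needs the ActiveDirectory and DhcpServer modules.
Import-Module ActiveDirectory, DhcpServer

# Short host names of every domain controller in the current domain.
$dcNames = @(Get-ADDomainController -Filter * | ForEach-Object { $_.Name.ToLower() })

# Computer accounts in DnsUpdateProxy (sAMAccountName minus the trailing '$').
$proxyMembers = @(Get-ADGroupMember -Identity 'DnsUpdateProxy' |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { $_.SamAccountName.TrimEnd('$').ToLower() })

$report = foreach ($srv in Get-DhcpServerInDC) {
    # Assumption: the first DNS label matches the computer account name.
    $short = $srv.DnsName.Split('.')[0].ToLower()

    # Dedicated DNS dynamic update credential on this DHCP server, if any.
    $credUser = $null
    try {
        $cred = Get-DhcpServerDnsCredential -ComputerName $srv.DnsName -ErrorAction Stop
        if ($cred.UserName) { $credUser = "$($cred.DomainName)\$($cred.UserName)" }
    } catch {
        Write-Warning "Could not query $($srv.DnsName): $($_.Exception.Message)"
        continue
    }

    $isDC    = $dcNames -contains $short
    $inProxy = $proxyMembers -contains $short

    # Findings map to the two cases raised in the thread.
    $finding = if ($isDC -and $inProxy) {
        'DHCP on a DC that is a member of DnsUpdateProxy'
    } elseif (-not $inProxy -and -not $credUser) {
        'No proxy group and no credential: records owned by this server account'
    } else {
        'none from this check'
    }

    [pscustomobject]@{
        DhcpServer       = $srv.DnsName
        IsDomainCtrl     = $isDC
        InDnsUpdateProxy = $inProxy
        DnsUpdateCred    = $credUser
        Finding          = $finding
    }
}

$report | Format-Table -AutoSize
```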


All times are GMT