Tom's Guide | Tom's Hardware | Tom's Games
Hi,
I read somewhere that it was not wise to run DHCP on a domain controller running DNS with dynamic updates, but it didn't exactly explain why! Can anyone please throw more light on it? My company is planning to move to a new server, so I wanted to know if we would have to decide on a DHCP server or if we could just run DHCP on the server which will also be the DC. Thanks in advance.

I run DHCP on DCs. I don't think you should have a problem. I can't think of a reason to be concerned about it.
I'd be curious about their reason for such a statement if you can find it.

I also run DHCP on my DC. Never had a problem. If you find that there is a reason not to put them both on the same box, please let me know, because I am planning a migration soon and I will take that into account. Thanks.

Me too. I believe if you had 10,000 users logging in at the same time, and 200 DCs replicating with each other, then you might have some bandwidth bottlenecks.
But once again:
the real world never quite measures up to the Microsoft examples in the cert tests (which is where this statement got its start).

The reason not to run DHCP with dynamic updates is because it compromises the security of the infrastructure. This is because of the likely use of the DNSUpdateProxy group: any server that is a member of this group does not (cannot) take ownership of the DNS entries that it makes.

I found this on a Google search for "what is DNSUpdateProxy". I don't know if this will help; I copied it without the author's permission, but it seems to answer the question, which is way over my head, by the way.
Ed

Yes, you DON'T want your DCs to be added to the DNSUpdateProxy group, even if they run DHCP services. Only "stand alone" (i.e. normal member servers) should be added to the group. I would sincerely suggest that you remove your DCs from the group, as you're currently rather unprotected => you could just as well have configured dynamic DNS without the "allow only secure updates" option... as any client/user can easily erase or hijack the DC host records, potentially causing a full outage of your domain/forest.

It might have been an MS recommendation 4 years ago, when they didn't know the product themselves - but you'll not hear that recommendation today.

Have a look at what permissions Authenticated Users have in Advanced View - may not be Full Control after all, but at least write access to most of the attributes of the record.

-----Original Message-----
From: Jef Kazimer [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 5 November 2003 20:15
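The quoted advice boils down to two checks a defender can run: is any DC a member of DnsUpdateProxy, and who can actually write the DCs' own host records in the AD-integrated zone? The following PowerShell is an added example, not code from the thread; it assumes the ActiveDirectory RSAT module, a reader with AD read access, that the group carries its default name DnsUpdateProxy (the thread spells it DNSUpdateProxy), and that the zone is stored in the DomainDnsZones partition.

```powershell
# Added example (not from the thread): audit DnsUpdateProxy membership of DCs and
# report which broad principals hold write/delete rights on each DC's A record.
# Assumes: ActiveDirectory module, AD-integrated zone stored in DomainDnsZones.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$zoneName = $domain.DNSRoot
$dcs      = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name

# 1. Membership check: a DC in DnsUpdateProxy is exactly what the quoted mail warns about.
$proxyMembers = Get-ADGroupMember -Identity 'DnsUpdateProxy' -Recursive |
    Select-Object -ExpandProperty Name
foreach ($dc in $dcs) {
    if ($proxyMembers -contains $dc) {
        Write-Warning "Domain controller $dc is a member of DnsUpdateProxy"
    }
}

# 2. ACL check: DNS records are dnsNode objects under the zone container, so the
#    record's owner and DACL can be read through the AD: drive with Get-Acl.
$zoneDN    = "DC=$zoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$($domain.DistinguishedName)"
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
             [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
             [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
             [System.DirectoryServices.ActiveDirectoryRights]::Delete

foreach ($dc in $dcs) {
    $hostName = ($dc -split '\.')[0]
    $path     = "AD:\DC=$hostName,$zoneDN"
    if (-not (Test-Path $path)) {
        Write-Warning "No A record object found for $hostName in $zoneName"
        continue
    }
    $acl   = Get-Acl -Path $path
    # Allow ACEs granting write or delete to principals any authenticated user can satisfy.
    $broad = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $writeMask) -ne 0) -and
        $_.IdentityReference -match 'Authenticated Users|Everyone|Domain Computers|DnsUpdateProxy'
    }
    [PSCustomObject]@{
        Record     = $hostName
        Owner      = $acl.Owner            # DnsUpdateProxy-registered records are not owned by the DC
        WritableBy = ($broad.IdentityReference | Sort-Object -Unique) -join ', '
    }
}
```

A DC record whose Owner is not the DC's own computer account, or whose WritableBy column lists Authenticated Users, is the unprotected state the mail describes; re-registering the record from the DC itself after removing it from the group restores secure-only ownership.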

