
The Lazy Admin

Secure DHCP and DNS Services on Your DC



Most admins I talk to run DNS on their Domain Controllers, and most also run DHCP on one or more of them. The benefits of AD-Integrated Zones and the small footprint of DHCP allow you to run these services on your DCs with minimal impact on performance. The risk lies in the way DNS registrations are handled.

If the DC's computer account is not included in the DNSUpdateProxy group, all registrations in DNS are "owned" by the DC. If the DC computer accounts are included, no ownership is assigned. This applies to DNS registrations performed by the DHCP and Netlogon services. It is possible to assign a user account that performs all DHCP-related DNS registrations. From a command prompt, type:

netsh dhcp server set dnscredentials {username} {domainname} {password}

net stop DHCPServer

net start DHCPServer

Now all DNS registrations triggered by the DHCP service will be performed with this user account instead of the DC's computer account.
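
To check the result across every authorized DHCP server, the following audit script is an added example, not part of the original post. It assumes Windows Server 2012 or later with the DhcpServer and ActiveDirectory PowerShell modules installed, and it derives each computer account name from the first label of the server's DNS name.

```powershell
# Added example: audit DHCP servers for the two settings discussed above.
# Assumptions: Windows Server 2012+ with the DhcpServer and ActiveDirectory
# modules, run by an account allowed to query each DHCP server.
Import-Module DhcpServer, ActiveDirectory

# Members of DnsUpdateProxy: records they register carry no owner.
$proxyMembers = Get-ADGroupMember -Identity 'DnsUpdateProxy' |
    Select-Object -ExpandProperty SamAccountName

# Host names of all domain controllers, for the "DHCP on a DC" check.
$dcNames = Get-ADDomainController -Filter * |
    Select-Object -ExpandProperty HostName

$report = foreach ($server in Get-DhcpServerInDC) {
    $fqdn = $server.DnsName
    # Assumption: computer account name is the first DNS label plus '$'.
    $sam  = ($fqdn -split '\.')[0] + '$'

    # Credentials the DHCP service uses for DNS registrations, if any.
    $cred = $null
    try {
        $cred = Get-DhcpServerDnsCredential -ComputerName $fqdn -ErrorAction Stop
    } catch {
        Write-Warning "Could not query ${fqdn}: $($_.Exception.Message)"
    }
    $hasCred = [bool]($cred -and $cred.UserName)

    [pscustomobject]@{
        DhcpServer        = $fqdn
        RunsOnDC          = $dcNames -contains $fqdn
        InDnsUpdateProxy  = $proxyMembers -contains $sam
        DnsCredentialSet  = $hasCred
        DnsCredentialUser = if ($hasCred) { "$($cred.DomainName)\$($cred.UserName)" } else { '' }
    }
}

$report | Format-Table -AutoSize

# Servers with no user account assigned for DHCP-triggered registrations.
$report | Where-Object { -not $_.DnsCredentialSet } |
    ForEach-Object { Write-Warning "$($_.DhcpServer): no DNS credentials configured" }
```

Rows where RunsOnDC is true and DnsCredentialSet is false are the servers still registering records with the DC's computer account.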

For more information see:

Article ID: 242468 - How to Use the Netsh.exe Tool and Command-Line Switches





Published Wednesday, August 24, 2005 8:51 AM by rodney.buike
