That's what we're doing as well.  Not sure why, but our service account is a 
member of DNSUpdateProxy, but also a member of DNSAdmins.  Anyone have an idea 
why that group?  I didn't set this up initially; I'm just trying to get things 
in line with best practices, and address a current issue I'm working through: 
replacing a DC that happens to be our main DHCP server.  My thoughts at the 
moment are to add a new DC with only DC roles.  Then DCpromo the old DC 
(with DHCP), then migrate DHCP to a new server that is only a member server, 
not a DC.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Mark Gottschalk
Sent: Wednesday, November 29, 2017 6:21 PM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] DHCP role

https://blogs.technet.microsoft.com/stdqry/2012/04/03/dhcp-server-in-dcs-and-dns-registrations/
https://technet.microsoft.com/en-us/library/dd334715(v=ws.10).aspx

This is what we've done with DHCP on a DC.  Have a user "DHCP_user" in the Protected 
Users group and the DNSUpdateProxy group. Use this for the alternate credentials.

Note that the first article says:
"A common error is to think that the DHCP Server service running in a DC will 
use its service account security context to register records in DNS if no 
alternate credentials are configured, and then there is security risk. In fact, 
this is not the behavior of the DHCP Server in a DC.

If the DHCP Server service detects that it is running in a domain controller, 
and no alternate credentials for DNS registrations have been configured, then 
it decides to not do any registrations for DHCP clients and logs event 
DHCP/1056."

It also starts with:
"One common deployment scenario for the DHCP Server service is to have it 
installed in domain controllers. When this scenario is used it is necessary to 
define the alternate credentials to be used by DHCP when doing DNS 
registrations on behalf of the DHCP clients."

If you can separate them with no downside, go for it.  However, running DHCP on 
a DC appears to be accounted for and can be addressed as above.

-- Mark
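To turn the two articles' advice and the membership question above into something checkable, here is an added audit script (not from the thread or from Microsoft's articles). It assumes the ActiveDirectory and DhcpServer RSAT modules are available, that the DHCP server name and the account name "DHCP_user" are the ones from Mark's post (both are parameters you would change), and it only reads configuration; the one-liner that would set the credential is left commented at the end.

```powershell
# Added example: audit the "DHCP on a DC" DNS registration setup described in the thread.
# Assumptions: ActiveDirectory and DhcpServer modules installed; run with rights to read
# DHCP config, AD group membership and the System log on the DHCP server.
#Requires -Modules ActiveDirectory, DhcpServer

param(
    [string]$DhcpServer     = $env:COMPUTERNAME,   # assumed: the DC/DHCP box itself
    [string]$ServiceAccount = 'DHCP_user'          # account name used in Mark's post
)

# 1. Alternate credentials the DHCP Server service uses for DNS registrations.
#    Per the quoted article, a DHCP server on a DC with no credential configured
#    registers nothing for clients and logs DHCP event 1056.
$cred = Get-DhcpServerDnsCredential -ComputerName $DhcpServer
if ([string]::IsNullOrEmpty($cred.UserName)) {
    Write-Warning "No DNS update credential configured on $DhcpServer (expect event 1056 on a DC)."
} else {
    "DHCP DNS credential: $($cred.DomainName)\$($cred.UserName)"
}

# 2. Group membership of the service account. The setup in the thread needs
#    DnsUpdateProxy (plus Protected Users). DnsAdmins is not required for
#    dynamic registrations and grants much broader control of the DNS server.
$groups = Get-ADPrincipalGroupMembership -Identity $ServiceAccount |
    Select-Object -ExpandProperty Name
"Groups for ${ServiceAccount}: $($groups -join ', ')"
foreach ($g in 'DnsUpdateProxy', 'Protected Users') {
    if ($g -notin $groups) { Write-Warning "$ServiceAccount is not a member of '$g'." }
}
if ('DnsAdmins' -in $groups) {
    Write-Warning "$ServiceAccount is in DnsAdmins; dynamic DNS registration does not need it. Review whether that membership is still wanted."
}

# 3. Recent DHCP event 1056 entries in the System log (none is the healthy result).
Get-WinEvent -ComputerName $DhcpServer -FilterHashtable @{ LogName = 'System'; Id = 1056 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# To configure the alternate credential (prompts for the password), run:
# Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential (Get-Credential "$env:USERDOMAIN\$ServiceAccount")
```

Run it on the DHCP server (or point `-DhcpServer` at it) after a change such as the DC replacement described above; the three sections map directly onto the three things the thread is debating: whether a credential is set, whether the account holds only the groups it needs, and whether the server has been silently skipping client registrations.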

From:        "Heaton, Joseph@Wildlife" <joseph.hea...@wildlife.ca.gov>
To:        'NT System Admin Issues Discussion list' <ntsysadm@lists.myitforum.com>
Date:        11/29/2017 02:49 PM
Subject:        [NTSysADM] DHCP role
Sent by:        "listsad...@lists.myitforum.com" <listsadmin
________________________________


Is it still best practice to have DHCP NOT on a DC?  I've been reading a bunch 
of stuff, but everything I'm reading refers to Server 2003 or older.

Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284