DHCP security / best practices


gabi_cavaller
04-15-2009, 05:05 PM
Hi there,

I have been reading that DCs should not be used as DHCP servers due to security risks. Sources:

http://www.windowsecurity.com/articles/DHCP-Security-Part1.html
http://www.informit.com/articles/article.aspx?p=102617&seqNum=6

Is this still the case for 2008?

I have found this article, which covers changing the account details from the local account to an alternative:

http://windowsitpro.com/article/articleid/45917/how-do-i-run-the-dhcp-service-on-a-domain-controller-dc-by-using-an-account-other-than-the-dcs-account.html

Any light to this matter would be greatly appreciated.

I have purchased 5 new servers, two were going to be DCs running AD/DNS/DHCP (1st DC having 80% of the scope) and the other three servers being members.

It seems much tidier to me to have them on the DCs, as they will just sit there and simply carry out those roles. The member servers are going to be messed around with quite a bit.

Regards,

Gabi.

Ed
04-16-2009, 07:06 AM
Hi Gabi,

Yes, it is true that there is an increased security risk when you use a domain controller as a DHCP server. The risk primarily has to do with the DHCP server's ability to update dynamic DNS records. This is still true with Windows Server 2008.

Here is a detailed technet article about how it all works:

http://technet.microsoft.com/en-us/library/cc787034.aspx

Even though the article is based on Windows 2K3 I believe it still applies to Windows 2K8. Here is a quote from that article:

"When the DHCP Server service is installed on a domain controller, configuring the DHCP server with the credentials of the dedicated user account will prevent the server from inheriting, and possibly misusing, the power of the domain controller. When installed on a domain controller, the DHCP Server service inherits the security permissions of the domain controller and has the authority to update or delete any DNS record that is registered in a secure Active Directory-integrated zone (this includes records that were securely registered by other computers running Windows 2000 or a Windows Server 2003 operating system, including domain controllers).

It is necessary to configure a dedicated user account and configure the DHCP server with the account credentials under the following circumstances:

1. A domain controller is configured to function as a DHCP server.
2. The DHCP server is configured to perform DNS dynamic updates on behalf of DHCP clients.
3. The DNS zones to be updated by the DHCP server are configured to allow only secure dynamic updates.

Once you have created a dedicated user account, you can configure DHCP servers with the user account credentials by using the DHCP console or by using the Netsh DHCP context command server set dnscredentials."

You can use your DC as a DHCP server, but you should either turn off the DHCP server's ability to update DNS on behalf of its clients or configure a separate dedicated user account to perform this function.

Ed
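The dedicated-account configuration Ed describes above, carried out end to end, as an added example that is not part of the original post. It assumes a Windows Server 2012 or later DC running DHCP with the ActiveDirectory and DhcpServer PowerShell modules available; the account name svc-dhcp-dns, the domain corp.example and the host dc01.corp.example are placeholders. On Windows Server 2008 the same thing is done with the netsh command quoted from the TechNet article, shown as a comment at the end.

```powershell
# Added example, not from the original post. Placeholder names throughout.
Import-Module ActiveDirectory
Import-Module DhcpServer

$domain  = 'corp.example'        # placeholder AD domain
$svcUser = 'svc-dhcp-dns'        # placeholder dedicated account
$dhcpSrv = 'dc01.corp.example'   # placeholder: the DC that also runs DHCP

# 1. Create a plain domain user with no extra group memberships. The point is
#    that this identity holds nothing beyond an ordinary authenticated user:
#    under secure dynamic update it can then only update records it registered
#    itself, instead of any record in the zone as the DC's identity could.
#    (Do not call this $pwd: that is PowerShell's automatic current-directory variable.)
$svcPassword = Read-Host -AsSecureString "Password for $svcUser"
New-ADUser -Name $svcUser -SamAccountName $svcUser `
    -UserPrincipalName "$svcUser@$domain" `
    -AccountPassword $svcPassword -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Dedicated account for DHCP dynamic DNS updates'
# PasswordNeverExpires avoids silent breakage of DNS updates; rotate it on a schedule.

# Sanity check: the account must not sit in any privileged group, otherwise the
# whole exercise is pointless.
$groups = (Get-ADPrincipalGroupMembership -Identity $svcUser).Name
if ($groups | Where-Object { $_ -match 'Admin|Operators' }) {
    throw "$svcUser is in a privileged group: $($groups -join ', ')"
}

# 2. Hand these credentials to the DHCP Server service. This is the PowerShell
#    equivalent of "netsh dhcp server set dnscredentials".
$cred = New-Object System.Management.Automation.PSCredential("$domain\$svcUser", $svcPassword)
Set-DhcpServerDnsCredential -Credential $cred -ComputerName $dhcpSrv

# The service picks the credentials up on restart.
Get-Service -Name DHCPServer -ComputerName $dhcpSrv | Restart-Service

# 3. Verify. The returned object should name the dedicated account; empty
#    UserName/DomainName means DNS updates still run as the DC's own identity.
$check = Get-DhcpServerDnsCredential -ComputerName $dhcpSrv
if ($check.UserName -ne $svcUser) {
    throw "DHCP DNS credentials are '$($check.UserName)', expected '$svcUser'"
}
$check

# Alternative Ed mentions: stop the DHCP server updating DNS for clients at all,
# so the question of whose identity it uses never arises.
# Set-DhcpServerv4DnsSetting -ComputerName $dhcpSrv -DynamicUpdates Never

# Windows Server 2008 equivalent (the netsh DHCP context quoted above),
# followed by a restart of the DHCP Server service:
# netsh dhcp server set dnscredentials svc-dhcp-dns corp.example <password>
# net stop dhcpserver && net start dhcpserver
```

Run this on the DC that hosts DHCP, as a domain administrator. The group-membership check is deliberately crude (a name match); what matters is that the account is a member of Domain Users and nothing else.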

gabi_cavaller
04-16-2009, 09:18 AM
Ed,

Thanks ever so much for replying back so quickly :)

In this instance, what would you do, change the user account or use alternative servers?

What's the downside to "turn off the DHCP server's ability to update DNS on behalf of its clients"?

Thanks very much,

G

Ed
04-16-2009, 11:30 AM
Hi Gabi,

There are many factors involved in this decision. The main purpose in having a DHCP server updating DNS on behalf of its clients has to do with older clients which do not support dynamic DNS. There can be performance benefits of having a DHCP server updating DNS even if you do not have older clients, but they could only be realized by trying it and monitoring the network.

DHCP generally tends to use very minimal resources relative to the service it provides. I understand wanting to keep all the primary networking services consolidated on the 2 domain controllers so you can mess around with the other 3 member servers, but I don't think moving the DHCP services will interfere too heavily with those member servers.

You have to look at all factors involved and prioritize their importance. How large is your network? How many clients will the DHCP servers have to serve? How important is security? How secure is the perimeter of your network? Are you concerned with attacks coming from the inside?

Sorry for not giving you a more direct answer, but there are many possible solutions and any one of them could be the best for your scenario. My overall suggestion would be to consider how important the security risk is and then make your initial decision based upon that and then monitor and tweak the network as necessary.

Ed