Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Rhinorhino on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
DHCP and DNS on Second DC
- Thread starter maxod
- Start date
This really depends on your needs. Firstly, my answers assume these DCs are both on the same site.
There's no need to make the second DC a DHCP server unless you wanted to have two DHCP servers in the site for redundancy purposes. Make sure if you do this, you give each server a different set of IP addresses for the scope.
DNS on the other hand depends on how you have set up your original DC. Do you have any AD integrated zones? If so, it makes sense to install the DNS service on the second DC since the DNS zones are replicated through normal AD replication so there won't be any overhead on doing so and it gives you a redundant DNS server if the other DC goes down.
If you're zones are all standard zones, then setting this server up as another DNS server is again really up to you, but if you wanted to, just install the DNS service and configure the server to pull secondary zones of all your DNS namespaces from the primary DC, again for redundancy purposes.
If these two DCs are in different sites, then I would suggest setting up both services to serve your other site as explained above.
Cheers, Antony
There's no need to make the second DC a DHCP server unless you wanted to have two DHCP servers in the site for redundancy purposes. Make sure if you do this, you give each server a different set of IP addresses for the scope.
DNS on the other hand depends on how you have set up your original DC. Do you have any AD integrated zones? If so, it makes sense to install the DNS service on the second DC since the DNS zones are replicated through normal AD replication so there won't be any overhead on doing so and it gives you a redundant DNS server if the other DC goes down.
If you're zones are all standard zones, then setting this server up as another DNS server is again really up to you, but if you wanted to, just install the DNS service and configure the server to pull secondary zones of all your DNS namespaces from the primary DC, again for redundancy purposes.
If these two DCs are in different sites, then I would suggest setting up both services to serve your other site as explained above.
Cheers, Antony
GonzarTheGreat
MIS
FYI: It is recommended you put DHCP on a machine other than a domain controller.
burro111,
I am sorry, but there is nothing in the Microsoft training that says you should not run dhcp on a DC.
Microsoft trainng for test 70-216 says the only requirement for the service is hardware fast enough to handle the disk I/O that DHCP can cause when you have alot of clients.
It says that the first DHCP server must be on an AD controler or member server for authorization to work properly.(pg 155, Windows 2000 Netowrk Infrastructure Administration, Microsoft Pub.)
Have a nice day Doomhamur
Network Engineer
"Certifications? we dont need no stinking certifiaction."
I am sorry, but there is nothing in the Microsoft training that says you should not run dhcp on a DC.
Microsoft trainng for test 70-216 says the only requirement for the service is hardware fast enough to handle the disk I/O that DHCP can cause when you have alot of clients.
It says that the first DHCP server must be on an AD controler or member server for authorization to work properly.(pg 155, Windows 2000 Netowrk Infrastructure Administration, Microsoft Pub.)
Have a nice day Doomhamur
Network Engineer
"Certifications? we dont need no stinking certifiaction."
- Thread starter
- #5
GonzarTheGreat
MIS
Doomhamur,
"Installation of DNS will extend the Active Directory schema to include the DNSUpdateProxy group. This is a very powerful group that allows objects to be created that has no security. When this occurs, any authenticated user can take ownership of those objects created in this manner.
Client records A and PTR are updated in DNS during the DHCP process in Windows 2000. When both clients and servers are Windows 2000, then secure dynamic updates can be completed using a default installation. When other clients need to be supported, then secure dynamic updates cannot be used unless the DHCP Server is added to the DNSUpdateProxy group. This allows the DHCP server to perform dynamic updates for these legacy clients.
Special consideration must be taken if the DHCP service is running on a Domain Controller Server. In this case, addition the DHCP server to the DNSUpdateProxy group will allow any user or computer full control of the DNS records corresponding to the Domain Controller."
Basically, if you install DHCP on a domain controller and add the server to the DNSUpdateProxy group (most organizations have atleast a few non-Win2k machines and still want to enjoy the benefit of dynamic updates), the DC's DNS records _are not protected_. You can optionally manually change the permissions on the DC's DNS records to give the DC exlcusive control/ownership, though its much easier to simply avoid installing DHCP on a DNS server from a security perspective.
But otherwise Doomhamur, according to the official Microsoft training to obtain your cert, you are correct. This is also an example of why I don't put much weight in just MCSE.
"Installation of DNS will extend the Active Directory schema to include the DNSUpdateProxy group. This is a very powerful group that allows objects to be created that has no security. When this occurs, any authenticated user can take ownership of those objects created in this manner.
Client records A and PTR are updated in DNS during the DHCP process in Windows 2000. When both clients and servers are Windows 2000, then secure dynamic updates can be completed using a default installation. When other clients need to be supported, then secure dynamic updates cannot be used unless the DHCP Server is added to the DNSUpdateProxy group. This allows the DHCP server to perform dynamic updates for these legacy clients.
Special consideration must be taken if the DHCP service is running on a Domain Controller Server. In this case, addition the DHCP server to the DNSUpdateProxy group will allow any user or computer full control of the DNS records corresponding to the Domain Controller."
Basically, if you install DHCP on a domain controller and add the server to the DNSUpdateProxy group (most organizations have atleast a few non-Win2k machines and still want to enjoy the benefit of dynamic updates), the DC's DNS records _are not protected_. You can optionally manually change the permissions on the DC's DNS records to give the DC exlcusive control/ownership, though its much easier to simply avoid installing DHCP on a DNS server from a security perspective.
But otherwise Doomhamur, according to the official Microsoft training to obtain your cert, you are correct. This is also an example of why I don't put much weight in just MCSE.
Hey, don't blame MCSE certification about this.
Take the security course, and you will find about subject there too!
But, reading what you are saying, doesn't look like how should be.
Issue 1. Old clients and their behaviour with DNS registration
- if you are setting "Enable Updates For DNS Clients That Do Not Support Dynamic Update" check box for a DHCP scope then those clients will benefit also of dynamic DNS updates. Their records will be written by the DHCP! And there is no need to make the DHCP server member of the DNSUpdateProxy. The owner of those records will be DHCP server. The problem will appear when the computer is upgraded. Then the W2k client will not be able to change the records where the DHCP server is the owner.
To overcome this, was coming the idea of DNSUPdateProxy group. If DHCP is memeber of this it will not take the ownership of the records.
And just in this case, it is strongly recomended to not have DHCP on a DC server. But again, nobody will force you to put your DHCP in DNSUpdateProxy. Gia Betiu
giabetiu@chello.nl
Computer Eng. CNE 4, CNE 5, soon MCSE2k
Take the security course, and you will find about subject there too!
But, reading what you are saying, doesn't look like how should be.
Issue 1. Old clients and their behaviour with DNS registration
- if you are setting "Enable Updates For DNS Clients That Do Not Support Dynamic Update" check box for a DHCP scope then those clients will benefit also of dynamic DNS updates. Their records will be written by the DHCP! And there is no need to make the DHCP server member of the DNSUpdateProxy. The owner of those records will be DHCP server. The problem will appear when the computer is upgraded. Then the W2k client will not be able to change the records where the DHCP server is the owner.
To overcome this, was coming the idea of DNSUPdateProxy group. If DHCP is memeber of this it will not take the ownership of the records.
And just in this case, it is strongly recomended to not have DHCP on a DC server. But again, nobody will force you to put your DHCP in DNSUpdateProxy. Gia Betiu
giabetiu@chello.nl
Computer Eng. CNE 4, CNE 5, soon MCSE2k
- Status
Similar threads
