https://blogs.technet.microsoft.com/stdqry/2012/04/03/dhcp-server-in-dcs-and-dns-registrations/
https://technet.microsoft.com/en-us/library/dd334715(v=ws.10).aspx

This is what we've done with DHCP on a DC.  Have a user "DHCP_user" in 
the Protected Users group and the DNSUpdateProxy group. Use this for 
alternate credentials.

Note that first article says:
"A common error is to think that the DHCP Server service running in a DC 
will use its service account security context to register records in DNS 
if no alternate credentials are configured, and then there is security 
risk. In fact, this is not the behavior of the DHCP Server in a DC.

If the DHCP Server service detects that it is running in a domain 
controller, and no alternate credentials for DNS registrations have been 
configured, then it decides to not do any registrations for DHCP clients 
and logs event DHCP/1056."

It also starts with:
"One common deployment scenario for the DHCP Server service is to have it 
installed in domain controllers. When this scenario is used it is 
necessary to define the alternate credentials to be used by DHCP when 
doing DNS registrations on behalf of the DHCP clients."

If you can separate them with no downside, go for it.  However, running 
DHCP on a DC appears to be accounted for and can be addressed by the above.

-- Mark
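A PowerShell version of the setup Mark describes (a "DHCP_user" account in DnsUpdateProxy and Protected Users, handed to the DHCP Server service as its alternate DNS credentials), with a check for the DHCP/1056 event the first article mentions. This is an added example, not code from the thread or from Microsoft; the server name DC01 and the interactive password prompts are assumptions.

```powershell
# Added example (not from the thread): provision the alternate-credential
# account from the post and bind it to the DHCP Server service on a DC.
# Assumes the ActiveDirectory and DhcpServer modules (RSAT) are installed
# and that DC01 (placeholder) is the DC that also runs DHCP.
Import-Module ActiveDirectory
Import-Module DhcpServer

$DhcpServer  = 'DC01'        # placeholder name
$AccountName = 'DHCP_user'   # account name used in the post

# 1. Create a low-privilege user whose only job is DNS registration.
#    Prompting for the password keeps it out of the script and history.
$Password = Read-Host -Prompt "Password for $AccountName" -AsSecureString
New-ADUser -Name $AccountName -SamAccountName $AccountName `
    -AccountPassword $Password -Enabled $true `
    -Description 'DHCP dynamic DNS updates on behalf of clients'

# 2. Group membership as in the post: DnsUpdateProxy lets the account
#    register records for clients; Protected Users blocks NTLM and weak
#    Kerberos encryption types for this account.
Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members $AccountName
Add-ADGroupMember -Identity 'Protected Users' -Members $AccountName

# 3. Give the credentials to the DHCP Server service and read them back.
#    Re-run this step whenever the account's password is changed, since
#    the service keeps its own copy of the credential.
$Cred = Get-Credential -UserName "$env:USERDNSDOMAIN\$AccountName" `
    -Message 'Credential the DHCP server will use for DNS registration'
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $Cred
Get-DhcpServerDnsCredential -ComputerName $DhcpServer

# 4. Look for event 1056: DHCP running on a DC with no alternate
#    credentials, so client registrations were skipped. Filtering on the
#    ID first and the provider name second avoids depending on the exact
#    provider string of a given Windows version.
Get-WinEvent -ComputerName $DhcpServer `
    -FilterHashtable @{ LogName = 'System'; Id = 1056 } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*DHCP*' } |
    Select-Object TimeCreated, ProviderName, Message
```

If step 4 returns nothing after the service has been restarted, the server has accepted the alternate credentials and is no longer refusing client registrations.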




From:   "Heaton, Joseph@Wildlife" <[email protected]>
To:     'NT System Admin Issues Discussion list' 
<[email protected]>
Date:   11/29/2017 02:49 PM
Subject:        [NTSysADM] DHCP role
Sent by:        "[email protected]" <listsadmin



Is it still best practice to have DHCP NOT on a DC?  I've been reading a 
bunch of stuff, but everything I'm reading refers to Server 2003 or older.
 
Joe Heaton
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  916-323-1284
 

