Article ID: 255134
This article was previously published under Q255134
When the Dynamic Host Configuration Protocol (DHCP) Server service on a Windows 2000-based computer is installed on a domain controller, and it is configured to perform Dynamic Domain Name System (DDNS) updates on behalf of its clients in DNS zones that are configured to allow only secure dynamic updates, the DHCP Server service may overwrite records for which it was never explicitly granted write permissions.
Standard DDNS is prone to name hijacking. To provide protection from name hijacking, you can configure DNS zones hosted on Windows 2000 DNS Servers for Secure Dynamic Updates. Note that this feature is only available on Active Directory-integrated zones.
By default, the Domain Controllers (DCs) group has full control of all DNS zones and records. Because the DHCP Server service runs under the domain controller's computer account, it inherits that full control. As a result, the DHCP Server service has the authority to update or delete any DNS record that is registered in a secure Active Directory-integrated zone, including records that were securely registered by other Windows 2000-based computers and by other domain controllers.
To minimize the potential of name hijacking, Microsoft does not recommend that you install the DHCP Server service configured to perform DDNS update on a DC. Instead, install the DHCP Server service on a separate server, and not a domain controller.
Windows 2000 Service Pack 1 Information
To overcome the name hijacking issue that is described in this article, Windows 2000 Service Pack 1 includes the following changes:
You can configure the DHCP Server service to impersonate an account when it performs DNS registrations. The Netsh.exe tool is used to configure the impersonation credentials. Before you use Netsh.exe, create a dedicated user account in Active Directory; the DHCP Server service then uses that account's credentials whenever it performs a secure Dynamic DNS update. For information about how to create a user account in Active Directory, see the "Active Directory user accounts, adding" topic in Windows 2000 Help.
How to Use the Netsh.exe Tool
NOTE: A Netsh.exe command has completed successfully only when you receive a "Command Successfully Completed" message.
How to Configure the DHCP Server Service to Impersonate an Account
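The following script is an added example, not the article's own procedure: it stores a dedicated, low-privilege Active Directory account as the DHCP Server service's DNS update credentials with the netsh "dnscredentials" context, checks for the success message the note above describes, and restarts the service so the new credentials take effect. The account name and domain are placeholders; the account is assumed to already exist in Active Directory and to be nothing more than an ordinary user.

```powershell
# Added example (not from the KB article). Run from an elevated prompt on the
# DHCP server. The account and domain below are placeholders you must replace.
$User   = 'dhcp-dnsupdate'   # assumed dedicated user account created in AD beforehand
$Domain = 'CORP'             # assumed NetBIOS name of the domain that holds the account

# Prompt for the password so it is not left in script history or on the command line.
$Secure = Read-Host -AsSecureString "Password for $Domain\$User"
$Bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
try {
    # netsh only accepts a plaintext password argument, so decode it just in time.
    $Plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)

    # Store the impersonation credentials used for secure Dynamic DNS updates.
    $Result = netsh dhcp server set dnscredentials $User $Domain $Plain 2>&1

    # netsh does not reliably set an exit code; the success message is the
    # only confirmation, as the article's note explains.
    if (($Result -join ' ') -notmatch 'successfully') {
        throw "netsh did not confirm success: $Result"
    }
}
finally {
    # Wipe the decoded password from memory as soon as netsh is done with it.
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)
    $Plain = $null
}

# Show which account is now configured (the password is never displayed).
netsh dhcp server show dnscredentials

# The DHCP Server service reads the credentials at start-up, so restart it.
Restart-Service -Name DHCPServer
```

After the restart, records that the DHCP Server service registers are owned by the dedicated account rather than the domain controller's computer account, so the service can no longer overwrite records that other computers registered securely.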
Article ID: 255134 - Last Review: October 26, 2007 - Revision: 2.6