A. Windows 2000 introduces support for Dynamic DNS, which allows clients to
create and update their own DNS records. This is most commonly done via DHCP,
but it introduces a potential problem: clients may incorrectly change DNS
entries and "hijack" a record that belongs to another machine.

The solution is to use secure dynamic update, but this is only available on
Active Directory-integrated zones, so the DNS server must be running on a
domain controller. With secure dynamic update the Domain Controllers group has
full control over the zones. The problem is that if DHCP is also installed on
a domain controller, the DHCP Server service runs under the domain
controller's computer account, and that account has full control over the DNS
zone even when secure update is configured.

This situation would allow earlier DHCP clients, or deliberate hacking code,
to overwrite the DNS records of a legitimate computer and hijack its name. The
solution is not to install DHCP on a domain controller, and this is what
Microsoft suggests.
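The following PowerShell script is an added example, not part of the original
FAQ answer, for auditing one server for exactly the condition described above:
DHCP Server installed on a domain controller whose zones rely on secure dynamic
update. It assumes a modern Windows Server with the DnsServer module available
(Get-DnsServerZone); the Windows 2000-era tooling the article refers to
predates these cmdlets. The function name Test-DhcpOnDomainController is the
example's own.

```powershell
# Added example (not from the original FAQ): audit this server for the
# "DHCP on a domain controller" condition. Assumes Windows Server with the
# DnsServer module installed; Get-DnsServerZone is skipped if it is absent.

function Test-DhcpOnDomainController {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Is this machine a domain controller?
    #    Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $isDomainController = $cs.DomainRole -ge 4

    # 2. Is the DHCP Server service present, and under which account does it run?
    #    LocalSystem and NetworkService both authenticate over the network as the
    #    computer account, so on a DC the DHCP service inherits the Domain
    #    Controllers group's full control over AD-integrated zones.
    $dhcpSvc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DHCPServer'"

    # 3. Which primary zones accept dynamic updates, and are they secure-only?
    $zones = @()
    if (Get-Command Get-DnsServerZone -ErrorAction SilentlyContinue) {
        $zones = @(Get-DnsServerZone |
            Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' })
    }

    foreach ($z in $zones) {
        if ($z.DynamicUpdate -eq 'NonsecureAndSecure') {
            $findings.Add("Zone '$($z.ZoneName)' accepts non-secure dynamic updates; " +
                          "any client can overwrite another machine's record.")
        }
        elseif ($z.DynamicUpdate -eq 'Secure' -and -not $z.IsDsIntegrated) {
            # Secure update only exists on AD-integrated zones; flag inconsistent data.
            $findings.Add("Zone '$($z.ZoneName)' reports secure update but is not AD-integrated.")
        }
    }

    if ($isDomainController -and $dhcpSvc) {
        $findings.Add("DHCP Server is installed on a domain controller and runs as " +
                      "'$($dhcpSvc.StartName)'; its registrations use the DC computer " +
                      "account, which has full control over AD-integrated zones even " +
                      "with secure update enabled.")
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = $isDomainController
        DhcpServiceAccount = if ($dhcpSvc) { $dhcpSvc.StartName } else { $null }
        ZonesChecked       = $zones.Count
        Findings           = $findings.ToArray()
    }
}

# Run locally as an administrator and read the Findings list.
Test-DhcpOnDomainController | Format-List
```

An empty Findings list means the server is either not a domain controller, has no DHCP Server service, or has only secure-only AD-integrated zones; any entry about DHCP on a DC is the configuration the article advises against, and the article's remedy is to move DHCP off the domain controller.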