A. Windows 2000 introduces support for Dynamic DNS which allows clients to update/create DNS records. This is most commonly done via DHCP but introduces a potential problem where clients may incorrectly change DNS entries and "hijack" the record.
The solution is to use secure dynamic update but this is only available on Active Directory-integrated zones so must be running on a domain controller. With secure dynamic update the domain controllers group has full control over the zones but the problem is if DHCP is also installed on a domain controller the DHCP server service runs under the domain controller computer account and this has full control over the DNS zone even if secure update is configured.
The above situation would allow earlier DHCP clients or deliberate hacking code to overwrite DNS records of a legitimate computer and hijack its name.
The solution to this is to not have DHCP installed on a domain controller and this is what Microsoft suggest.