Microsoft KB Archive/816908

= No Dynamic Domain Name System Update Proxy Credentials Are Defined on a Domain Controller with DHCP Installed =

PSS ID Number: 816908

Article Last Modified on 12/19/2003

-

The information in this article applies to:


 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, Standard Edition
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Datacenter Edition
 * Microsoft Windows Server 2003, 64-Bit Enterprise Edition
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Small Business Server 2003, Premium Edition
 * Microsoft Windows Small Business Server 2003, Standard Edition

-





SUMMARY
If all the following conditions exist, dynamic DNS registrations that the DHCP Server service performs with domain controller (DC) credentials may overwrite DNS records that belong to other hosts:
 * The DHCP Server service is installed on a DC.
 * The DHCP Server service is configured to perform Dynamic Domain Name System updates of the records on behalf of its clients.
 * No Dynamic Domain Name System update proxy credentials are defined.

This makes name hijacking possible if DHCP is configured to register A records for down-level clients: a client that requests a lease with a host name that another computer already owns gets that name registered over the existing record, because the update is made with the DC's credentials rather than with credentials that the existing record's owner could reject. In Windows Server 2003, you can specify whether DC credentials are used by setting the DnsRegistrationUseDcCredentials registry value (see "Specify DC Credentials" later in this article).

To minimize the potential of name hijacking, Microsoft does not recommend that you install the DHCP Server service configured to perform Dynamic Domain Name System update on a DC. Instead, install the DHCP Server service on a separate server that is not a DC. If the DHCP Server service must run on a DC, configure it with a dedicated Dynamic Domain Name System update (impersonation) account so that DC credentials are never used for client registrations.



Microsoft Windows 2000 Behavior
If the DHCP server is configured to perform Dynamic Domain Name System update on behalf of its clients:
 * The DHCP server is configured with an impersonation account: if impersonation succeeds, it uses this account for all Dynamic Domain Name System registrations on behalf of all clients. If impersonation fails, it logs an error in the Event log and does not try any registration. This is like Microsoft Windows NT 4.0.
 * The DHCP server is not configured with an impersonation account: it tries Dynamic Domain Name System updates on behalf of its clients by using DC credentials, which can overwrite registrations that already exist if DHCP and DNS are on the same DC.

For additional information about installing DHCP in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:

255134 Installing Dynamic Host Configuration Protocol (DHCP) and Domain Name

Windows Server 2003 Behavior
If the DHCP server is configured to perform Dynamic Domain Name System update on behalf of its clients:
 * The DHCP server is configured with an impersonation account: if impersonation succeeds, it uses this account for all Dynamic Domain Name System registrations on behalf of all clients. If impersonation fails, it logs an error in the Event log and does not try any registration.
 * The DHCP server is not configured with an impersonation account: if the DHCP server is running on a DC and DnsRegistrationUseDcCredentials is set to 0x1, it performs dynamic registration of the DNS records by using DC credentials. Otherwise, it logs an error in the Event log and does not try any Dynamic Domain Name System registration on behalf of clients. If the DHCP server is not running on a DC, it performs dynamic registration of the DNS records without any impersonation.

Specify DC Credentials
To specify whether to use DC credentials, set the DnsRegistrationUseDcCredentials value under the following DHCP Server service registry key. The value is a REG_DWORD with two possible settings:

 

ValueName: DnsRegistrationUseDcCredentials

Value Type: REG_DWORD
 * Value: 0x1: Perform dynamic registration of the DNS records by using DC credentials.
 * Value: 0x0: Log an error in the Event log and do not try any Dynamic Domain Name System registration on behalf of clients.

Note You must restart the DHCP service after you modify this value.
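The following PowerShell script is an added example for this article, not part of the original KB text: it encodes the Windows Server 2003 decision logic from the "Windows Server 2003 Behavior" section as a pure function, then audits the local DHCP server (is it a DC, is an impersonation account configured, what is DnsRegistrationUseDcCredentials set to) and reports whether client registrations would be made with DC credentials. Two things are assumptions rather than facts stated on this page: the registry key path used for the value, and the output format of netsh dhcp server show dnscredentials that is used to detect a configured impersonation account.

```powershell
# Added example, not code from KB 816908. Audits a DHCP server for the
# "DC credentials used for dynamic DNS registration" condition described above.

# ASSUMPTION: the article does not print the key path; this is where the value is expected.
$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters'

function Get-DhcpDnsRegistrationMode {
    # Pure encoding of the Windows Server 2003 behavior table, so the outcome
    # can be predicted (and unit-tested) without touching a live server.
    param(
        [bool]$IsDomainController,
        [bool]$HasImpersonationAccount,
        [int]$UseDcCredentials          # DnsRegistrationUseDcCredentials: 0x0 or 0x1
    )
    if ($HasImpersonationAccount) { return 'ImpersonationAccount' }  # all registrations use that account
    if (-not $IsDomainController) { return 'NoImpersonation' }       # member server: registers as itself
    if ($UseDcCredentials -eq 1)  { return 'DcCredentials' }         # name hijacking possible
    return 'RegistrationDisabled'                                    # logs an error, registers nothing
}

function Test-DhcpDcCredentialExposure {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    $os   = Get-WmiObject -Class Win32_OperatingSystem
    $isDc = ($os.ProductType -eq 2)

    # Impersonation (Dynamic DNS update proxy) account. ASSUMPTION: netsh prints a
    # "User Name:" line with a non-empty value when credentials are configured.
    $credText   = (netsh dhcp server show dnscredentials 2>$null) -join "`n"
    $hasAccount = [bool]($credText -match 'User Name\s*:\s*\S+')

    # Read DnsRegistrationUseDcCredentials; treat a missing value as 0x0.
    $useDc = 0
    $item = Get-ItemProperty -Path $ParamsKey -Name 'DnsRegistrationUseDcCredentials' -ErrorAction SilentlyContinue
    if ($item) { $useDc = [int]$item.DnsRegistrationUseDcCredentials }

    $mode = Get-DhcpDnsRegistrationMode -IsDomainController $isDc `
                                        -HasImpersonationAccount $hasAccount `
                                        -UseDcCredentials $useDc
    [pscustomobject]@{
        IsDomainController              = $isDc
        HasImpersonationAccount         = $hasAccount
        DnsRegistrationUseDcCredentials = $useDc
        Mode                            = $mode
        AtRisk                          = ($mode -eq 'DcCredentials')
    }
}

# Remediation when AtRisk is $true, in order of preference. Restart the DHCP
# Server service after any registry change, as the article notes.
#   1. Move the DHCP Server service to a member server that is not a DC.
#   2. Configure a dedicated, low-privilege impersonation account:
#        netsh dhcp server set dnscredentials <user> <domain> <password>
#   3. Stop DHCP from using DC credentials (client names then go unregistered):
#        Set-ItemProperty -Path $ParamsKey -Name DnsRegistrationUseDcCredentials -Value 0 -Type DWord
#        Restart-Service DHCPServer

Test-DhcpDcCredentialExposure | Format-List
```

Run the script on the DHCP server itself with an account that can read the DHCPServer Parameters key. The AtRisk field is true only for the exact combination the article warns about: DHCP on a DC, no impersonation account, and DnsRegistrationUseDcCredentials set to 0x1. Option 3 trades the hijacking risk for unregistered down-level clients, which is why a dedicated impersonation account (option 2) or moving DHCP off the DC (option 1) is preferable.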

Keywords: kbinfo KB816908

Technology: kbSBServ2003Pre kbSBServ2003Search kbSBServ2003St kbSBServSearch kbWinServ2003Data kbWinServ2003Data64bit kbWinServ2003Data64bitSearch kbWinServ2003DataSearch kbWinServ2003Ent kbWinServ2003Ent64bit kbWinServ2003Ent64bitSearch kbWinServ2003EntSearch kbWinServ2003Search kbWinServ2003St kbWinServ2003Web

-


© 2004 Microsoft Corporation. All rights reserved.