Best Practices

  • Do not install the DHCP Server service on a domain controller.

    If you install DHCP on a domain controller, ensure that the DHCP server computer account is never added to the DNSUpdateProxy group. Membership in this group prevents the DHCP server from taking ownership of DNS resource records registered by the DHCP server (including SRV resource records) if the DNS service is installed on a domain controller.

  • Do not use DHCP-assigned addresses for servers.

    It is preferable to assign static IP addresses to servers and critical workstations to ensure they cannot receive incorrect TCP/IP configuration information from a rogue DHCP server.

  • Monitor membership in the DNSUpdateProxy group.

    Unless you are performing computer upgrades or maintaining multiple DHCP servers on the network, the DNSUpdateProxy group should not have any members. Membership in the DNSUpdateProxy group prevents a DHCP server from taking ownership of the resource records it registers with DNS.

  • Monitor membership in the DHCP Administrators group.

    Members of the DHCP Administrators group can modify DHCP configuration. Also watch membership in the local Administrators group, the Domain Admins group, and the Enterprise Admins group because these groups have permissions to allow management of the DHCP server.

  • Enable DHCP auditing.

    DHCP auditing allows you to track which devices are assigned DHCP addresses and to troubleshoot address conflicts when BAD_ADDRESS entries appear in the DHCP database.

  • Do not change the default behavior for DNS registration.

    The default behavior for DHCP is that the DHCP server owns the PTR resource records and the DHCP client owns the A resource records. Do not change this behavior unless you require that the DHCP server owns all DNS resource records.
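
One way to carry out the two membership-monitoring items above, as an added example that is not from the book: it compares current members of each group against an approved baseline and marks any domain controller account found in DNSUpdateProxy. The approved distinguished names are constructed placeholders, and the script assumes the ActiveDirectory module is installed and that the groups are resolvable in the current domain (a group that is not is reported with a warning).

```powershell
#Requires -Modules ActiveDirectory
# Added example: report unapproved members of the groups named in the guidance.
# The approved lists are constructed placeholders; replace them with your baseline.
$approved = [ordered]@{
    'DnsUpdateProxy'      = @()   # guidance above: normally no members
    'DHCP Administrators' = @('CN=DHCP-Ops,OU=Groups,DC=example,DC=test')
    'Domain Admins'       = @('CN=Administrator,CN=Users,DC=example,DC=test')
    'Enterprise Admins'   = @('CN=Administrator,CN=Users,DC=example,DC=test')
}

# Computer accounts of all domain controllers in the current domain.
$dcAccounts = @(Get-ADDomainController -Filter * |
    Select-Object -ExpandProperty ComputerObjectDN)

$findings = foreach ($group in $approved.Keys) {
    try {
        # Direct members only: a nested group shows up as a member itself.
        $members = @(Get-ADGroupMember -Identity $group -ErrorAction Stop)
    }
    catch {
        Write-Warning "Cannot read '$group' in this domain: $($_.Exception.Message)"
        continue
    }
    foreach ($member in $members) {
        if ($approved[$group] -notcontains $member.DistinguishedName) {
            [pscustomobject]@{
                Group  = $group
                Member = $member.SamAccountName
                Class  = $member.objectClass
                # A domain controller in DnsUpdateProxy is the case the first item warns about.
                DcInDnsUpdateProxy = ($group -eq 'DnsUpdateProxy' -and
                                      $dcAccounts -contains $member.DistinguishedName)
            }
        }
    }
}

if ($findings) { $findings | Sort-Object Group, Member | Format-Table -AutoSize }
else           { 'No unapproved members found.' }
```

The local Administrators group on the DHCP server is not an Active Directory group and has to be checked on the server itself.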



Microsoft Windows Security Resource Kit
ISBN: 0735621748
EAN: 2147483647
Year: 2003
Pages: 189
