Dynamic DNS is a feature that allows hosts to register their own records in DNS, removing the need for administrators to create records manually. In addition, Secure Dynamic Update can be required for zones that are Active Directory-integrated (and should be required, per best practices), which allows only members of the Authenticated Users group to register records. When a DHCP server is added to the DnsUpdateProxy group, the records it registers aren't secured, meaning that other DHCP servers can update them. In addition, hosts can change those records and then become their owner. (The first host that isn't a member of DnsUpdateProxy to update such a record becomes its owner.) This is very dangerous if a DHCP server is also a domain controller, because it means that all the Active Directory records for that domain controller are written with no security and can therefore be overwritten by other hosts (although an additional setting, OpenAclOnProxyUpdates, helps prevent this: when set to a value of 0, it stops those records from being overwritten by any server that isn't a member of the DnsUpdateProxy group). There's a better solution, however, which also solves the issue of DHCP running on a domain controller.
You should specify a regular Active Directory user with no special privileges as the account the DHCP server uses for DNS updates, but the password should be set to never expire (or you should have a really good process to update it periodically!). You would then specify this configuration on all DHCP servers, so that all DHCP servers use the same account to perform DNS updates. This means all DNS records registered by the DHCP servers would be owned by the specified account that is common to all DHCP servers. Those records have an ACL on them that stops registered records from being hijacked by other hosts. When DHCP is used to allocate IP addresses, the default configuration is shown below, which tells the DHCP server to register records in DNS on behalf of clients only if requested to do so by the client or if the client is unable to dynamically register (e.g., Windows NT 4.0).
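The following PowerShell is an added example, not part of the original article: it applies the same dedicated, low-privilege update account to every DHCP server, keeps the default dynamic-update policy the article describes, and then verifies that all servers report the same account. It assumes the DhcpServer module (Windows Server 2012 or later) and the ActiveDirectory module; the server names and the account name are constructed placeholders to replace with your own.

```powershell
# Added example (not from the original article). Assumes the DhcpServer and
# ActiveDirectory PowerShell modules. Server names and account are placeholders.
$dhcpServers = @('dhcp01.corp.example', 'dhcp02.corp.example')   # constructed placeholders

# A regular domain user with no special privileges; prompt for its credentials.
$cred = Get-Credential -Message 'DNS dynamic update account (e.g. CORP\svc-dhcpdns)'

# The article recommends a non-expiring password (or a solid rotation process).
$samAccount = $cred.GetNetworkCredential().UserName
Set-ADUser -Identity $samAccount -PasswordNeverExpires $true

foreach ($server in $dhcpServers) {
    # Same account on every DHCP server, so all DHCP-registered records share one owner.
    Set-DhcpServerDnsCredential -Credential $cred -ComputerName $server

    # Default policy from the article: update A/PTR only when the client requests it,
    # and update on behalf of older clients that cannot register themselves.
    Set-DhcpServerv4DnsSetting -ComputerName $server `
        -DynamicUpdates OnClientRequest `
        -UpdateDnsRRForOlderClients $true
}

# Verification: every server should report the same DOMAIN\user for DNS updates.
$dhcpServers | ForEach-Object {
    $c = Get-DhcpServerDnsCredential -ComputerName $_
    [pscustomobject]@{ Server = $_; UpdateAccount = "$($c.DomainName)\$($c.UserName)" }
} | Format-Table -AutoSize
```

Because the credential is what gives the registered records a single, consistent owner, the verification step is worth running after any DHCP server is rebuilt or added; a server left with no credential falls back to registering records under its own computer account, which is exactly the situation the article is trying to avoid.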
What this means in practice is the following: This means the DHCP server's computer account will own certain records in DNS, such as the PTR records and even some A records for older hosts.
(However, it's unlikely that you would have many NT 4.0 hosts in your environment.) This can cause the following two problems: For this reason, DHCP servers could be added to a group called DnsUpdateProxy.