DHCP on a DC

[CP]

I have worked on a fairly large 2000 network. 1 forest, 11
child domains and all child domains had DHCP on their DC's.

I have moved to a new company and am helping them put some
fault tolerance in the network to prepare for large
growth. I recently read that MS recommends that the DHCP
service should not exist on Windows 2000 DC's.

I understand the DNS hijacking issue with DDNS for non-W2k
clients (i.e. 95,98 and NT4). I guess my questions are as
follows:

1) If I have no legacy clients in my enviornment what is
my exposure?
2) When did this changed? I never read this caveat about
DHCP when we were deploying W2k in my old company? (Just
curious)
3) If I do not allow DDNS updates for "ALL" clients is
that enough to mitigate the security risk. In other words,
set it to only update DNS for clients that request it.
4) If the answer is to set DNS for "secure only" updates
and to disable DDNS updates in DHCP than what is the
ramification on the network? (i.e. to the clients, which
are all W2k or XP pro, to the 3 NT4 servers I have left in
the environment).

I would appreciate any and all comments.

Thank you in advance.

 

[Matjaz Ladava [MVP]]

You are probably refering to this article
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q255134

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000), Windows MVP
(e-mail address removed)
http://ladava.com

 

[CP]

Yes.. That article and a few other readings.

I have never done this and in the large company I worked
for previously we had no issues with DHCP.

Any thoughts as to this issue and my questions?