You cannot delegate DHCP administration or WINS administration on a per-server basis when the DHCP service and the WINS service run on domain controllers (887357)
The information in this article applies to:
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Datacenter Edition
- Microsoft Windows Server 2003, Standard Edition
INTRODUCTIONYou cannot delegate Dynamic Host Configuration Protocol (DHCP) administration or Windows Internet Name Service (WINS) administration on a per-server basis when the DHCP service and the WINS service run on domain controllers.MORE INFORMATIONWhen the DHCP service is installed on a member server, the DHCP Administrators local group is created. When the DHCP service is installed on a domain controller, the DHCP Administrators local group becomes a domain local group. The DHCP Administrators domain local group is then replicated to all the domain controllers. This lets the members of this domain local group to have administrator rights for all DHCP services if the DHCP services run on a domain controller.
On a WINS server, the System Operators domain group and the Account Operators domain group have Read and Control rights to the Remote Procedure Call (RPC) service. These domain local groups have Read and Control rights on every domain controller even if the DHCP service or the WINS service does not run on the domain controllers. The System Operators domain group and the Account Operators domain group are very powerful. An account that has Read and Control rights on a domain controller always has the same right on all domain controllers. The only way that you can delegate administration for a WINS server or for a DHCP server is to deploy the WINS service or the DHCP service on a separate server.STATUS
This behavior is by design.
| Modification Type: | Major | Last Reviewed: | 12/22/2004 |
|---|
| Keywords: | kbnetwork kbwinservnetwork kbhowto KB887357 kbAudITPRO |
|---|
|