Hi, we have DHCP set up on our DCs using the default credentials for DDNS. I've been reviewing this as we are finding DHCP is not removing all records whose lease has expired. This has been made worse recently as we have had to set one of the DHCP scopes to have a short lease time of 8 hours due to address shortages and a high number of transient workers. The questions I have are:
1. Do I need to add the servers to the DnsUpdateProxy group and have the DDNS process use a different account other than the default? What would this achieve, as surely with DDNS running under the DC credentials we already have full permission to create/delete records?
2. I can understand why running DDNS under a DC's security privileges presents an increased risk and is not recommended. Does using the DnsUpdateProxy group with a DC present any additional risk?
Thanks for any advice.