
Back story.
So we had a development engineer (who just happened to have access to a domain admin account) who set up a handful of DHCP servers on our domain. This caused headaches, as the new DHCP servers were authorized on our domain and made authoritative.

These servers are temporary and are being moved to another third-party site. We've cleaned up the headaches and worked out a timeline to unauthorize them before the move. My job is to unauthorize the servers when the time comes to move them and to clean up any leftovers.

One server has already been decommed (role removed and removed from domain). That means this has to be my order of operations (for the first server):
1. Remove DHCP server role from rogue server.
2. Remove rogue server from our domain.
3. Unauthorize rogue server in DHCP mmc.
I would prefer to unauthorize the server before removing the role from it. I can do so with the other 2 servers that are moving at a later date. Moving on...

Another sys-admin was working this before me; she expressed concern that AD would sync AD information/objects with the DHCP servers. I'm not aware of AD syncing anything to a DHCP server, but this other sys-admin mentioning it has me (and my manager) worried. My manager wants to be completely sure that there is no AD data on the rogue servers once they are decommed and moved out, including any references to the domain account that the DHCP service was running under. It seems rebuilding the servers (to cleanly eliminate any security worries after moving them off-site) is not an option. I do not (yet) know which version of Windows Server they are running.

So the question(s):
What needs to be corrected or cleaned up with the order of operations?
Is there any AD data (including logs, though their location is usually pretty standard) that I need to clean up from the decommed DHCP servers?
Will there be any references to the domain account that the DHCP service ran under and where will I find those to clean them?

Thomas
  • Domain members that are not Domain Controllers do not hold any AD data. – joeqwerty Nov 05 '13 at 23:59
  • Your colleague has no idea what she is talking about. – MDMarra Nov 06 '13 at 00:09
  • And you should really read up on MS's implementation of DHCP, too. – mfinni Nov 06 '13 at 00:18
  • @joeqwerty That's what I thought, but she has been at this job a lot longer than I have been, so I gave her the benefit of the doubt, assuming she knew something I didn't know. – Thomas Nov 06 '13 at 05:15
  • @mfinni I definitely won't claim to know everything (at least not this time), but I do know my way around DHCP/AD/DNS fairly well. However, I've never had a rogue DHCP server thrown onto one of my domains before. (Users bringing their own wifi routers doesn't count.) I figure it's better to defer to the community here than to make assumptions and potentially cause more trouble. – Thomas Nov 06 '13 at 05:39
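The order of operations the question lists, done in the order the poster says they prefer (unauthorize first, then remove the role, then unjoin), as an added PowerShell example that is not part of the original post. The server name, IP address and workgroup name are placeholders. It assumes a domain-joined management host, an Enterprise Admins account (DHCP authorization is stored in the Configuration partition of the forest, under CN=NetServices,CN=Services,CN=Configuration), WinRM access to the rogue server, and either the DhcpServer module (Server 2012 and later, or RSAT) or netsh on older releases, since the OS version is not yet known:

```powershell
# Added example (not from the original post): unauthorize a rogue DHCP server in
# the poster's preferred order, then remove the role, then unjoin the machine.
# Run on a domain-joined management host as a member of Enterprise Admins.
# The server name, IP and workgroup below are placeholders, not the poster's values.
$rogueDns = 'devdhcp01.corp.example.com'
$rogueIp  = '10.20.30.41'
$cred     = Get-Credential -Message 'Account allowed to administer and unjoin the server'

function Get-AuthorizedDhcpServers {
    # DhcpServer module = Server 2012+/RSAT; fall back to netsh on older builds.
    if (Get-Command Get-DhcpServerInDC -ErrorAction SilentlyContinue) {
        Get-DhcpServerInDC | Select-Object DnsName, IPAddress
    } else {
        netsh dhcp show server   # plain-text list; read it by eye
    }
}

# 0. Inspect the current authorization list before touching anything.
Get-AuthorizedDhcpServers

# 1. Unauthorize while the role is still installed and the host is still a domain
#    member: a domain-joined DHCP server that is not authorized stops serving
#    leases on its own, so clients fall back to the legitimate servers.
if (Get-Command Remove-DhcpServerInDC -ErrorAction SilentlyContinue) {
    Remove-DhcpServerInDC -DnsName $rogueDns -IPAddress $rogueIp
} else {
    netsh dhcp delete server $rogueDns $rogueIp
}

# 2. On the rogue server: drop the stored DNS dynamic-update credential (if the
#    role has one; Server 2012+ cmdlet) and remove the role. Assumes WinRM.
Invoke-Command -ComputerName $rogueDns -Credential $cred -ScriptBlock {
    if (Get-Command Remove-DhcpServerDnsCredential -ErrorAction SilentlyContinue) {
        Remove-DhcpServerDnsCredential
    }
    Uninstall-WindowsFeature -Name DHCP -IncludeManagementTools
}

# 3. Only now unjoin the server from the domain; it reboots into a workgroup.
Invoke-Command -ComputerName $rogueDns -Credential $cred -ScriptBlock {
    Remove-Computer -UnjoinDomainCredential $using:cred -WorkgroupName 'WORKGROUP' -Force -Restart
}

# 4. Confirm the entry is gone. For the server that was already decommissioned
#    and unjoined, step 1 alone is what removes its orphaned authorization entry,
#    because the entry lives in AD, not on the server.
Get-AuthorizedDhcpServers |
    Where-Object { $_.DnsName -eq $rogueDns -or $_ -like "*$rogueDns*" }
```

Step 1 is the part that matters for the already-decommissioned server: its authorization object is in AD, so it can be removed by DNS name and IP address without the server existing at all, which is why unauthorizing last for that box is harmless.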

2 Answers

5

What needs to be corrected or cleaned up with the order of operations?

Nothing

Is there any AD data (including logs, though their location is usually pretty standard) that I need to clean up from the decommed DHCP servers?

No. There's no AD data in the DHCP database, AD data is in the AD database.

Will there be any references to the domain account that the DHCP service ran under and where will I find those to clean them?

Typically, DHCP isn't run as a service account. If it was set up so, look at the damned servers and see what the DHCP Server service is running as.

You're definitely over-thinking this, FYI.

mfinni
  • Thanks for the clear answer :) succinct and to the point. Yes, I overthink everything. But in this case it's better safe than sorry. FYI SOP at this company is to run DHCP in a limited 'service' account, I presume for security and I've been told for ensuring that manually added DNS entries have priority over DHCP entries - part of the trouble with these rogue servers is DHCP DNS names overwriting static DNS entries because they were running with full dom admin rights - at least, that's what they tell me. I've only been at this company for 3 weeks and some of their logic eludes me. – Thomas Nov 06 '13 at 05:28
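Checking what the DHCP Server service actually runs as, plus the other places on a member server where a domain account can be referenced (service logon accounts, the DHCP role's DNS-update credential, scheduled tasks, leftover user profiles, local group membership and the Security event log), as an added example that is not part of mfinni's answer. It is PowerShell to run elevated on the server itself, before unjoining it, because SID-to-name translation needs a reachable domain controller. The NetBIOS domain name is a placeholder:

```powershell
# Added example (not from the answer above): list where a domain account may still
# be referenced on a DHCP member server. Run elevated on the server BEFORE it is
# unjoined (SID-to-name lookup needs a DC). The domain name below is a placeholder.
$domainNetbios = 'CORP'

function Get-DomainAccountReferences {
    param([Parameter(Mandatory)][string]$Domain)
    $hits = New-Object System.Collections.Generic.List[object]
    function Add-Hit($Kind, $Name, $Account) {
        $hits.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; Account = $Account })
    }

    # 1. Service logon accounts. The DHCP Server service (name 'DHCPServer') runs as
    #    LocalSystem by default; a DOMAIN\user here was configured deliberately.
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -like "$Domain\*" -or $_.StartName -like "*@*" } |
        ForEach-Object { Add-Hit 'Service' $_.Name $_.StartName }

    # 2. The DHCP role's own DNS dynamic-update credential (Server 2012+ cmdlet).
    if (Get-Command Get-DhcpServerDnsCredential -ErrorAction SilentlyContinue) {
        $c = Get-DhcpServerDnsCredential -ErrorAction SilentlyContinue
        if ($c -and $c.UserName) {
            Add-Hit 'DhcpDnsCredential' 'DHCPServer' "$($c.DomainName)\$($c.UserName)"
        }
    }

    # 3. Scheduled tasks that run as domain principals.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.Principal.UserId -like "$Domain\*" } |
        ForEach-Object { Add-Hit 'ScheduledTask' $_.TaskName $_.Principal.UserId }

    # 4. Local profiles left behind by logons with domain accounts.
    foreach ($p in Get-CimInstance Win32_UserProfile | Where-Object { -not $_.Special }) {
        $sid = $p.SID
        try {
            $name = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { $name = $sid }   # translation fails once the box is off the domain
        if ($name -like "$Domain\*") { Add-Hit 'UserProfile' $p.LocalPath $name }
    }

    # 5. Domain principals in local groups (net.exe exists on every version).
    foreach ($g in 'Administrators', 'Remote Desktop Users') {
        net localgroup "$g" 2>$null | Where-Object { $_ -like "$Domain\*" } |
            ForEach-Object { Add-Hit 'LocalGroup' $g $_.Trim() }
    }

    # 6. Logon events (ID 4624) naming the domain. The file itself is
    #    %SystemRoot%\System32\winevt\Logs\Security.evtx.
    $logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                  -MaxEvents 5000 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "Account Domain:\s+$Domain\b" }
    if ($logons) { Add-Hit 'SecurityLog' "4624 x$(@($logons).Count)" $Domain }

    $hits
}

Get-DomainAccountReferences -Domain $domainNetbios | Format-Table -AutoSize
```

None of this is AD data; it is the same residue any domain member carries. The DHCP audit logs (DhcpSrvLog-*.log under %SystemRoot%\System32\dhcp) record client hostnames, MAC addresses and leases, not accounts. If the event log hits are a concern for the hand-off, `wevtutil cl Security` clears that log, and a profile directory listed under UserProfile can be removed from System Properties > User Profiles (or `Remove-CimInstance` on the Win32_UserProfile object).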
-2

If the DHCP servers were added to the domain, then there will definitely be references to the domain after they have been removed from it. The only safe way to guarantee there is no AD data on the server is to wipe the disks and reinstall windows (though it may still be possible to get the data back with the use of data recovery software).

Foxocube
  • Define "references to the domain." Please identify any should-be-secured data on a DHCP server, because I'm quite certain that there isn't any. Other than the logs showing IP addresses, which isn't something typically seen as OMG PII private DEFCON. – mfinni Nov 06 '13 at 00:02
  • This answer appears to be patently incorrect. If the DHCP server is not a Domain Controller then it will have no AD "data" on it. Can you clarify what you mean? – joeqwerty Nov 06 '13 at 00:03
  • Exactly what "AD Data" is going to be present on a DHCP member server? – MDMarra Nov 06 '13 at 00:03
  • If you ever logged in with a domain account, there will be multiple references to that account within all the logs. TBH if the server is going out to another client/site, it's probably best to wipe the server anyway, esp if they were set up haphazardly in the first place (you never know what time bombs the engineer left) – Foxocube Nov 06 '13 at 00:04
  • OK. Maybe you can clarify your answer to state that there may be user profile data related to domain users on the server. – joeqwerty Nov 06 '13 at 00:05
  • "references to the account" means the workstation, user, and domain account names will be in the logs. Yes. Transferring a computer (any computer) to a 3rd party should always be wiped, yes I'll agree with that. That has absolutely nothing to do with the fact that it was a DHCP server, and I would not ever call that "AD data", because it isn't. AD data is in the AD database, stored only on domain controllers. – mfinni Nov 06 '13 at 00:06
  • @mfinni good point, I was interpreting the question more as data /from/ AD – Foxocube Nov 06 '13 at 00:08
  • A user profile is generally not considered to be "AD Data." If this is what you're referring to, it's no different than any other domain member. The OP clearly believes that there is additional data above and beyond things like this that is specific to DHCP, which is not the case. – MDMarra Nov 06 '13 at 00:08
  • The OP has _been led to believe_ that there's additional data ;) I totally agree on wiping it being the better policy, however my understanding is that these machines were set up in the first place in order to pre-configure them before sending them out - wiping them would be undoing that. I may still suggest it to my manager. And don't ask me what the engineer was doing with a dom admin account in the first place >. – Thomas Nov 06 '13 at 05:19