I had a discussion in the newsgroups lately about DHCP and the DNSUpdateProxy group, which is used to write unsecured DNS entries to a DNS zone that only allows secure updates. That's probably not the correct definition, but it describes pretty much what it does. Using DHCP on Windows 2000 Server (with SP2 and above) or, even better, on Windows Server 2003, you are able to define accounts which the DHCP server should use for registering the DNS records. You should use this technique; there are almost no reasons to put the DHCP server in the DNSUpdateProxy group anymore.
Issues which were solved by the DNSUpdateProxy group in the past were clustering and overlapping scopes. For example, if you run DHCP on a cluster and it's running on Node1, it will write the records it registers (usually PTR records for W2k+ clients and A + PTR records for downlevel clients) to the DNS zone and allow updates only to the computer account of Node1. Now if the cluster resource fails over to Node2 and a client receives an IP address which already existed before, Node2 is not able to update the DNS records, because only Node1 is supposed to update them. Putting the computer accounts of Node1 and Node2 into the DNSUpdateProxy group modifies the way the DHCP server writes the records: it allows "Authenticated Users" to update the record, which is the same as if you were putting the record in there without security. I just don't like that. With Windows 2000 SP2 and above you are able to change the credentials under which the DHCP service is running, and the service will use those credentials to write the records. Windows Server 2003 DHCP allows you to keep the service running with its default credentials and to configure the account it is supposed to use for registering records in the properties of the DHCP server.
Now if you use the same account on all servers that serve the same zone, you are set and you don't need the DNSUpdateProxy group. You are even able to "partition DHCP and DNS updates" across your company and subnets.
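The three setups described above can be compared in a small model. This is an added example, not code from the original post or from Microsoft: the `Zone` class, the account names and the record name are constructed, and the open-to-"Authenticated Users" behaviour follows the post's description rather than the exact ACLs Windows writes.

```python
from dataclasses import dataclass, field

AUTH_USERS = "Authenticated Users"  # well-known group; every domain principal is a member

@dataclass
class Zone:
    """Simplified secure-only zone: each record keeps the set of principals allowed to update it."""
    proxy_group: set = field(default_factory=set)   # members of DNSUpdateProxy
    records: dict = field(default_factory=dict)     # name -> (ip, writers)

    def update(self, principal, name, ip):
        """Dynamic update sent as `principal`; returns True if the zone accepts it."""
        if name in self.records:
            _, writers = self.records[name]
            if principal not in writers and AUTH_USERS not in writers:
                return False                        # refused: record belongs to another principal
        else:
            # New record: a proxy-group member leaves it open, anyone else becomes the sole writer.
            writers = {AUTH_USERS} if principal in self.proxy_group else {principal}
        self.records[name] = (ip, writers)
        return True

def failover(zone, node1_identity, node2_identity):
    """Node1 registers a lease, the DHCP resource moves to Node2, Node2 re-registers the name.
    Returns (node2_update_accepted, unrelated_domain_account_update_accepted)."""
    name = "pc42.corp.example"                      # constructed sample record
    zone.update(node1_identity, name, "10.0.0.42")
    node2_ok = zone.update(node2_identity, name, "10.0.0.77")
    any_user_ok = zone.update("CORP\\someuser", name, "10.0.0.99")
    return node2_ok, any_user_ok

def scenarios():
    """Run the failover once per configuration discussed in the post."""
    nodes = {"NODE1$", "NODE2$"}                    # constructed computer account names
    svc = "CORP\\svc-dhcp-dns"                      # constructed dedicated registration account
    return {
        "computer accounts": failover(Zone(), "NODE1$", "NODE2$"),
        "DNSUpdateProxy": failover(Zone(proxy_group=nodes), "NODE1$", "NODE2$"),
        "dedicated account": failover(Zone(), svc, svc),
    }

if __name__ == "__main__":
    for setup, (node2_ok, any_user_ok) in scenarios().items():
        print(f"{setup:18} Node2 can update: {node2_ok!s:5}  any domain account can update: {any_user_ok}")
```

Only the dedicated account gives a working failover while keeping the record closed to other domain accounts.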
And I also believe in giving an account the least privileges needed, so I'm pretty sure that you'll just need the rights for creating, deleting and updating DNSNode objects in only the zone where the DHCP server writes the records for that account. I haven't tested that yet; when I have, I'll write this up more properly and post it to my website. If you want to test, look at this thread (and let me know about your test).
To be kind of complete (without writing more and bugging your RSS reader): the only reason for using the DNSUpdateProxy group might be if you are in a migration scenario; however, there are other solutions as well. If you are interested, let me know (there's a feedback option on this blog, if you haven't noticed yet, not just the contact link ;-) ).