Authorizing a DHCP server in a Child Domain requires Enterprise Admin rights (or a delegation)

Today I learnt that to authorize a DHCP server in a child domain you must be an Enterprise Admin or a Domain Admin in the forest root domain or have the rights delegated to you. I was always under the impression you only needed to be a Domain Admin (not necessarily of the forest root domain). 

The reason you need to have forest level rights is because authorization happens under CN=NetServices,CN=Services,CN=Configuration,DC=mydomain – which as you can see is the Configuration partition, which is replicated forest-wide, so to which you need forest level rights. Armed with this knowledge you can either assign permissions to this container directly or use the Active Directory Sites and Services MMC to delegate permissions. In case of the latter, note that you have to click the Active Directory Sites and Services node and select the View menu (or right click that node and select View) to then reach the Show Services Node option. 

show services

This exposes the Services Node, under which one can assign permissions on the NetServices node (similar to assigning permissions on the Configuration partition container) or delegate permissions. Of course, to do either of these you must be logged in with an account that has forest-level permissions.