Proxy users are not used in DSfW.
The Services part of the Trusted Computed Base has the rights to read users’ supplemental credentials for authentication. A separate Kerberos process reads user passwords and performs the authentication. Another event handler in eDirectory creates the supplemental credentials for the user whenever the password is changed for that user.
However, the DNS Proxy User is closely associated with DSfW and can leverage the Common Proxy User.