4

For a small Active Directory managed network (say 30-50 DHCP clients) should I have a domain controller (and then somehow another one as a failover) hand out IPs via DHCP or should I just let my router do it?

Just an update, fyi: We have two brand-new machines running as AD, DNS, etc. servers so we've got a nice setup going there. Just wondering if it makes sense to check the "DHCP" box on one or both of them as well, and turn it off in our router.

Matt Rogish

4 Answers

10

I'd hand out IP addresses with the Windows DHCP server. It's nicer than any router's DHCP server I've ever seen (as far as the management interface and displaying statistics). Perhaps I've grown soft w/ my age, but I prefer the GUI management in Windows for DHCP Servers.

Having a secondary domain controller (also assigned the "Global Catalog" role) is a great cheap insurance policy. If you're not going to store any data on it then it doesn't have to have a "set the world on fire" disk subsystem or hardware redundancy. It's just really, really nice in a disaster scenario to have a second copy of AD around.

I'd have both DCs run DNS and "point" clients at both. You can configure both with either "root hints" or "forwarders" to your ISP's DNS servers -- your choice.

As far as a secondary DHCP server goes I'm fairly "down" on the behaviour of Microsoft DHCP Server when you have two overlapping DHCP servers. The behaviour becomes nondeterministic since they don't coordinate their activities (i.e. a client will get a lease from the first one that responds). My solution is to make sure that the DHCP database is backed up each day and, in the event of failure, I'll manually roll the DHCP backup onto the secondary node and bring DHCP up there. Running 8+ day DHCP leases helps with this, too.

Perhaps I'm not paranoid enough, but in environments the size you're talking about w/ properly spec'd server computer hardware (UPS, redundant power supplies, RAID) I just don't "lose" server computers frequently enough to be worried sick about DHCP failover.

Evan Anderson
  • Also by running DHCP on the Windows box you can have the DHCP server register the IP address in DNS for clients that don't support it (i.e. non-Windows boxes). With regard to DHCP allocation on multiple servers, MS best practice is to split the scope 80/20 - see http://technet.microsoft.com/en-us/library/cc780311%28WS.10%29.aspx – Joel Mansford Jul 21 '09 at 09:57
  • @Joel: DHCP behaviour with the "split scope" is non-deterministic with respect to which server the client computer obtains a lease from. That's my issue with it as a failover strategy. I don't like to add anything non-deterministic to my networks if I can help it (Ethernet notwithstanding). – Evan Anderson Jul 21 '09 at 11:51
  • Evan: What if AD1 has DHCP from a certain range, say x.50-100 and AD2 has another range, x.101-150? – Matt Rogish Jul 21 '09 at 14:12
  • @Matt: The first server computer that responds to a client request issues the lease in that circumstance. There's no guarantee that it will operate in a predictable manner. That's why I have issue with such a configuration. – Evan Anderson Jul 21 '09 at 19:11
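As an added example (not code from the answer's author), here is the daily export and manual restore procedure described above, built on the Windows `netsh dhcp server export` / `import` commands. The backup share `\\FS01\DhcpBackup`, the server names DC1/DC2 and the retention period are assumptions.

```powershell
# Added example: daily export of the DHCP configuration and leases on the
# active server, plus the manual restore onto the standby DC after a failure.
# Assumptions (not from the page): backups live on \\FS01\DhcpBackup, the active
# DHCP server is DC1 and the standby is DC2.

$BackupShare = '\\FS01\DhcpBackup'   # assumed UNC path
$Retention   = 14                    # days of exports to keep (assumed)

function Backup-DhcpConfig {
    # Schedule this daily (Task Scheduler) on the active DHCP server (DC1).
    # "netsh dhcp server export <file> all" dumps every scope, option,
    # reservation and active lease; the DHCP service keeps running.
    $stamp = Get-Date -Format 'yyyyMMdd'
    $file  = Join-Path $BackupShare "dhcp-$env:COMPUTERNAME-$stamp.dat"

    netsh dhcp server export $file all
    if ($LASTEXITCODE -ne 0) {
        throw "DHCP export failed with exit code $LASTEXITCODE"
    }

    # Prune old exports so the share does not grow without bound.
    Get-ChildItem $BackupShare -Filter 'dhcp-*.dat' |
        Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$Retention) } |
        Remove-Item -Force

    return $file
}

function Restore-DhcpConfig {
    # Run by hand on the standby (DC2) once DC1 is down. The DHCP Server role
    # must already be installed there and the server authorized in Active
    # Directory (DHCP console or "netsh dhcp add server"). Importing replaces
    # the standby's current DHCP configuration with the contents of the dump.
    param([string]$File)

    if (-not (Test-Path $File)) { throw "Backup file not found: $File" }

    netsh dhcp server import $File all
    if ($LASTEXITCODE -ne 0) {
        throw "DHCP import failed with exit code $LASTEXITCODE"
    }

    # Restart so the imported scopes are served; 8+ day leases give clients
    # a comfortable window to renew against the new server.
    Restart-Service -Name DHCPServer
    Get-Service -Name DHCPServer
}

# Typical use (file name is a placeholder):
#   Backup-DhcpConfig                                            # daily, on DC1
#   Restore-DhcpConfig '\\FS01\DhcpBackup\dhcp-DC1-YYYYMMDD.dat'  # by hand, on DC2
```

Because the standby normally runs no DHCP scopes, both servers never answer the same DISCOVER at once, which avoids the nondeterminism the answer objects to.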
3

It is always good practice (even for a small network) to have a main DC and a failover DC.

For example:

Primary Box:

  • DNS
  • main DC
  • Other services

Secondary Box:

  • DHCP
  • backup DC
  • Other services

With a setup like this you have room for scalability and more control over your environment. This is similar to what I have implemented for my network.

Also it can be good practice to have a gateway server (connected to your router) that has an external network separate from your internal network. This way internet traffic can be properly controlled and firewalled.

Qwerty
  • I'd strongly suggest you run DNS on the second box too. If the first one is down you have no DNS, which means you effectively have no AD. – ThatGraemeGuy Jul 21 '09 at 04:38
1

Just FYI, you can run DHCP on a box that is not a DC, and you don't need Active Directory to use DHCP. But with 30-50 clients, I would recommend an AD setup assuming they are all Windows machines.

MDMarra
1

I'll second running the Windows DHCP server rather than the router. Then the DHCP server will update DNS records for you for clients that won't do it on their own. Granted Win2000 and up do, but maybe that would help for Macs or Linux(?).

CC.