  1. Senior Member
    Join Date
    Jun 2007
    Location
    Atlanta, GA
    Posts
    212

    Certifications
    MCSE 2003, MCSA 2003, A+, Network+, Security+, MCTS Windows 7
    #1

    DHCP on Domain Controller?

    I remember reading somewhere that Microsoft recommends against using a domain controller as a DHCP server. But I'm having trouble figuring out why or even finding where Microsoft states this.

    I did find this:

    http://support.microsoft.com/kb/255134

    But it appears this only applies to Windows 2000 domain controllers.


    Does anyone know if this is true and if so, why?
  3. Questionably Benevolent Moderator Slowhand's Avatar
    Join Date
    Oct 2005
    Location
    Bay Area, CA
    Posts
    5,073
    Blog Entries
    1

    Certifications
    A+, Linux+, Server+, Security+, MCSA 2003, MCSA 2008, MCSA 2012, CCNA(expired), ITIL Foundation v3 (2011), VCP5-DCV, VCA-Cloud, VCA-DCV, VCA-WM
    #2
    I remember it being mentioned during one of my networking classes, that Windows 2000 had some problem with having DHCP on the DC, but I've never seen any issues with Server 2003. I couldn't tell you if Microsoft has any recommendations against it, but I've always used the DC for DNS and DHCP, as a standard, in networks that have only one or two servers. Of course, if you have an SBS server, it'll want to do everything, (whether it's recommended or not).

    -------------------------------------------------------
    ITHumidor.net - "Futuaris nisi irrisus ridebis"
    -------------------------------------------------------

    Free Microsoft Training: Microsoft Virtual Academy
    Free PowerShell Resources: Top 50 PowerShell Blogs
    Free DevOps/Azure Resources: Visual Studio Dev Essentials

    Let it never be said that I didn't do the very least I could do.

  4. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #3
    Go to the line starting with: "When the DHCP Server service is installed on a domain controller..."

    http://technet.microsoft.com/en-us/l.../cc787034.aspx

  5. Senior Member Diminutive's Avatar
    Join Date
    Sep 2008
    Posts
    100

    Certifications
    MCSE 2003 & NT4, MCTS: Vista, MCDBA, CCNA, Moon Master
    #4
    Help has:

    "For server performance, note that DHCP is disk-intensive and purchase hardware with optimal disk performance characteristics.
    DHCP causes frequent and intensive activity on server hard disks. To provide the best performance, consider RAID solutions when purchasing hardware for your server computer that improves disk access time."

    in DHCP Best Practices.
    WIP: Win2008 MCITP Upgrade

  6. Questionably Benevolent Moderator Slowhand's Avatar
    Join Date
    Oct 2005
    Location
    Bay Area, CA
    Posts
    5,073
    Blog Entries
    1

    Certifications
    A+, Linux+, Server+, Security+, MCSA 2003, MCSA 2008, MCSA 2012, CCNA(expired), ITIL Foundation v3 (2011), VCP5-DCV, VCA-Cloud, VCA-DCV, VCA-WM
    #5
    Quote Originally Posted by TechNet
    When the DHCP Server service is installed on a domain controller, configuring the DHCP server with the credentials of the dedicated user account will prevent the server from inheriting, and possibly misusing, the power of the domain controller. When installed on a domain controller, the DHCP Server service inherits the security permissions of the domain controller and has the authority to update or delete any DNS record that is registered in a secure Active Directory-integrated zone (this includes records that were securely registered by other computers running Windows 2000 or a Windows Server 2003 operating system, including domain controllers).
    So it looks like there are security considerations from what dynamik pointed out, as well as the performance considerations that Diminutive mentioned. Not "problems" per se, but things to be aware of and watch out for as you plan and deploy a network. (Mmmmh, refresher-reading of things I knew back in 2004.)

  7. Senior Member Tyrant1919's Avatar
    Join Date
    Jan 2008
    Location
    Marysville, CA
    Posts
    516

    Certifications
    A+, Net+, Svr+, Sec+, CCNA, MCSE:S, MCITP:EA, 236
    #6
    DHCP and DNS are on our DCs. Works like a charm... so far...!

  8. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #7
    It'll work fine; it's just not a best practice. Of course, these things are always open to interpretation, and it really depends on your needs, resources, and desired level of security.

  9. Senior Member
    Join Date
    May 2007
    Posts
    218

    Certifications
    A+, MCP 70-270,70-290 Network+,Associates in Computer Network Systems
    #8
    Quote Originally Posted by Tyrant1919
    DHCP and DNS are on our DCs. Works like a charm... so far...!
    Guilty as charged...

  10. Drops by now and again astorrs's Avatar
    Join Date
    May 2008
    Location
    Vancouver, Canada
    Posts
    3,141

    Certifications
    I have numerous certs from VMware, Citrix, Microsoft, EMC, Nimble Storage, Palo Alto Networks and more...
    #9
    I love the "DHCP is disk intensive crap", that's hilarious.

  11. Senior Member
    Join Date
    May 2007
    Posts
    218

    Certifications
    A+, MCP 70-270,70-290 Network+,Associates in Computer Network Systems
    #10
    Quote Originally Posted by astorrs
    I love the "DHCP is disk intensive crap", that's hilarious.
    I guess at an enterprise level maybe?

  12. wibble! bertieb's Avatar
    Join Date
    Jun 2007
    Location
    Up and down the UK
    Posts
    1,029

    Certifications
    MCSE:CP&I, SI, MCITPx2, MCSAx2, MCTSx7, VCP6/5/4/3(DCV), EMCISA, Sec+, ITILv3F, legacy MS
    #11
    Quote Originally Posted by astorrs
    I love the "DHCP is disk intensive crap", that's hilarious.
    It hammers the disks more than a heavily utilised SQL Server, honest.....

    Has anyone on here had issues with Disk I/O on any DHCP server? Just curious...
    The trouble with quotes on the internet is that you can never tell if they are genuine - Abraham Lincoln

  13. Senior Member
    Join Date
    Jul 2007
    Posts
    1,198
    #12
    Quote Originally Posted by astorrs
    I love the "DHCP is disk intensive crap", that's hilarious.
    A ridicule without clarification is futile! Of course I'm joking :P

    I'm thinking the same on how it will be disk intensive, since its database will not be accessed heavily given that clients will only contact DHCP in given situations, such as when the DHCP lease is expiring or when the client needs to obtain its IP address after being rebooted. I know there is so much more to it, just trying to play these things out in my head.

  14. Senior Member
    Join Date
    Jun 2007
    Location
    Atlanta, GA
    Posts
    212

    Certifications
    MCSE 2003, MCSA 2003, A+, Network+, Security+, MCTS Windows 7
    #13
    Don't really think performance is an issue in our environment. The security issue seems the same as in the link I referenced, so I guess it still applies on Server 2003, although I'm a bit confused about the issue there. DHCP running on the DC computer account has more authority over DNS records than it would otherwise have. But I'm not clear on how that could be exploited without compromising the DC itself, and if that happens the game is over anyway.

  15. New Member royal's Avatar
    Join Date
    Jul 2006
    Location
    Chicago, IL
    Posts
    3,373
    #14
    Make sure you calculate IOPS required for your DHCP database, then create a LUN with the amount of disks needed to satisfy your IOPS requirements, place the DHCP database on this new LUN, and run jetstress on it to see how your DHCP database will perform under load.

  16. Drops by now and again astorrs's Avatar
    Join Date
    May 2008
    Location
    Vancouver, Canada
    Posts
    3,141

    Certifications
    I have numerous certs from VMware, Citrix, Microsoft, EMC, Nimble Storage, Palo Alto Networks and more...
    #15
    Quote Originally Posted by royal
    Make sure you calculate IOPS required for your DHCP database, then create a LUN with the amount of disks needed to satisfy your IOPS requirements, place the DHCP database on this new LUN, and run jetstress on it to see how your DHCP database will perform under load.
    LOL

    I just jumped on our DHCP server, we've had 12,087 leases issued in the last 12 hours and the monitoring tool shows an average disk transfer to the DHCP LUN (it's clustered) of 0.013 bytes/sec over the same time period.

    Nuff said?

  17. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #16
    Quote Originally Posted by Technowiz
    But I'm not clear on how that could be exploited without compromising the DC itself, and if that happens the game is over anyway.
    Read up on the DnsUpdateProxy group. They talk about it in the TechNet link I posted earlier.
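Added example (not part of any post in this thread, and not Microsoft's code): a PowerShell audit of the two settings discussed above, the dedicated DNS dynamic-update credential from the TechNet quote and DnsUpdateProxy group membership. It assumes the ActiveDirectory and DhcpServer RSAT modules, which ship with Windows Server 2012 and later rather than the Server 2003 systems the thread talks about.

```powershell
# Added example: audits DHCP servers that run on domain controllers.
# Assumes the ActiveDirectory and DhcpServer modules (RSAT) are installed
# and that the caller may read DHCP server configuration.
Import-Module ActiveDirectory, DhcpServer

$dcs     = @(Get-ADDomainController -Filter *)
$dcHosts = $dcs | ForEach-Object { $_.HostName.ToLower() }

# 1. For each DHCP server authorized in AD, check whether it runs on a DC and
#    whether a dedicated account is configured for DNS dynamic updates.
$dhcpReport = foreach ($srv in Get-DhcpServerInDC) {
    $fqdn    = $srv.DnsName.ToLower()
    $cred    = $null
    $queried = $true
    try   { $cred = Get-DhcpServerDnsCredential -ComputerName $fqdn -ErrorAction Stop }
    catch { $queried = $false
            Write-Warning "Could not query ${fqdn}: $($_.Exception.Message)" }

    $onDc       = $dcHosts -contains $fqdn
    $hasAccount = [bool]($cred -and $cred.UserName)
    [pscustomobject]@{
        DhcpServer         = $fqdn
        OnDomainController = $onDc
        DnsUpdateAccount   = if ($hasAccount) { "$($cred.DomainName)\$($cred.UserName)" }
                             else { '(not set)' }
        Finding            = if (-not $queried) { 'Unknown (query failed)' }
                             elseif ($onDc -and -not $hasAccount) {
                                 'DNS updates run with the DC computer account' }
                             elseif ($onDc) { 'Dedicated account in use' }
                             else { 'Not on a DC' }
    }
}

# 2. List DnsUpdateProxy members and mark any that are DC computer accounts.
#    Records registered by members of this group are created without security.
$dcDns = $dcs | ForEach-Object { $_.ComputerObjectDN }
$proxyReport = Get-ADGroupMember -Identity 'DnsUpdateProxy' | ForEach-Object {
    [pscustomobject]@{
        Member             = $_.SamAccountName
        IsDomainController = $dcDns -contains $_.distinguishedName
    }
}

$dhcpReport  | Format-Table -AutoSize
$proxyReport | Format-Table -AutoSize
```

A server flagged in the first table can be given a dedicated low-privilege account with `Set-DhcpServerDnsCredential`, or with `netsh dhcp server set dnscredentials` on older systems.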

  18. wibble! bertieb's Avatar
    Join Date
    Jun 2007
    Location
    Up and down the UK
    Posts
    1,029

    Certifications
    MCSE:CP&I, SI, MCITPx2, MCSAx2, MCTSx7, VCP6/5/4/3(DCV), EMCISA, Sec+, ITILv3F, legacy MS
    #17
    Quote Originally Posted by astorrs
    Quote Originally Posted by royal
    Make sure you calculate IOPS required for your DHCP database, then create a LUN with the amount of disks needed to satisfy your IOPS requirements, place the DHCP database on this new LUN, and run jetstress on it to see how your DHCP database will perform under load.
    LOL

    I just jumped on our DHCP server, we've had 12,087 leases issued in the last 12 hours and the monitoring tool shows an average disk transfer to the DHCP LUN (it's clustered) of 0.013 bytes/sec over the same time period.

    Nuff said?
    Plenty, thx. Just as expected then

  19. Senior Member
    Join Date
    Jul 2007
    Posts
    1,198
    #18
    Quote Originally Posted by astorrs
    Quote Originally Posted by royal
    Make sure you calculate IOPS required for your DHCP database, then create a LUN with the amount of disks needed to satisfy your IOPS requirements, place the DHCP database on this new LUN, and run jetstress on it to see how your DHCP database will perform under load.
    LOL

    I just jumped on our DHCP server, we've had 12,087 leases issued in the last 12 hours and the monitoring tool shows an average disk transfer to the DHCP LUN (it's clustered) of 0.013 bytes/sec over the same time period.

    Nuff said?
    You're a God!!!

    Where's your partner in crime?

  20. Questionably Benevolent Moderator Slowhand's Avatar
    Join Date
    Oct 2005
    Location
    Bay Area, CA
    Posts
    5,073
    Blog Entries
    1

    Certifications
    A+, Linux+, Server+, Security+, MCSA 2003, MCSA 2008, MCSA 2012, CCNA(expired), ITIL Foundation v3 (2011), VCP5-DCV, VCA-Cloud, VCA-DCV, VCA-WM
    #19
    We also have to remember that some of these best-practices were written in the old days when disks spun at 5400 RPM. It was a simpler time, when Google was just a search engine and Norah Jones roamed the earth. How far we've come. . .

  21. Senior Member
    Join Date
    Feb 2008
    Location
    West Yorkshire, UK
    Posts
    269

    Certifications
    A+, N+, 70-270, 70-290, 70-291, 70-293, 70-294, 70-298. MCSE 2003! 70-620
    #20
    We supply mainly to small companies, and them having to pay for 2 servers due to a rule that it's only 'bad practice' doesn't warrant 2 servers for small struggling companies. We have always put DHCP and DNS on one domain controller and simply backed up the system state and the system32\dhcp folder via offsite backup for redundancy, as well as obviously providing RAID5. If the user didn't opt for RAID we would always suggest a secondary DC.

    p.s. We normally enable DHCP on Vigor routers instead of the server too, but if they insist on the cheap Netgear their ISP provides, then it all goes on one.

  22. Junior Member Registered Member
    Join Date
    Mar 2012
    Posts
    1
    #21

    Lol

    Quote Originally Posted by astorrs
    I love the "DHCP is disk intensive crap", that's hilarious.
    I know this thread is over 3 years old but I nearly started crying after reading your comment. Thanks for the laugh. My side hurts.