DHCP on Domain Controller?

I remember reading somewhere that Microsoft recommends against using a domain controller as a DHCP server. But I'm having trouble figuring out why, or even finding where Microsoft states this.

I did find this:

http://support.microsoft.com/kb/255134

But it appears this only applies to Windows 2000 domain controllers.


Does anyone know if this is true and, if so, why?

Comments

  • Slowhand (Questionably Benevolent, Bay Area, California) Posts: 5,161, Mod
    I remember it being mentioned during one of my networking classes that Windows 2000 had some problem with having DHCP on the DC, but I've never seen any issues with Server 2003. I couldn't tell you if Microsoft has any recommendations against it, but I've always used the DC for DNS and DHCP, as a standard, in networks that have only one or two servers. Of course, if you have an SBS server, it'll want to do everything (whether it's recommended or not).

    Free Microsoft Training: Microsoft Virtual Academy
    Free PowerShell Resources: Top 50 PowerShell Blogs
    Free DevOps/Azure Resources: Visual Studio Dev Essentials

    Let it never be said that I didn't do the very least I could do.
  • dynamik Posts: 12,314, Banned
    Go to the line starting with: "When the DHCP Server service is installed on a domain controller..."

    http://technet.microsoft.com/en-us/library/cc787034.aspx
  • Diminutive Posts: 102, Member
    Help has:

    "For server performance, note that DHCP is disk-intensive and purchase hardware with optimal disk performance characteristics.
    DHCP causes frequent and intensive activity on server hard disks. To provide the best performance, consider RAID solutions when purchasing hardware for your server computer that improves disk access time."

    in DHCP Best Practices.
    WIP: Win2008 MCITP Upgrade
  • Slowhand (Questionably Benevolent, Bay Area, California) Posts: 5,161, Mod
    Technet wrote:
    When the DHCP Server service is installed on a domain controller, configuring the DHCP server with the credentials of the dedicated user account will prevent the server from inheriting, and possibly misusing, the power of the domain controller. When installed on a domain controller, the DHCP Server service inherits the security permissions of the domain controller and has the authority to update or delete any DNS record that is registered in a secure Active Directory-integrated zone (this includes records that were securely registered by other computers running Windows 2000 or a Windows Server 2003 operating system, including domain controllers).
    So it looks like there are security considerations from what dynamik pointed out, as well as the performance considerations that Diminutive mentioned. Not "problems" per se, but things to be aware of and watch out for as you plan and deploy a network. (Mmmmh, refresher-reading of things I knew back in 2004.)

    Free Microsoft Training: Microsoft Virtual Academy
    Free PowerShell Resources: Top 50 PowerShell Blogs
    Free DevOps/Azure Resources: Visual Studio Dev Essentials

    Let it never be said that I didn't do the very least I could do.
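    An added example, not from this thread or from Microsoft's documentation: a PowerShell audit of the two conditions the TechNet text above describes, run on the DHCP server itself. It assumes the Windows Server 2012 or later DhcpServer and ActiveDirectory modules (the Server 2003 era would use netsh dhcp server set dnscredentials for the same setting), and the account name svc-dhcp-dns is a placeholder for a dedicated, unprivileged domain user.

```powershell
# Added example: find a DHCP server that runs on a domain controller and
# registers DNS records as the DC's own computer account, then switch it to
# a dedicated account. Assumes DhcpServer and ActiveDirectory modules
# (Windows Server 2012+); 'svc-dhcp-dns' is a placeholder account name.
Import-Module DhcpServer, ActiveDirectory

# Win32_ComputerSystem DomainRole: 4 = backup DC, 5 = primary DC
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole
$isDC = $role -ge 4

# Credentials the DHCP Server service uses for dynamic DNS updates.
# An empty UserName means it updates as the machine account, which on a DC
# carries the DC's authority over every secure AD-integrated DNS record.
$dnsCred = Get-DhcpServerDnsCredential
$hasDedicated = -not [string]::IsNullOrEmpty($dnsCred.UserName)

if ($isDC -and -not $hasDedicated) {
    Write-Warning 'DHCP on a DC is registering DNS records as the DC computer account.'
    # Prompt for the dedicated account's password rather than embedding it.
    $cred = Get-Credential -UserName "$env:USERDOMAIN\svc-dhcp-dns" `
                           -Message 'Dedicated DHCP DNS update account'
    Set-DhcpServerDnsCredential -Credential $cred
    Restart-Service DHCPServer
}

# Records created by DnsUpdateProxy members are left unsecured so that a later
# DHCP server can take them over; a DC's computer account should never be in
# that group, or the records the DC registers for itself become unsecured too.
$proxyMembers = Get-ADGroupMember -Identity 'DnsUpdateProxy' |
                Select-Object -ExpandProperty SamAccountName
$computerAccount = "$env:COMPUTERNAME`$"
if ($isDC -and $proxyMembers -contains $computerAccount) {
    Write-Warning "DC account $computerAccount is a member of DnsUpdateProxy; remove it."
}
```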
  • Tyrant1919 Posts: 515, Member
    DHCP and DNS are on our DCs. Works like a charm... so far...!
    I <3 DNS
  • dynamik Posts: 12,314, Banned
    It'll work fine; it's just not a best practice. Of course, these things are always open to interpretation, and it really depends on your needs, resources, and desired level of security.
  • bjaxx Posts: 217, Member
    Tyrant1919 wrote:
    DHCP and DNS are on our DCs. Works like a charm... so far...!

    Guilty as charged...
    "You have to hate to lose more than you love to win"
  • astorrs Posts: 3,139, Member
    I love the "DHCP is disk intensive crap", that's hilarious.
  • bjaxx Posts: 217, Member
    astorrs wrote:
    I love the "DHCP is disk intensive crap", that's hilarious.

    I guess at an enterprise level maybe?
    "You have to hate to lose more than you love to win"
  • bertieb Posts: 1,031, Member
    astorrs wrote:
    I love the "DHCP is disk intensive crap", that's hilarious.

    It hammers the disks more than a heavily utilised SQL Server, honest.....

    Has anyone on here had issues with Disk I/O on any DHCP server? Just curious...
    The trouble with quotes on the internet is that you can never tell if they are genuine - Abraham Lincoln
  • jbaello Posts: 1,192, Member
    astorrs wrote:
    I love the "DHCP is disk intensive crap", that's hilarious.

    A ridicule without clarification is futile! Of course I'm joking :P

    I'm thinking the same on how it will be disk intensive, since its database will not be accessed heavily, given that clients will only contact DHCP in given situations, such as when the DHCP lease is expiring or the client needs to obtain its IP address when being rebooted. I know there is so much more to it; just trying to play these things out in my head.
  • Technowiz Posts: 211, Member
    Don't really think performance is an issue in our environment. The security issue seems the same as in the link I referenced, so I guess it still applies on Server 2003, although I'm a bit confused about the issue there. DHCP running on the DC computer account has more authority over DNS records than it would otherwise have. But I'm not clear on how that could be exploited without compromising the DC itself, and if that happens the game is over anyway.
  • royal Posts: 3,353, Member
    Make sure you calculate IOPS required for your DHCP database, then create a LUN with the amount of disks needed to satisfy your IOPS requirements, place the DHCP database on this new LUN, and run jetstress on it to see how your DHCP database will perform under load.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • astorrs Posts: 3,139, Member
    royal wrote:
    Make sure you calculate IOPS required for your DHCP database, then create a LUN with the amount of disks needed to satisfy your IOPS requirements, place the DHCP database on this new LUN, and run jetstress on it to see how your DHCP database will perform under load.
    LOL

    I just jumped on our DHCP server, we've had 12,087 leases issued in the last 12 hours and the monitoring tool shows an average disk transfer to the DHCP LUN (it's clustered) of 0.013 bytes/sec over the same time period.

    Nuff said?
  • dynamik Posts: 12,314, Banned
    Technowiz wrote:
    But I'm not clear on how that could be exploited without compromising the DC itself and if that happens the game is over any way.

    Read up on the DnsUpdateProxy group. They talk about it in the TechNet link I posted earlier.
  • bertieb Posts: 1,031, Member
    astorrs wrote:
    royal wrote:
    Make sure you calculate IOPS required for your DHCP database, then create a LUN with the amount of disks needed to satisfy your IOPS requirements, place the DHCP database on this new LUN, and run jetstress on it to see how your DHCP database will perform under load.
    LOL

    I just jumped on our DHCP server, we've had 12,087 leases issued in the last 12 hours and the monitoring tool shows an average disk transfer to the DHCP LUN (it's clustered) of 0.013 bytes/sec over the same time period.

    Nuff said?

    Plenty, thx. Just as expected then :)
    The trouble with quotes on the internet is that you can never tell if they are genuine - Abraham Lincoln
  • jbaello Posts: 1,192, Member
    astorrs wrote:
    royal wrote:
    Make sure you calculate IOPS required for your DHCP database, then create a LUN with the amount of disks needed to satisfy your IOPS requirements, place the DHCP database on this new LUN, and run jetstress on it to see how your DHCP database will perform under load.
    LOL

    I just jumped on our DHCP server, we've had 12,087 leases issued in the last 12 hours and the monitoring tool shows an average disk transfer to the DHCP LUN (it's clustered) of 0.013 bytes/sec over the same time period.

    Nuff said?

    You're a God!!!

    Where's your partner in crime?
  • Slowhand (Questionably Benevolent, Bay Area, California) Posts: 5,161, Mod
    We also have to remember that some of these best practices were written in the old days when disks spun at 5400 RPM. It was a simpler time, when Google was just a search engine and Norah Jones roamed the earth. How far we've come...

    Free Microsoft Training: Microsoft Virtual Academy
    Free PowerShell Resources: Top 50 PowerShell Blogs
    Free DevOps/Azure Resources: Visual Studio Dev Essentials

    Let it never be said that I didn't do the very least I could do.
  • mr2nut Posts: 269, Member
    We supply mainly to small companies, and having them pay for two servers due to a rule that it's only 'bad practice' doesn't warrant two servers for small, struggling companies. We have always put DHCP and DNS on one domain controller and simply backed up the system state and the system32\dhcp folder via offsite backup for redundancy, as well as obviously providing RAID5. If the customer didn't opt for RAID, we would always suggest a secondary DC.

    p.s. We normally enable DHCP on Vigor routers instead of the server too, but if they insist on the cheap Netgear their ISP provides, then it all goes on one.
  • dixieadmin Posts: 1, Registered User
    astorrs wrote:
    I love the "DHCP is disk intensive crap", that's hilarious.

    I know this thread is over 3 years old, but I nearly started crying after reading your comment. Thanks for the laugh. My side hurts.