DHCP on Domain Controller?

Technowiz

I remember reading some where there Microsoft recommends against using a domain controller as a DHCP server. But I'm having trouble figuring out why or even finding where Microsoft states this.

I did find this:

http://support.microsoft.com/kb/255134

But it appears this only applies to Windows 2000 domain controllers.


Does any one know if this is true and if so, why?

Slowhand

I remember it being mentioned during one of my networking classes, that Windows 2000 had some problem with having DHCP on the DC, but I've never seen any issues with Server 2003. I couldn't tell you if Microsoft has any recommendations against it, but I've always used the DC for DNS and DHCP, as a standard, in networks that have only one or two servers. Of course, if you have an SBS server, it'll want to do everything, (whether it's recommended or not).

dynamik

Go to the line starting with: "When the DHCP Server service is installed on a domain controller..."

http://technet.microsoft.com/en-us/library/cc787034.aspx

Diminutive

Help has;

"For server performance, note that DHCP is disk-intensive and purchase hardware with optimal disk performance characteristics.
DHCP causes frequent and intensive activity on server hard disks. To provide the best performance, consider RAID solutions when purchasing hardware for your server computer that improves disk access time.
"

in DHCP Best Practices.

Slowhand

TechNet wrote:

When the DHCP Server service is installed on a domain controller, configuring the DHCP server with the credentials of the dedicated user account will prevent the server from inheriting, and possibly misusing, the power of the domain controller. When installed on a domain controller, the DHCP Server service inherits the security permissions of the domain controller and has the authority to update or delete any DNS record that is registered in a secure Active Directory-integrated zone (this includes records that were securely registered by other computers running Windows 2000 or a Windows Server 2003 operating system, including domain controllers).

So it looks like there are security considerations from what dynamik pointed out, as well as the performance considerations that Diminutive mentioned. Not "problems" persay, but things to be aware of and watch out for as you plan and deploy a network. (Mmmmh, refresher-reading of things I knew back in 2004. )

Tyrant1919

DHCP and DNS are on our DCs. Works like a charm... so far...!

dynamik

It'll work fine; it's just not a best practice. Of course, these things are always open to interpretation, and it really depends on your needs, resources, and desired level of security.

bjaxx

Tyrant1919 wrote:

DHCP and DNS are on our DCs. Works like a charm... so far...!

Guilty as charged...

astorrs

I love the "DHCP is disk intensive crap", that's hilarious.

bjaxx

astorrs wrote:

I love the "DHCP is disk intensive crap", that's hilarious.

I guess at an enterprise level maybe?

bertieb

astorrs wrote:

I love the "DHCP is disk intensive crap", that's hilarious.

It hammers the disks more than an heavily utilised SQL Server, honest.....

Has anyone on here had issues with Disk I/O on any DHCP server? Just curious...

jbaello

astorrs wrote:

I love the "DHCP is disk intensive crap", that's hilarious.

A ridicule without clarification is futile! Ofcourse I'm joking :P

I'm thinking the same on how it will be disk intensive, since it's database will not be accessed heavily given that clients will only contact DHCP on given situations, such as DHCP lease is expiring, or the client needs obtain it's IP address when being rebooted, I know there is so much more to it, just trying to play this things on my head.

Technowiz

Don't really think performance is an issue in our environment. The security issue seems the same as in the link I referenced so I guess it still applies on server 2003 although I'm a bit confused about the issue there. DHCP running on the DC computer account has more authority over DNS records than it would otherwise have. But I'm not clear on how that could be exploited without compromising the DC itself and if that happens the game is over any way.

royal

Make sure you calculate IOPS required for your DHCP database, then create a LUN with the amount of disks needed to satisfy your IOPS requirements, place the DHCP database on this new LUN, and run jetstress on it to see how your DHCP database will perform under load.

astorrs

royal wrote:

Make sure you calculate IOPS required for your DHCP database, then create a LUN with the amount of disks needed to satisfy your IOPS requirements, place the DHCP database on this new LUN, and run jetstress on it to see how your DHCP database will perform under load.

LOL

I just jumped on our DHCP server, we've had 12,087 leases issued in the last 12 hours and the monitoring tool shows an average disk transfer to the DHCP LUN (it's clustered) of 0.013 bytes/sec over the same time period.

Nuff said?

dynamik

Technowiz wrote:

But I'm not clear on how that could be exploited without compromising the DC itself and if that happens the game is over any way.

Read up on the dnsupdateproxy group. They talk about it in the Technet link I posted earlier.

bertieb

astorrs wrote:

royal wrote:

Make sure you calculate IOPS required for your DHCP database, then create a LUN with the amount of disks needed to satisfy your IOPS requirements, place the DHCP database on this new LUN, and run jetstress on it to see how your DHCP database will perform under load.

LOL

I just jumped on our DHCP server, we've had 12,087 leases issued in the last 12 hours and the monitoring tool shows an average disk transfer to the DHCP LUN (it's clustered) of 0.013 bytes/sec over the same time period.

Nuff said?

Plenty, thx. Just as expected then

jbaello

astorrs wrote:

royal wrote:

Make sure you calculate IOPS required for your DHCP database, then create a LUN with the amount of disks needed to satisfy your IOPS requirements, place the DHCP database on this new LUN, and run jetstress on it to see how your DHCP database will perform under load.

LOL

I just jumped on our DHCP server, we've had 12,087 leases issued in the last 12 hours and the monitoring tool shows an average disk transfer to the DHCP LUN (it's clustered) of 0.013 bytes/sec over the same time period.

Nuff said?

Your a God!!!

Where's your partner in crime?

Slowhand

We also have to remember that some of these best-practices were written in the old days when disks spun at 5400 RPM. It was a simpler time, when Google was just a search engine and Norah Jones roamed the earth. How far we've come. . .

mr2nut

We supply to mainly small companies and them having to pay for 2 Servers due to a rule that it's only 'bad practise' doesn't warrent 2 Servers for small struggling companies. We have always put DHCP and DNS on one domain controller and simply backed up the system state and the and the system32\dhcp folder via offsite backup for redundancy, as well as obviously providing RAID5. If the user didn't opt for RAID we would always suggest a secondary DC.

p.s. We normally enable DHCP on Vigor routers instead of the Server too but if they insist on the cheap netgear their ISP provides, then it all goes on one

dixieadmin

astorrs wrote: »

I love the "DHCP is disk intensive crap", that's hilarious.

I know this thread is over 3 years old but I nearly started crying after reading your comment. Thanks for the Laugh. My side hurts.