You can have DHCP on a domain controller and it's very common in many environments as it is an infrastructure service. The only accounts which should have access to remote or interactive logins to any DC should be your Domain Admins, and in a multiple domain trust environment, your Enterprise Admins. NEVER grant a service account or any application account domain Admin rights, and if the vendor says they need it, tell them where to stuff it.
When configuring it on a DC, I'll also configure DHCP failover on a secondary DC, or secondary DNS server (I have a few customers with Server Essentials for their DC, which doesn't allow for additional domain controllers, so as a workaround I'll set up just a secondary DNS server to allow for network connectivity for DC reboots).
What is DHCP Failover? | Microsoft Docs
As much as Windows licenses cost and the minuscule resources needed for DHCP, why waste a server dedicated to it? In an enterprise environment with thousands of endpoints or subnets, it makes sense, but in the SMB market where you're dealing with a fairly flat network structure, you're bleeding your customers.
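An added example, not part of the original post: one way to check the rule above that no service or application account holds Domain Admin or Enterprise Admin rights. It assumes the RSAT ActiveDirectory module and the default English group names; the function name and the two heuristics (an SPN set on the account, or a non-expiring password) are illustrative assumptions and will also flag some legitimate admin accounts for review.

```powershell
# Added example: heuristic audit of privileged group membership.
# Assumes the ActiveDirectory module (RSAT) and default English group names.
Import-Module ActiveDirectory

function Get-PrivilegedServiceAccountCandidate {   # hypothetical helper name
    param(
        [string[]]$Group = @('Domain Admins', 'Enterprise Admins')
    )
    foreach ($g in $Group) {
        try {
            # -Recursive expands nested groups and returns only leaf members
            $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop
        } catch {
            # Enterprise Admins only exists in the forest root domain
            Write-Warning "Could not read '$g': $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            if ($m.objectClass -ne 'user') {
                # Computer objects and gMSAs should never be in these groups
                [pscustomobject]@{
                    Group   = $g
                    Account = $m.SamAccountName
                    Reason  = "non-user object ($($m.objectClass))"
                }
                continue
            }
            $u = Get-ADUser -Identity $m.distinguishedName `
                 -Properties ServicePrincipalName, PasswordNeverExpires
            $reasons = @()
            if ($u.ServicePrincipalName.Count -gt 0) { $reasons += 'has SPN' }
            if ($u.PasswordNeverExpires)             { $reasons += 'password never expires' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Group   = $g
                    Account = $u.SamAccountName
                    Reason  = $reasons -join '; '
                }
            }
        }
    }
}

Get-PrivilegedServiceAccountCandidate |
    Sort-Object Group, Account |
    Format-Table -AutoSize
```

Anything listed is a candidate for removal from the group or for a closer look, not proof of misuse.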