Need some advice on learning networking

**rthonpm** · 01-16-2022

You can have DHCP on a domain controller and it's very common in many environments as it is an infrastructure service. The only accounts which should have access to remote or interactive logins to any DC should be your Domain Admins, and in a multiple domain trust environment, your Enterprise Admins. NEVER grant a service account or any application account domain Admin rights, and if the vendor says they need it, tell them where to stuff it.

When configuring it on a DC, I'll also configure DHCP failover on a secondary DC, or secondary DNS server (I have a few customers with Server Essentials for their DC, which doesn't allow for additional domain controllers, so as a workaround I'll set up just a secondary DNS server to allow for network connectivity for DC reboots).
What is DHCP Failover? | Microsoft Docs

As much as Windows licenses cost and the miniscule resources needed for DHCP, why waste a server dedicated to it? In an enterprise environment with thousands of endpoints or subnets, it makes sense, but in the SMB market where you're dealing with a fairly flat network structure, you're bleeding your customers.

Sent from my BlackBerry using Tapatalk

**BillyCarpenter** · 01-16-2022

Originally Posted by rthonpm

As much as Windows licenses cost and the miniscule resources needed for DHCP, why waste a server dedicated to it? In an enterprise environment with thousands of endpoints or subnets, it makes sense, but in the SMB market where you're dealing with a fairly flat network structure, you're bleeding your customers.

Sent from my BlackBerry using Tapatalk

Here's the reason that I read about. It makes sense to me but take that with a grain of salt. I'll defer to your knowledge and experience.

What is the issue?

Installing additional services on your DC increases the attack surface, makes it difficult to manage and can lead to performance issues.

Issue #1. Manage DC with multiple roles

Domain Controllers with multiple roles installed are difficult to manage. This can often lead to instability and disruption of services.
For example, say you are having issues with DHCP or installed a security patch that requires a reboot. Rebooting a server with Active Directory Domain Services role on it could cause major disruption to your organization. This can affect authentication, replication, group policy, and DNS. Your users will not be able to access anything if DNS is down.
If you have multiple domain controllers and it’s properly configured then these issues can be avoided but why risk it?
If DHCP was installed on its own server you could reboot the DCHP server with no worries of effecting the services on the Domain Controller.

**rthonpm** · 01-16-2022

The number of times I've come across a DHCP related issue that required the reboot of a DHCP server is zero. The number of issues requiring a restart of the DHCP server service? Several.

I've run into more issues requiring a restart of a domain controller for AD issues than anything related to DHCP or DNS.

The article also conveniently ignores guidance from Microsoft going all the way back to Server 2003, when running DHCP on a DC was first supported: Using DNS servers with DHCP: Dynamic Host Configuration Protocol (DHCP) | Microsoft Docs

See the section Securing records when using the DnsUpdateProxy group on how to segment the DHCP server service from using the Network Service account of the DC and the changes required in DNS to make things work.

Sent from my BlackBerry using Tapatalk

**slimslob** · 01-16-2022

Originally Posted by rthonpm

The number of times I've come across a DHCP related issue that required the reboot of a DHCP server is zero. The number of issues requiring a restart of the DHCP server service? Several.

I've run into more issues requiring a restart of a domain controller for AD issues than anything related to DHCP or DNS.

The article also conveniently ignores guidance from Microsoft going all the way back to Server 2003, when running DHCP on a DC was first supported: Using DNS servers with DHCP: Dynamic Host Configuration Protocol (DHCP) | Microsoft Docs

See the section Securing records when using the DnsUpdateProxy group on how to segment the DHCP server service from using the Network Service account of the DC and the changes required in DNS to make things work.

Sent from my BlackBerry using Tapatalk

I got called out for a printer that some computer in one section at a major account could not print to. When I got there I quickly found out that the one that could not print were the one that had been turned off over night. I immediate checked to see if I was getting DHCP and found out it was down. Called the receptionist to contact their in house IT so I tell him what I found. She called me back to say he was too busy trying to determine which needed to be replaced, he had been working on it 5 hours already. She apparently also called the corporate IT is Portland Oregon because he called me about a minute later. I told him I thought that the DHCP was down. He said he would check it. Seconds later it was back up as he came in remotely and restarted the service.

**rthonpm** · 01-16-2022

Originally Posted by slimslob

I got called out for a printer that some computer in one section at a major account could not print to. When I got there I quickly found out that the one that could not print were the one that had been turned off over night. I immediate checked to see if I was getting DHCP and found out it was down. Called the receptionist to contact their in house IT so I tell him what I found. She called me back to say he was too busy trying to determine which needed to be replaced, he had been working on it 5 hours already. She apparently also called the corporate IT is Portland Oregon because he called me about a minute later. I told him I thought that the DHCP was down. He said he would check it. Seconds later it was back up as he came in remotely and restarted the service.

Exactly the kind of thing I've seen: restarting the service is a much more common resolution compared to the entire server.

Sent from my BlackBerry using Tapatalk

**BillyCarpenter** · 01-16-2022

Where to start.....

rthonpm was right. It would be senseless to set up 2 seperate DHCP servers. Waste of money and resources.

I did set up DHCP failover and it was an adventure. I configured a 2nd DHCP server on my secondary domain controller and then I enabled DHCP failover. It was a little bit of work, I cannot lie. lol

When I was done, I disabled my primary domain controller and went to a Windows 10 PC, and it was able to pull a DHCP address from my secondary DC.

This stuff is cool as shit and I love the idea of having a 2nd DHCP server....just in case.

PS - Thanks again, rthon.

**BillyCarpenter** · 01-16-2022

By the way, the 2nd DHCP Sever works hand-in-hand with the primary DHCP sever. It's really just replicated DHCP services on the 2nd controller. Another cool feature of DHCP Failover is Load Balancing. In a corporate setting it could be important to share the load of DHCP.

**tsbservice** · 01-16-2022

Originally Posted by BillyCarpenter

Where to start.....

rthonpm was right. It would be senseless to set up 2 seperate DHCP servers. Waste of money and resources.

I did set up DHCP failover and it was an adventure. I configured a 2nd DHCP server on my secondary domain controller and then I enabled DHCP failover. It was a little bit of work, I cannot lie. lol

When I was done, I disabled my primary domain controller and went to a Windows 10 PC, and it was able to pull a DHCP address from my secondary DC.

This stuff is cool as shit and I love the idea of having a 2nd DHCP server....just in case.

PS - Thanks again, rthon.

My understanding of networking is very limited but I would rely on experience and knowledge of rthonpm anytime.
His words weight nothing but gold.

**BillyCarpenter** · 01-16-2022

Originally Posted by tsbservice

My understanding of networking is very limited but I would rely on experience and knowledge of rthonpm anytime.
His words weight nothing but gold.

Amen. There's no bigger fan of rthon than me.

I've gone from knowing very little about Server 2019 to some more advanced configuration. At least it seems advanced to me. I wouldn't be anywhere close to where I am now if it wasn't for rthonpm.

Over the past year, most of my time has been spent on learning Cisco CCNA. This year, I plan to devote much more time to Server 2019. I don't understand why everyone isn't doing it.

**tsbservice** · 01-16-2022

Originally Posted by BillyCarpenter

...
This year, I plan to devote much more time to Server 2019. I don't understand why everyone isn't doing it.

Because too many ITs will leave no room for regular techs. I'm joking but it appears to me lately everyone wants to be an IT work remotely get high paid etc. And that said they even don't understand how much hard work, education and learning this stuff require. I know few real IT guys like rthonpm and they are way smarter than me...in fact they are way smarter than most people