gshaw Posted May 12, 2010
Just thinking if we can save on a few servers this summer. We've got DHCP sitting on a separate server (well, two actually, split scope) but was wondering if I could put the role on the DCs? The official guidance suggests it's not recommended, but might be out of date?
EduTech Posted May 12, 2010
We used to have DHCP sitting on the Domain Controller, but since external services have come in the sum DHCP was put on its own 2008 box (virtualised).
James.
sparkeh Posted May 12, 2010
The issue is that when DHCP is installed on a DC, the DHCP service inherits the permissions of a Domain Controller, which could, potentially, be a security risk. Best practice is to configure a user for the service instead.
ZeroHour Posted May 12, 2010
We use clustered DHCP services here and the nodes are not DCs, but tbh I don't think it's that bad to have DHCP on a DC.
featured_spectre Posted May 12, 2010
We have had NO issues with the DHCP being on the DC.
ricki Posted May 12, 2010
Hi,
We have our DHCP on a domain controller and ours works OK.
Richard
glennda Posted May 12, 2010
We have it here, split scope across two DCs to enable some sort of failover protection if one DC decides not to play ball.
sparkeh Posted May 12, 2010
The issue isn't whether it works or not; clearly having DHCP on a DC 'works'. It is rather that MS *used* to recommend putting it on a non-DC (in Server 2000 days), and the most recent advice I can find is that if you run DHCP on a DC you should configure a user for the service rather than letting it run with DC privileges.
localzuk Posted May 12, 2010
We've been running DHCP on a DC since this network was first installed in 2003 and we've never had an issue.
powdarrmonkey Posted May 12, 2010
Walking along a cliff edge 'works', but that doesn't mean it's safe or best practice.
Edited May 12, 2010 by powdarrmonkey
localzuk Posted May 12, 2010
Quoting powdarrmonkey: "Walking along a cliff edge 'works', but that doesn't mean it's safe or best practice."
When schools get the millions of pounds of funding that is afforded to those who can stick to 'best practice' for everything, I'll be sure to change it.
powdarrmonkey Posted May 12, 2010
Quoting localzuk: "When schools get the millions of pounds of funding that is afforded to those who can stick to 'best practice' for everything, I'll be sure to change it."
Right, because changing the account that the service runs under to something unique is soooo costly.
localzuk Posted May 12, 2010
Quoting powdarrmonkey: "Right, because changing the account that the service runs under to something unique is soooo costly."
Sorry, what? I simply stated that this school has been running DHCP on a DC. Did I say it was running as domain admin, or SYSTEM, or anything other than its own dedicated account? Your reply indicated that our running the service at all on a DC was poor, the only outcome of which would be to put it on its own server. As we don't have the capacity to stick it on other servers, that'd mean buying more servers... hence cost. Or were you just trying to bait me, like an increasing number of users on here appear to be doing lately?
Edited May 12, 2010 by localzuk
powdarrmonkey Posted May 12, 2010
In general terms, the number of people saying "it works for me" is irritating. It's probably true to say that most of these are running DHCP under a highly privileged account, because that's what happens by default. Hence, "it works for me" is not necessarily a safe recommendation. If you already operate a healthy best practice/cost balance, I don't understand why you're so insulted. You should be proud to be in such a position. Meanwhile, there are many, many administrators who don't follow the parts of best practice that don't actually cost anything.
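The setting sparkeh and powdarrmonkey are talking about is the account DHCP uses when it registers client records in DNS: by default a DHCP server on a DC does this with the DC's own identity. The following audit script is an added example, not code from any poster; it assumes Windows Server 2012 or later with the DhcpServer and ServerManager modules, an elevated session on the server being checked, and the account name CONTOSO\svc-dhcp-dns is a placeholder.

```powershell
# Added example (not from the thread): report whether this host is a DC running the
# DHCP Server role without a dedicated account for dynamic DNS updates.
# Assumes Windows Server 2012+ (DhcpServer module) and an elevated session.

function Get-DhcpDcAuditResult {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $role -ge 4

    $dhcpInstalled = (Get-WindowsFeature -Name DHCP).Installed

    $cred = $null
    if ($dhcpInstalled) {
        # Account DHCP uses to register/update DNS records on behalf of clients.
        # An empty UserName means it uses the server's (here, the DC's) identity.
        $cred = Get-DhcpServerDnsCredential -ErrorAction SilentlyContinue
    }
    $hasDedicatedCred = ($null -ne $cred) -and -not [string]::IsNullOrEmpty($cred.UserName)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = $isDc
        DhcpRoleInstalled  = $dhcpInstalled
        DnsUpdateAccount   = if ($hasDedicatedCred) { "$($cred.DomainName)\$($cred.UserName)" }
                             else { '(server identity)' }
        # The combination the thread argues about: DHCP on a DC with default credentials
        NeedsAttention     = $isDc -and $dhcpInstalled -and -not $hasDedicatedCred
    }
}

$result = Get-DhcpDcAuditResult
$result | Format-List

if ($result.NeedsAttention) {
    Write-Warning 'DHCP is on a DC and updates DNS with the DC identity.'
    Write-Warning 'Fix: create an ordinary domain user (no admin group membership) and assign it:'
    Write-Warning '  $c = Get-Credential CONTOSO\svc-dhcp-dns   # placeholder account name'
    Write-Warning '  Set-DhcpServerDnsCredential -Credential $c'
    Write-Warning '  Restart-Service DHCPServer'
}
```

On Server 2008 the equivalent is `netsh dhcp server set dnscredentials`, which is the era the thread is written in.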
gshaw (Author) Posted May 12, 2010
Thanks for the replies. Looks like it's as I suspected: doable, but better to leave it as it is for now (running on dedicated servers), I think. Bring on VMWare!
powdarrmonkey Posted May 12, 2010
Neither DCs nor DHCP are heavy services; you could comfortably reduce your footprint by virtualising them in pairs (one metal server hosts a virtual DC and a virtual DHCP instance).
K.C.Leblanc Posted May 12, 2010
I do this; it doesn't seem to present any issues. For some reason one of them seems to grab more clients than the other one, but if I disable the keen one the other one will pick up the slack without issue.
EDIT: Ours are both VMs, although we have a rule set up to stop them being on the same physical box.
User3204 Posted May 12, 2010
Oops, I didn't realise this was a bad thing... I know what I'm going to be doing the rest of the week... Does anyone know if I need to have the DHCP server on the same domain as the DC? I'm just wondering if I can use one DHCP server for both my domains.
MatthewL Posted May 12, 2010
We used to run it on our DC for one site but moved it to our firewall like every other site. TBH you hardly notice it running.
SimpleSi Posted May 13, 2010
When we are all running GCHQ's server farm, then worrying about the security of the DHCP Server running with high privileges might be an issue, but let's not fight about such things here please.
Regards,
Simon
PS I can't spell sekuritie so don't listen to me
Michael Posted May 13, 2010
I have always installed DHCP Server on a single DC or on both DCs for added redundancy. DHCP Server is incredibly light on resources (even within large networks). I would only be concerned if a server was incredibly overloaded, in which case introducing member servers as print/file/application servers would be the way forward. Keeping AD, DNS and DHCP Server together would be recommended in the majority of situations.