Solved

DHCP on Multiple domains

Posted on 2010-01-08
Last Modified: 2012-05-08
Hi All

I have recently joined a new place and found that they are NOT running DHCP.
Around 600 users, yes I know :-).

I've decided to setup DHCP.

We have 5 domains, 3 of which are on separate subnets, BUT 2 of them are sharing a subnet.
We are also running Exchange 2007, and all domain controllers are Windows Server 2008.

What's the best way of going about this with regards to the 2 domains that are sharing a subnet?
What should I take into consideration?
What are the risks?

please let me know should you need additional information.


Your assistance is greatly appreciated.

regards
Eugene
Question by:eugene20022002

22 Comments
 
LVL 49

Expert Comment

by:Akhater
ID: 26208393
There is no risk or consideration at all; the client asks for an IP before it "knows" if it is connected to a domain or not.

So you can put just one DHCP server to serve this shared subnet, irrespective of whether it is hosting one or 10 domains.

Hope it helps
 
LVL 5

Expert Comment

by:Asr
ID: 26208400
What do you mean, not running DHCP? Do you mean a firewall stands in for it, or what?
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26208424
The only thing you need to make sure of is that there is a DHCP Helper service configured on the router/switch that is routing traffic for the second subnet.

There are no real risks.
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26208430
@Asr > Perhaps you should think about monitoring a different zone?
 
LVL 7

Author Comment

by:eugene20022002
ID: 26208449
@Akhater: Are you sure there is no risk? It's going to be a Windows DHCP server, not Unix or Linux, so it will be in AD. Also, each of the 2 domains has their own DCs with AD-integrated DNS. If I set up a new DHCP server, will I need to give clients in the subnet a specific primary and secondary DNS server? Does it matter which? I don't think it does, though.

@Asr: Not running DHCP means they're using static IP addresses for clients. Not sure why, though, but they are.
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26208459
You have a couple of options: you could either set up separate scopes for each subnet on a single DHCP server and let the DHCP Helper service sort out the rest for you.

Or, if there are already separate servers in the subnets, simply install the DHCP Service/Role (depending on which version of Windows) and they will then issue their own IP addresses.
This takes the complication of the DHCP Helper service away.
 
LVL 7

Author Comment

by:eugene20022002
ID: 26208467
@Demazter > I don't think I need to configure a helper service, because I don't want broadcast traffic to cross any routers. I also won't need to, because both domains are using the same subnet range. If they were both on separate subnets I would simply create 2 DHCP servers, seeing that a DHCP server doesn't take up many resources.
 
LVL 71

Expert Comment

by:Chris Dent
ID: 26208530

As long as all DNS servers on that single subnet can resolve names for both domains there's little problem. Clients need to find their own domains; it doesn't matter where the DNS servers live, as long as they can provide the necessary answers.

The only other issue is Dynamic Updates. If DHCP updates DNS you may run into problems. Are there trusts between the domains? Or would you prefer clients update DNS directly (not via DHCP)?

Chris
 
LVL 7

Author Comment

by:eugene20022002
ID: 26208580
Yes, there is a trust between the domains, and I would like DNS to be automatically updated by DHCP, because there are so many static records and old records that I want to avoid that happening.
 
LVL 71

Expert Comment

by:Chris Dent
ID: 26208584

Okay, well it should work. You will need to configure DHCP with specific credentials to update. And you will need to grant that account permission on the zone in the remote domain (otherwise the update will fail).

Do note that clients can update without the help of DHCP; that doesn't mean manually maintaining records, that would be no fun :) Just something to consider, that's all.

Chris
 
LVL 49

Expert Comment

by:Akhater
ID: 26208587
Don't worry about the trust or anything; the integration between DHCP and AD is just for DHCP servers between each other. Any DHCP server in a subnet will serve any client on this subnet, irrespective of whether it is joined to a domain or not and of which domain it is joined to.

If you want ONE DHCP server to handle all the subnets then you will need to configure a relay agent or IP helper for each subnet, but I don't think that's your question.
 
LVL 7

Author Comment

by:eugene20022002
ID: 26208613
@Akhater > I don't want just one DHCP server, and especially don't want DHCP broadcasts to cross routers. It's there essentially to split the broadcast domains. Anyway, one DHCP per subnet is what I'm aiming for.

@Chris > What permissions would this account need in order to do the DNS updates?
How can the clients update automatically without DHCP, and what method would you use in this situation?
 
LVL 49

Assisted Solution

by:Akhater
Akhater earned 160 total points
ID: 26208621
Clients can update their own records in the DNS; you don't need DHCP to do that.

DHCP can do that for clients that cannot update DNS themselves, like Windows 95/98 for example.
 
LVL 71

Expert Comment

by:Chris Dent
ID: 26208632

> What permissions would this account need in order to do the DNS updates.

Nothing more than a standard user account. You'll be manually setting the rights it needs on the DNS Zone (Create Child Objects). It really needs very little.

> How can the clients update automatically without DHCP and what method would you
> use in this situation?

Nothing, the functionality is built in. They lookup the SOA, then send an update request there. If they use a DNS server on Domain A, but are a member of Domain B they will request the SOA for Domain B, then send the update there directly, bypassing the normal DNS server they use.

Essentially, it'll work without you doing more than unticking the box telling DHCP to update (in the DHCP server console).

Chris
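The two steps Chris describes (give DHCP its own credentials, then grant that account Create Child Objects on the zone in the other domain), plus his alternative of switching DHCP registration off, as an added example that is not part of the thread. It uses the tooling that exists on Windows Server 2008 (netsh dhcp, dsacls, ADSI); on Server 2012 and later Set-DhcpServerDnsCredential and Set-DhcpServerv4DnsSetting do the same job without putting a password on a command line. Every name in it is an assumption: the DHCP server is in contoso.com, the other domain sharing the subnet is fabrikam.local with a DC called dc1.fabrikam.local, and CONTOSO\svc-dhcp-dns is an ordinary user created for this. Run the dsacls step as someone who may edit ACLs on the fabrikam.local zone (its DnsAdmins or Domain Admins), and run it on a DHCP server that is not also a domain controller if you can: a DC registers client records under its own computer account, which owns the whole zone, and clients can never take those records back.

```powershell
# Added example, not from the thread. Windows Server 2008 tooling: netsh dhcp, dsacls, ADSI.
# Assumed names: DHCP server in contoso.com; other domain on the same wire is fabrikam.local
# (DC dc1.fabrikam.local); CONTOSO\svc-dhcp-dns is a plain user account with no other rights.

$ZoneOther     = 'fabrikam.local'
$OtherDomainDN = 'DC=fabrikam,DC=local'
$OtherDC       = 'dc1.fabrikam.local'
$SvcDomain     = 'CONTOSO'
$SvcUser       = 'svc-dhcp-dns'

# netsh insists on the password as a plain argument; keep it in memory only as long as needed.
$Secure = Read-Host "Password for $SvcDomain\$SvcUser" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
$Plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# 1. The account DHCP uses when it registers A/PTR records on behalf of clients.
netsh dhcp server set dnscredentials $SvcUser $SvcDomain $Plain
Remove-Variable Plain
netsh dhcp server show dnscredentials

# 2. Grant that account "Create Child Objects" on the zone object in the OTHER domain.
#    AD-integrated zones live in one of two naming contexts; use whichever one exists.
$Candidates = @(
    "DC=$ZoneOther,CN=MicrosoftDNS,DC=DomainDnsZones,$OtherDomainDN",  # default since Server 2003
    "DC=$ZoneOther,CN=MicrosoftDNS,CN=System,$OtherDomainDN"           # zones left in the domain partition
)
$ZoneDN = $Candidates | Where-Object { [ADSI]::Exists("LDAP://$OtherDC/$_") } | Select-Object -First 1
if (-not $ZoneDN) { throw "Zone $ZoneOther not found in either DNS partition under $OtherDomainDN" }

# CC = Create Child. Nothing else is granted: the account can add new dnsNode records, and as
# creator it owns those, but it cannot delete or overwrite records it did not create.
dsacls "\\$OtherDC\$ZoneDN" /G "$SvcDomain\${SvcUser}:CC"
dsacls "\\$OtherDC\$ZoneDN" | Select-String $SvcUser

# 3. Alternative ("untick the box"): keep DHCP out of DNS and let every client register itself
#    with its own computer account. Run this INSTEAD of steps 1-2 if you go that way.
# netsh dhcp server set dnsconfig Enable=0
```

Whichever route is chosen, choose one: if DHCP is registering on a client's behalf, the record is owned by svc-dhcp-dns and the client's own later update is refused; if the client registers itself, the record is owned by the client's computer account and DHCP cannot touch it. Mixing the two per scope is how the "update fails" situation further down this thread usually arises.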
 
LVL 7

Author Comment

by:eugene20022002
ID: 26208633
If the client's IP address changes, will the A and PTR records automatically be updated in DNS without DHCP? Because at the moment it's not, and the clients are set to register in DNS in the TCP/IP settings.
 
LVL 49

Assisted Solution

by:Akhater
Akhater earned 160 total points
ID: 26208638
Well, you need to enable "automatic updates" on the DNS zone; that's all that is required.
 
LVL 71

Expert Comment

by:Chris Dent
ID: 26208650

> If the clients IP address change, will the A and PTR records automatically be updated
> in DNS without DHCP?

Yes, provided they have permission to do so (if records exist that they do not have permission to modify the update will fail) and provided DHCP has *not* been set to do it for them (because that prevents the client from performing the update).

Akhater is right about the need to enable Dynamic Update in the DNS zone.

Chris
 
LVL 7

Author Comment

by:eugene20022002
ID: 26208814
Thanks guys. I have Dynamic updates enabled (secure).
 
LVL 71

Expert Comment

by:Chris Dent
ID: 26208821

If updates are failing it would be a good idea to see what has permission on the record in DNS. If DHCP is updating, DHCP, or the credentials set in DHCP, need rights over the record. If the client is updating then the client does.

If neither has rights the update will fail, and you'd have to remove the record. Or, if you use Scavenging, wait until it becomes stale and is automatically removed.

Chris
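Chris's diagnosis (find out who has rights on the stale record, then either delete it or let scavenging age it out) as an added example that is not part of the thread. It reads the record's owner and ACL straight out of AD with ADSI, which is where an AD-integrated zone keeps its dnsNode objects, and uses dnscmd, the Server 2008 command-line tool for the DNS server. The names are assumptions: DNS server dc1.contoso.com, zone contoso.com stored in the DomainDnsZones partition, and pc0123 as the host whose update keeps failing. The scavenging intervals are the usual 7 + 7 day defaults, not a recommendation for this network.

```powershell
# Added example, not from the thread. Server 2008 tooling: ADSI, dnscmd.
# Assumptions: DNS server dc1.contoso.com, zone contoso.com in the DomainDnsZones partition,
# the host that cannot update its own record is pc0123.

$DnsServer = 'dc1.contoso.com'
$Zone      = 'contoso.com'
$DomainDN  = 'DC=contoso,DC=com'
$HostName  = 'pc0123'
$RecordDN  = "DC=$HostName,DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"

# 1. Who owns the record and who may write it? With secure dynamic update only the owner
#    (the identity that created the record) or anyone it explicitly allowed can change it.
#    A record owned by an old DHCP server, another DC, or the admin who typed it in by hand
#    is exactly what blocks the client's own registration.
try {
    $Node = [ADSI]"LDAP://$DnsServer/$RecordDN"
    $Acl  = $Node.ObjectSecurity
    "Owner of $HostName.$Zone : " + $Acl.GetOwner([Security.Principal.NTAccount])
    $Acl.GetAccessRules($true, $true, [Security.Principal.NTAccount]) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.ActiveDirectoryRights -match 'GenericAll|WriteProperty|Delete' } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
        Format-Table -AutoSize
} catch {
    Write-Warning "Could not read $RecordDN from AD: $_ (file-backed zone, or wrong partition?)"
}

# Current data and the aging timestamp (static records show no timestamp).
dnscmd $DnsServer /EnumRecords $Zone $HostName /Type A /Detail

# 2a. Fix by hand: delete the record so the rightful owner can recreate it.
# dnscmd $DnsServer /RecordDelete $Zone $HostName A /f

# 2b. Fix structurally: turn on aging for the zone so records nobody refreshes expire.
#     Intervals are in hours: no-refresh 7 days, refresh 7 days, scavenge once a week.
dnscmd $DnsServer /Config $Zone /Aging 1
dnscmd $DnsServer /Config $Zone /NoRefreshInterval 168
dnscmd $DnsServer /Config $Zone /RefreshInterval 168
# Scavenging runs only on a server where it is switched on; enable it on ONE server per zone.
dnscmd $DnsServer /Config /ScavengingInterval 168
```

Two cautions before the last step. Records created by hand (the 600 static ones mentioned at the top of this thread) carry no timestamp and are never scavenged; `dnscmd /AgeAllRecords contoso.com /f` stamps them, after which anything that is not re-registered within 14 days, including the static records of servers that never register themselves, will disappear. And scavenging removes a stale record without restoring the client's rights to it, so a client whose record was owned by someone else only gets a usable record once the old one is gone and the client re-registers (`ipconfig /registerdns`).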
 
LVL 7

Author Comment

by:eugene20022002
ID: 26208950
So to sum it all up:

  • Basically go ahead with the deployment of the DHCP server.
  • Use any of the DNS servers on the subnet (seeing that it is AD-integrated) for both the server and clients.
  • Use DHCP to automatically update the records in DNS.
  • DHCP clients won't have problems finding domain controllers etc. and will look at the SOA of the domain they belong to?? Not 100% about this, just clarify for me please?
  • Make sure dynamic updates are enabled. (It is on all zones.)
What else am I missing?

Does that all seem alright?

Thanks again guys for your help.
Will award points soon.

Last question, off topic.
How do I get points without buying them? If I am an expert and the points I gain from answering, can I use those to ask myself?

Thanks again
Eugene
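The deployment summarised above (install the role, one scope for the shared subnet, hand out DNS servers that can answer for both domains) as an added example that is not part of the thread, written for the Server 2008 command line (ServerManagerCmd, netsh dhcp). The addressing is invented: shared subnet 10.10.0.0/24, router 10.10.0.1, the two domains' DNS servers at 10.10.0.10 (contoso.com) and 10.10.0.11 (fabrikam.local), server dhcp1.contoso.com at 10.10.0.20, and the range .1 to .99 reserved for hosts that stay static. It also covers two things the summary does not: conflict detection, because 600 hosts currently hold static addresses that a fresh scope knows nothing about, and the deliberate omission of option 15.

```powershell
# Added example, not from the thread. Windows Server 2008 tooling: ServerManagerCmd, netsh dhcp.
# Assumed addressing: shared subnet 10.10.0.0/24, router 10.10.0.1, DNS/DCs 10.10.0.10 (contoso.com)
# and 10.10.0.11 (fabrikam.local), DHCP server dhcp1.contoso.com at 10.10.0.20, .1-.99 kept static.

$DhcpFqdn = 'dhcp1.contoso.com'
$DhcpIp   = '10.10.0.20'
$Scope    = '10.10.0.0'
$Mask     = '255.255.255.0'

# 1. Install the role (on 2008 R2: Import-Module ServerManager; Add-WindowsFeature DHCP).
ServerManagerCmd.exe -install DHCP

# 2. Authorize the server in AD. Only *Windows* DHCP servers check this and refuse to serve
#    when unauthorized; a rogue DHCP server running anything else is stopped by DHCP snooping
#    on the switches, not by AD.
netsh dhcp add server $DhcpFqdn $DhcpIp

# 3. One scope for the subnet. Clients of both domains lease from it; the DISCOVER carries
#    nothing that says which domain a client belongs to, so there is nothing to split on.
netsh dhcp server add scope $Scope $Mask 'Shared subnet' 'contoso.com and fabrikam.local clients'
netsh dhcp server scope $Scope add iprange 10.10.0.1 10.10.0.254
netsh dhcp server scope $Scope add excluderange 10.10.0.1 10.10.0.99   # hosts that stay static

# Router (003) and DNS servers (006). The DNS servers must resolve BOTH domains, as Chris says;
# every client gets the same list regardless of its domain.
netsh dhcp server scope $Scope set optionvalue 003 IPADDRESS 10.10.0.1
netsh dhcp server scope $Scope set optionvalue 006 IPADDRESS 10.10.0.10 10.10.0.11

# Deliberately NO option 015 (DNS domain name). With two domains on one wire there is no single
# correct value, and domain-joined clients register under their primary DNS suffix (their own
# AD domain), which does not come from DHCP anyway.

# 4. Hundreds of hosts are still static: ping before offering so a lease is never handed out
#    on top of an address that is already in use.
netsh dhcp server set detectconflictretry 2

# 5. Activate and check what the scope will actually hand out.
netsh dhcp server scope $Scope set state 1
netsh dhcp server scope $Scope show optionvalue
netsh dhcp server show scope
```

Two of the summary's bullets are not addressed here on purpose. Dynamic update credentials and zone rights are set up separately (the example after Chris's "Create Child Objects" answer above), and option 015 is left out rather than set to one of the two domains, because whichever domain you picked would be wrong for half the clients.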
 
LVL 71

Accepted Solution

by:
Chris Dent earned 340 total points
ID: 26208993

> and will look at the SOA of the domain they belong to??

They'll only need that if they're updating DNS directly, not via DHCP.

They'll need to be able to resolve host names and service records for the "other" domain via the DNS servers they use. If a trust is in place that kind of name resolution is already likely to be functional.

You can test that:

nslookup -q=srv _gc._tcp.domain.com

Should give you a list of Global Catalog servers for domain.com.

You're not really missing anything other than testing to make sure. It's quite a simple system really :)

> How do I get points without buying them? If I am an expert and the
> points I gain from answering, Can I use that to ask myself?

If you gain expert status you get unlimited points with which you can ask questions. Expert points are used for little more than ranking / status / self-satisfaction.

To earn expert status you will need to earn a total of 10000 points, and 3000 points a month to maintain that. Check the Help pages under Answering Questions for more details.

Chris
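The test in the accepted answer, generalised to every SRV record a domain member needs and to both domains, plus the SOA lookup that Chris's earlier answer says a self-registering client performs, as an added example that is not part of the thread. It drives nslookup, which is what the answer runs by hand and what a Server 2008 box has; Resolve-DnsName only appears with Windows 8 / Server 2012. The domain names and the DNS server address are assumptions: contoso.com and fabrikam.local are the two domains sharing the subnet, and 10.10.0.10 is the DNS server the DHCP scope hands out.

```powershell
# Added example, not from the thread. Uses nslookup (present on Server 2008).
# Assumptions: the domains sharing the subnet are contoso.com and fabrikam.local;
# 10.10.0.10 is the DNS server clients receive from DHCP.

$Domains   = 'contoso.com', 'fabrikam.local'
$DnsServer = '10.10.0.10'

# What a member needs from its own domain, and, with a trust in place, from the other one too:
# a DC for LDAP, a KDC for Kerberos, and a Global Catalog (the record the accepted answer tests).
$Services = '_ldap._tcp.dc._msdcs', '_kerberos._tcp', '_gc._tcp'

function Get-SrvTargets {
    param([string]$Name, [string]$Server)
    # nslookup prints one "svr hostname = dc1.contoso.com" line per SRV record returned.
    $out = & nslookup -q=srv $Name $Server 2>&1
    foreach ($line in $out) {
        if ("$line" -match 'svr hostname\s*=\s*(\S+)') { $Matches[1] }
    }
}

function Get-SoaPrimary {
    param([string]$Zone, [string]$Server)
    # A client that registers itself looks up the SOA of its OWN domain and sends the
    # dynamic update to the primary name server named there, not to $Server.
    $out = & nslookup -q=soa $Zone $Server 2>&1
    foreach ($line in $out) {
        if ("$line" -match 'primary name server\s*=\s*(\S+)') { return $Matches[1] }
    }
}

$allGood = $true
foreach ($d in $Domains) {
    foreach ($s in $Services) {
        $name    = "$s.$d"
        $targets = @(Get-SrvTargets -Name $name -Server $DnsServer)
        if ($targets.Count -eq 0) {
            Write-Warning "$name : no SRV records via $DnsServer"
            $allGood = $false
        } else {
            '{0,-45} -> {1}' -f $name, ($targets -join ', ')
        }
    }
    $soa = Get-SoaPrimary -Zone $d -Server $DnsServer
    if ($soa) { '{0,-45} -> {1}' -f "SOA $d (update target)", $soa }
    else      { Write-Warning "SOA $d : not resolvable via $DnsServer"; $allGood = $false }
}
if (-not $allGood) {
    Write-Warning "Missing records: check that $DnsServer hosts, forwards or stubs the other domain's zone"
}
```

Run it from a machine in each domain, pointed at each DNS server the scope hands out. A missing `_msdcs` or `_gc` answer for the other domain means that server cannot resolve the trusted domain, which is a conditional forwarder or stub zone problem on the DNS side, not a DHCP one; a missing SOA for a client's own domain is what stops self-registration before any permission question arises.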
 
LVL 7

Author Closing Comment

by:eugene20022002
ID: 31674474
Thanks Guys