DNS on Firewall vs server

We have inherited a client that has a Windows 2012 Server as a domain controller. We noticed that DNS and DHCP are running on the firewall, not the server. We know that is not a recommended solution, but they have been running for six months with no issues. Apparently, they were having connectivity issues before they made the change.

What is the potential drawback to keeping things the way they are? Will Active Directory not function properly? Also, is it a relatively simple process to move the roles back to the server?

Cris Hanna, Sr IT Support Engineer, commented:
Running DHCP and DNS off the firewall certainly is not the way to run an AD domain.
If DHCP is run from the server you can add options to also update DNS for the AD computers and other devices.
The most likely cause for the connection issues before is that forwarders were not configured in the server DNS.

Moving things back is simple.

The only drawback is if the server is down, there is no internet access.
Jian An Lim, Solutions Architect, commented:
There is a thread in regards to this.

There are SBS (small business) environments that put DHCP and DNS on the domain controller, but that does not really make it a best practice.

Putting them on the DC is easier because usually the Windows admin has access to all of them.
But since it is on the firewall (assuming there is no resource constraint), I would leave it there.
It really does not bother me that much, until you need to use advanced DHCP stuff, or pinpoint/split DNS stuff (this is usually your use case for using Windows servers).
Craig Beck commented:
If you don't run DNS on the DCs you probably won't have (the correct) SRV records. That will affect all kinds of services.

btan, Exec Consultant, commented:
It is good as an all-in-one device to manage from an operational standpoint, taking the security concern out of context in the recommendation not to run unnecessary services, or a single team without role segregation in compliance and hardening. But I see the key is more the availability impact:

- e.g. if the firewall goes down or any problem occurs, the entire LAN will be affected, as the machines cannot get an IP address. Your internal LAN can still be available if DHCP and DNS work on a separate device, even from some Cisco switch. Firewalls nowadays are subjected to all sorts of attacks (esp. perimeter ones with DDoS, web scraping, internet-based attacks etc.) and their availability (even HA has no 100% assurance) is really "thin". We do want to avoid a single point of failure.
Benjamin Van Ditmars, Sr Network Engineer, commented:
On a DC you need the DNS service for basic functionality; DHCP you also want to run. Don't forget to authorize the new DHCP server, else it won't work. Let your firewall do what it's made for :)
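The checks the answers above point at (Craig Beck's SRV records, the forwarder problem Cris Hanna mentions, and the DHCP authorization Benjamin raises) can be verified from a domain-joined machine before and after moving the roles. This is an added example, not code from the thread; the domain and DC names are placeholders, and the DHCP part assumes the DhcpServer RSAT module is installed.

```powershell
# Added example (not from the thread). Replace the placeholders with your own
# AD DNS domain and DC hostname before running.
$Domain = 'corp.example'        # placeholder AD DNS domain
$DcHost = 'dc01.corp.example'   # placeholder DC hostname

# 1. SRV records domain members use to locate DCs. If the resolver the clients
#    actually use (the firewall, in this thread) cannot return these, joins,
#    logons and Group Policy processing will fail.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.pdc._msdcs.$Domain",
    "_gc._tcp.$Domain"
)
foreach ($name in $srvNames) {
    try {
        $r = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
             Where-Object { $_.Type -eq 'SRV' }
        '{0,-45} -> {1}' -f $name, (($r | ForEach-Object { $_.NameTarget }) -join ', ')
    } catch {
        '{0,-45} -> MISSING ({1})' -f $name, $_.Exception.Message
    }
}

# 2. Which DNS servers this client is really using (DC or firewall?).
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 3. DC-side DNS health, including forwarder reachability, which is the likely
#    cause of the "connectivity issues" the asker describes. Run against the DC.
dcdiag /test:dns /s:$DcHost /v

# 4. A Windows DHCP server in an AD domain must be authorized or it will not
#    hand out leases. List the authorized servers; authorize the DC once the
#    role has been moved back.
Import-Module DhcpServer
Get-DhcpServerInDC
# Add-DhcpServerInDC -DnsName $DcHost
```

Run the SRV loop first with the clients' current resolver, then again once DNS is back on the DC; the difference shows whether the firewall was forwarding AD lookups correctly.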
btan, Exec Consultant, commented:
In fact, I see the FW can still function as what it is, e.g. opening a port to forward it to the respective service, in this case to the DHCP and DNS server deployed separately. Most of the time, the FW still remains the default gateway out to the external network. It is also common for organisations to decentralise DHCP (esp. if there are remote offices) and centralise the DNS server (working closely with the central AD). So the FW is more of the traffic controller that sanctions and directs traffic as required.

Having all in one (sorry for the typo in the previous post) should be avoided, as all here have advocated separating those services out from the FW. You can leverage Server Core to configure a dedicated role on another server doing DNS and DHCP with less hassle and a reduced attack surface too, if the AD DC team does not want to reconfigure to assume those additional roles.

jspazianocto (Author) commented:
Thanks to all for the great advice.