AD, DHCP, DNS

I am setting up a small business network.  DNS and AD are being managed on Windows Server 2016.  Should I have Windows Server manage DHCP as well?  I was thinking about having a SonicWALL firewall manage DHCP and VPN.

If I want remote users to connect to the VPN authenticating with domain credentials, does this sound right? Any suggestions on network topology?
tike55 asked:

MAS (MVE), EE Solution Guide - Technical Dept Head, commented:
Hi tike55,
It is always recommended to have Active Directory-integrated DHCP (on the server).
IPs for VPN clients will be served by the SonicWALL firewall, which will be a different range on newer models.
https://www.experts-exchange.com/questions/26199432/Switching-DHCP-from-domain-controller-to-the-Router.html
1

John, Business Consultant (Owner), commented:
Let your server manage DHCP, as it will do it better than small hardware boxes.  That has (in my world) nothing to do with VPN.  Set up hardware IPsec VPN on your VPN box; people can access it and then get to network devices.  Works great.
1
Yuri Spirin, Systems Integration, commented:
I agree with the previous experts' comments. Also, you can set up a DHCP relay on your router so that the VPN users can also get their addresses from the Windows DHCP server.
1

Blue Street Tech, Last Knight, commented:
Hi tike55,

I like the VPNs (SSL-VPN & GVC) running on the SonicWALL because you have more flexibility and better security, but leave the DHCP where it is. For DHCP scopes in separate zones, e.g. for wireless DHCP, use IP Helper so that Windows Server manages the DHCP. To enable users to sign in to the VPN using their AD credentials, simply implement LDAP in your SonicWALL. For enhanced VPN and wireless security you can implement NPS (Network Policy Server) for VPN and/or WLAN via RADIUS authentication. You can do all of that with your SonicWALL and by implementing a Windows NPS server, which will provide better security, controls & functionality like SSO. To get specific, I'd need to know the model of the SonicWALL, how many physical locations and users in total.

In micro environments (20 users or less) I don't think it really matters all that much, but in larger environments Windows should manage DHCP for a number of reasons. Best practice states Windows should always manage DHCP. Here are a few reasons why Windows should manage DHCP:
  • DHCP HA (High Availability) - especially when multiple physical locations are involved. Sure, you can HA your firewall/router, but that would be N+1, not 2N;
  • DHCP LB (Load Balancing) - this parlays off of HA but it's different; LB distributes the load, whereas HA is about failure or availability;
  • Better Auditing - typically routers do not have an allocated logging system;
  • Centralized Management - again, when dealing with multiple locations, with Windows you manage it in one pane of glass as opposed to multiple panes/devices;
  • DHCP Options - typically Windows has more flexibility than a network device;
  • Auto DNS Registration - Windows will automatically register new DHCP leases in DNS;
  • Centralized Architecture - The Windows DC is the nerve center of all resources & services on the network and is designed to closely interact & interoperate with, among others, three keystone services/roles: ADDS (Active Directory Domain Services), DHCP & DNS. Furthermore, AD is designed to, and needs to, coordinate many of its activities with the DNS and DHCP services;
  • IPv6 - Many routers do not support IPv6 DHCP leasing. Server 2012 initiated IPv6 as a default because it is more secure, has built-in IPsec & will ultimately take over from IPv4.

Let me know if you have any questions!
0
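The setup described in the comments above (MAS: AD-authorized DHCP on the server; Yuri Spirin: a relay so VPN clients lease from Windows; Blue Street Tech: one scope per zone reached via IP Helper, DHCP options, automatic DNS registration, failover for HA/load balancing, audit logging, and NPS/RADIUS for the SonicWALL), as an added PowerShell example that is not code from any of the posters. Every hostname, address, account and secret is an assumption for illustration; the IP Helper / DHCP relay pointing at the server is configured on the SonicWALL side and is not shown.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session on the
# server that will hold the DHCP role. Assumed lab layout (hypothetical):
#   dc1.corp.example 10.10.0.10  this DHCP server   dc2.corp.example 10.10.0.11  failover partner
#   LAN       10.10.0.0/24   gateway 10.10.0.1   (SonicWALL LAN interface, also the RADIUS client)
#   Wireless  10.10.20.0/24  gateway 10.10.20.1  (separate zone; IP Helper on the firewall -> 10.10.0.10)
#   VPN pool  10.10.30.0/24  gateway 10.10.30.1  (served only if the firewall relays VPN client DHCP)

$DhcpServer = 'dc1.corp.example'
$Partner    = 'dc2.corp.example'
$Domain     = 'corp.example'
$DnsServers = '10.10.0.10', '10.10.0.11'

# 1. Install the role and authorize this server in AD. A domain-joined DHCP server that is
#    not authorized refuses to hand out leases; that is the AD integration the thread recommends.
Install-WindowsFeature DHCP -IncludeManagementTools
Add-DhcpServerInDC -DnsName $DhcpServer -IPAddress 10.10.0.10
Get-DhcpServerInDC          # every authorized server in the forest; a rogue box will not be listed

# 2. Server-wide options inherited by every scope unless overridden per scope.
Set-DhcpServerv4OptionValue -DnsServer $DnsServers -DnsDomain $Domain

# 3. One scope per zone. A relayed DHCPDISCOVER carries the relay agent's address (giaddr),
#    and the server picks the scope whose subnet contains it, so the IP Helper on the
#    SonicWALL is what steers wireless and VPN clients into their own ranges.
$scopes = @(
    @{ Name = 'LAN';      ScopeId = '10.10.0.0';  Start = '10.10.0.100'; End = '10.10.0.200';  Router = '10.10.0.1'  },
    @{ Name = 'Wireless'; ScopeId = '10.10.20.0'; Start = '10.10.20.50'; End = '10.10.20.250'; Router = '10.10.20.1' },
    @{ Name = 'VPN';      ScopeId = '10.10.30.0'; Start = '10.10.30.10'; End = '10.10.30.250'; Router = '10.10.30.1' }
)
foreach ($s in $scopes) {
    Add-DhcpServerv4Scope -Name $s.Name -StartRange $s.Start -EndRange $s.End `
        -SubnetMask '255.255.255.0' -LeaseDuration (New-TimeSpan -Days 1) -State Active
    Set-DhcpServerv4OptionValue -ScopeId $s.ScopeId -Router $s.Router
}

# 4. Auto DNS registration: the DHCP server registers A/PTR records for every lease and
#    removes them on expiry. Use a dedicated low-privilege account for those updates
#    (assumed: CORP\dhcp-dns) rather than letting a DC update DNS with its own identity.
Set-DhcpServerv4DnsSetting -DynamicUpdates Always -DeleteDnsRRonLeaseExpiry $true
$cred = Get-Credential -Message 'Account for DHCP DNS registrations (assumed: CORP\dhcp-dns)'
Set-DhcpServerDnsCredential -Credential $cred

# 5. HA and load balancing: DHCP failover with the partner server for every scope.
#    LoadBalance splits new leases 50/50 (the LB case); swap in -ServerRole/HotStandby
#    mode if you only want the partner to take over on failure (the HA case).
Add-DhcpServerv4Failover -Name 'DC1-DC2' -PartnerServer $Partner `
    -ScopeId (Get-DhcpServerv4Scope).ScopeId -LoadBalancePercent 50 `
    -MaxClientLeadTime (New-TimeSpan -Hours 1) -SharedSecret 'assumed-failover-secret' -Force

# 6. Audit logging, the per-lease record the thread contrasts with router DHCP
#    (daily DhcpSrvLog-*.log files in the path below).
Set-DhcpServerAuditLog -Enable $true -Path 'C:\Windows\System32\dhcp'

# 7. RADIUS for the SonicWALL VPN/WLAN: install NPS and register the firewall as a client.
#    The network policy itself (which AD group may connect, which EAP type) is built in the
#    NPS console or with `netsh nps` and is not shown here.
Install-WindowsFeature NPAS -IncludeManagementTools
New-NpsRadiusClient -Name 'SonicWALL' -Address '10.10.0.1' -SharedSecret 'assumed-radius-secret'

# Verification: scopes, failover relationship, and current leases.
Get-DhcpServerv4Scope | Format-Table Name, ScopeId, StartRange, EndRange, State
Get-DhcpServerv4Failover
Get-DhcpServerv4Scope | ForEach-Object { Get-DhcpServerv4Lease -ScopeId $_.ScopeId }
```

The same scope table drives all three zones, so adding a site or a new SSID is one more hashtable entry plus an IP Helper entry on the firewall; the failover relationship covers every scope on the server, which is what gives the "2N" availability the comment above asks for.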
Natty Greg, In Theory (IT), commented:
Least headache when the server runs DHCP: easier to manage and block users. The only exception I see here is if you're running a UTM.
0
Olgierd Ungehojer, Senior Network Administrator, commented:
There are many situations when it is better to have DHCP running on another device, not on the domain controller. For me the DHCP server is more related to the network than to the Active Directory service. What if your server has a problem and you need to restore from backup? You will have no DHCP server on the network for a number of hours. Your share drive can be somewhere else, you can have your data in the cloud, your database can be on another server. If your DHCP server is down and a user restarts his computer, he will not be able to work. If you have a good-class router like Cisco, SonicWALL or Cloud Core MikroTik, you can provide the same functionality. If you have the DHCP server on Windows Server and some user connects some device with a DHCP service, your Windows DHCP server will stop working and you will not see it for a few hours if you do not have good monitoring tools.  I am not saying that a DHCP server on Windows Server with AD is a bad idea, but there are many scenarios where you can have a better setup.
0
Blue Street Tech, Last Knight, commented:
Thanks for the points...glad we could help.

P.S. I would have appreciated an even point split - I put a lot more effort in my answer than others. #justSayin

@Olgierd Ungehojer - I don't agree with your entire post. Please cite a situation where it would be better to have DHCP on another device. Look at my previous post and tell me how any device is going to do any or all of that. Also, your hypotheticals are easily countered with best practices. Backups should take no more than 15m - and I'm talking about everything from a DB restore to a full image restore. Having a foreign DHCP server cause the Windows DHCP to fail is completely preventable.
0
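The rogue-DHCP scenario raised by Olgierd Ungehojer above, and Blue Street Tech's reply that it is preventable, call for a check. As an added PowerShell example that is not code from either poster: send one DHCPDISCOVER on the local segment, collect every DHCPOFFER, and flag any offering server that is not in the Active Directory authorization list returned by Get-DhcpServerInDC. Assumptions: run as Administrator on a domain-joined probe host with the DhcpServer RSAT module, on which UDP/68 is not held exclusively by the DHCP Client service (if the bind fails, use a dedicated probe host); the MAC, XID and timeout are constructed values.

```powershell
# Added example (not from the thread): find every DHCP server that answers on this
# segment and report whether AD has authorized it. Rogue servers are anything else.

function Find-DhcpServers {
    param([int]$TimeoutSeconds = 5)

    # Locally administered, constructed MAC so we never touch a real client's lease.
    $mac = [byte[]](0x02, 0x00, 0x5E, 0x00, 0x00, 0x01)
    $xid = [byte[]](1..4 | ForEach-Object { [byte](Get-Random -Maximum 256) })

    # Minimal DHCPDISCOVER: RFC 2131 fixed header (236 bytes), magic cookie, options.
    $pkt = New-Object byte[] 300
    $pkt[0] = 1; $pkt[1] = 1; $pkt[2] = 6           # op=BOOTREQUEST, htype=Ethernet, hlen=6
    [Array]::Copy($xid, 0, $pkt, 4, 4)              # xid, used to match replies to this probe
    $pkt[10] = 0x80                                 # flags: broadcast the reply (we do not own $mac)
    [Array]::Copy($mac, 0, $pkt, 28, 6)             # chaddr
    $opts = [byte[]](0x63, 0x82, 0x53, 0x63,        # magic cookie
                     53, 1, 1,                      # option 53 = DHCPDISCOVER
                     55, 2, 1, 3,                   # option 55: request subnet mask and router
                     255)                           # end
    [Array]::Copy($opts, 0, $pkt, 236, $opts.Length)

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.ExclusiveAddressUse = $false
    $udp.Client.SetSocketOption([System.Net.Sockets.SocketOptionLevel]::Socket,
                                [System.Net.Sockets.SocketOptionName]::ReuseAddress, $true)
    $udp.Client.Bind([System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 68))
    $udp.EnableBroadcast = $true
    $udp.Client.ReceiveTimeout = $TimeoutSeconds * 1000
    $null = $udp.Send($pkt, $pkt.Length,
                      [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Broadcast, 67))

    # Keep reading until the timeout: more than one server may answer, and that is the point.
    $offers   = @{}
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        $from = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
        try { $data = $udp.Receive([ref]$from) } catch { break }        # receive timeout
        if ($data.Length -lt 241 -or $data[0] -ne 2) { continue }        # not a BOOTREPLY
        if ([BitConverter]::ToUInt32($data, 4) -ne [BitConverter]::ToUInt32($xid, 0)) { continue }

        # Walk the options for message type (53) and server identifier (54).
        $msgType  = 0
        $serverId = $from.Address.ToString()                             # fallback if 54 is absent
        $i = 240
        while ($i + 1 -lt $data.Length -and $data[$i] -ne 255) {
            if ($data[$i] -eq 0) { $i++; continue }                      # pad option
            $code = $data[$i]; $len = $data[$i + 1]
            if ($code -eq 53 -and $len -ge 1) { $msgType = $data[$i + 2] }
            if ($code -eq 54 -and $len -eq 4) {
                $serverId = "$($data[$i+2]).$($data[$i+3]).$($data[$i+4]).$($data[$i+5])"
            }
            $i += 2 + $len
        }
        if ($msgType -ne 2) { continue }                                 # not a DHCPOFFER
        $offers[$serverId] = "$($data[16]).$($data[17]).$($data[18]).$($data[19])"   # yiaddr
    }
    $udp.Close()

    # Compare with the servers AD has authorized; anything else that offered a lease is rogue.
    $authorized = Get-DhcpServerInDC | ForEach-Object { "$($_.IPAddress)" }
    foreach ($srv in $offers.Keys) {
        [pscustomobject]@{
            Server     = $srv
            OfferedIp  = $offers[$srv]
            Authorized = ($authorized -contains $srv)
        }
    }
}

Find-DhcpServers | Format-Table -AutoSize
```

A row with Authorized = False is the "user plugged in a device with a DHCP service" case; schedule the probe on each VLAN (a relayed probe only reaches the servers the relay forwards to, so run it on the segment itself) and alert on that row. The preventive control is DHCP snooping on the access switches, which drops DHCPOFFERs arriving on untrusted ports, so only the Windows server's ports can answer.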