Phil Rine

asked on

Remove DHCP role from Windows Server 2016

I have a customer running a Windows Server 2016 with the Active Directory, DHCP, DNS and File and Storage roles installed and running. For a few reasons we want to not use the server for DHCP and instead use the current SonicWall (which has DHCP turned off) for DHCP. Can I simply remove the role or disable it in services and turn on DHCP on the SonicWall?

Scott Silva

It is much easier for DHCP to keep internal DNS updated if they are both on the Windows server, but yes, you can turn one off and the other on. Then you have to restart the network stacks on the PCs, wait for the old DHCP settings to expire, or reboot. Just make sure the SonicWall DHCP settings are correct.

This will also most likely break domain interactions, leaving strange AD issues...


Not sure why they would want to do this, but it does show that the customer is NOT always right...

Agree with Scott.

For the record, I've never seen an instance where I would want (or could imagine wanting) to run DHCP on a SonicWall device and NOT on Windows Server if there was a domain present. I would suggest you describe your reasons, as you may be misunderstanding something and creating an unnecessarily more complicated network.

The one other thing I'll point out: you would be wise to shut down EVERYTHING before activating DHCP on the SonicWall if your scopes overlap. Otherwise, for example, if Windows has a scope of .100 to .200 and your computer has an address of .100, then you shut down Windows DHCP and activate the SonicWall's with the same scope, you could get an IP conflict if the SonicWall hands out .100 to the first computer asking for an IP. Alternatively, use a different scope. Shrink the Windows scope to .100 to .175 (making sure nothing above that has been handed out) and then set the SonicWall to .176 to .250 (provided you have nothing statically set in that range). OR, another option, change your lease time on Windows to 10 minutes or something really low. WAIT A DAY (or 8, or however long the original lease time is). Then all systems will have the short lease time. With the short lease time set for everything, shut down Windows DHCP and wait until the lease has expired (if it's a 10 minute lease, wait 10 minutes). Then, with the SonicWall having the same scope, enable DHCP on it and all systems should get IPs from the SonicWall with no possibility of a conflict.

You could unauthorize the DHCP server and it will stop running.

In the DHCP server admin tool, right click and you will see an option to unauthorize.

Scott and Lee have raised why it is better to keep it.

Note you have to manage and make sure the SonicWall DHCP pushes the DNS and other settings that might be needed, pointing to the internal DC/DNS.

I would initially just stop and disable the DHCP service until you are confident about the SonicWall solution. This makes it easier to fail back if necessary. However, as others have stated, I am not sure why you would want to use the SonicWall firewall. We recently moved all of our DHCP and DNS from our Windows servers, but we did that to move to Infoblox. This is a full IPAM enterprise solution. This is one reason I recommend just stopping and disabling the service. It took several attempts for us to get Infoblox working correctly in our environment and we had to fail back 3 or 4 times before we had it fully functioning. It was easy to just stop the Infoblox service and re-enable and start the DHCP service on the server.

Phil Rine (ASKER)

Thank you all for answering. Let me give a little more info. The customer has the following:

1 Windows server as described.

3 desktops joined to the domain.

2 network printers.


There is the incoming ISP going to the SonicWall (currently DHCP is off) and then being passed through to the network. Recently they had 2 power outages and the power was down long enough for the battery backups to drain. When the network was restarted, the server was not giving out IPs and therefore could not be accessed. We had to reboot the server and desktops several times, after restarting the modem and the SonicWall, and finally got connectivity to the LAN and the WAN. Full disclosure, the 2nd time the office building lost power one of the switches got zapped, which they didn't realize until I got on site. They were trying to troubleshoot the network because I could not get there right away, which is of course never a good idea. Many times, as you probably know, users just start unplugging and plugging cables, which can really foul things up. Once I replaced the switch all was right with the network. The way I was taught many years ago was to use something like a SonicWall or other firewall device that is capable of handling DHCP to allow it to do so and leave the server to handle DNS. I have several locations doing this and have never had any network issues if there was a loss of power or the ISP went down. In fact, if there is a network connectivity issue to the Internet I have the customer power down the modem and router/firewall and bring them back up, modem first and router 2nd. All that being said, I felt that if I had to walk this customer through the process over the phone it would be easier without having the server involved. In the current scenario, is there an order I should be bringing the system back online that I am not doing? In thinking about it I realized that maybe the correct order should be the modem first, SonicWall 2nd and the server 3rd, then the desktops last.

At this point I am probably going to leave the network as is and explain to my customer that in the 5 years the network has been online these are the only 2 times where we have had issues, and one of them was related to the switch. Changing the DHCP to the SonicWall would certainly not resolve that.


But I do have to ask this question... why is it better to use the server for DHCP and not something like a SonicWall when AD is installed? I simply just don't know the answer, so your expert knowledge would really be helpful for the future.

Thanks,

Phil

With a single server, several workstations and 2 network printers there is no specific order.
How many switches are there?
If the switch goes down, it does not really matter where the DHCP server is; there will be no network traffic being passed.

The server came back, but the network switch was dead.
An option, if the server has two network cards, is to configure the cards as a team and have two switches, with one computer/printer on one switch and one computer/printer on the other.
At least this way you will have one system/printer combination functioning.

Another thing is to set the BIOS/system config on the server to boot.
Likely the issue with the server, though, was that it was powered off by the UPS? Depending on the hardware, does it have dual power supplies? Does it have hardware configurable such that a loss of power / power restore on the power supply triggers a boot without regard to the state of the system prior?

As to your final question, the Windows DHCP server, if configured, will register the IP it is allocating in DNS and is not reliant on the device that obtained the IP to register itself in DNS.




Resilience of DHCP is a perfectly reasonable request. No harm in putting it in place if you need it.


Anyway, the best path may depend on how big your subnet/DHCP range(s) are.


Ideally, if your DHCP pool has some spare capacity:

  • Reduce the DHCP pool size on the server (halve it if viable).
  • Take note of any sections that should not be allocated (server IPs etc.).
  • Allow several days (depending on your DHCP lease time) to ensure all clients have picked up IPs within this reduced range.
  • Set up the now unused range of IPs in a DHCP pool on the SonicWall. Apply any reservations or IPs that should not be allocated.
  • If the SonicWall allows it, apply a delay to the DHCP so the server usually responds first.

With the above, you have two DHCP servers providing the same subnet without overlapping DHCP pools (as overlaps can cause conflicts).

It means you have two DHCP servers to monitor/diagnose when issues occur, but it does mean that you have resilience in place.
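Both the scope-shrinking procedure in Lee's post above and the split-pool plan in this last post hinge on the same checks before anything is changed on the Windows side: what the current scope, lease time, reservations and exclusions are, and whether any client still holds an active lease in the part of the range you intend to hand to the SonicWall. The following PowerShell is an added example written for this thread, not code from any of the posters; it uses the Windows Server DhcpServer module and assumes a constructed scope of 192.168.1.0/24, a planned new end of the Windows pool at .175, and a 10-minute lease. Changes are gated behind `$Apply` so the script audits only until you flip it.

```powershell
# Added example (not from the thread). Audit a Windows Server 2016 DHCP scope before
# shrinking it or handing it over, then optionally apply the changes the posters describe.
# Assumed/constructed values: scope 192.168.1.0, new Windows pool end .175, 10-minute lease.
# Run in an elevated PowerShell on the DHCP server (add -ComputerName to run remotely).
Import-Module DhcpServer

$ScopeId    = '192.168.1.0'      # assumed scope
$NewEnd     = '192.168.1.175'    # assumed new end of the Windows pool (SonicWall gets .176+)
$ShortLease = New-TimeSpan -Minutes 10
$Apply      = $false             # $true = actually shorten the lease / shrink the scope

# Dotted quad -> big-endian UInt32 so addresses can be compared numerically.
function ConvertTo-UInt32 ([string]$Ip) {
    $bytes = ([ipaddress]$Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    [BitConverter]::ToUInt32($bytes, 0)
}

# 1. Current scope, lease duration, reservations and exclusions: the addresses that must
#    NOT end up inside the SonicWall pool (the "sections that should not be allocated").
$scope = Get-DhcpServerv4Scope -ScopeId $ScopeId
"Scope {0}: {1} - {2}, lease {3}" -f $scope.ScopeId, $scope.StartRange, $scope.EndRange, $scope.LeaseDuration
Get-DhcpServerv4Reservation   -ScopeId $ScopeId | Select-Object IPAddress, ClientId, Name
Get-DhcpServerv4ExclusionRange -ScopeId $ScopeId | Select-Object StartRange, EndRange

# 2. Active leases above the planned new end. While this list is non-empty, shrinking the
#    scope or enabling the other server on that range would overlap a live lease.
$newEndInt   = ConvertTo-UInt32 $NewEnd
$leasesAbove = Get-DhcpServerv4Lease -ScopeId $ScopeId |
    Where-Object { $_.AddressState -like 'Active*' -and (ConvertTo-UInt32 "$($_.IPAddress)") -gt $newEndInt }
"Active leases above {0}: {1}" -f $NewEnd, $leasesAbove.Count
$leasesAbove | Select-Object IPAddress, HostName, ClientId, LeaseExpiryTime

# 3. DNS side: confirm the server is doing the dynamic DNS registration that is the main
#    reason given in the thread for keeping DHCP on the DC, and that the DNS server
#    (option 6) and domain name (option 15) handed out point at the internal DC/DNS.
Get-DhcpServerv4DnsSetting  -ScopeId $ScopeId
Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 6, 15

if ($Apply) {
    # 4. Shorten the lease first so the old (long) leases age out quickly; wait at least one
    #    old lease period before relying on it, as the thread says.
    Set-DhcpServerv4Scope -ScopeId $ScopeId -LeaseDuration $ShortLease

    # 5. Only shrink once nothing above the new end is still active.
    if ($leasesAbove.Count -eq 0) {
        Set-DhcpServerv4Scope -ScopeId $ScopeId -EndRange $NewEnd
        "Scope end moved to $NewEnd; the SonicWall pool can now use the addresses above it."
    } else {
        "Not shrinking: $($leasesAbove.Count) active lease(s) still above $NewEnd."
    }
}

# Fail-back-friendly stop, as suggested in the thread (reversible, unlike removing the role):
#   Stop-Service DHCPServer; Set-Service DHCPServer -StartupType Disabled
# and to bring it back:
#   Set-Service DHCPServer -StartupType Automatic; Start-Service DHCPServer
```

Re-run the audit (with `$Apply` still `$false`) after the old lease period has elapsed; the active-leases-above count is the number a practitioner wants to see hit zero before the SonicWall pool is enabled, and the option 6 output is what to compare against the DNS settings configured on the SonicWall scope.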


