In part three of this series, we will be installing and configuring DHCP & DNS. In this guide, DHCP & DNS will be installed onto a domain controller, but the following steps can be repeated when setting up each role on a dedicated server.
It’s very common to see DHCP & DNS installed onto a primary domain controller. You will mainly see this in small/medium businesses, where cost and resources don’t justify dedicated servers for each service.
As you move up into medium to enterprise sized businesses, it’s best practice to have a dedicated server for each role, with High Availability/Fail-Over implementations. In a later guide, we will be migrating our DHCP role onto dedicated servers with High Availability and Fail-Over. This kind of role migration is very common, and is seen when a business grows rapidly or when smaller businesses merge.
So when should we install these roles onto a dedicated server or on the single server?
A few factors we need to look at when deciding to split roles and features are:
- Resourcing: Do you have enough physical resources to build multiple servers that will support split roles?
- Active Endpoints/User-base Size: The number of employees and active devices in the organisation is a major factor in this decision. A basic estimation would be:
500 users/devices or less = Add the DHCP role onto a single server with secondary server for HA/FO (if resourcing allows)
500+ users/devices = DHCP roles on separate servers with HA/FO
- Costing: When factoring cost, remember that each server will require a Windows licence, CALs, etc. Is it cost effective for you to spend the extra money on segregated services?
These are only a few factors to account for when deciding whether to segregate the DHCP role onto a dedicated server. It’s also good to note that while in most cases you can run a primary DC with AD, DHCP & DNS on a single server, Microsoft recommends segregating each role onto a dedicated server for security purposes: it minimises the attack surface and the chance of one service causing an issue that impacts the performance or functionality of another.
Let’s get started!
- Open Server Manager > Manage > Add Roles and Features
- Click Next
- Select “Role-based or feature-based installation” and select Next
- If you have multiple servers set up, select the server you want to install the role on. In this case I will be installing it onto the only Domain Controller VM I have. By default you should see the server we created in Part 1. Click Next.
- Select DHCP Server and Add Features on the Pop-Up, click Next
- Click Next for Features and DHCP Server
- Tick “Restart the destination server automatically if required”, if this is a non-production server and won’t affect any services running. Click Install.
The Installation process will begin and may take several minutes to complete, depending on the allocated resources for the VM and hardware specifications/load.
- Click Close to finish the installation
Configure DHCP Role
At this stage we should have already installed Active Directory, DNS and DHCP. Our Active Directory should be all up and running, ready to use. DNS should have been installed when Active Directory was installed, and now we need to proceed with DHCP configurations, followed by DNS configurations.
In this guide, I won’t be deep diving into subnetting and scope ranges. Generally the IP scope and subnetting would be organised by a network engineer, and then we carry out the configuration on the server side. If you are a one-man engineering team, you can read more about subnet planning and IP addressing HERE.
Depending on the size of your organisation, keep in mind the number of devices you will have. If you have 200 workstations, 200 phones, plus Wi-Fi devices, it’s best practice to have a subnet for each. For example:
x.x.1.x = workstations
x.x.2.x = wifi device
x.x.3.x = IP phones
If more IPs are required, we can implement split-scoping to expand our IP range for devices (this will be covered in a later guide).
In this guide, we will be creating a single scope with AD authorisation to suit a small business (or a lab, in this case).
- Click the Notifications Pane in Server Manager, and select Complete DHCP Configuration
- Click Next
- If you have specific AD Administrator credentials, add them here. In this case I am configuring DHCP with the core domain Administrator account, so I will use the following credentials. If the DHCP role won’t be a part of a domain, you can skip AD authorisation. Click Commit.
- Once completed, click Close.
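The same role installation and post-install authorisation as the two wizards above, done from PowerShell on the DC. This is an added example, not part of the original guide; the DC’s FQDN and address are assumed values, since the page gives neither.

```powershell
# Added example (not from the original guide): installs the DHCP role and performs the
# steps that "Complete DHCP Configuration" does for you. Run as a Domain Admin on the DC.
$DcFqdn = "dc01.lab.local"   # assumed: your DC's fully qualified name
$DcIp   = "10.0.1.10"        # assumed: inside the 10.0.1.2-100 server range from the guide

# Equivalent of the Add Roles and Features wizard. Add -Restart only on a non-production
# server, the same caveat as the "Restart the destination server automatically" tick box.
Install-WindowsFeature -Name DHCP -IncludeManagementTools

# Create the local "DHCP Administrators" and "DHCP Users" groups, then restart the service
# so it picks them up (Server Manager does this behind the Commit button).
netsh dhcp add securitygroups
Restart-Service DHCPServer

# Authorise the server in Active Directory. A domain-joined Windows DHCP server that is not
# authorised will not start serving leases, which is what keeps an unapproved DHCP server
# from handing out addresses on a domain network. Skip this for a workgroup-only server.
Add-DhcpServerInDC -DnsName $DcFqdn -IPAddress $DcIp

# Clear the Server Manager "configuration required" notification (2 = configuration complete).
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12" `
    -Name ConfigurationState -Value 2

# Verify: the DC should now be listed as an authorised DHCP server.
Get-DhcpServerInDC
```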
Create DHCP Scope
- In Server Manager, click on Tools > DHCP. This will open the DHCP Management Console.
- In DHCP Management Console, expand your root server and right click IPv4, select New Scope.
- Click Next on the Welcome Wizard Pop-up
- Provide a descriptive or meaningful name and add a description, followed by clicking Next.
Best practice for scope names is to state the location (if you have more than one location) and data type. For example:
SYDNEY-Data = Sydney Site Data devices like workstations, Lan devices
SYDNEY-VOICE =Sydney Site Voice IP Phones
- Enter your IP range and subnet mask (this can be provided by your lead network engineer; otherwise it will need to be scoped accordingly before configuration). Click Next.
In this case, I will be using the 10.0.1.100 – 10.0.1.200 scope. This leaves the following:
10.0.1.1 = Gateway IP
10.0.1.2-100 = Other server side things like network equipment and servers
10.0.1.201 – 256 = Printer devices
- Add any exclusions to the DHCP configurations if required, in this case I have none. Click Next.
- Generally, leaving the lease duration at 8 days is safe. This means that if devices check in and out of the office, the lease will expire after the configured number of days, hours and minutes; if the device is no longer seen, that IP becomes available again. Click Next.
- If you don’t wish to configure the DHCP options now, tick No and follow through. In this case we will be configuring a few DHCP options, so select Yes and click Next.
- Enter your router’s IP address for the Default Gateway and click Next. (Note: your router IP or Default Gateway IP might differ from mine.)
- Enter your DNS Server IP address, if you have multiple add those too. In this case DNS will be on the local DC, so I’ll be adding the DC IP. Click Next.
- If you have a WINS server, enter the details for that. In this case I don’t have a WINS server. Click Next.
- If you wish to activate the scope right away, click Yes and then Next. In this case, for demonstration purposes, I will select No to show you how to activate the scope manually.
- Click Finish.
- To activate the scope manually, expand IPv4 and right-click the scope > Activate, or select the scope and click the green arrow.
- Right-click the server > All Tasks > Restart to complete the configuration (this won’t affect current production devices).
- Congratulations! You should now see your new scope activated and ready to go!
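The scope the New Scope wizard builds above, created and then activated manually from PowerShell so the values are easy to review. This is an added example, not part of the original guide; the DNS server address and domain name are assumed, since the page only says “the DC IP”.

```powershell
# Added example (not from the original guide): builds the SYDNEY-Data scope from the walkthrough.
$ScopeId    = "10.0.1.0"         # network address of the 10.0.1.x/24 subnet
$SubnetMask = "255.255.255.0"
$Gateway    = "10.0.1.1"         # gateway IP from the guide
$DnsServer  = "10.0.1.10"        # assumed: the DC's address (the guide says "the DC IP")
$DnsDomain  = "lab.local"        # assumed: your AD domain name

# Scope named per the SITE-Type convention, 8-day lease, created inactive as in the walkthrough.
# Only .100-.200 is handed out, so the .1 gateway, .2-.100 servers and printers above .200
# are outside the pool and need no exclusion range.
Add-DhcpServerv4Scope -Name "SYDNEY-Data" `
    -Description "Sydney site data devices (workstations, LAN devices)" `
    -StartRange 10.0.1.100 -EndRange 10.0.1.200 -SubnetMask $SubnetMask `
    -LeaseDuration (New-TimeSpan -Days 8) -State Inactive

# Scope options set by the wizard pages: 003 Router, 006 DNS Servers, 015 DNS Domain Name.
# No -WinsServer, matching the "no WINS server" step.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router $Gateway `
    -DnsServer $DnsServer -DnsDomain $DnsDomain

# The green-arrow step: activate the scope.
Set-DhcpServerv4Scope -ScopeId $ScopeId -State Active

# Verify the range, lease and state, and the options clients will receive.
Get-DhcpServerv4Scope -ScopeId $ScopeId |
    Format-List Name, StartRange, EndRange, SubnetMask, LeaseDuration, State
Get-DhcpServerv4OptionValue -ScopeId $ScopeId | Format-Table OptionId, Name, Value
```

Set-DhcpServerv4OptionValue checks that the DNS server address is reachable before accepting it, so run this after DNS on the DC is up.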
Setup DNS Reverse Lookup Zones
DNS should have already been installed and configured during part one of this guide, or when Active Directory was installed and configured.
To complete this, we will setup our reverse lookup zones for DNS and then your domain controller is ready for production!
- Open Server Manager > Tools > DNS
(Note: If you check the forward lookup zones, you should already see entries for your domain controller)
- Expand your DNS Server and right click Reverse Lookup Zones, click New Zone.
- On the Welcome Wizard page click Next.
- In this case we don’t have a DNS primary zone yet, so select Primary Zone and click Next. Enable Store the zone in Active Directory if you require it.
- Choose To all DNS servers running on domain controllers in this domain: DOMAIN and click Next.
- Select the IP range you want the reverse lookup to act on (IPv4 for demo purposes). Click Next.
- Enter the start of the subnet range for that scope, in my case it’s 10.0.1.x/24. Click Next.
- Select Allow only secure dynamic updates. Click Next.
- Click Finish.
Congratulations! You have successfully installed and configured DHCP and DNS. At this point, any device connected to your network should obtain an IP address from that scope, and any device joined to the domain should automatically have DNS configured.
You can test this by performing an nslookup on the device’s name and IP address; it should return a result for each.
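The reverse lookup zone from the New Zone wizard above, created from PowerShell with the same settings (AD-integrated, replicated to DNS servers on DCs in the domain, secure dynamic updates only), followed by the equivalent of the nslookup test. This is an added example, not part of the original guide; the workstation name is assumed.

```powershell
# Added example (not from the original guide): creates the 10.0.1.x/24 reverse lookup zone
# with the wizard's settings and checks a domain-joined host resolves both ways.
Add-DnsServerPrimaryZone -NetworkId "10.0.1.0/24" -ReplicationScope Domain -DynamicUpdate Secure

# Confirm the zone exists and still only accepts secure (Kerberos-authenticated) dynamic
# updates; "NonsecureAndSecure" would let any host on the network overwrite PTR records.
$zone = Get-DnsServerZone -Name "1.0.10.in-addr.arpa"
if ($zone.DynamicUpdate -ne "Secure") {
    Write-Warning "Reverse zone accepts non-secure dynamic updates: $($zone.DynamicUpdate)"
}

# The nslookup test from the guide: forward lookup by name, then reverse lookup of the
# address it returned. Assumed host name; substitute one of your own domain-joined devices.
$fwd = Resolve-DnsName -Name "ws01.lab.local" -Type A
$rev = Resolve-DnsName -Name $fwd.IPAddress -Type PTR
$fwd, $rev | Format-Table Name, Type, IPAddress, NameHost
```

A freshly joined client registers its PTR record on its next DNS refresh; running ipconfig /registerdns on the client forces it if the reverse lookup comes back empty.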