This is the ultimate guide to Windows DHCP best practices and tips.
If you have any best practices or tips please post them in the comments below.
In this guide, I’ll share the following DHCP best practices and tips.
Table of contents:
For example, say you are having issues with DHCP or have installed a security patch
that requires a reboot. Rebooting a server that also holds the Active Directory Domain
Services role could cause major disruption to your organization. This can affect
authentication, replication, group policy, and DNS. Your users will not be able to
access anything if DNS is down.
If you have multiple domain controllers and it’s properly configured then these
issues can be avoided but why risk it?
If DHCP was installed on its own server you could reboot the DHCP server with
no worries of affecting the services on the Domain Controller.
Installing DHCP on its own member server will reduce the attack surface of your
DC.
But…
Say you just learned about a new DHCP option such as conflict detection and
you turn it on for all scopes.
Uh oh… Now the CPU usage skyrockets and the domain services are slow, users
can’t log in and DNS requests are painfully slow.
Maybe you install an IPAM to keep track of available IP addresses and it takes
up CPU and memory… again taking away resources from the domain services.
I could go on and on… the point being that the more software and services you
install on your domain controller, the more they can affect performance and lead
to disruption in services.
Summary
The DHCP failover option is built into the Windows Server operating system. The
picture below shows the setup of two DHCP servers configured in load balance
failover mode. If one server fails the other server is still active and takes over all
DHCP requests.
There are two failover design options:
This option is commonly used with the standby unit at a physically different
location than the active one.
Summary
You will need to determine which failover design is best for your
environment. It’s a free built-in option, so take advantage of it
and make your DHCP servers fault tolerant.
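Here is how the two failover designs described above look in PowerShell. This is an added example, not a script from the article; the server names, the scope list and the shared secret prompt are placeholders you would replace with your own.

```powershell
# Added example (not from the article): create a DHCP failover relationship
# between two Windows DHCP servers. Server names are placeholders.
#Requires -Modules DhcpServer

$Primary = 'dhcp01.corp.example'   # placeholder: server this runs against
$Partner = 'dhcp02.corp.example'   # placeholder: failover partner
$Scopes  = Get-DhcpServerv4Scope -ComputerName $Primary |
           Select-Object -ExpandProperty ScopeId

# Prompt for the shared secret so it never sits in the script; the cmdlet wants
# it as plain text, so convert the SecureString just before use.
$Secret      = Read-Host -Prompt 'Failover shared secret' -AsSecureString
$PlainSecret = [System.Net.NetworkCredential]::new('', $Secret).Password

# Design 1: load balance mode. Both servers answer clients, split 50/50, and
# each automatically takes over the partner's share after 10 minutes down.
Add-DhcpServerv4Failover -ComputerName $Primary -Name 'DHCP-LB' `
    -PartnerServer $Partner -ScopeId $Scopes `
    -LoadBalancePercent 50 -MaxClientLeadTime (New-TimeSpan -Hours 1) `
    -AutoStateTransition $true -StateSwitchInterval (New-TimeSpan -Minutes 10) `
    -SharedSecret $PlainSecret

# Design 2: hot standby mode (use instead of design 1). The partner, typically
# at another site, stays passive and only hands out leases when $Primary is down.
# Add-DhcpServerv4Failover -ComputerName $Primary -Name 'DHCP-HS' `
#     -PartnerServer $Partner -ScopeId $Scopes -ServerRole Active `
#     -ReservePercent 5 -MaxClientLeadTime (New-TimeSpan -Hours 1) `
#     -AutoStateTransition $true -StateSwitchInterval (New-TimeSpan -Minutes 10) `
#     -SharedSecret $PlainSecret

# Verify the relationship is Normal and that every scope is covered by it
Get-DhcpServerv4Failover -ComputerName $Primary |
    Format-List Name, Mode, State, PartnerServer, ScopeId
```

Run this on the primary server after both servers have the DHCP role installed and are authorized in Active Directory.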
Sources:
The question is do you install a DHCP server at these branch offices or have them
tunnel back to a centralized DHCP server?
Can the branch office work entirely by itself with no connection back to the data
center? If yes then it makes sense for there to be a local DHCP and DNS server.
If the branch office tunnels back to the data center for the internet, Active
Directory, DNS, and so on then there is no point in putting DHCP locally.
I work for a company that has offices throughout the state and I use a
centralized DHCP model. We have reliable fast connections so it makes sense for
us to use a centralized DHCP server.
One thing to consider is how many employees are at the branch office. If you
have a very large branch office with thousands of employees then having local
resources like Active Directory, DNS and DHCP can be helpful. That will be a lot
of traffic going across the WAN link and if the link goes down it would take all
those employees offline.
Summary
Sources:
I’ve been in the above situation plenty of times and like I said it’s a pain. To avoid
all of this just use DHCP reservations instead of static IP assignments.
For anything that needs a fixed IP address, I use DHCP reservations. The one
exception is infrastructure devices like routers and switches; those get static
IPs.
Each of your networks will have a default gateway, which is a router, so you
definitely want that address excluded from the DHCP pool. You may also run into
other equipment that requires a static IP, so it’s good to have a small range of
IPs excluded from the DHCP pool for these devices. For example, I’ve seen various
alarms and security devices that need a static IP, so I just provide an IP from
the exclusion range.
Here is a screenshot of a data VLAN used for workstations and laptops with the
exclusion of 10.2.10.1 to 10.2.10.10.
Get-DhcpServerv4Scope | Get-DhcpServerv4Lease
That is just scratching the surface of managing DHCP with PowerShell. I’ve added
a few links below to some additional resources for using PowerShell.
Sources:
DhcpServer PowerShell cmdlet
Active Directory PowerShell Commands
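To tie the exclusion range and reservation tips together with PowerShell, here is an added example (not the article’s own script) that uses the 10.2.10.0 data VLAN from the screenshot above; the device name and MAC address are constructed placeholders.

```powershell
# Added example (not from the article): exclude the gateway range, then give a
# device a DHCP reservation instead of a static IP. Device details are made up.
#Requires -Modules DhcpServer

$ScopeId = '10.2.10.0'   # data VLAN scope from the article

# 1. Keep 10.2.10.1-10.2.10.10 out of the pool for the default gateway and the
#    few devices (alarms, switches) that genuinely need a static address.
Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId -StartRange 10.2.10.1 -EndRange 10.2.10.10

# 2. Everything else that needs a fixed address gets a reservation. If the device
#    already holds a lease, reuse that address so nothing on the device changes.
function Set-FixedAddress {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $MacAddress,   # e.g. 'AA-BB-CC-DD-EE-FF'
        [string] $ScopeId = '10.2.10.0',
        [string] $IPAddress
    )
    $mac   = $MacAddress.ToUpper() -replace '[:.]', '-'
    $lease = Get-DhcpServerv4Lease -ScopeId $ScopeId -ClientId $mac -ErrorAction SilentlyContinue
    if (-not $IPAddress) {
        if (-not $lease) { throw "No current lease for $mac and no -IPAddress given" }
        $IPAddress = $lease.IPAddress
    }
    if (Get-DhcpServerv4Reservation -ScopeId $ScopeId -ClientId $mac -ErrorAction SilentlyContinue) {
        Write-Warning "$mac already has a reservation in $ScopeId"; return
    }
    Add-DhcpServerv4Reservation -ScopeId $ScopeId -IPAddress $IPAddress -ClientId $mac `
        -Name $Name -Description "Reserved $(Get-Date -Format yyyy-MM-dd)"
}

# Constructed sample device: a badge printer that must keep its address
Set-FixedAddress -Name 'PRN-BADGE-01' -MacAddress '00:11:22:33:44:55' -IPAddress 10.2.10.50

# 3. Audit every scope: how many reservations versus plain dynamic leases?
Get-DhcpServerv4Scope | ForEach-Object {
    $r = @(Get-DhcpServerv4Reservation -ScopeId $_.ScopeId)
    $l = @(Get-DhcpServerv4Lease -ScopeId $_.ScopeId | Where-Object AddressState -eq 'Active')
    [pscustomobject]@{ Scope = $_.ScopeId; Reservations = $r.Count; ActiveLeases = $l.Count }
}
```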
You don’t want to have just one big DHCP pool for all your devices; you should
segment devices into separate networks. This also depends on the size of your
network: if you have a small network then network segmentation is not as
important.
Benefits of network segmentation
Security
By keeping devices on separate networks you have better control of the network.
Do your printers need access to the internet? Probably not. Do computers in the
finance department need to talk directly to computers in HR? Absolutely NOT. By
separating devices into their own network you have much better control of their
access.
Limiting lateral movement in the network can really slow down attackers and
viruses. It is important to enable firewalls or access control lists at the network
level to limit lateral movement in your network.
Network performance
Putting everything on one big network will create a giant broadcast domain. This
can lead to all sorts of issues, like spanning tree loops, broadcast and multicast
storms. Segmenting your networks will break up the broadcast domains and
reduce possible performance issues.
You don’t want your guest network to have access to your secure network.
Separating this traffic onto its own network allows you to filter it and block
access to your internal network. I also use the guest network for IoT type
devices that just need an internet connection.
For large networks, consider changing the lease duration on DHCP scopes for fixed
devices (workstations) to 16 days. This can reduce DHCP related network traffic.
Workstations don’t move very often so they don’t need to go through the whole
DHCP dance as often to obtain an IP address.
This can also be the case with mobile devices, although this one can be tricky
with more and more users having laptops. The default of 8 days may be sufficient,
but if you know of mobile devices that move around a lot you may consider
reducing the lease time.
Summary
The DHCP server has an option to help reduce IP conflicts. The conflict detection
option on the DHCP server will first check if an IP is in use before assigning it to a
device.
The BPA scanner should help discover any basic misconfigurations. Review your
results and make any changes you feel are necessary for your environment.
SolarWinds has a free version of their IPAM, it can track up to 254 addresses. The
paid version allows you to manage all IP addresses.
DHCP options can be configured at two different levels: at the server level or per
DHCP scope.
I prefer to set them at each scope. It’s more work, but I may have scopes such as
guest wifi that I don’t want using the internal DNS. Sometimes VOIP phones need
special options configured and I don’t want that at the server level.
Take advantage of the scope options so you can auto configure the IP settings
on all devices.
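The lease-time, conflict-detection and scope-option tips above can all be applied from PowerShell. This is an added example, not the article’s own script; the scope IDs, DNS addresses and domain name are placeholders, and the audit function at the end is my own addition for spotting scopes that still inherit server-level DNS.

```powershell
# Added example (not from the article): scope-level tuning. All addresses are placeholders.
#Requires -Modules DhcpServer

# Lease duration: 16 days for the fixed workstation VLAN, 8 hours for guest wifi
Set-DhcpServerv4Scope -ScopeId 10.2.10.0  -LeaseDuration (New-TimeSpan -Days 16)
Set-DhcpServerv4Scope -ScopeId 10.2.200.0 -LeaseDuration (New-TimeSpan -Hours 8)

# Conflict detection: ping an address before offering it. Every attempt adds
# delay to each offer and costs CPU on a busy server, so keep the count low.
Set-DhcpServerSetting -ConflictDetectionAttempts 1

# Scope options instead of server options: internal DNS for the data VLAN...
Set-DhcpServerv4OptionValue -ScopeId 10.2.10.0 -Router 10.2.10.1 `
    -DnsServer 10.1.1.10, 10.1.1.11 -DnsDomain 'corp.example'
# ...a public resolver only for the guest scope...
Set-DhcpServerv4OptionValue -ScopeId 10.2.200.0 -Router 10.2.200.1 -DnsServer 9.9.9.9
# ...and a phone-only option (66, TFTP/boot server) on the VoIP scope
Set-DhcpServerv4OptionValue -ScopeId 10.2.30.0 -OptionId 66 -Value 'pbx.corp.example'

# Audit: which scopes set DNS themselves, and which hand out the internal servers?
function Get-ScopeDnsReport {
    param([string[]] $InternalDns = @('10.1.1.10', '10.1.1.11'))
    Get-DhcpServerv4Scope | ForEach-Object {
        $opt = Get-DhcpServerv4OptionValue -ScopeId $_.ScopeId -OptionId 6 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Scope        = $_.ScopeId
            Name         = $_.Name
            LeaseDays    = [math]::Round($_.LeaseDuration.TotalDays, 1)
            DnsFromScope = [bool] $opt
            UsesInternal = [bool] ($opt -and ($opt.Value | Where-Object { $_ -in $InternalDns }))
        }
    }
}
Get-ScopeDnsReport | Format-Table -AutoSize
```

A guest scope showing UsesInternal = True is the misconfiguration to look for: it means guest clients are being pointed at your internal DNS servers.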
DHCP messages are broadcast, and routers do not forward broadcast packets, so
clients on a different subnet than the DHCP server never reach it. To fix this you
can enable the DHCP relay agent (IP helper) function on your router/switch, which
forwards the DHCP broadcasts as unicast to the DHCP server’s address.
You will need to check your router documentation for the commands to enable the
relay agent.
Sources:
Rogue DHCP servers are a headache. In addition, they can be a security risk and
can be used for various attacks.
The best way to block rogue DHCP servers is at the network switch. This can be
done with an option called DHCP snooping or with 802.1x port-based network access
control.
DHCP Snooping
DHCP snooping is a layer 2 switch feature that blocks unauthorized (rogue)
DHCP servers from dishing out IP addresses to devices.
802.1x is not only good for blocking rogue DHCP servers but for controlling network
access to anything.
802.1x is typically configured at the switch level and requires a client
(supplicant) and an authentication server.
Did you know that by default Windows backs up the DHCP configuration every 60
minutes to the folder %SystemRoot%\System32\dhcp\backup?
This is great but does you no good if the server crashes and you can’t access the
folder.
If you don’t have any offsite replication in place then you would need to copy
the backup folder to another location on a regular schedule.
This can be done with a script that copies the folder to another location or uses
PowerShell to specify a remote location.
You can read more on this in my article Backup and Restore Windows DHCP
Server
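Here is an added example (not the article’s own script) of the copy-to-another-location approach: it takes a fresh backup and a full export, copies both to a remote share, verifies the copy and prunes old copies. The share path, retention count and the scheduled-task lines are placeholders.

```powershell
# Added example (not from the article): copy the DHCP backup off the server.
# Share path and retention are placeholders.
#Requires -Modules DhcpServer

function Copy-DhcpBackupOffsite {
    param(
        [Parameter(Mandatory)] [string] $Destination,   # e.g. '\\backup01\dhcp$' (placeholder)
        [int] $Keep = 14,                                # dated copies to retain
        [string] $Staging = "$env:SystemRoot\System32\dhcp\backup-offsite"
    )
    # Take a fresh backup into a separate staging folder rather than copying the
    # automatic 60-minute folder, so we never ship a half-written backup.
    Backup-DhcpServer -Path $Staging

    # Also export config + leases to one XML file; Import-DhcpServer can restore
    # that onto a different server if this one is a total loss.
    $stamp      = Get-Date -Format 'yyyyMMdd-HHmm'
    $exportFile = Join-Path $Staging "dhcp-$env:COMPUTERNAME-$stamp.xml"
    Export-DhcpServer -File $exportFile -Leases -Force

    $target = Join-Path $Destination "$env:COMPUTERNAME\$stamp"
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    Copy-Item -Path (Join-Path $Staging '*') -Destination $target -Recurse -Force

    # Verify the copy landed before trusting it, then prune copies beyond $Keep
    if (-not (Test-Path (Join-Path $target (Split-Path $exportFile -Leaf)))) {
        throw "Offsite copy to $target failed"
    }
    Get-ChildItem (Join-Path $Destination $env:COMPUTERNAME) -Directory |
        Sort-Object Name -Descending | Select-Object -Skip $Keep |
        Remove-Item -Recurse -Force
    Remove-Item $exportFile -Force
    return $target
}

# Run once by hand, or save as C:\Scripts\DhcpBackup.ps1 and register a nightly task:
# $action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-File C:\Scripts\DhcpBackup.ps1'
# $trigger = New-ScheduledTaskTrigger -Daily -At 02:00
# Register-ScheduledTask -TaskName 'DHCP offsite backup' -Action $action -Trigger $trigger -User 'SYSTEM' -RunLevel Highest
Copy-DhcpBackupOffsite -Destination '\\backup01\dhcp$'
```

The account running the task needs write access to the share; if you run it as SYSTEM, grant the server’s computer account on the share.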
For example, you have users putting BYOD devices on your secure VLAN. You
could add these devices to the deny filter. The DHCP MAC filtering is a quick and
simple way to control access to the network. If you have the time and resources
the better option is to use 802.1x.
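For the BYOD case above, here is an added example (not the article’s own script) that puts a set of MAC addresses on the DHCP deny filter and turns the deny list on; the MAC addresses are constructed.

```powershell
# Added example (not from the article): add devices to the DHCP deny filter.
# MAC addresses are constructed placeholders.
#Requires -Modules DhcpServer

function Add-DhcpDenyFilter {
    param(
        [Parameter(Mandatory)] [string[]] $MacAddress,
        [string] $Reason = 'BYOD seen on secure VLAN'
    )
    foreach ($raw in $MacAddress) {
        # Accept aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff or bare hex; reject anything else
        $hex = ($raw -replace '[^0-9A-Fa-f]', '').ToUpper()
        if ($hex.Length -ne 12) { Write-Warning "Skipping malformed MAC '$raw'"; continue }
        $mac = $hex -replace '(..)(?=.)', '$1-'     # AABBCCDDEEFF -> AA-BB-CC-DD-EE-FF
        if (Get-DhcpServerv4Filter -List Deny | Where-Object MacAddress -eq $mac) {
            Write-Verbose "$mac already on deny list"; continue
        }
        Add-DhcpServerv4Filter -List Deny -MacAddress $mac -Description $Reason
    }
    # Entries have no effect until the deny list itself is enabled
    Set-DhcpServerv4FilterList -Deny $true
    Get-DhcpServerv4FilterList
}

# Constructed sample: two personal phones that took leases on the data VLAN
Add-DhcpDenyFilter -MacAddress 'f0:99:bf:12:34:56', 'F099BF654321'
```

The filter only matches the hardware address the client presents, which is why the article points to 802.1x as the stronger control; treat this as quick hygiene rather than a security boundary.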
Conclusion
I’ve been using these tips for years when managing DHCP servers. When
configured correctly DHCP can be a set and forget server with little or no issues. I
hope you find these tips useful and please post any DHCP tips or best practices
you have in the comments below.
Le Thanh Tung
Robert Allen
Thanks Le
Marcus
Ehsan
Hi, thanks for the nice post. Can you also show how to configure a failover
DHCP server in the network?
Danny
Hi Robert,
Thanks,
Danny
Neha
Robert Allen
GG
Hi, do you know if another alternative to SolarWinds IPAM exists to
manage IPs, delegate DHCP roles, etc.?
We already tested IPAM and we found it is not as stable or as useful an
application as we would want.
Robert Allen
Patrick Bervoets
Thanks for the article.
What would you say is the best practice? Give a fixed or a (reserved)
DHCP address to an AD DS server that is neither a DHCP nor a DNS server?
It is indeed a pain if you have to go over all your devices to update the
DNS reference. And in the near future I’ll have to completely alter my
addressing scheme.
Thanks
Robert Allen
Fixed.
John Hughes
Thank You
© 2022 Active Directory Pro. All Rights Reserved | Terms and Conditions | Privacy Policy