6

I've been debating with myself about the best place for hosting a LAN's DHCP services. I have the option of either a SonicWall firewall or a Windows 2008 server.

The two things I was looking for in addition to just handing out IP addresses were assigning a small handful of static IPs through DHCP (for printers and other various network devices), and assigning three DNS servers (the server's DNS IP, and two DNS IPs from the ISP). Both the firewall and server have these features.

I reboot the server about once a month for maintenance purposes (windows updates, installing software, swapping hardware, etc). The firewall is rarely rebooted.

The number of DHCP leases doesn't generally go above 50.

What are the pros and cons of hosting DHCP services in one spot or the other?

Force Flow

5 Answers

7

The only real pros and cons are the ones you've already addressed, which is continuity of the network. I usually put DHCP on the primary server (DC, DNS) so that DNS records can be automatically updated if/when a client's DHCP lease expires and it is issued a new IP address. It would take additional configuration to accomplish this task using the SonicWall as the DHCP server.

The other side of the argument is that keeping DHCP and DNS settings on the SonicWall will allow continuity of client devices in regards to internet access. But with the server down, unless you only use hosted services, all they're going to do on the internet is mess around.

It really is up to you, but I hunted down some more opinions about the matter for you. Feel free to take a look at this and this. Basically, it's up to you, and there are caveats to each side. I personally recommend keeping it on the server.

JohnThePro
5

I'm in agreement with sybreon and JohnThePro as well as the original post, but I thought I would add a few more thoughts.

If the client PCs are on a domain, I would not suggest using the ISP (or external) DNS servers for clients - if for any reason a client starts using the external DNS servers, these will have no knowledge of your internal structure, so will not have the relevant A records for your servers and printers, etc. Also, Active Directory creates a few SRV records that are needed for AD to work correctly. It is possible to recreate the entries, say on a *nix box running BIND, but this requires manual work. A second domain controller can automatically update all these records as needed.

Also, I like using Windows DHCP servers as they are highly configurable; most other DHCP servers do not provide all of the functionality available using Windows DHCP.

Another benefit is that when things start to go wrong, you will have fewer different things to look at.

Robin Gill
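The setup the question asks for (reservations for printers plus a DNS server list), together with the caveat above about domain clients and AD SRV records, as an added example that is not from the question or any of the answers. It uses netsh, since Windows Server 2008 predates the DhcpServer PowerShell module; the scope 192.168.1.0/24, the DC/DNS address 192.168.1.5, the ISP resolvers 203.0.113.53/54, the domain name and the printer MAC addresses are all constructed values.

```powershell
# Added example: netsh DHCP configuration on Windows Server 2008.
# All addresses, MACs and names below are constructed placeholders.
$scope = "192.168.1.0"

# Reservations for the printers and other fixed devices.
# netsh syntax: add reservedip <IP> <MAC without separators> [name] [comment] [DHCP|BOOTP|BOTH]
netsh dhcp server scope $scope add reservedip 192.168.1.20 001122334455 "printer-lobby" "Lobby MFP" DHCP
netsh dhcp server scope $scope add reservedip 192.168.1.21 001122334456 "printer-accts" "Accounts printer" DHCP

# Exactly what the question proposes: three DNS servers (option 006),
# the internal server first and the two ISP resolvers after it.
netsh dhcp server scope $scope set optionvalue 006 IPADDRESS 192.168.1.5 203.0.113.53 203.0.113.54

# Robin Gill's caveat applied: a domain-joined client that falls back to
# the ISP resolvers cannot find the AD SRV records, so for a domain scope
# hand out only AD-integrated DNS (a second DC would be listed here) and
# let the DC itself forward to the ISP. This overwrites the value above.
netsh dhcp server scope $scope set optionvalue 006 IPADDRESS 192.168.1.5
netsh dhcp server scope $scope set optionvalue 015 STRING "corp.example"

# Check what the scope now hands out, and list the leases; per the netsh
# documentation, the trailing 1 adds client names to the lease list, which
# is the detail Gideon7's answer relies on when tracing an offending IP.
netsh dhcp server scope $scope show optionvalue
netsh dhcp server scope $scope show clients 1
```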
3

My personal preference is to keep the DHCP services as close to the client as possible. So, I tend to set up the routers to hand out addresses. The main reason for this is because I like to decentralise things so that there isn't a single point of failure. In a more complex network setup, this can provide a performance advantage. It is possible to overload a centralised DHCP server especially if the clients are on a short lease.

So, to your question, I'd ask which device is closer to the clients. This depends on how your network is set up (whether the clients are connected to the server via the firewall, or whether the firewall is upstream from the server, etc.).

I use the firewall to hand out DHCP leases. This way, I can easily manage different address ranges and rules etc for different zones.

sybreon
2

One big advantage of hosting DHCP on a Windows Server is that it will record the name of the client in addition to the MAC address.

This can be very helpful if a client PC goes rogue and you want to track it down based on the offending IP address. Firewalls typically only record the MAC address of the registrant.

Gideon7
0

This is a great question and one which I have just recently researched during a customer installation. We ran DHCP first on the router, then the switch, and finally moved it to the Windows 2008 Server. Performance was great on all three; however, the configuration options were far greater on the server versus the appliances. Often applications like Peachtree need greater configuration options to establish reliable connections. Also, on the server you can set up WINS, which I also recommend. In the event you have an interruption in DNS services, your users won't be waiting 15 minutes for a DNS timeout to find the target.

Zoredache
Dave