
We've had a few issues with our Windows DHCP server failing. I'm a Linux guy by nature, but not a systems guy (I'm a programmer who happens to be running IT for ~800 users), and I'm curious: how crazy would it be to just set up a couple of Linux boxes to be redundant DHCP servers, either with a split scope or with some of them set up as failovers?

If we go that route, what specs are needed for a box to simply act as a reliable DHCP server?

I'm imagining we could commit these computers to acting only as DHCP and leave our Windows server as an AD controller, a fileserver, etc. Our organization has lots of users who just need wireless to work, so having DHCP reliable even when the Windows server is down would be a major benefit -- my gut is that it shouldn't be hard to set up some computers to just do DHCP + DNS and do it well, but consultants I've talked to have warned us against it in the past, so I'm curious what Server Fault thinks.

TomHinkle
  • I mean, why not fix the root cause of your issue? There's a reason the Windows DHCP server/service is failing. That's clearly not normal, so it would be best to try to resolve it and understand why the system isn't behaving properly. – ewwhite Dec 03 '15 at 15:32
  • The problem I want to solve is having a single point of failure -- digging into the particular issue causing a Windows problem at any given moment is kind of beside the point. Obviously we could buy a second Windows server, but given how simple a service DHCP is at its root, I'm thinking it should be possible to have redundancy without paying for another Windows server. I guess my real question is, if we don't need a second Windows server for other services, why can't we just configure some existing hardware to work as redundant DHCP servers to get greater reliability for the core network? – TomHinkle Dec 03 '15 at 15:46
  • This reads more like a discussion than a question..... – Colyn1337 Dec 03 '15 at 15:48
  • Failover is built into Windows Server 2012 DHCP. Enabling it is the prudent thing to do. – ewwhite Dec 03 '15 at 15:48
  • @TomHinkle And the reason digging into the root cause of your problem is worthwhile is that your DHCP problems may be a _symptom_ of something else... You could potentially have Active Directory issues or replication problems or even be exhausting your pool of addresses. So it's not "beside the point". – ewwhite Dec 03 '15 at 15:52
  • @ewwhite -- so Windows Server 2012 includes failover out of the box, which would be superior to what I'd get with the Linux set-up? Would this play well with an existing Windows 2008 server, or would I need to set up two Windows 2012 servers to get this functionality? – TomHinkle Dec 03 '15 at 16:43
  • It's superior to what you have, but yes, you would need to upgrade to 2012 to obtain this feature. – ewwhite Dec 03 '15 at 16:44
  • `(I'm a programmer who happens to be running IT for ~800 users)`, there is your problem: you have an amateur doing a professional's job. – user9517 Dec 03 '15 at 17:06
  • No, he's a pro, since he would be getting paid to do it... It's just not his area of specialization. :-) – Brian Knoblauch Dec 03 '15 at 20:25
  • @TomHinkle, you would need 2x 2012 (R2) Windows servers. It would not be superior to the Linux solution (just better integrated). – natxo asenjo Dec 04 '15 at 10:34

6 Answers


These days DNS and DHCP are really tightly linked to Active Directory. That being said, there are people who really do this in production.

You don't need anything particular for setting up a DHCP box on Linux: any box can do the trick.

Xavier Nicollet

These days, for AD, I'd recommend using Windows Server 2012 and the High Availability DHCP feature, installed on a pair of servers (or domain controllers). There's no need to go to ISC DHCP on Linux for this.

ewwhite

All comments here telling you not to do this are well meant, but they are just opinions.

In the end, you know your business better and if you think after having considered all matters that going the isc-dhcpd route is what's better for your environment, then that's the best solution for you.

Windows DHCP server has improved (finally), so it now supports failover. ISC dhcpd has had that for ages, so you could say it's the better proven solution ;-)

All other comments on dynamic updates are valid points if that is an important issue for your environment. In my opinion, dynamic DNS is vastly overrated, and in most environments I have come across with Windows DNS and DHCP server (a very common combination in companies, true) the zones using dynamic updates are..., messy. DNS scavenging is something not many people use (or understand, for that matter).

So you might be better off not updating the zone records dynamically, but having a script with dnscmd.exe do it. That way you can keep your zone file in version control and revert things when necessary. We generate our zones that way from our asset database and RackTables from a Jenkins job. For you this should not be a problem, as you are a developer. You can delegate the script in Jenkins to junior staff and have logging and alerts if something goes wrong.

But using the 2012 dhcp service is perfectly fine as well. You just need 2 windows server licenses.

natxo asenjo
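As an added example (not code from this thread or from ISC), here is the ISC dhcpd failover-pair setup the answer above refers to, written as a small POSIX shell script that emits `dhcpd.conf` for whichever role you pass. The peer name, both addresses, the subnet, pool and DNS options are assumptions for illustration. ISC's failover link carries no authentication of its own, so on each host restrict the failover port to the peer's address with the host firewall.

```shell
#!/bin/sh
# Added example, not from the Server Fault thread: generate /etc/dhcp/dhcpd.conf
# for an ISC dhcpd failover pair. Hostnames, addresses, scope, options and the
# peer name below are assumptions; replace them with your own.
#
# On dhcp1:  sh dhcpd-failover.sh primary   > /etc/dhcp/dhcpd.conf
# On dhcp2:  sh dhcpd-failover.sh secondary > /etc/dhcp/dhcpd.conf

PRIMARY_IP=10.0.0.2        # assumed: dhcp1
SECONDARY_IP=10.0.0.3      # assumed: dhcp2
FAILOVER_PORT=647          # registered DHCP failover port
PEER_NAME=dhcp-ha          # arbitrary; must be identical on both servers

# The failover-peer stanza. Only the primary carries mclt and split; the
# secondary receives them from the primary when the pair connects.
failover_stanza() {
  role=$1
  case $role in
    primary)   my_addr=$PRIMARY_IP;   peer_addr=$SECONDARY_IP ;;
    secondary) my_addr=$SECONDARY_IP; peer_addr=$PRIMARY_IP ;;
    *) echo "role must be primary or secondary" >&2; return 1 ;;
  esac
  printf 'failover peer "%s" {\n' "$PEER_NAME"
  printf '  %s;\n' "$role"
  printf '  address %s;\n  port %s;\n' "$my_addr" "$FAILOVER_PORT"
  printf '  peer address %s;\n  peer port %s;\n' "$peer_addr" "$FAILOVER_PORT"
  printf '  max-response-delay 60;\n'
  printf '  max-unacked-updates 10;\n'
  printf '  load balance max seconds 3;\n'
  if [ "$role" = primary ]; then
    # mclt: longest a server may extend a lease beyond what its peer has
    # acknowledged; split 128 gives each peer half of the client hash space.
    printf '  mclt 1800;\n  split 128;\n'
  fi
  printf '}\n'
}

# Whole file. Subnet and pool must be identical on both peers; the
# "failover peer" line inside the pool is what places that pool under failover.
dhcpd_conf() {
  failover_stanza "$1" || return 1
  cat <<EOF

authoritative;
default-lease-time 3600;
max-lease-time 7200;
ddns-update-style none;                            # dhcpd does no DNS updates here
option domain-name "corp.example";                 # assumed
option domain-name-servers 10.0.0.10, 10.0.0.11;   # assumed AD DNS servers

subnet 10.0.0.0 netmask 255.255.0.0 {
  option routers 10.0.0.1;
  pool {
    failover peer "$PEER_NAME";
    range 10.0.10.1 10.0.19.254;
  }
}
EOF
}

# Parse-only check (dhcpd -t) before restarting the daemon on a new file.
check_conf() {
  command -v dhcpd >/dev/null 2>&1 || { echo "dhcpd not installed; skipping parse check" >&2; return 0; }
  dhcpd -t -cf "$1"
}

case ${1:-} in
  primary|secondary) dhcpd_conf "$1" ;;
esac
```

Run `check_conf /etc/dhcp/dhcpd.conf` on each host after generating the file, then start dhcpd on the primary first; the pair shows `normal` state in the log once both sides have exchanged their lease databases.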

This is certainly a possibility but you are only separating one part of the wider picture. Why not have multiple AD servers running under a proxy? That way if one falls over you will still have a failover. This means that not only DHCP will be protected but also everything else.

Lukasz Medza
  • Cost and convenience is the main reason for thinking about this route. Setting up a new Windows server seems like a relatively big production and expense (our organization has been moving away from Windows anyway, so fewer and fewer people rely on AD etc. in the first place). Configuring DHCP on two Linux boxes seems comparatively easy and cheap to do with excess hardware we already have lying around. – TomHinkle Dec 03 '15 at 15:34
  • _"Setting up a new windows server seems like a relatively big production and expense..."_ - Well, okay. Use Linux if you want, but you _did_ ask for advice. – ewwhite Dec 03 '15 at 15:49

Under the General tab of a Windows DNS zone there is a Dynamic Updates option that can be set to one of: None, Nonsecure and Secure, or Secure only.

Best practice is to set this to Secure to stop unwanted updates to your DNS zones.

However, if you do this then a non-windows DHCP server will NOT be able to make DNS updates on behalf of clients.

If this is not an issue for you then I see no reason why switching to a Linux DHCP server would be a problem.

However, if you DO use secure dynamic updates then I'd advise you to stick with the Windows DHCP Server.

Phil
  • technically it is possible, you need to have nsupdate from bind with kerberos libraries and a AD keytab. See here: http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/ . The question is why the windows dhcp client needs the dhcp server to update its record. – natxo asenjo Dec 04 '15 at 10:40
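The answer above says a non-Windows DHCP server cannot update a zone set to "Secure only", and the comment notes that it can with nsupdate, Kerberos libraries and an AD keytab. As an added example (not from this thread and not the linked blog's code), here is a POSIX shell helper that does that with GSS-TSIG (`nsupdate -g`, which needs a BIND build with GSSAPI support). The realm, DNS server, keytab path, service account, zones and the classful /24 reverse layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: register a lease's A and PTR records in
# an AD-integrated zone set to "Secure only" from a Linux DHCP server, using
# GSS-TSIG (nsupdate -g) with a keytab for a dedicated AD service account.
# REALM, DNS_SERVER, KEYTAB, the account, zones and IP layout are assumptions.

REALM=CORP.EXAMPLE                         # assumed AD Kerberos realm
DNS_SERVER=dc1.corp.example                # assumed AD-integrated DNS server
KEYTAB=/etc/dhcp/dhcp-updater.keytab       # assumed keytab for the service account
PRINCIPAL="dhcp-updater@$REALM"            # assumed: account allowed to write only
                                           # to the zones this server hands out leases in
CCACHE=/var/lib/dhcp/krb5cc_dhcp           # ticket cache readable by dhcpd only

# Build the nsupdate script for one lease. Each zone gets its own "send"
# because a single dynamic update may only touch one zone. The PTR zone is
# derived assuming a /24 in-addr.arpa layout (assumption).
nsupdate_script() {
  host=$1; ip=$2; zone=$3; ttl=${4:-3600}
  rev=$(printf '%s' "$ip" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }')
  cat <<EOF
server $DNS_SERVER
zone $zone
update delete $host.$zone A
update add $host.$zone $ttl A $ip
send
zone ${rev#*.}
update delete $rev PTR
update add $rev $ttl PTR $host.$zone.
send
EOF
}

# Get a ticket from the keytab (no password stored beyond the keytab itself)
# and submit the update. With -g, nsupdate signs the request with GSS-TSIG;
# an unsigned update to a "Secure only" zone comes back REFUSED, which is the
# behaviour that setting exists to enforce.
push_lease() {
  export KRB5CCNAME="FILE:$CCACHE"
  kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 1
  nsupdate_script "$@" | nsupdate -g
}

# Called as: push-lease.sh <hostname> <ip> <forward zone>
if [ $# -eq 3 ]; then
  push_lease "$@"
fi
```

Two caveats a practitioner should weigh before adopting this. In a "Secure only" zone the records created this way are owned by the `dhcp-updater` account, so a client cannot later overwrite its own record; that is the same trade-off Windows DHCP has when it registers on behalf of clients, and it is why the account should be dedicated and limited to these zones. The script can be driven from dhcpd's `on commit` event with the `execute` statement (assumed to be present in your dhcpd version) or periodically from the leases file; in either case keep the keytab and ticket cache readable by the dhcpd user only.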

Windows DHCP updates Windows DNS, and Active Directory relies heavily on DNS. As much as I love Linux, replacing either of these services with its Linux equivalent will lead to issues. What do the syslogs say on the DHCP server? Most of the DHCP service crashes I've seen come from someone plugging in a WiFi router or some other device with a DHCP server enabled on it. You can only have one DHCP server on your network or it will crash the Windows DHCP service.

  • `You can only have one DHCP server on your network or it will crash the windows DHCP service` - That statement is not technically correct. You may be thinking of Small Business Server, which did shut down the Windows DHCP service if it discovered another DHCP server on the network, but no other editions of Windows Server do this. – joeqwerty Dec 03 '15 at 21:57
  • I guess I should clarify -- we're not having DHCP problems per se. This most recent time, the Windows server just hung with no error messages at all -- a reboot brought it back, but it meant about a half hour of downtime. From my perspective, the problem is tying our whole network performance to a Windows box. DHCP just seems simple enough I should be able to hand it to something more reliable than our Windows server. I'm making an assumption that linux might be the easiest route. – TomHinkle Dec 04 '15 at 02:52