I've pulled DHCP off all our DCs and it wasn't too tough for the network team to accommodate. Using DHCP failover took a bit more work for us to perfect. Using failover you by definition copy the config to the new server... stand up a new DHCP server, config it as failover, then stand down DHCP on the domain controller and deconfigure failover once the new server is confirmed to hand out IPs. (Assuming Win DHCP servers.)
Totally worth it in our opinion.

Dave

> On Nov 30, 2017, at 8:21 AM, Heaton, Joseph@Wildlife <[email protected]> wrote:
>
> Problem with that, is that I’d really like to keep the same IP for the DHCP server. My network team has that in all their switches around the state as ip-helper entries.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Webster
> Sent: Thursday, November 30, 2017 7:45 AM
> To: [email protected]
> Subject: RE: [NTSysADM] DHCP role
>
> I would migrate DHCP first.
>
> Webster
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Heaton, Joseph@Wildlife
> Sent: Thursday, November 30, 2017 9:00 AM
> To: [email protected]
> Subject: RE: [NTSysADM] DHCP role
>
> That’s what we’re doing as well. Not sure why, but our service account is member of DNSUpdateProxy, but also a member of DNSAdmins. Anyone have an idea why that group? I didn’t set this up initially, I’m just trying to get things in best practices, and address a current issue I’m working through, of replacing a DC, that happens to be our main DHCP server. My thoughts at the moment, are to add a new DC, with only DC roles. Then, DCpromo the old DC (with DHCP), then migrate DHCP to a new server, that is only a member server, not a DC.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Mark Gottschalk
> Sent: Wednesday, November 29, 2017 6:21 PM
> To: [email protected]
> Subject: Re: [NTSysADM] DHCP role
>
> https://blogs.technet.microsoft.com/stdqry/2012/04/03/dhcp-server-in-dcs-and-dns-registrations/
>
> https://technet.microsoft.com/en-us/library/dd334715(v=ws.10).aspx
>
> This is what we've done with DHCP on DC. Have a user "DHCP_user" in Protected User group, DNSUpdateProxy group. Use this for alternate credentials.
>
> Note that first article says:
> "A common error is to think that the DHCP Server service running in a DC will use its service account security context to register records in DNS if no alternate credentials are configured, and then there is security risk. In fact, this is not the behavior of the DHCP Server in a DC.
>
> If the DHCP Server service detects that it is running in a domain controller, and no alternate credentials for DNS registrations have been configured, then it decides to not do any registrations for DHCP clients and logs event DHCP/1056."
>
> It also starts with:
> "One common deployment scenario for the DHCP Server service is to have it installed in domain controllers. When this scenario is used it is necessary to define the alternate credentials to be used by DHCP when doing DNS registrations on behalf of the DHCP clients."
>
> If you can separate them with no downside, go for it. However, running DHCP on a DC appears to be accounted for and can be addressed by above.
>
> -- Mark
>
>
>
> From: "Heaton, Joseph@Wildlife" <[email protected]>
> To: 'NT System Admin Issues Discussion list' <[email protected]>
> Date: 11/29/2017 02:49 PM
> Subject: [NTSysADM] DHCP role
> Sent by: "[email protected]" <listsadmin
>
> Is it still best practice to have DHCP NOT on a DC? I’ve been reading a bunch of stuff, but everything I’m reading refers to Server 2003 or older.
>
> Joe Heaton
> Information Technology Operations Branch
> Data and Technology Division
> CA Department of Fish and Wildlife
> 1700 9th Street, 3rd Floor
> Sacramento, CA 95811
> Desk: 916-323-1284
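The migration Dave outlines (stand up a failover partner so the scopes replicate, confirm the new server is issuing leases, then stand the DC down and drop the failover relationship), combined with the DNS-credential check from the article Mark quotes, written out as an added PowerShell example. This is not code from anyone on the list: the server names, domain, relationship name, shared secret prompt and the event-log provider name used to look for event 1056 are assumptions or placeholders, and it assumes the DhcpServer module on Windows Server 2012 R2 or later with an account that is a DHCP administrator on both hosts.

```powershell
# Added example (not from the thread): moving DHCP off a DC with DHCP failover,
# plus the DNS-registration credential check the quoted TechNet article describes.
# Placeholders: OLD-DC01 (DC currently running DHCP), NEW-DHCP01 (member server
# taking over), domain corp.example. Requires the DhcpServer module (2012 R2+).

$oldDc   = 'OLD-DC01.corp.example'     # placeholder
$newSrv  = 'NEW-DHCP01.corp.example'   # placeholder
$relName = 'migrate-off-dc'            # failover relationship name (assumed)

# 0. On the DC: is an alternate credential set? Per the quoted article, a
#    DC-hosted DHCP server with no alternate credential does no client DNS
#    registrations and logs DHCP event 1056, so check both before migrating.
$dcCred = Get-DhcpServerDnsCredential -ComputerName $oldDc
if (-not $dcCred.UserName) {
    Write-Warning "$oldDc has no DNS update credential; expect DHCP event 1056 on the DC."
}
# Provider name below is an assumption; adjust if your System log shows a different source.
Get-WinEvent -ComputerName $oldDc -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-DHCP-Server'; Id = 1056
} -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message

# 1. Stand up the new server: install the role, authorize it in AD, and give it
#    the alternate credential (a plain user in DNSUpdateProxy, as the thread describes).
Invoke-Command -ComputerName $newSrv -ScriptBlock {
    Install-WindowsFeature DHCP -IncludeManagementTools | Out-Null
}
Add-DhcpServerInDC -DnsName $newSrv
$dnsCred = Get-Credential -Message 'DNS registration account (member of DNSUpdateProxy)'
Set-DhcpServerDnsCredential -ComputerName $newSrv -Credential $dnsCred

# 2. Configure failover from the DC to the new server. The relationship replicates
#    scopes, options and leases to the partner: this is the "copy the config" step.
$scopes = Get-DhcpServerv4Scope -ComputerName $oldDc
$secret = Read-Host 'Failover shared secret'   # constructed at run time, not stored here
Add-DhcpServerv4Failover -ComputerName $oldDc -Name $relName -PartnerServer $newSrv `
    -ScopeId $scopes.ScopeId -LoadBalancePercent 50 -SharedSecret $secret -Force

# 3. Confirm the partner is healthy and actually handing out addresses before
#    touching the DC. Relay agents (the ip-helper entries Joseph mentions) must
#    point at $newSrv by this stage, or it will never see a request.
Get-DhcpServerv4Failover -ComputerName $newSrv -Name $relName |
    Select-Object Name, PartnerServer, State, Mode
Get-DhcpServerv4ScopeStatistics -ComputerName $newSrv |
    Select-Object ScopeId, InUse, Free
Get-DhcpServerv4Lease -ComputerName $newSrv -ScopeId $scopes[0].ScopeId |
    Select-Object -First 5 IPAddress, ClientId, LeaseExpiryTime

# 4. Stand down DHCP on the DC (Dave's order: stop it first, then deconfigure
#    failover). Because the partner is now unreachable, -Force is needed to
#    drop the relationship from the new server's side.
Invoke-Command -ComputerName $oldDc -ScriptBlock {
    Stop-Service DHCPServer
    Set-Service DHCPServer -StartupType Disabled
}
Remove-DhcpServerInDC -DnsName $oldDc                       # deauthorize the DC
Remove-DhcpServerv4Failover -ComputerName $newSrv -Name $relName -Force
Invoke-Command -ComputerName $oldDc -ScriptBlock {
    Uninstall-WindowsFeature DHCP | Out-Null                # removes the stale scope config
}

# 5. Final check: the new server is standalone, authorized, and registering in DNS
#    with the DNSUpdateProxy account rather than its own machine context.
Get-DhcpServerInDC
Get-DhcpServerDnsCredential -ComputerName $newSrv
```

Step 0 is the part worth keeping even if you never migrate: the quoted article's point is that a DC-hosted DHCP server without an alternate credential silently skips client registrations, so a 1056 on the DC is the signal that dynamic DNS for DHCP clients is not happening at all, not that it is happening under the DC's own account.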

