Answered Failover AD DC DNS on DHCP Server 2012

  • Wednesday, February 20, 2013 3:19 PM

    I have one physical machine hosting Active Directory, Primary Domain Controller, and DNS on one virtual machine and another virtual machine hosting the file server. There is another physical machine hosting DHCP on one virtual machine, and Exchange 2013 on the other virtual machine. At this point these servers have not been deployed and I was to set up redundancy/failover for the AD, DC, DNS and for the DHCP. I figure I can put a hot-standby DHCP on the file server on the first machine, but I am not sure how to integrate a redundant AD, DC, and DNS on the primary DHCP server. I believe putting it on the Exchange server would be a poor idea as both are resource intensive.

    These redundant servers are meant only as backups if one physical machine fails. I just want to know the best place to put the redundant AD, DC, and DNS and how to set it up. I have read that putting DHCP on the same machine as the domain controller is not necessarily a bad idea; I am just unclear as to how to set up all of the permissions.

All Replies

  • Wednesday, February 20, 2013 3:56 PM

    Redundancy for Active Directory and DNS is achieved by adding a second domain controller.  Since you are using virtual machines, I would suggest you create a new virtual machine on the second physical server if at all possible.  If this is not possible, you can promote the virtual machine that is already hosting DHCP to a Domain Controller.  In your DHCP scope and on the other servers, you should specify both the existing DNS server and the new one you just promoted as DNS servers.

    For redundancy for DHCP, you can indeed set it up on the file server.  I can also see an argument for doing it on the existing Domain Controller if you decide to promote your DHCP server, that way those two machines are identical.

  • Wednesday, February 20, 2013 3:59 PM

    With regard to DHCP, I wouldn't go with a hot or cold standby option.  The best approach in my opinion is to go with a split DHCP option where you split the scopes 50/50 between two DHCP servers.  Both servers are online and servicing clients.  In the event of a server failure, the other DHCP server continues to issue leases.  You only need to make sure there is no overlap between the ranges on the two servers and that any reservations you create on one server are also created on the other.

    Guide: Load Balancing Using Split Scopes

    With regard to Active Directory services, the same applies... no standbys.  There is no primary/backup role in Active Directory.  All domain controllers (with the exception of RODCs) are masters.  What I would recommend is that you have at least two DCs.  Both DCs will run DNS.  And yes, it's OK (acceptable) to run DHCP on domain controllers if you have to.  Also, if this is one domain, both DCs will also be Global Catalog servers.  Leave the FSMO roles on either server.

    For your clients, configure them to point to both these DNS servers for name resolution.


    IT Knowledge Base | itgeared.com |

  • Wednesday, February 20, 2013 4:11 PM
    I would like to but unfortunately they are running Server 2012 standard, I can only license two virtual machines on each copy.
  • Wednesday, February 20, 2013 4:13 PM
    The reason I wanted to go with a hot standby was that there are only 30 users in the network. Very small and just doesn't seem necessary. The goal here is that if one physical machine goes down, they can still be functional. I have read that it is acceptable to run DHCP on the DC, as was done in SBS 2003, 2008 etc... But I know there is either a security issue or a permissions issue. I am just not sure how to properly configure the second domain controller on the DHCP server.
  • Wednesday, February 20, 2013 5:27 PM
     Answered
    The reason I wanted to go with a hot standby was that there are only 30 users in the network. Very small and just doesn't seem necessary. The goal here is that if one physical machine goes down, they can still be functional. I have read that it is acceptable to run DHCP on the DC, as was done in SBS 2003, 2008 etc... But I know there is either a security issue or a permissions issue. I am just not sure how to properly configure the second domain controller on the DHCP server.

    When you run DHCP on a Domain Controller, you should run the service under a dedicated service account you first configure in Active Directory.  So in your case, you would promote the DHCP server to be a Domain Controller (with DNS and Global Catalog), create a service account in Active Directory, then change the DHCP Server service to run under the context of this account.

    From here: http://technet.microsoft.com/en-us/library/cc787034.aspx

    When the DHCP Server service is installed on a domain controller, configuring the DHCP server with the credentials of the dedicated user account will prevent the server from inheriting, and possibly misusing, the power of the domain controller. When installed on a domain controller, the DHCP Server service inherits the security permissions of the domain controller and has the authority to update or delete any DNS record that is registered in a secure Active Directory-integrated zone (this includes records that were securely registered by other computers running Windows 2000 or a Windows Server 2003 operating system, including domain controllers).

    It is necessary to configure a dedicated user account and configure the DHCP server with the account credentials under the following circumstances:

    • A domain controller is configured to function as a DHCP server.
    • The DHCP server is configured to perform DNS dynamic updates on behalf of DHCP clients.
    • The DNS zones to be updated by the DHCP server are configured to allow only secure dynamic updates.

    Once you have created a dedicated user account, you can configure DHCP servers with the user account credentials by using the DHCP console or by using the Netsh DHCP context command server set dnscredentials. For more information on configuring credentials using the DHCP console, see Configure DNS dynamic update credentials. For a comprehensive reference about Netsh commands for DHCP (including syntax, parameters, and examples for the set dnscredentials command at the server context of netsh dhcp), see Netsh commands for DHCP.


    • Marked As Answer by CZStech Wednesday, February 20, 2013 11:00 PM
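    Added example, written for this thread and not taken from the posts or from Microsoft's documentation: a PowerShell version of the dedicated-account step described above (the equivalent of the netsh "server set dnscredentials" command in the quoted TechNet text), followed by the dual-DNS-server client option the earlier replies recommend. The domain, account name, host name and DNS addresses are placeholders.

```powershell
# Added example (not from the thread). Placeholders: domain corp.example,
# account svc-dhcp-dns, DHCP-server-turned-DC dc02, DNS servers 10.0.0.10/.11.
Import-Module ActiveDirectory
Import-Module DhcpServer

$domain   = 'corp.example'
$svcName  = 'svc-dhcp-dns'
$dhcpHost = 'dc02'

# 1. Plain domain user with no group membership beyond Domain Users. The point of
#    the account is that DHCP owns DNS records as a low-privilege identity instead
#    of inheriting the domain controller's authority over every secure zone record.
$password = Read-Host -Prompt "Password for $svcName" -AsSecureString
New-ADUser -Name $svcName -SamAccountName $svcName `
    -UserPrincipalName "$svcName@$domain" `
    -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'DHCP DNS dynamic update credentials (no admin rights)'

# Guard against someone "fixing" a later problem by adding the account to Domain Admins.
$groups = (Get-ADPrincipalGroupMembership -Identity $svcName).Name
if ($groups -contains 'Domain Admins') {
    throw "$svcName must not be a Domain Admin; that defeats the purpose of the account"
}

# 2. Hand the credentials to the DHCP Server service for DNS dynamic updates.
#    netsh equivalent: netsh dhcp server set dnscredentials svc-dhcp-dns corp.example <password>
$cred = New-Object System.Management.Automation.PSCredential ("$domain\$svcName", $password)
Set-DhcpServerDnsCredential -Credential $cred -ComputerName $dhcpHost

# 3. Verify DHCP is no longer registering DNS records as the domain controller itself.
$current = Get-DhcpServerDnsCredential -ComputerName $dhcpHost
if ($current.UserName -ne $svcName) {
    throw 'DHCP on the DC is still updating DNS without the dedicated account'
}

# 4. Clients receive both DNS servers (the existing DC and the newly promoted one),
#    so name resolution survives the loss of either physical host.
Set-DhcpServerv4OptionValue -ComputerName $dhcpHost `
    -DnsServer '10.0.0.10', '10.0.0.11' -DnsDomain $domain
(Get-DhcpServerv4OptionValue -ComputerName $dhcpHost -OptionId 6).Value
```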
  • Wednesday, February 20, 2013 5:46 PM
    Okay, understood, thank you for the information. The only question I have is what permissions this dedicated user account should have. Should they be a domain admin, power user, etc...? I have done quite a bit of research on this and cannot find the information on what permissions the user should have.
  • Wednesday, February 20, 2013 8:53 PM
    Okay, understood, thank you for the information the only question I have is what permissions should this dedicated user account have? Should they be a domain admin, power user, etc... I have done quite a bit of research on this and cannot find the information on what permissions the user should have.
    You might need to grant the account the "Log on as a Service" privilege in the Default Domain Controller Security policy.  Outside of that, no special permissions are required.  You definitely don't want this account to be a Domain Admin, as that would defeat the purpose of running a dedicated account in the first place (since DAs can wipe out DNS entries).