Should I run DHCP/DNS on Windows or pfsense?

Hi all,

We are consolidating our infrastructure and moving for physical hardware to virtualization using xcp-ng. At the head of the network are 2x pfsense in HA mode. Our new Window server essentials is going to be installed in a VM. Currently our Windows 2008 R2 is on a physical machine and run our DNS. DHCH and active directory. Going forward Active directory will be on the VM but we are not sure if we should run the DHCP & DNS on pfsense or keep it on the window server. We are concerned that no network will work until the VM is up and running. What are the main advantages to run this 2 service in Windows at the first place?

I’ll appreciate any advice please.

Thank you

If you are running Active Director then Windows should handle the DHCP & DNS.

3 Likes

Thank you @LTS_Tom for the quick response. Do you see any issue having the windows server in a VM? From your experience is it common this days?

Fred

We prefer to run Windows server in a VM.

1 Like

I don’t think I’ve seen a physical AD server in 10+ years. There’s certainly no reason not to have it as a VM.

As for why to run run DNS and DHCP on the windows server, AD tightly integrates with DNS, in fact I’m not sure you can even have AD without DNS on the same server. You could run with DHCP not on the windows server, but it wouldn’t be recommended, as if configured correctly it will update DNS when leases are handed out etc. making it easier to find devices on the network etc. One thing I will say is make sure DNS scavenging is enabled on the DNS server to ensure stale records are automatically purged, as far as I know it’s not enabled by default. I’ve lost count of the number of times I’ve seen it left disabled and people having issues with DNS due to multiple records pointing to the same IP and vice versa. If you do enable it make sure you fully understand how it works with the DHCP lease time, as changing that can result in records being purged earlier than they should and you will run into issues (this is probably the reason so many people fail to enable it).

1 Like

OP: As a Pro-tip, never ever install/use Windows Server Essential please. You will just open a Pandora’s box of issues with any other services from Microsoft/3rd-party you might use. It is less $$ than the Standard version, but you will pay a lot more in support, hours and headachess just to understand that Essential doesn’t support this or that.

Edit: I didn’t have time to finish my post earlier so I will do it now. Consider that DNS and Active Directory are closely related and MUST be installed on the DCs themselves. If you have thousands of DHCP client, it could be a could idea to put that service on a few other servers, but if you have less than a thousand clients, you can install the DHCP service on the DC without problem.
As for your question about “not network will work until the VMs are up” depends on what you are refering too. Anything that requires AD to run of course will depend on having your DCs up. For anything else like network related stuff or non-domain dependant service, you could have them use your firewall insterface as a DNS instead of the ones on the DCs.
Same thing for clock synchronization: use the IP that is the gateway of each vlan as the source for NTP. So in a domain, your DCs will synch with your firewall, and then your client will sync with the DCs.

@pjdouillard Thank you very much for the pro-tip :slight_smile: Windows is really not my area of expertise. I am a unix/linux guy but I need to eveolve :slight_smile:

I’ll get a bigger budget for the extra cost and follow your advise.

I see physical Windows Servers all the time. I mean all the time. I have a bunch of customers with only a single server. Why virtualize it? Whether or not to virtualize Windows Server depends on how many servers you need. If you are in a large environment, virtualizing them makes sense. If you have only one (or maybe two) then it makes more sense to have them on a physical machine. I’ve set up 2 Windows Servers for a client, both as DCs, in separate buildings for redundancy in case of things like environmental issues, power issues, and bad things like a fire.

I’m just saying there is no hard fast rule for either way. I know people who virtualize everything, and others that prefer to have physical machines. Virtualization is a big trend right now, but I’m not really one of those that is sold on it as just the way you do everything. I look for single points of failure, and having all of your servers virtualized on one physical machine is a single point of failure. The server motherboard goes down and everything grinds to a stop. I prefer redundancy, even at the cost of more hardware.

Just food for thought.

All of our new deployments and server upgrades are moving to VMs as well, but we have had several incidents where the DC on a VM comes up thinking it is on a public network so it blocks several important services until we can log in and convince the DC that it is actually on a trusted network.
That said, there are mitigations for that issue and it hasn’t stopped us from continuing with the practice of putting our servers on VMs.

Virtualize all the servers. Windows Server Standard gives you 2 VMs for the license, so build a Domain Controller and a file/print server. Migrations to new hardware are so much easier with virtualization among other things.

1 Like

What’s the benefit to virtualizing? Seriously. I really don’t see the reason.

Have you tried changing the “Network Location Awareness” service to Automatic (Delayed) ?

Easy migration. You can get a new physical server, add it to the virtualization pool, and migrate the server. No downtime.

Easy backup/restore. Easy replication.

One Windows Server license gives you the rights to virtualize two instances as long as it’s on the same physical hardware. You can have redundant essential services such as DHCP, DNS, and Active Directory. One server is in maintenance, the other is serving the business. You essentially reduce maintenance downtime.

1 Like

Another reason to go virtual is probably budget. In this way they save some money in buying physical servers. I know you can buy cheap used servers but then again if you can go virtual use 2 servers to host several operating system. The rest of the money will be allocated to licenses for the software and support.

@RobR You virtualize servers like DCs, DNS, DHCP, file server, app server because they don’t really need 8/10/12/++ cores to run properly, nor do they need 32/64/96/++ GB of RAM. But the MAIN reason is it is much easier to recover from a hic-ups - i.e, upgrade that went bad and crash your server, you’re hit with malware and you want to restore in a clean environment, maintenances are easier, etc. the list can go on and on - than it would be from a server running baremetal. If performance is an issue, that is another entire story though. But for normal day-to-day business, virtualizing servers (and now using containers too) is the way to insure proper operations. I could also add: let’s say tomorrow you want to move to the cloud. Bang! You could just take your files from your virtual machines, upload it on a cloud and make it work there (the reverse is true also if you want to leave the cloud and host your stuff).