DHCP In Corporate Setting

mac_cnc (2[H]4U, joined Oct 14, 2000, 2,560 messages)
OK folks, here is what I'm working with:

Single server running Active Directory, and about 30-40 users. We currently use static IPs and it is annoying me to no end. Is it applicable to use DHCP in this setting? And if I keep some of the static devices (switches, servers, etc.) as static, will DHCP "skip" those IPs when it's handing out numbers?

Any help would be good.
 
A) DHCP is great in the enterprise. Control addressing, routing, and name resolution on one system, then propagate that info to all clients automatically. No more worrying about a typo in a statically set IP address, accidentally setting the same address for two machines, etc.

B) You can create lease reservations, where a DHCP client gets the same IP address every time it boots up, and you can also exclude addresses from the DHCP address pool if you have devices that require static IPs, such as network print devices, DNS servers, etc.

C) When you install and configure the DHCP service, don't forget to have an enterprise admin authorize it in Active Directory - the service will not start on a domain controller or member server without authorization.

I'm really surprised you are not on DHCP already; it makes managing and troubleshooting much easier.
 
Well, the person who set it up isn't with the company anymore and she didn't really know what to do. We just kind of got "technical" 3-4 years ago. There wasn't even an IT department. So my new boss and I are getting things in gear and getting it straightened out.

Can you explain how to "authorize" it a little more? I am the domain admin so I will be the one to do it.
 
If you have an IP range of 192.168.0.1-192.168.0.254 for example, you can specify the lease addresses anywhere you want. Usually you would keep servers, switches and routers on the low end of the spectrum. Say you have 3 switches, one router and one server. That's 5 addresses that should be 'reserved', so you could start the DHCP at 192.168.0.5 through 192.168.0.254 if you wanted. Since you only have like 40 machines, I would give yourself a bigger 'reserved' range at the low end of the range to add things like network printers, another server, etc. Say like 25 reserved spaces for a LAN this small...
 
Excellent points. Currently our switches are on 192.168.x.253 and 254 for some reason. I will have to change them.
 
Real simple there: in the DHCP MMC console, right-click the server and choose 'Authorize'. Sometimes it takes a minute or two to take effect, and there is some bizarre time where rebooting the DHCP server magically changes the red down arrow to a green up arrow. It's kind of weird, but should work eventually.

If you have many DHCP servers, you can also use the DHCP console to "Manage Authorized Servers" and add or remove from a list.
 
Sweet. I will try that all tomorrow when no one is in. I will have to change all the machines over to DHCP. Ugh... long Saturday!!!!
 
While I am not an expert on best practices with IP subnetting etc, I have static devices start at the high end of the subnet and work down, and the DHCP pool starts at the bottom and works up.

This way, I only have to tweak the high end of the DHCP pool if I need more static devices, and I can readily identify a static device - on the Class C networks we use, it has a value in the last octet >200.

The important thing here is to design a system that will accommodate future growth within subnets, and is easily and reliably replicated to new subnets to reduce confusion. That makes the most important factor usability to you - a system isn't any good if you don't follow it.
 
Not necessarily, you can keep them there. Just make sure the DHCP range does not overlap the numbers is basically what I am saying. You only need 40 leased addresses; you can put that anywhere in between the range you want. Just keep it organized and give yourself enough room at the top of the range to add more switches and the bottom of the range to add printers and new servers etc. Do yourself a favor and plan ahead, like 192.168.0.25-192.168.0.40 reserved for printers and start your workstations between 41-90 for example. This way you keep things neato and organized as you grow/if you grow. That should give you enough room at the top and the bottom for reserved IPs and you can always expand the DHCP leases if you need it.
 
DougLite said:
While I am not an expert on best practices with IP subnetting etc, I have static devices start at the high end of the subnet and work down, and the DHCP pool starts at the bottom and works up.

This way, I only have to tweak the high end of the DHCP pool if I need more static devices, and I can readily identify a static device - on the Class C networks we use, it has a value in the last octet >200.

The important thing here is to design a system that will accommodate future growth within subnets, and is easily and reliably replicated to new subnets to reduce confusion. That makes the most important factor usability to you - a system isn't any good if you don't follow it.


It's a matter of preference really; I guess it depends on what you're used to. Organization, as you say, is the most important part. We recently moved from public IPs to NAT and we set it up like this for one building:

Subnet Range   .0.0 - .7.255
Gateway        .0.1
Mask           255.255.248.0
Broadcast      .7.255
Electronics    .0.1-30
Servers        .131-60
Printers       .0.61 - .1.100
DHCP Scope     .1.101 - .7.254
NAT            XXX.XXX.XXX.XXX
IPX Network    XXXXXXXX SAP

The 248 mask is obviously because we have boatloads of network printers, which we should be 86'ing as they die. This is more complicated than what the original poster would need, unless you suddenly add like 200 more devices. A standard 255.255.255.0 mask will work for him fine.
 
You should also consider setting up a DNS server, on the same machine or a different one. If you use DHCP, you're not sure which machine will get which address (unless you use leases; still, it would be a pain to have to look up different computers by their addresses). In order for one computer to be able to communicate with another on the same network, you need a way to get addresses when you have names... that's DNS. In a nutshell, it's just a list of computer names and the addresses that go with them. So if your domain name (the network name used by the DHCP server) is trees.com, each computer will be <hostname>.trees.com. With a DNS server, one computer can communicate with another by IP address (if you know it; e.g. 192.168.0.100), an FQDN (fully qualified domain name; e.g. pine.trees.com) or just a hostname (e.g. pine). You set the DNS server up to relay to your ISP's DNS server for addresses outside the network.
 
DHCP and DNS are the way to go...

Also, lease reservations are the way to go... give a certain device a static of, let's say, 10.0.0.156, and reserve it in DHCP and it will always get that IP. PLUS the benefit is that you can always go back to your DHCP later on and see what IP you gave the device... makes it a lot easier.

QJ
 
O[H]-Zone said:
You should also consider setting up a DNS server, on the same machine or a different one. If you use DHCP, you're not sure which machine will get which address (unless you use leases; still, it would be a pain to have to look up different computers by their addresses). In order for one computer to be able to communicate with another on the same network, you need a way to get addresses when you have names... that's DNS. In a nutshell, it's just a list of computer names and the addresses that go with them. So if your domain name (the network name used by the DHCP server) is trees.com, each computer will be <hostname>.trees.com. With a DNS server, one computer can communicate with another by IP address (if you know it; e.g. 192.168.0.100), an FQDN (fully qualified domain name; e.g. pine.trees.com) or just a hostname (e.g. pine). You set the DNS server up to relay to your ISP's DNS server for addresses outside the network.

Well, he's got AD running, so he's got a DNS server somewhere. Make sure those DNS zones accept dynamic updates, and he'll be good to go.

Mac_cnc, if you are running all 2000+ clients, then enable dynamic updates on your forward and reverse lookup zones and include the address of your DNS server in scope or server options in DHCP, and the DNS records for your DHCP clients will automatically be created right after they get the DHCP lease. If you have 9X/NT clients, then the DHCP server can do the dynamic updates for them; you will need to turn that feature on in the DHCP console.
 
Whatever you do, don't make your servers DHCP clients. Exclude an address range for them and set server addresses statically. In many cases servers (particularly AD domain controllers) will NOT register all of the proper entries in DNS that they need to if the server is a DHCP client. My presumption is that this behavior is intentional and that MS designed it that way to allow you to build domain controllers at a central staging location and then ship them out to branch offices without creating too much of a mess in your DNS zones.

Any resource such as a server or printer should have the same IP address day-in and day-out. For printers, BOOTP or DHCP reservations are usually fine. For servers, routers, and other network devices, static addresses are still the best choice.

My advice is to implement something like this for a typical 24-bit subnet:

x.x.x.1 through x.x.x.29 - reserved for Network Devices (exclude from DHCP scope)
x.x.x.30 through x.x.x.49 - reserved for Servers (exclude from DHCP scope)
x.x.x.50 through x.x.x.79 - reserved for Printers (exclude or create lease reservations)
x.x.x.80 through x.x.x.99 - reserved for future/unknown
x.x.x.100 through x.x.x.254 DHCP clients

Adjust the pools as needed, but I'd try and create a consistent standard for all your subnets. Network devices at the low end seems to be a de facto standard IMO.

Data Center Subnets are a little different however since you might need a whole lot more server addresses and very few DHCP addresses (usually for initial configuration only via Altiris, RIS, PXE boot, etc.)

Then specify at least these scope or server options:
Router (Default Gateway) - scope
DNS Zone (suffix) - server
Primary and Secondary DNS servers - server
Primary and Secondary WINS servers (if applicable) - server

Also, on your DNS servers (assuming you're running DNS on AD domain controllers) set your AD zones to be Active Directory-integrated, and allow only secure updates if at all possible. A 2003 forest allows a lot more flexibility in the DNS department. I'd strongly consider moving towards a native 2003 AD domain if at all possible.
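The allocation rules the posters describe (exclusions are never leased, a reserved client always gets its fixed address, and a static device parked inside the dynamic pool without an exclusion is a conflict waiting to happen) can be checked with a small model. The following is an added example, not code from the thread or from the Windows DHCP service; it applies the 24-bit plan above to a constructed 192.168.0.0/24 network, with constructed MAC addresses and host names, and is deliberately simplified (no lease expiry, no DHCPDECLINE handling).

```python
"""Added example: a small model of a DHCP scope with exclusion ranges and
lease reservations.  Not code from the thread or from Windows DHCP; it
reproduces the allocation behaviour the posters describe so the rules can
be checked against a sample address plan.  All addresses, MAC addresses
and host names below are constructed sample data."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass
class Scope:
    pool_start: IPv4Address
    pool_end: IPv4Address
    # Inclusive ranges carved out of the pool; the server never leases these.
    exclusions: List[Tuple[IPv4Address, IPv4Address]] = field(default_factory=list)
    # Client hardware address -> the fixed address that client always receives.
    reservations: Dict[str, IPv4Address] = field(default_factory=dict)
    # Dynamic leases handed out so far (hardware address -> address).
    leases: Dict[str, IPv4Address] = field(default_factory=dict)

    def exclude(self, start: str, end: str) -> None:
        self.exclusions.append((IPv4Address(start), IPv4Address(end)))

    def reserve(self, mac: str, ip: str) -> None:
        self.reservations[mac] = IPv4Address(ip)

    def is_excluded(self, ip: IPv4Address) -> bool:
        return any(lo <= ip <= hi for lo, hi in self.exclusions)

    def _unavailable(self) -> set:
        return set(self.reservations.values()) | set(self.leases.values())

    def offer(self, mac: str) -> Optional[IPv4Address]:
        """Address offered to a client, or None when the dynamic pool is exhausted."""
        if mac in self.reservations:   # a reserved client always gets its fixed address
            return self.reservations[mac]
        if mac in self.leases:         # a renewing client keeps the lease it already has
            return self.leases[mac]
        unavailable = self._unavailable()
        ip = self.pool_start
        while ip <= self.pool_end:     # walk the pool, skipping excluded and taken addresses
            if ip not in unavailable and not self.is_excluded(ip):
                self.leases[mac] = ip
                return ip
            ip += 1
        return None

    def free_addresses(self) -> int:
        """How many addresses the server could still lease dynamically."""
        unavailable = self._unavailable()
        ip, free = self.pool_start, 0
        while ip <= self.pool_end:
            if ip not in unavailable and not self.is_excluded(ip):
                free += 1
            ip += 1
        return free


def static_conflicts(scope: Scope, static_hosts: Dict[str, str]) -> List[str]:
    """Statically addressed hosts whose address the server could still hand to
    someone else: inside the pool, not excluded, and not reserved."""
    reserved = set(scope.reservations.values())
    return [
        name for name, addr in static_hosts.items()
        if scope.pool_start <= IPv4Address(addr) <= scope.pool_end
        and not scope.is_excluded(IPv4Address(addr))
        and IPv4Address(addr) not in reserved
    ]


def build_example_scope() -> Scope:
    """The 24-bit plan from the thread on a constructed 192.168.0.0/24 network."""
    scope = Scope(IPv4Address("192.168.0.1"), IPv4Address("192.168.0.254"))
    scope.exclude("192.168.0.1", "192.168.0.29")    # network devices
    scope.exclude("192.168.0.30", "192.168.0.49")   # servers
    scope.exclude("192.168.0.50", "192.168.0.79")   # printers (reservations below)
    scope.exclude("192.168.0.80", "192.168.0.99")   # future/unknown
    scope.reserve("00:11:22:33:44:01", "192.168.0.50")  # printer 1 (constructed MAC)
    scope.reserve("00:11:22:33:44:02", "192.168.0.51")  # printer 2 (constructed MAC)
    return scope


if __name__ == "__main__":
    scope = build_example_scope()
    print("free dynamic addresses:", scope.free_addresses())        # 155
    print("first workstation:", scope.offer("00:11:22:33:44:10"))    # 192.168.0.100
    print("printer 1:", scope.offer("00:11:22:33:44:01"))            # 192.168.0.50
    # Switches parked at .253/.254 with no exclusion: the server may lease those.
    switches = {"switch-a": "192.168.0.253", "switch-b": "192.168.0.254"}
    print("conflicts before exclusion:", static_conflicts(scope, switches))
    scope.exclude("192.168.0.250", "192.168.0.254")
    print("conflicts after exclusion:", static_conflicts(scope, switches))  # []
```

Running it shows the first workstation landing at .100 (everything below is carved out), the printer getting its reserved .50 regardless of the exclusion covering it, and the two switches at .253/.254 being flagged until an exclusion covers them; that last check is the one to run against any inventory of static devices before turning a scope on.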
 
Yeah, what we used to do was break it up at the third octet like:
10.1.0.x was all the servers and printers and other network stuff.
10.1.1.x was the clients, and the only range dynamically assigned.
10.1.2.x was the IP phones.
etc.

It seemed to work pretty well.
 