How do you reconcile your router/firewall's DHCP server w/your PDC's AD DHCP server?

JediFonger (2[H]4U, joined Jan 2, 2003, 2,777 messages)
here's my setup:
-internet is through a westell 2200 DSL modem.
-Verizon gave us a static IP, gateway, dns, etc.
-modem is connected to a D-Link DFL200. it's a router/fw/etc.
-i setup the D-Link's wan with static config provided by Verizon.
-i turn on DHCP server on the lan of the D-Link
-i have internet access.

the problem is that i want to enable the company network to be online as well. how do most people do it? i connected the D-Link's inside LAN to our network switch.

our network is w2k3-based AD/DHCP/DNS server serving about 20 wxpp clients. when i hook the D-Link to the network, none of the clients can get internet, but when i connect the D-link to a single client, i get internet. i've tried relaying DHCP server to our PDC (w2k3) but still no internet. is there a config i'm supposed to do on the D-Link or PDC that i'm missing?

how do people do it?

if i turn off DHCP completely, i get no internet connection from D-Link's inside LAN either through direct connection to a single client or through network. i guess these routers/firewalls require their internal DHCP to be on for internet to be enabled. that true?

i know a network can have more than 1 DHCP server, but this one won't play nice? advice?
 
actually, a network CANNOT have more than 1 DHCP server unless you configure different scopes on each one. if you have both managing the same leases you're going to double-book all your internal IPs and no one is going to get on the intarweb . . . . which you may have noticed is exactly what is going on here.

turn off the DHCP server on the DLink entirely. the reason your clients cannot access the internet using your windows DHCP server is because (my guess which i am 99% confident is correct) you did not set the scope options . . . specifically the one called gateway or router. this value should be set to the IP address of the DLink. it's the default route the clients will go to get to any other network other than the one they are part of.
 
1. Turn off DHCP on the D-Link router
2. Set the router LAN interface IP address to one that's part of the network but won't be given out (if your DHCP server gives out 192.168.x.x addresses and the range is 192.168.x.100 to 192.168.x.200, make the router LAN interface a 192.168.x.x address outside that range. If the DHCP range is 192.168.x.0-255, make it smaller.) Also set the subnet mask to the same one the rest of your network uses.
3. In the DHCP properties of your 2k3 AD server,
(Administrative Tools, DHCP, expand the group under the server name, expand the group under "scope", highlight and then right-click "Scope Options" and choose "Configure Options".) Check option 3 ("Router"), and put in the IP address of the D-Link router in the "IP Address" field (don't worry about the "Server Name")
4. Restart the DHCP service, or re-boot the server (I'd re-boot it)

I think that will do it. DHCP clients will need to either be re-booted, or do a repair on the network connection. To check, make sure the DHCP clients are getting an address that's:
in range
has the correct subnet mask
has the router's IP address set as the gateway

BTW, you can set a bunch of different options to be sent in the DHCP response...for example, my server is set up to get time corrections from an internet time server, and to act as a time server for my network (option 4), so all my machines are always within a few milliseconds of current time, and each other.
Hope this helped!
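Checking a lease the way the post above says to (address in range, correct mask, router as the gateway, plus the DNS-points-at-the-DC point raised later in the thread), as an added example that is not from the thread: a small parser for the DHCP options field, fed with the thread's own addresses (DC 10.0.0.1, D-Link 10.0.0.3, mask 255.0.0.0). The sample OFFER bytes and the scope bounds 10.0.0.15-10.0.0.200 are constructed, and `prefix_length` shows why that mask is /8 rather than /24.

```python
import ipaddress

# Constructed sample (not from the thread): options field of a DHCP OFFER as the
# w2k3 server sends it once scope option 3 names the D-Link (RFC 2132: code, len, value).
SAMPLE_OFFER_OPTIONS = bytes([
    53, 1, 2,              # 53 DHCP message type: OFFER
    1, 4, 255, 0, 0, 0,    # 1  subnet mask 255.0.0.0 (the thread's /8)
    3, 4, 10, 0, 0, 3,     # 3  router = the D-Link, 10.0.0.3
    6, 4, 10, 0, 0, 1,     # 6  DNS server = the domain controller, 10.0.0.1
    255,
])

def parse_options(blob):
    """Return {option_code: raw_value} from a DHCP options field."""
    opts, i = {}, 0
    while i < len(blob) and blob[i] != 255:   # 255 = end marker
        if blob[i] == 0:                       # 0 = pad byte, has no length
            i += 1
            continue
        code, length = blob[i], blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def addrs(raw):
    """Split an option value into the IPv4 addresses it carries."""
    return [ipaddress.IPv4Address(raw[k:k + 4]) for k in range(0, len(raw), 4)]

def prefix_length(options):
    """Prefix length of option 1, e.g. 255.0.0.0 -> 8 (class A, not class C)."""
    mask = addrs(parse_options(options)[1])[0]
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen

def check_lease(yiaddr, options, scope, router, dc):
    """Apply the thread's checklist to one offered lease. scope is the
    (first, last) address of the DHCP range; returns a list of problems."""
    o = parse_options(options)
    first, last = (ipaddress.IPv4Address(a) for a in scope)
    router, dc = ipaddress.IPv4Address(router), ipaddress.IPv4Address(dc)
    problems = []
    if not first <= ipaddress.IPv4Address(yiaddr) <= last:
        problems.append("leased address is outside the scope")
    if 1 not in o:
        problems.append("no subnet mask (option 1)")
    if 3 not in o:
        problems.append("no gateway (option 3 'Router'): clients get no default route")
    elif addrs(o[3])[0] != router:
        problems.append(f"gateway {addrs(o[3])[0]} is not the router {router}")
    if first <= router <= last:
        problems.append("router address lies inside the DHCP range; exclude it")
    if 6 not in o or dc not in addrs(o[6]):
        problems.append("DNS (option 6) does not point at the domain controller")
    return problems
```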
 
You want your real servers to be your DHCP server, not your router. Don't forget, your server's DHCP needs to hand out your domain controller's IP as the DNS server for all your workstations, else active directory functions break.

You can technically have more than 1x DHCP server on a network...if it's part of AD, it can be shared. But you don't want to have separate devices be a DHCP server, such as a router, and a server...else the server will stall its DHCP service.
 
big daddy fatsacks said:
a network CANNOT have more than 1 DHCP server unless you configure different scopes on each one.
MS DHCP has something called conflict detection. This enables you to be able to have two separate DHCP servers with the exact same scope. The DHCP server will check to see if the IP is in use prior to handing it out to a requestor.
 
big daddy fatsacks said:
but that will only work if both DHCP servers are windows correct? is that new in 2k3?
Kinda/Yes, and No.

The MS DHCP server will do conflict detection, but the LinkSys/Cheapo Router will not.
 
how will the MS DHCP server know when there is a conflict then if it is not communicating with the other DHCP server (ie- the other one is not also windows and on the same domain)?
 
I don't know the exact mechanism used for conflict detection, but I think it's something along the lines of a broadcast like is done on a Windows client for IP conflict detection.
 
so the statement "2 DHCP servers cannot be run on the same subnet unless they are configured with different scopes" is still a valid best practices statement. otherwise we're relying on the devices being awake when the broadcast takes place in order for the DHCP server to find them.

if it were the case that 2 windows DHCP servers could access each other's lease pool as a part of this conflict resolution process then i'd say we've got something useful there, but it doesn't seem like that's the case.
 
I didn't say you were wrong. I was just adding information. There is also a difference between what something can do and a best practice. Personally, I don't use conflict detection. I have seen some cases where its performance wasn't exactly stellar. If you want to start talking best practices, MS recommends using the 70/30 or 80/20 rule to configure fault tolerant DHCP servers.

Also, when a device goes to sleep, its IP is in a semi-released state. That is, the NIC will not renew its IP because it is asleep. Also, when it comes out of a sleep state, it will recheck for a conflict. But, this is all semantics really. :)
 
yeah MS uses the 80/20 rule.

i'd never heard of conflict resolution so i thought perhaps it was something fancy that actually performed a useful function so i was inquiring. and it sounded like you may have been advocating conflict resolution as a way to not care about dealing with setting DHCP up properly which is why i pointed out its deficiencies.

in any case, i think we've gone well beyond what JediFonger needed.
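The 80/20 split the two posts above refer to, as an added example that is not from the thread: both servers define the identical scope (same mask, same options such as Router and DNS), and each excludes the other server's share, so no address is leased by both. The addresses 10.0.0.15-10.0.0.214 used in the usage are constructed.

```python
import ipaddress

def split_scope(first, last, primary_share=0.8):
    """Return the lease range and the exclusion range each of two servers
    configures for one shared scope. Both define the whole scope; the primary
    excludes the secondary's share and vice versa, so no address is ever
    offered twice (the double-booking the thread describes)."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    boundary = lo + round((int(hi) - int(lo) + 1) * primary_share)  # secondary's first address
    return {
        "primary":   {"leases": (lo, boundary - 1), "exclude": (boundary, hi)},
        "secondary": {"leases": (boundary, hi),     "exclude": (lo, boundary - 1)},
    }

def overlaps(a, b):
    """True if two (first, last) lease ranges share any address."""
    return a[0] <= b[1] and b[0] <= a[1]

if __name__ == "__main__":
    # constructed scope: 200 addresses, 160 to the primary, 40 to the secondary
    for name, part in split_scope("10.0.0.15", "10.0.0.214").items():
        print(name, "leases", part["leases"], "excludes", part["exclude"])
```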
 
MS DHCP does conflict detection by pinging an IP 2-3 times before leasing it. You can adjust it in the server options if I recall.
 
Disable MS DHCP server in favor of the router DHCP. my win2k3-AD network only serves for AD. I have DHCP/DNS/WWW handled by other BSD servers. DHCP isn't THAT intensive on a router especially a high powered one.
 
I would disable the DHCP on the router, and then set your domain controller's gateway to the router's IP.

Also, make sure your router and the domain controller both have static IPs outside of the DHCP Server's scope, or you will have issues.

The DNS servers on the clients need to be getting the DNS servers so they point to the DC. You should also set up your DC's network settings to get their DNS from verizon (4.2.2.2, 4.2.2.1, 4.2.2.65 etc).
 
nice! that's the piece of the puzzle i may be missing. i haven't tried it yet (it's production hours right now). right now the server's IP&Subnet are set, but not the gateway. should i enter the router as gateway on the server nic?

as of now my pdc/ad server=10.0.0.1, subnet 255.0.0.0 with no gateway.
my fw/dlink=10.0.0.3.

so according to the new config, the AD/DHCP server's static route ip should be set to 10.0.0.3. the fw's DHCP&DNS should be relayed to 10.0.0.1 or should fw's DHCP&DNS be completely turned off?

i reboot and all should be well? =). this still enables me to enable web content filtering, right? kewl, i'll have to try this when no one is accessing server.
 
JediFonger said:
nice! that's the piece of the puzzle i may be missing. i haven't tried it yet (it's production hours right now). right now the server's IP&Subnet are set, but not the gateway. should i enter the router as gateway on the server nic?

as of now my pdc/ad server=10.0.0.1, subnet 255.0.0.0 with no gateway.
my fw/dlink=10.0.0.3.

so according to the new config, the AD/DHCP server's static route ip should be set to 10.0.0.3. the fw's DHCP&DNS should be relayed to 10.0.0.1 or should fw's DHCP&DNS be completely turned off?

i reboot and all should be well? =). this still enables me to enable web content filtering, right? kewl, i'll have to try this when no one is accessing server.
Webfiltering...
that's supposed to go at the gateway.

Your network:

computers - > Switch

plugged into this switch - > Your DHCP server, your DC (both one computer I'm assuming)
The DHCP server then needs to give out the proper gateway (Which is also most likely where your webfiltering is at). Say the gateway is 10.0.0.2, make sure all the computers are getting that from the DHCP server.
We need to know more about your environment to help you.
 
well the Dlink router can filter the web.

and yesh the entire network is connected to a switch. 10.0.0.1-10.0.0.9 are reserved for servers while everything else is DHCP.

i have 1 PDC/AD/DHCP/DNS server (10.0.0.1), a secondary domain controller on 10.0.0.2, firewall(dlink) on 10.0.0.3 and i think that's all for the reserved IPs for servers. all the clients/printers fall above 10.0.0.10+
 
JediFonger said:
well the Dlink router can filter the web.

and yesh the entire network is connected to a switch. 10.0.0.1-10.0.0.9 are reserved for servers while everything else is DHCP.

i have 1 PDC/AD/DHCP/DNS server (10.0.0.1), a secondary domain controller on 10.0.0.2, firewall(dlink) on 10.0.0.3 and i think that's all for the reserved IPs for servers. all the clients/printers fall above 10.0.0.10+
Ah, okay.

Take the DLink, turn off all the DNS/DHCP etc features on it....


....

Nevermind this.
New Idea.

Can you add a second NIC or do you have a second NIC in the DC? You could plug your cable modem or whatever the heck you have into that, and then set up the DC as the gateway in the DHCP server (and all the static computers)

-RC
 
we have Verizon biz DSL.

re: router into DC. the DC does have dual GB and that's what i'm currently doing right now. the reason i wanna get away from that is i need VPN users to access the rest of the network outside of the server. right now, the VPN can only access the server since he's connected only to that one segment.
 
JediFonger said:
we have Verizon biz DSL.

re: router into DC. the DC does have dual GB and that's what i'm currently doing right now. the reason i wanna get away from that is i need VPN users to access the rest of the network outside of the server. right now, the VPN can only access the server since he's connected only to that one segment.
What do you mean the rest of the network? They should be able to get onto the rest of your network through this.
Just route the VPN traffic through the Win2K server to the inside right?
 
the VPN user may need to access a client on the same network other than the server. if we do it the way we currently do so, the VPN user can't see any other computers on the network besides the server.
 
yesh.

on the fw. the following things are the only options that deviate from default settings:
i set wan to static IP since i was using verizon biz DSL w/static IP. i set lan to 10.0.0.3/255.0.0.0 to serve my class C domain. i turned off DHCP & DNS completely. on the firewall policy rules, i set only limited # of users to use internet. i limited web access from 10.0.0.1-10.0.0.14.

on my PDC. i went to DHCP's scope option and checked the router box and set it to 10.0.0.3. i also reserved all of the IPs from 10.0.0.1 through 10.0.0.14. i went to DNS properties and added 10.0.0.3 to the forwarding tab.

at first, when i physically finished connecting everything it wouldn't run. then all i did was set the PDC's nic's gateway to 10.0.0.3 and voila'! internet for those that need it and block those that don't.

i haven't tested the VPN yet, hopefully it'll work =). this is awesome!
 
JediFonger said:
i set lan to 10.0.0.3/255.0.0.0 to serve my class C domain.
10.0.0.3/255.0.0.0 is a class A domain. For it to be class C, it would need to be 10.0.0.x/255.255.255.0 or 10.0.0.x/24.
 