where to run DHCP and DNS

 
 
Dan
Guest
Posts: n/a

 
      01-27-2005, 02:11 PM
I have a Symantec Firewall/Router between my servers and the internet. I
have a win2k3 server as DC. What is the recommended place to run DHCP and
DNS, from the server or from the firewall to free up resources on the
server?

Dan


 
 
 
 
 
Bob Hollness
Guest
Posts: n/a

 
      01-27-2005, 02:28 PM
Can you not run it from a standalone server?

If not, it is probably best to run it from the server. Especially as it is
a prerequisite for Active Directory and/or Dynamic DNS.

--

Bob

--------------------------------------
I'll have a B please Bob.

 
Kevin D. Goodknecht Sr. [MVP]
Guest
Posts: n/a

 
      01-27-2005, 02:33 PM
In news:(E-Mail Removed),
Dan <(E-Mail Removed)> commented
Then Kevin replied below:
> I have a Symantec Firewall/Router between my servers and
> the internet. I have a win2k3 server as DC. What is the
> recommended place to run DHCP and DNS, from the server or
> from the firewall to free up resources on the server?


If you have any legacy clients such as Win9x or NT4 that do not support
dynamic DNS and you wish these clients to be registered in DNS, DHCP can be
run on any Win2k or Win2k3 server because it will support dynamic
registration of the legacy clients. NT5 (Win2k) and later NT systems support
self-registration and can register themselves.

DNS, on the other hand, is recommended to be on a Domain Controller because
only on a DC with AD-integrated zones can DNS support Secure Dynamic
updates, which require the client to authenticate before dynamic
registration is allowed. DNS uses very little resources or memory (under
5MB) so the machine won't notice it running. If DNS uses much more memory
than this it could denote a configuration problem.


--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
 
Lanwench [MVP - Exchange]
Guest
Posts: n/a

 
      01-27-2005, 02:52 PM
Dan wrote:
> I have a Symantec Firewall/Router between my servers and the
> internet. I have a win2k3 server as DC. What is the recommended
> place to run DHCP and DNS, from the server or from the firewall to
> free up resources on the server?
>
> Dan


On the server - DNS has to be on your DC, but you can run DHCP (and WINS)
from a member server if you wish, or just run it all from the DC if you
don't have a huge network. Don't use your firewall for anything but your
default gateway!


 
 
Herb Martin
Guest
Posts: n/a

 
      01-27-2005, 06:01 PM
"Lanwench [MVP - Exchange]"
<(E-Mail Removed) ahoo.com> wrote in message
news:u#(E-Mail Removed)...
> Dan wrote:
> > I have a Symantec Firewall/Router between my servers and the
> > internet. I have a win2k3 server as DC. What is the recommended
> > place to run DHCP and DNS, from the server or from the firewall to
> > free up resources on the server?
> >
> > Dan

>
> On the server - DNS has to be on your DC,


Check that. (advantages exist but no requirement.)


> but you can run DHCP (and WINS)
> from a member server if you wish, or just run it all from the DC if you
> don't have a huge network. Don't use your firewall for anything but your
> default gateway!


Good advice. Perhaps as a (strictly internal-side) caching
only DNS server (if you have only one firewall hardware
layer.)


--
Herb Martin


 
Herb Martin
Guest
Posts: n/a

 
      01-27-2005, 06:03 PM
"Dan" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I have a Symantec Firewall/Router between my servers and the internet. I
> have a win2k3 server as DC. What is the recommended place to run DHCP and
> DNS, from the server or from the firewall to free up resources on the
> server?
>


You want to run your INTERNAL DNS on an internal
Server, generally on the DC is best.

You can safely run your DHCP there, especially in
Win2003 (where they improved the security/authentication
for DHCP registering dynamically.)

WINS is commonly run with the other two.

These services are SELDOM a burden on a DC and
if the DC is overwhelmed it is likely due to OTHER
things which should be moved, e.g., File services,
Email services, web, etc.

Compared with the other services, DNS and WINS
are very efficient and run well on the DC in all but the
largest domains.

--
Herb Martin


 
Lanwench [MVP - Exchange]
Guest
Posts: n/a

 
      01-28-2005, 01:19 AM
Herb Martin wrote:
> "Lanwench [MVP - Exchange]"
> <(E-Mail Removed) ahoo.com> wrote in
> message news:u#(E-Mail Removed)...
>> Dan wrote:
>>> I have a Symantec Firewall/Router between my servers and the
>>> internet. I have a win2k3 server as DC. What is the recommended
>>> place to run DHCP and DNS, from the server or from the firewall to
>>> free up resources on the server?
>>>
>>> Dan

>>
>> On the server - DNS has to be on your DC,

>
> Check that. (advantages exist but no requirement.)


I've never seen a DC not running DNS, but then again, I've never seen a lot
of things.
>
>
>> but you can run DHCP (and WINS)
>> from a member server if you wish, or just run it all from the DC if
>> you don't have a huge network. Don't use your firewall for anything
>> but your default gateway!

>
> Good advice. Perhaps as a (strictly internal-side) caching
> only DNS server (if you have only one firewall hardware
> layer.)


Even that has caused me problems, honestly - I just use forwarders.
>
>
>
 
Herb Martin
Guest
Posts: n/a

 
      01-28-2005, 05:34 AM
> > Check that. (advantages exist but no requirement.)
>
> I've never seen a DC not running DNS, but then again, I've never seen a lot
> of things.


DNS on the DC is very common; I almost always
recommend it; but it is not a requirement.

Technically a BIND server running on an arbitrary
OS can support AD as long as the version is high
enough (to support SRV, dynamic DNS updates, and
is stable), but I almost never recommend that and
actively try to discourage it when someone asks for
an opinion.

(Oh, and I have a BIND server for something else so
it is not because I don't 'like' BIND.)


DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

Restart NetLogon on any DC if you change any of the above that
affects a DC and/or use:

nltest /dsregdns /server:DC-ServerNameGoesHere

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single-label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]

--
Herb Martin


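An offline check for item 2 of the "DNS for AD" checklist and for the DCDiag step in the post above, as an added example that is not part of the thread. It assumes `ipconfig /all` and `dcdiag` output has been saved as text; the sample output, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample data (not from the thread); names and addresses are made up.
IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.1.50
   DNS Servers . . . . . . . . . . . : 192.168.1.10
                                       203.0.113.53
   Primary WINS Server . . . . . . . : 192.168.1.10
"""
DCDIAG = """\
   Testing server: Default-First-Site-Name\\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity
      Starting test: Replications
         [Replications Check,DC1] A recent replication attempt failed:
         ......................... DC1 failed test Replications
"""

def foreign_dns_servers(ipconfig_text, internal):
    """Checklist item 2: return every configured resolver not in `internal`."""
    found, in_dns = [], False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            in_dns = True
            found.append(m.group(1))
        elif in_dns and re.fullmatch(r"\s+[0-9a-fA-F.:]+", line):
            found.append(line.strip())  # continuation line: one more resolver
        else:
            in_dns = False
    return [ip for ip in found if ip not in internal]

def dcdiag_findings(dcdiag_text):
    """Return (test, line) for each line mentioning FAIL, ERROR or WARN."""
    test, hits = None, []
    for line in dcdiag_text.splitlines():
        m = re.match(r"\s*Starting test:\s*(\S+)", line)
        if m:
            test = m.group(1)
        elif re.search(r"FAIL|ERROR|WARN", line, re.IGNORECASE):
            hits.append((test, line.strip(" .")))
    return hits

if __name__ == "__main__":
    print(foreign_dns_servers(IPCONFIG, {"192.168.1.10"}))
    for test, line in dcdiag_findings(DCDIAG):
        print(f"{test}: {line}")
```

Any address returned by `foreign_dns_servers` is a resolver outside the internal set, which is the condition item 2 rules out; grouping DCDiag hits by test name shows which subsystem to look at first.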
 
 
 