AD, DHCP, DNS Reconfiguration on my network


Roaming Builder
Apr 12, 2017
Iowa, USA
Good Morning,

I apologize in advance for the wall of text, but trying to put all of the pertinent information out there...

I was not sure if I should post this here or in the Networking forums, but I am looking for some help organizing my networks services. My needs are not complicated, but I have built-on, added-on, and reconfigured my network and servers at home to the point that I am wanting to slowly move some things around to where they make a little more sense, and are a little more maintainable.

My main concern right now, is I have AD, DHCP, and DNS running on Windows Server (some 2012 and one 2016), and I want to get it all out to a dedicated box that is not running any other services.

I currently have:

Network Rack:
  • Modem
  • ASUS RT-AC3200 Router
  • 24-Port Unmanaged Switch
  • UPS
  • PDU
  • Patch Panel for home

Server Rack
  • Server 1: DIY Build 4 years old (Server 2012, 32GB Ram, E3-1230 V2, LSI MegaRaid 9260 16i)/(Hyper-V ~5 VMs, File Shares, DNS, AD), contains PDC VM on Server 2012
  • Server 2: HP DL380 SFF G6 12-Core X5670 2.93GHz 72GB 8x 146GB HDD 2x750w (Server 2012, Plex Media Server/Game Server for some Steam Games, AD,DNS,DHCP)
  • Server 3: HP DL380 SFF G6 12-Core X5670 2.93GHz 72GB 8x 146GB HDD 2x750w (Server 2016, Hyper-V Server, nothing else)
  • 24Port Unmanaged Switch
  • UPS
  • PDU
So I am kind of all over the place. I started with Server 1 a few years ago to set up a Development environment to mimic that at work to play with some features that I did not have access to in the real world, and outgrew its VM capacity. At that time, I set up AD/DNS/DHCP on a VM for simplicity. Since it was set up this way, all hell would break loose if this machine lost power or rebooted. The wife approval factor drops to zero if the network is down at all, short of a power failure, or something that she understands SHOULD bring the network down.

Server 1 I built, and Server 2/3 I bought off eBay at the beginning of this year for a steal.

My main goal is to increase uptime of DNS/DHCP, or as my wife calls it "whatever makes the internet work on my tablet". I want to get away from running the services on my server rack because I know in the near future due to renovations, and such I am going to have to bring down and move my rack for significant periods of time.

I am thinking that I am going to buy a simple, low-power, small form factor server to sit on top of my network rack to serve up AD/DNS/DHCP for my network. I purchased a Dell T30 that I got using a Gift Card obtained as a reward at work. New PowerEdge T30 Mini Tower Server | Dell United States

I think, for now, I am going to move all of my VMs over to server 3, and offline the ones that are not actively in use, get rid of the AD PDC VM after moving roles over to the new mini server. Possibly virtualize Server 2, run that as VM on Server 3, and sell server 2.

If I lose power, my server rack can run on the UPS long enough to shut everything down safely. I should be able to get a high amount of uptime on my network rack with its UPS even with the mini server.

What I would like to know is whether there is something else that I should be considering on how to best get DHCP/DNS to not rely on stuff in my server rack? I don't need ultra-redundancy; in the event of something super catastrophic, I can turn on DHCP on the router, renew leases, and abandon the AD/Servers until I fix the issue. I am looking for solutions that are not too expensive, but I am not opposed to investing some money if it makes sense.

For instance, someone recommended setting up a PFSense router and getting it to work with Windows Server DNS/DHCP, but I keep reading that is a bad idea.

Roaming Builder
Apr 12, 2017
Iowa, USA
Sorry if there is too much info in there, I have a lot of things that I want to do after this, like setting up Server 1 as a dedicated storage server, but the DNS/DHCP reliability is my current obsession.

Rand__
Well-Known Member
Mar 6, 2014
Well if you don't need AD then turn it off;)
If you do need it for authentication, windows updates and who knows what then you should keep on running it.
Depending on what you run it for you could replace it with a RaspberryPi or with a small Nas to keep shares up.

Totally depends on what you want/need :)

Now if you already have the T30 then you can put it to use, although it's not a small box. A mini pc e.g. a Zotac would have served the same purpose and would have had a smaller footprint.
But your plan sounds ok if there are no further dependencies that only you can know:)

CreoleLakerFan
Active Member
Oct 29, 2013
I follow the principles of K.I.S.S for my home network/services. I choose open-source whenever possible because it's cheap and reliable. I have an isolated lab (24U rack in my garage) so that any experimentation I do doesn't overrun the functionality of my home network and piss off the wife.

Sounds like that's where you're headed ...

PigLover
Moderator
Jan 26, 2011
Probably doesn't count as KISS - but this is where I've landed.

I've split my network into two parts. The part that must work always to ensure domestic tranquility and, separately, my toys.

On the "essentials" network is the pfSense router, cable modem, and the new Mikrotik switch (24+2). The small switch connects to everything in the house that the family uses (media PCs, desks, WiFi APs, etc). I also have the machine that runs my cameras. Lastly, there are a couple of Pi/Odroid boxes running home automation stuff.

All of this is protected by an APC UPS with almost 1 hour runtime with these things connected.

Separately are my toys. Connected to the "essentials" network, pfsense, and my house by one of the 10Gbe ports on the Mikrotik (***). This is my rack of servers and "stuff", 10Gbe backbone (using a Ubiquiti us-16-xg switch that I both love and hate). This stuff can be powered on, powered off, reconfigured, etc., at will without ever impacting the family (well - sorta - the big NAS that has the movie rips on it is here too). This is all protected on a UPS that has about 5 min runtime on battery if most things are "on" (both UPS have the same battery size - it's the draw that's different).

For your DNS/AD problem: almost nothing "in the house" depends on AD or any DNS reference local to my "toys". I run the "standard" DNS resolver (based on Unbound) as a caching resolver for the internet. My "local" domains are "home.<deleted>.com", "admin.<deleted>.com", "test.<deleted>.com", etc. For these, I use a "zone override" in unbound and point them to the AD/DNS running in my "toys" rack. Getting this approach to "play nice" with AD simply requires hand provisioning a couple of "SRV" records in the pfSense resolver.

So far it's been rock solid (albeit just a couple of weeks since I got the partitioning done).

(***) the other 10Gbe port on the Mikrotik goes to the desktop PC at my desk, so I get 10Gbe extended to that machine for me AND that machine is still usable even if the "toys" are all FUBAR.

Roaming Builder
Apr 12, 2017
Iowa, USA
I do actually use AD for some services in my home, so I would like to keep it. Getting rid of it would make some things easier, and some things more difficult. My wife and I have a great deal of data, movies, pictures, so on and so forth that we have on the file server. She does not want to deal with passwords and logins to access file shares, and we also don't want some things "publicly" available on the network. We frequently have people (IT Pros) over and on our network that would absolutely know how to poke around and find things, and many are more inquisitive than I care for. Using AD to restrict access to resources is mainly why I keep it around. I also have some custom backup software that is running and is aided by having AD available.

It is also nice to have the ability to go to any of the computers in our house (we have too many) and we can log into any of them with our own account and have access to all the same stuff (home directory, GPOs that are applied for the way she likes things set up).

So long story short, while my wife complains about it, there are also a lot of things that it is doing for her that she doesn't realize and would probably be upset if they went missing, lol.

Do any of you happen to know if it is possible to set up pfSense as DHCP/DNS in a way that it would not break AD, but would still allow internet access in an instance that I shut all of my AD/DNS/DHCP servers down? As I understand it, DHCP does not have to be handled by Windows, but AD does require DNS to be handled in its sphere for all of the lookups that AD requires. But that doesn't mean that it has to be the ONLY dns.

I was looking at this little puppy Netgate SG-1000 microFirewall and it would make a great small device that would fit what I was trying to do with the t30, if I could still have AD functioning correctly.

Roaming Builder
Apr 12, 2017
Iowa, USA
For your DNS/AD problem: almost nothing "in the house" depends on AD or any DNS reference local to my "toys". I run the "standard" DNS resolver (based on Unbound) as a caching resolver for the internet. My "local" domains are "home.<deleted>.com", "admin.<deleted>.com", "test.<deleted>.com", etc. For these, I use a "zone override" in unbound and point them to the AD/DNS running in my "toys" rack. Getting this approach to "play nice" with AD simply requires hand provisioning a couple of "SRV" records in the pfSense resolver.

So far it's been rock solid (albeit just a couple of weeks since I got the partitioning done).

(***) the other 10Gbe port on the Mikrotik goes to the desktop PC at my desk, so I get 10Gbe extended to that machine for me AND that machine is still usable even if the "toys" are all FUBAR.
Are your PC's domain joined then?

PigLover
Moderator
Jan 26, 2011
Do any of you happen to know if it is possible to set up pfSense as DHCP/DNS in a way that it would not break AD, but would still allow internet access in an instance that I shut all of my AD/DNS/DHCP servers down? As I understand it, DHCP does not have to be handled by Windows, but AD does require DNS to be handled in its sphere for all of the lookups that AD requires. But that doesn't mean that it has to be the ONLY dns.
Yes. As I described above. Use pfSense resolver for DNS. Point everything (but the AD servers) to it for DNS. Then use zone overrides in pfSense to point to the AD DNS for the zones managed by AD. There are a couple of SRV records you have to provision manually as host overrides to make sure your AD clients can find the AD Kerberos authentication. I'll dig around and try to find a good link to describe it for you.
 
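The resolver layout PigLover describes (clients use the pfSense resolver, the AD zones are handed to the DC's DNS through a zone override, and a few SRV records are provisioned on the resolver by hand) looks roughly like the Unbound configuration below. This is an added example, not configuration posted by anyone in this thread, and the names in it are placeholders: the AD domain corp.example.com, the resolver at 192.168.1.1, the DC dc1 at 192.168.1.10, and the TTLs. pfSense writes the forward-zone part itself when you add a Domain Override; its Host Override form only takes addresses, so SRV records of this kind go into the resolver's Custom Options box.

```conf
server:
    # LAN clients point at this resolver. The DCs themselves keep pointing at
    # AD DNS, as the thread advises; only the clients move.
    interface: 192.168.1.1
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # The AD zone is not DNSSEC-signed. If validation is enabled (a pfSense
    # option), mark the zone insecure or every AD lookup fails with SERVFAIL.
    domain-insecure: "corp.example.com"

    # DNS-rebinding protection strips RFC 1918 addresses from forwarded answers.
    # The DC only ever returns such addresses, so exempt the AD zone.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-domain: "corp.example.com"

    # Local data for the AD zone: answer a name only for the record type we
    # hold, and let every other query fall through to the forward-zone below.
    local-zone: "corp.example.com." typetransparent

    # Hand-provisioned DC-locator records. These are the names a domain-joined
    # Windows client asks for to find LDAP and Kerberos. They duplicate what the
    # DC's DNS already serves, so keep them in step with the DC: a stale entry
    # pointing at a retired DC breaks logons. (constructed placeholder values)
    local-data: "dc1.corp.example.com. 600 IN A 192.168.1.10"
    local-data: "_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com."
    local-data: "_kerberos._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 88 dc1.corp.example.com."
    local-data: "_ldap._tcp.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com."
    local-data: "_kerberos._tcp.corp.example.com. 600 IN SRV 0 100 88 dc1.corp.example.com."
    local-data: "_kpasswd._tcp.corp.example.com. 600 IN SRV 0 100 464 dc1.corp.example.com."

# Zone override: anything under the AD domain, _msdcs included, is answered by
# the DC's DNS. Everything else is resolved by Unbound as usual, so the house
# keeps working when the DC is off.
forward-zone:
    name: "corp.example.com."
    forward-addr: 192.168.1.10
```

Domain-joined clients still register their own A records in AD DNS with this layout: the client asks for the zone's SOA, the override forwards that to the DC, and the client sends its dynamic update to the DC named in the answer rather than to the resolver. What breaks when the DC is off is exactly what you would expect, AD logons and anything under the AD zone, while internet resolution carries on from the resolver's own cache and recursion.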


PigLover
Moderator
Jan 26, 2011
Are your PC's domain joined then?
Some are (the ones I use). Some are not (family - who don't understand the value).

Also - on the 'nosey smart people' thing. It doesn't completely solve the problem, but I broadcast a WiFi SSID that I freely give out to guests, restricted to only cut-out to Internet. The one I actually use for me and the family is a "hidden" SSID that can actually access the rest of the network.

Roaming Builder
Apr 12, 2017
Iowa, USA
Yes. As I described above. Use pfSense resolver for DNS. Point everything (but the AD servers) to it for DNS. Then use zone overrides in pfSense to point to the AD DNS for the zones managed by AD. There are a couple of SRV records you have to provision manually as host overrides to make sure your AD clients can find the AD Kerberos authentication. I'll dig around and try to find a good link to describe it for you.
Fantastic, sorry I didn't understand. I thought that was what you were saying, but I wanted to make sure that I wasn't making assumptions. I am a software engineer by trade, so I have exposure to some networking stuff, but I don't claim any level of expertise short of setting up a home router and basic port forwarding and firewall stuff.

Some are (the ones I use). Some are not (family - who don't understand the value).

Also - on the 'nosey smart people' thing. It doesn't completely solve the problem, but I broadcast a WiFi SSID that I freely give out to guests, restricted to only cut-out to Internet. The one I actually use for me and the family is a "hidden" SSID that can actually access the rest of the network.
That would be great. My router has this ability, but since I have DHCP and DNS running on my servers, there is no way (that I have found) to have the clients connected to that SSID participate in DHCP/DNS. If I flip over to PFSense, I might have to look into that again and see what options are available when I use my router as an AP.

Roaming Builder
Apr 12, 2017
Iowa, USA
So now I am wondering if I have been over complicating this process entirely. I just went into my DHCP servers and disabled all of the replicated scopes, and enabled DHCP on my router. My router gives me the option to leave the DHCP/Gateway settings blank (says it will be set to and processed by the router). Then on the WAN internet connection I pointed DNS Server 1 to my PDC and pointed DNS Server 2 to Google's DNS (for now, I may use ISP or OpenDNS like I am currently doing for forwarding on my AD DNS servers).

So far so good. I rebooted machines and servers. I flushed dns on my desktop and some VMs. I was able to unjoin and join machines to the domain. Everything currently appears to be working, and I am seeing the DHCP entries in the router now.

I know that if this does work, if my AD DNS server ever goes down, I will lose access to all my AD functionality, but I am fine with that possibility. I just wonder if there is something that I am missing...

K D
Well-Known Member
Dec 24, 2016
This is the exact situation I am in. This is where I am so far. I migrated my entire network stack to Ubiquiti products - Switches, APs and USG.
Home Network
- Media VLAN for all the devices (media streamers, TV, cell phones, tablets etc) - DNS/DHCP served by the Ubiquiti USG.
- IoT VLAN for Guest access and various "smart" devices - DNS/DHCP served by the Ubiquiti USG.
- Camera VLAN for Security Cameras - DNS/DHCP served by the Ubiquiti USG.
- Management VLAN for workstation, laptops, IPMI and Lab - DNS/DHCP served with Win12R2 VMs
- Main Media/Storage Server in the Management VLAN - Accessible only to certain devices in the Media VLAN
- Camera Storage Server in the Camera VLAN - Accessible from my workstation

The Media Storage Server is an all-in-one esxi host that is never touched. Have another Win12R2 VM in one of the lab hosts that has DNS/DHCP.

The whole thing is still a work in progress and is not where I want it but the home network is undisturbed while I mess around in the LAB.

Roaming Builder
Apr 12, 2017
Iowa, USA
I have no experience with VLANs, especially when all of my switches are unmanaged, and I don't think my router does anything with VLANs. What does the VLANing get you?

K D
Well-Known Member
Dec 24, 2016
I have no experience with VLANs, especially when all of my switches are unmanaged, and I don't think my router does anything with VLANs. What does the VLANing get you?
For me, it's separation between the networks. For example my IoT VLAN is for devices like nest, fridge, washer, dryer etc as well as for guests who connect to my WiFi. Devices on this VLAN have internet access and nothing else.

Roaming Builder
Apr 12, 2017
Iowa, USA
As a very large bonus, setting up this way has enabled me to set up guest wireless with internet access while disabling intranet access. I will have to do more testing tomorrow to see if anything is broken.

Thanks everyone for the help and ideas!

Roaming Builder
Apr 12, 2017
Iowa, USA
So far, so good. I am having one issue connecting to my Hyper-V service remotely, but I am seeing people reporting this issue after a windows update that was installed last night. Fingers crossed that this will work long term. I have verified that things work fine on the internet while the servers are all offline! YAY!

NetWise
Active Member
Jun 29, 2012
Edmonton, AB, Canada
I'd set up two DCs. Use 2012R2 or 2016. Set up DHCP to use HA which does replication now. These two boxes now independently provide AD/DHCP/DNS. Now as long as only one goes down, you're golden. They don't need to be big, or fancy. But I'm different that way :)

Roaming Builder
Apr 12, 2017
Iowa, USA
I'd set up two DCs. Use 2012R2 or 2016. Set up DHCP to use HA which does replication now. These two boxes now independently provide AD/DHCP/DNS. Now as long as only one goes down, you're golden. They don't need to be big, or fancy. But I'm different that way :)
That is how I am set up right now, and I am trying to get away from having those services shared on servers that are providing other functions. There are times when I am playing with hardware in my virtual environment and I need to shutdown or reboot, and it has been disruptive. Same with File server, since I am not set up with hot-swap (I am looking for a 16+ bay chassis in another thread here to solve that problem).

The T30 is coming tomorrow and will be my PDC with all FSMO roles for AD and then also AD/DNS. I may set replication back up, but I don't want it on a VM anymore, that causes too many issues. I will have to use one of my current physical hosts... I will have to come up with a strategy, lol.

Rand__
Well-Known Member
Mar 6, 2014
Interested in seeing where you end up :) I went forward with VM and now have a 3-host vSan Cluster with a FT enabled PDC. Survives one host down but o/c total overkill for my soho/private requirements:p