My company has numerous physical offices (for purposes of this discussion, 15 buildings). Some of them are well-connected to our primary data center via fiber. Others will be connected to the data center by P2P T1. We are in the beginning stages of implementing an Avaya VOIP telephone system, and we will be replacing a significant portion of our network infrastructure in the process.
In tandem with the phone system implementation, we are going to be re-addressing some of our networks, and consolidating most of our Windows domains into one (not all domains, just most). We currently have quite a few Windows domains, and they of course each have their own DNS zones. A few of those networks currently use DHCP, but the majority use static IP assignments for every device. I'm tired of managing static assignments -- I want to use DHCP configuration on everything except servers. Printers etc. will have DHCP reservations. The new IP phones will need to get IP addresses from DHCP, though they need to be in a separate VLAN from the computers/printers/etc.
The computers and printers need to be registered in DNS. That's currently handled by the Windows DHCP servers on each of the respective domains. We need to place a priority on DHCP and DNS being available on a per-site basis (in case something were to interrupt the WAN connection) for computers and (primarily) phones. Smaller locations (which will have IP phones but not be a member of any Windows domain) will not have any Windows DNS/DHCP server(s) available. We also are looking for the easiest way to replace a part if it were to fail. That is to say, if a server/appliance/router hosting DHCP were to crash hard, and we couldn't extremely quickly recover the DHCP reservations and leases (and subsequently restore them onto a cold spare), we anticipate that bad things could happen.
What is the best idea for how to re-implement DNS and DHCP keeping all of the above in mind? Some thoughts that have been raised (by myself or my coworkers):
- Use Windows DNS and DHCP servers, where they exist, and use IP helpers to route DHCP requests to some other Windows server if necessary. May not be acceptable if the WAN goes down and clients don't get a DHCP response.
- Use Windows DNS (everywhere, over WAN in some cases) and a mix of Windows DHCP and DHCP provided by Cisco routers. Every site would be covered for DHCP, but from what I've read, Cisco routers can't handle dynamic registration of DHCP clients to Windows DNS servers, which might create a problem where Cisco routers are used for DHCP.
- Use Windows DNS (everywhere, over WAN in some cases) and a mix of Windows DHCP and DHCP provided by some service running on an extremely low-price linux server. Is there any such software that would allow DHCP leases granted by these linux boxes to be dynamically registered on the Windows DNS servers?
- Come up with a Linux solution for both DNS and DHCP, and deploy low-price linux servers to every site. Requirements would be that the DNS zone be multi-master (like Windows DNS integrated with Active Directory), that DHCP be able to make dynamic DNS registrations in that zone, for every lease (where a hostname is provided and is thus possible), and that multiple servers be either authoritative for the same DHCP scope or at least receiving a real-time copy / replication / sync of the leases table so that if one server dies, we still know which MAC has what address.
- Purchase dedicated DNS/DHCP appliances, deploying to all sites. From what I read/see, this solves all of our technical problems. Then come the financial problems... I don't have a ton of money to spend on this.
- Or, some other solution that we've thus far overlooked and will consider upon recommendation.
Can Cisco routers or Windows servers sync DHCP lease tables so that multiple servers can be authoritative (or active/passive for all I care) for the same scope, in case one of the partners were to fail? I've read online (repeatedly) that ISC's DHCP is able to maintain the same lease table across multiple servers, in order to solve this problem. Does anyone have any experience or advice regarding that?
Bravo on deciding to get rid of static IP assignments (except where absolutely necessary). I'd tell you to use the DHCP database as your "IP address list" documentation, too. Put in reservations for devices with static IP addresses assigned, as well. Make the DHCP database be the authoritative "IP address list" instead of having spreadsheets, etc, that fall out of date.
Here's some background re: DNS and DHCP in Windows. It sounds like you may not be aware that the client computer performs half of the registration (the "A" record), and can also perform the "PTR" record registration, too. This allows you to use virtually any DHCP server you want, so long as it hands out addresses of DNS servers that can accept dynamic registrations.
The Windows DHCP server performs backups of the DHCP database to the local hard disk drive periodically. You can also export the database with "netsh" (W2K3 or newer) so that you can restore it to another server easily. Restoring an ISC DHCPd scope to another server is a matter of copying the relevant portions of the dhcpd.leases file and the dhcpd.conf file. Embedded DHCP servers may be more problematic in a restore scenario.
As stated above, your Cisco routers can hand out DHCP to Windows PCs, but the PCs can register their own "PTR" and "A" records. Have a look at the Group Policy setting "Register PTR Records" located under "Computer Settings", "Administrative Templates", "Network", and "DNS Client". The client will register the "A" record itself by default.
I wouldn't go with a roll-your-own Linux DNS deployment for this application. You're going to put a lot of time in it, and it will always be the source of "Gee, will this work with Windows Server 2029..." type of musings. If not for Active Directory, I might think differently. Since you've got AD in your environment, and since Microsoft tests AD on Microsoft DNS, I'd use Microsoft DNS.
Windows Server does not have the capability to sync DHCP server databases so that you can have multiple authoritative servers for the same subnet. This continues to be decidedly sub-optimal in Windows DHCP. This might be a "win" for ISC DHCPd on Linux. I haven't got any experience with this capability to share a DHCP lease database across multiple DHCP servers, but it certainly sounds sweet. I am not aware of any capability in Cisco routers to do this. Again, you can have your PCs register themselves in DNS regardless of what DHCP server you use.
You could rig up active / passive DHCP on multiple Windows Server computers with some scripting and the native database export functionality, as well.
Personally, I'd go for the option of using Windows DNS everywhere, Windows DHCP everywhere where you can have a Windows DHCP server on the same LAN as the clients, and your Cisco routers handing out DHCP everywhere that you can't have a Windows Server computer. The Linux ISC DHCPd solution might be a "win", too, but I'd stick with Windows DNS.
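The restore scenario this answer mentions (copying the relevant portions of dhcpd.leases onto another server) depends on one property of the file that is easy to get wrong: dhcpd.leases is append-only, so an address can appear many times and only the last block is current. The script below, an added example and not code from the answer or from ISC, parses a constructed sample in dhcpd.leases(5) syntax, keeps the final state per address, and renders the still-active leases as fixed-address host reservations for a cold spare's dhcpd.conf. The sample leases, MACs and hostnames are made up for this demonstration.

```python
"""Recover the MAC-to-address table from an ISC dhcpd.leases file.

dhcpd.leases is append-only: each change to a lease writes a new
'lease <ip> { ... }' block, so the LAST block for an address is the
current one and earlier blocks are stale.  This keeps the final state
per address and turns the still-active ones into 'host' reservations
that can be pasted into dhcpd.conf on a cold spare.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in dhcpd.leases(5) syntax; not taken from any real server.
SAMPLE_LEASES = """\
# The format of this file is documented in the dhcpd.leases(5) manual page.
lease 10.20.1.50 {
  starts 1 2024/03/04 08:00:00;
  ends 1 2024/03/04 16:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "pc-front-desk";
}
lease 10.20.1.51 {
  starts 1 2024/03/04 08:05:00;
  ends 1 2024/03/04 16:05:00;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:01;
  client-hostname "phone-lobby";
}
lease 10.20.1.50 {
  starts 1 2024/03/04 16:00:00;
  ends 1 2024/03/05 00:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "pc-front-desk";
}
lease 10.20.1.51 {
  starts 1 2024/03/04 16:05:00;
  ends 1 2024/03/05 00:05:00;
  binding state free;
  hardware ethernet aa:bb:cc:dd:ee:01;
}
lease 10.20.1.52 {
  starts 1 2024/03/04 09:00:00;
  ends 1 2024/03/04 17:00:00;
  binding state active;
  hardware ethernet AA:BB:CC:DD:EE:02;
}
"""

# One 'lease <ip> { ... }' block per match; other block types in the file
# (server-duid, failover peer state) never start a line with 'lease '.
LEASE_RE = re.compile(r"^lease\s+(\S+)\s*\{(.*?)^\}", re.S | re.M)


@dataclass
class Lease:
    ip: str
    mac: Optional[str]
    hostname: Optional[str]
    state: str


def parse_leases(text: str) -> Dict[str, Lease]:
    """Return the final recorded state of every address in the file."""
    leases: Dict[str, Lease] = {}
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        mac = hostname = None
        state = "unknown"  # very old dhcpd versions write no binding state
        for raw in body.splitlines():
            line = raw.strip().rstrip(";")
            if line.startswith("hardware ethernet "):
                mac = line.split()[2].lower()  # normalise case for matching
            elif line.startswith("client-hostname "):
                hostname = line.split(" ", 1)[1].strip('"')
            elif line.startswith("binding state "):
                # 'next binding state' / 'rewind binding state' lines start
                # with 'next' / 'rewind', so only the current state is read.
                state = line.split()[2]
        leases[ip] = Lease(ip, mac, hostname, state)  # later block overrides
    return leases


def active_leases(leases: Dict[str, Lease]) -> List[Lease]:
    """Leases still bound to a client, sorted numerically by address."""
    live = [ls for ls in leases.values() if ls.state == "active" and ls.mac]
    return sorted(live, key=lambda ls: ipaddress.ip_address(ls.ip))


def host_stanzas(leases: Dict[str, Lease]) -> str:
    """Render active leases as dhcpd.conf host reservations."""
    out, used_names = [], set()
    for ls in active_leases(leases):
        # Host declaration names must be unique; fall back to the MAC when
        # the client sent no hostname or the name was already used.
        name = ls.hostname or "host-" + ls.mac.replace(":", "")
        if name in used_names:
            name = f"{name}-{ls.mac.replace(':', '')}"
        used_names.add(name)
        out.append(
            f"host {name} {{\n"
            f"  hardware ethernet {ls.mac};\n"
            f"  fixed-address {ls.ip};\n"
            f"}}"
        )
    return "\n".join(out)


if __name__ == "__main__":
    print(host_stanzas(parse_leases(SAMPLE_LEASES)))
```

Run against a real lease file, the output answers the question's "which MAC has what address" concern for whatever was active when the file was last copied; leases that expired or were released (binding state free) are left out, and the cold spare still needs the original dhcpd.conf alongside these reservations.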
IMO, the best way to do this is to use DHCP to assign addresses to workstations, printers, etc, but with a static MAC address to IP address mapping so that the same machine ALWAYS gets the same IP address (unless you change the mapping).
I do this at work using a MySQL database and some Perl scripts to generate both dhcpd.conf and DNS zone files from the same database, using dhcpd and BIND on Linux (of course :). We have at least one DHCP and DNS server in each building, with enough NICs on them that they can be on all VLANs in that building (so no need for DHCP relaying).
We don't assign dynamic addresses at all. All machines have to be registered (and users have to sign the AUP) before they are allowed on the network.
The absolute minimum info you'd need for each machine entry in the database is hostname, domain name, MAC address, IP address.
Some other useful fields are VLAN, port number, user's name/room/extension number/email/etc, computer's location (room, building), type of device (computer, printer, switch, WLAN access point, instrument controller, etc), tech details about the computer (brand, model, CPU, RAM, etc), operating system & version, SOE details, s/w license details, status flag (e.g. In Use, In Storage, Disposed Of, etc), and comments/notes.
Actually, our database does a lot more than that - it's also an asset register, software license registry, and an ITIL-compliant incident/problem tracker. It associates incident reports with particular users AND particular machines so, for example, we can get reports on which users/machines are having problems. It's currently got about 1500 machine records in the database over 6 VLANs (mostly workstations and printers). It's also our IP address manager, so we don't assign the same IP to multiple machines - every machine gets a record regardless of whether it is a DHCP client or is a server with a hard-coded IP address.
This database is our authoritative source for IP & DNS information. It took a fair amount of work to get all the data into the system in the first place, and takes good discipline to keep it up to date - but it's definitely worth it to have all that information available in one place when you need it.
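The "one database drives both dhcpd.conf and the zone files" approach this answer describes, as an added example that is not the answer's own code: an in-memory SQLite table stands in for the MySQL database and Python for the Perl scripts, and the columns (hostname, domain, MAC, IP, status flag) and sample rows are constructed for the demonstration. It also shows the IP-address-manager part of the job, refusing to generate anything when two in-use machines share an address or a MAC, and keeps static servers (no MAC) out of the DHCP reservations while still putting them in DNS.

```python
"""Generate dhcpd.conf reservations and BIND zone records from one machine
table that is the authoritative source for IP and DNS information.

SQLite in memory stands in for MySQL; the schema and rows are constructed.
"""
import ipaddress
import sqlite3
from typing import List, Optional, Tuple

Row = Tuple[str, str, Optional[str], str]  # hostname, domain, mac, ip

SCHEMA = """
CREATE TABLE machine (
    hostname TEXT NOT NULL,
    domain   TEXT NOT NULL,
    mac      TEXT,                       -- NULL: server with a hard-coded IP
    ip       TEXT NOT NULL,
    status   TEXT NOT NULL DEFAULT 'In Use'
);
"""

# Constructed sample inventory; none of these hosts or addresses are real.
SAMPLE_ROWS = [
    ("pc-front-desk", "corp.example", "00:11:22:33:44:55", "10.20.1.50", "In Use"),
    ("phone-lobby",   "corp.example", "aa:bb:cc:dd:ee:01", "10.20.1.51", "In Use"),
    ("prn-copyroom",  "corp.example", "aa:bb:cc:dd:ee:02", "10.20.1.60", "In Use"),
    ("fs01",          "corp.example", None,                "10.20.1.10", "In Use"),
    ("old-laptop",    "corp.example", "aa:bb:cc:dd:ee:03", "10.20.1.70", "Disposed Of"),
]


def load_db(rows=SAMPLE_ROWS) -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO machine VALUES (?, ?, ?, ?, ?)", rows)
    return db


def in_use(db: sqlite3.Connection) -> List[Row]:
    """Machines that belong in DHCP/DNS, sorted numerically (not as strings)."""
    rows = db.execute(
        "SELECT hostname, domain, mac, ip FROM machine WHERE status = 'In Use'"
    ).fetchall()
    return sorted(rows, key=lambda r: ipaddress.ip_address(r[3]))


def check_unique(rows: List[Row]) -> List[str]:
    """The table is the IP address manager: two in-use machines must never
    share an address, and two reservations must never share a MAC."""
    seen_ip, seen_mac, problems = {}, {}, []
    for hostname, domain, mac, ip in rows:
        fqdn = f"{hostname}.{domain}"
        if ip in seen_ip:
            problems.append(f"duplicate IP {ip}: {seen_ip[ip]} and {fqdn}")
        seen_ip[ip] = fqdn
        if mac:
            mac = mac.lower()
            if mac in seen_mac:
                problems.append(f"duplicate MAC {mac}: {seen_mac[mac]} and {fqdn}")
            seen_mac[mac] = fqdn
    return problems


def dhcpd_hosts(rows: List[Row]) -> str:
    """Fixed MAC-to-IP reservations.  Rows without a MAC are static servers:
    documented in the table, present in DNS, never handed out by DHCP."""
    out = []
    for hostname, _domain, mac, ip in rows:
        if not mac:
            continue
        out.append(
            f"host {hostname} {{\n"
            f"  hardware ethernet {mac.lower()};\n"
            f"  fixed-address {ip};\n"
            f'  option host-name "{hostname}";\n'
            f"}}"
        )
    return "\n".join(out)


def forward_records(rows: List[Row], domain: str) -> List[str]:
    """A records for one forward zone; names are relative to the zone origin."""
    return [f"{h}\tIN\tA\t{ip}" for h, d, _mac, ip in rows if d == domain]


def reverse_records(rows: List[Row], network: str) -> List[str]:
    """PTR records for the machines that fall inside one reverse zone."""
    net = ipaddress.ip_network(network)
    return [
        f"{ipaddress.ip_address(ip).reverse_pointer}.\tIN\tPTR\t{h}.{d}."
        for h, d, _mac, ip in rows
        if ipaddress.ip_address(ip) in net
    ]


def build_all(db: sqlite3.Connection, domain: str, network: str):
    """Validate, then produce (dhcpd host stanzas, A records, PTR records)."""
    rows = in_use(db)
    problems = check_unique(rows)
    if problems:
        raise ValueError("; ".join(problems))
    return dhcpd_hosts(rows), forward_records(rows, domain), reverse_records(rows, network)


if __name__ == "__main__":
    conf, fwd, rev = build_all(load_db(), "corp.example", "10.20.1.0/24")
    print(conf)
    print("\n".join(fwd))
    print("\n".join(rev))
```

In practice the generated records are pasted under a hand-maintained zone header (SOA, NS) whose serial is bumped on every run, and the generator is the only thing that writes those files, so a duplicate in the table fails the run instead of silently producing two A records or two reservations for one address.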