Computing.Net > Forums > Windows Server 2003 > Shared DSL but Not shared Server


Shared DSL but Not shared Server


Name: wkirkland
Date: September 16, 2005 at 14:21:38 Pacific
OS: server2003
CPU/Ram: P4/ 1 GB
Comment:

In a shared law office we have had a Cayman DSL router handling DHCP, Gateway to DNS servers for several sole practitioners and one small firm. The firm has had Windows NT as its server. The sole practitioners don't use it, haven't been part of that domain.

That WinNT is being changed out for a Server 2003. Typically that Server would take over DHCP, DNS functions and the router would stop doing that. In this case however, we don't want the sole practitioners to have to be part of the domain.

Is there any downside to leaving the Cayman router handling DHCP, DNS, NAT and not having DNS in the Server 2003? Would we leave AD set up?




Response Number 1
Name: wanderer
Date: September 16, 2005 at 16:15:08 Pacific
Reply:

2003 has to be its own DNS server which forwards requests to the ISP's DNS server. Note the word forwarder.

DHCP is independent of domain membership. In other words you could have 2003 handle all the DHCP requests. But that's not how I would set it up.

I would have two IP scopes. One on the DSL router for the practitioners and one for the 2003 domain. An example would be 192.168.0.2 thru 192.168.0.10 for the practitioners [gateway is .1] via the DHCP server of the router and 192.168.0.20 thru x.x.x.245 for the 2003 DHCP server.

To make sure each PC gets the scope it's supposed to, I do IP reservations. This is where you associate a PC's MAC address with an IP address in the router or server. I do this for security reasons. An unknown MAC address can't get on my network [without a whole bunch of work on the hacker's part - should move to easier prey].

You cannot have AD without its own DNS. You put the ISP's DNS servers in the Forwarder field of the 2003 DNS server. This way, with DHCP, DNS on 2003 is automatically updated.

With this configuration you get security and everyone can get on the net.

Golly gee wilerkers everyone. Learn to Internet Search



Response Number 2
Name: heropsycho2177
Date: September 18, 2005 at 19:36:54 Pacific
Reply:

"2003 has to be its own DNS server which forwards requests to the ISP's DNS server. Note the word forwarder."

This is a bit misleading. 2003 needs to have write access to a DNS in order to be a domain controller, which is what Active Directory is. This could be a DNS server with Linux, Unix, or Windows, it really doesn't matter, as long as the server can create DNS records on it. Since the router is simply a forwarder for DNS and does not store any DNS records, you need an internal DNS, which might as well be a Windows DNS server.

You don't need to set the forwarder to the ISP's DNS servers. Point all clients to your internal DNS server, in this case probably a 2003 server, and then set up forwarding to the router. The router will then in turn forward those requests to the ISP's DNS server. The advantage of this is should the ISP's DNS server IP address change, you don't have to go and change the forwarder setup in your internal DNS server.

"In other words you could have 2003 handle all the DHCP requests. But that's not how I would set it up."

I absolutely would use a Windows 2003 server for DHCP services since it can securely update each host's DNS records. This is best practice by Microsoft.

"To make sure each PC gets the scope it's supposed to, I do IP reservations."

Depends on the size of the network, but for larger networks, this will in the end make DHCP too time consuming to maintain.

"An unknown MAC address can't get on my network [without a whole bunch of work on the hacker's part - should move to easier prey]"

How do you figure they can't get in?! DHCP simply eases the ability of a client to be configured for network services. Receiving a DHCP lease is not required for network access in the slightest. A host could simply set up its IP config manually and gain TCP/IP connectivity. This adds no effective security for your network at all. And no, they don't need to do a "whole bunch of work" to figure out your internal LAN network config. I'm not a hacker, and I could figure out how to set my TCP/IP up for your network in less than 10 minutes without access to any other PC or device, but simply physically connecting in. If I can get by your defenses, your defenses suck, because I don't know jack about how to hack.

In fact, if you're setting up reservations for every single DHCP client, simply don't use DHCP, period, for AD clients! Just manually set up TCP/IP on each computer. It's a waste of time either way, but hey. A valid IP config does NOT allow you access to secured network resources if you've done the right security measures.

Finally, to have multiple DHCP servers, each meant for different clients, you will require multiple broadcast domains. With your suggestion of using two DHCP servers, setting up reservations on one DHCP server for a particular client does not guarantee that client will receive a DHCP lease from the server with the reservation if there are two DHCP servers on the same broadcast domain. That is not how DHCP works.

Help survivors of Hurricane Katrina. Please donate to the American Red Cross.

www.redcross.org



Response Number 3
Name: wanderer
Date: September 19, 2005 at 11:53:31 Pacific
Reply:

Nothing misleading. Only difference to what you said was you could have the DNS server on other platforms. Not true if you want to run 2003 AD. It requires 2003 DNS.

This isn't a large network, so the concern about IP reservations is of no consequence.

Doesn't sound like you have a handle on IP reservations, heropsycho. Here is what I am talking about. To keep it simple you have 5 wksts. You set your DHCP range from .2 to .6. You associate the MAC address of one workstation to one IP address, thereby assigning all 5 available IP addresses.

So unless you can 1. spoof the MAC address of one of the 5 stations, you can't get an IP address. 2. To spoof, the MAC has to be captured and then the hacker has to wait until that machine is off the net to spoof its MAC.

I think you missed those aspects, which is why you think you could manually set your IP to one in the subnet range and get in. You can't, because you would have to match a MAC address before you could get the DHCP assignment. This is also what assures us that the practitioners get their own IP and not one from the 2003 server.

Sure you can set all to static IP addresses. But then what I suggested allows 2003 DHCP to dynamically update the 2003 server's DNS. Seems like win win to me.

Golly gee wilerkers everyone. Learn to Internet Search



Response Number 4
Name: wanderer
Date: September 19, 2005 at 11:57:47 Pacific
Reply:

Oh and you can have two DHCP servers on the same subnet as long as each is giving out an IP scope different from the other. Which in this case wireless has one scope and 2003 has another, but both in the same subnet.


Golly gee wilerkers everyone. Learn to Internet Search



Response Number 5
Name: heropsycho2177
Date: September 19, 2005 at 14:41:45 Pacific
Reply:

"Not true if you want to run 2003 AD. It requires 2003 DNS."

Show me documentation that says this.

"To keep it simple you have 5 wksts. You set your DHCP range from .2 to .6. You associate the MAC address of one workstation to one IP address, thereby assigning all 5 available IP addresses."

OK, and you also said have two DHCP servers on the network, one for these five workstations, and a different DHCP server for non AD clients.

You add a 6th workstation. You create the reservations in the Windows DHCP server. The client then is hooked up and powered on. How does that client ensure it gets its DHCP lease from the one with the reservations? Reservations don't guarantee a client gets its DHCP lease from a particular DHCP server. It simply ensures that SHOULD it get a lease from that DHCP server, it will be the same IP. In this case it happens that an AD client won't accept a DHCP lease from a DHCP server not authorized in AD, but you see the problem here. This is a bad design. If you add any non windows device such as a network printer or the like that needs to receive a particular IP from the DHCP server, there are 0 guarantees it will get the lease from the 2003 DHCP server. Design it right from the get go.

"Oh and you can have two DHCP servers on the same subnet as long as each is giving out an IP scope different from the other."

Absolutely, except for one thing here. You specifically stated one type of clients should get DHCP addresses from a particular DHCP server. Reservations don't do that. Limiting by reservations you could very well do, which will force the non AD clients to the other DHCP server. But I fail to see what that achieves. Just do DHCP on the 2003 server for all clients.

"So unless you can 1. spoof the MAC address of one of the 5 stations, you can't get an IP address. 2. To spoof, the MAC has to be captured and then the hacker has to wait until that machine is off the net to spoof its MAC."

True or false - You must get a DHCP lease to connect to a network.

FALSE!

True or false - A client must get a DHCP lease from a Windows DHCP server to connect into AD.

FALSE!

Want proof? You statically set IP addresses for servers! Therefore, DHCP isn't a requirement to become an AD client, or as a hacker to hack into AD.

So by limiting DHCP leasing, what security did you gain? Protection against someone stupid enough to want in your network, but not think to set their IP addressing manually for your network. Whoops!
Remember, since they can get a DHCP lease from the router, they can get in the network anyway at the IP level, not to mention find a valid IP address they can manually set instead of DHCP (although not guaranteed the DHCP server won't give that IP to another device during the session. Regardless, the footprint of the network as far as IP addressing has already been obtained).

I don't see any security gained by your solution, only additional administrative overhead.

"Sure you can set all to static IP addresses. But then what I suggested allows 2003 DHCP to dynamically update the 2003 server's DNS. Seems like win win to me."

Are you saying that DNS records can only be created by DHCP clients?!

You are right though. A statically configured client cannot dynamically update its DNS records. After all, their DNS records are static! :-)

Please help survivors of Hurricane Katrina.

www.redcross.org


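The point both sides circle around is that a DHCP reservation table is an inventory, not an enforcement mechanism: a host with a manually configured address never talks to the DHCP server, and a host that sets itself a reserved address shows up on the wire all the same. What the reservation list is good for is reconciliation. The script below is an added example, not code from this thread or from Microsoft; it parses the Windows `arp -a` listing taken on a machine in the subnet and compares every observed IP/MAC pair against the reservations and a small list of known statically addressed infrastructure. The reservation table, the router MAC and the ARP output are constructed sample data for the 192.168.0.x scheme discussed above.

```python
"""Reconcile DHCP reservations against hosts actually seen on the wire.

Added example for the thread above. All MAC addresses, the reservation
table and the `arp -a` text are constructed sample data, not captured
from any real network.
"""
import re

# Reservations in the style wanderer describes: one MAC per scope address.
# (constructed sample)
RESERVATIONS = {
    "00-11-22-33-44-01": "192.168.0.2",
    "00-11-22-33-44-02": "192.168.0.3",
    "00-11-22-33-44-03": "192.168.0.4",
    "00-11-22-33-44-04": "192.168.0.5",
    "00-11-22-33-44-05": "192.168.0.6",
}

# Hosts that are legitimately static and therefore never appear in any
# DHCP lease or reservation, e.g. the DSL router at .1. (constructed sample)
KNOWN_STATIC = {
    ("192.168.0.1", "00-50-56-c0-00-01"),
}

# Output of `arp -a` on a Windows host in the same broadcast domain.
# (constructed sample; format matches the Windows ARP table listing)
SAMPLE_ARP = """\
Interface: 192.168.0.20 --- 0x4
  Internet Address      Physical Address      Type
  192.168.0.1           00-50-56-c0-00-01     dynamic
  192.168.0.2           00-11-22-33-44-01     dynamic
  192.168.0.3           aa-bb-cc-dd-ee-ff     dynamic
  192.168.0.4           00-11-22-33-44-03     dynamic
  192.168.0.6           00-11-22-33-44-04     dynamic
  192.168.0.77          de-ad-be-ef-00-01     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One ARP entry: dotted-quad IP, dash-separated MAC, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)"
)


def parse_arp(text):
    """Return [(ip, mac)] for unicast entries in an `arp -a` listing."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue  # interface header, column header, blank line
        ip, mac, _kind = m.groups()
        mac = mac.lower()
        # Broadcast and IPv4 multicast entries are not hosts; skip them.
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue
        entries.append((ip, mac))
    return entries


def reconcile(entries, reservations, known_static):
    """Classify each observed (ip, mac) pair against the reservation table.

    Returns a list of (finding, ip, mac) tuples; pairs that match a
    reservation or a known static host produce no finding.
    """
    reserved_by_ip = {ip: mac for mac, ip in reservations.items()}
    findings = []
    for ip, mac in entries:
        if (ip, mac) in known_static:
            continue
        if mac in reservations:
            if reservations[mac] != ip:
                # A reserved host is answering on an address it was not
                # given: someone set it statically or a lease went wrong.
                findings.append(("reserved-host-on-unexpected-ip", ip, mac))
        elif ip in reserved_by_ip:
            # A reserved address is in use by a MAC we have never seen:
            # the static-configuration case heropsycho describes.
            findings.append(("reserved-ip-used-by-unknown-mac", ip, mac))
        else:
            # Neither the MAC nor the IP is known; the host bypassed
            # DHCP entirely (or the inventory is out of date).
            findings.append(("unknown-host", ip, mac))
    return findings


def run_demo():
    """Run the reconciliation over the constructed sample and return it."""
    return reconcile(parse_arp(SAMPLE_ARP), RESERVATIONS, KNOWN_STATIC)


if __name__ == "__main__":
    for finding, ip, mac in run_demo():
        print(f"{finding:32} {ip:16} {mac}")
```

Run against the sample, it reports three things the reservation list alone cannot tell you: the reserved address .3 is occupied by a MAC that has no reservation, the host reserved for .5 is answering on .6, and a host at .77 is on the subnet without any lease at all. In a real deployment you would feed it the ARP or switch forwarding table from a device that sees the whole broadcast domain and schedule it, so the "unknown MAC" that reservations were supposed to keep out at least becomes an alert.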
