Untangle With New Server

JoelM

I have an existing office with an Untangle Router. Currently Untangle is doing DHCP & DNS. I am deploying a new server for them as they have not had one.
I know for AD to work properly workstations need to have their DNS look only to the DC. I could move DHCP to the server but am thinking of leaving it on the Untangle unit.
If I do this I know in the Untangle DHCP service I need to have it hand out the IP address of the DC for the DNS entry. I think I have found where to set that under the DNS Override setting in the DHCP Configuration on the internal interface.
I just wanted to see if this was the right location before I change the setting.

So to reiterate.
Untangle will remain DHCP server.
Need it to hand out DNS address of domain controller for AD login.
 
You can do that...but IMO...have your DC do both DHCP and DNS. Keeps everything active directory related "tighter" when the server does what it's supposed to. The server is "more aware" of clients when it's the only boss they're talking to and asking questions.
If you insist on having Untangle run DHCP...yes have it hand out the DC's IP address for DNS. If you set up DNS in Untangle properly, you can add its IP for secondary DNS. BUT....it's really really better to have a Windows server run DHCP and hand out the DC's IPs for DNS...nothing else.
I can't think of a single legit reason to have anything else besides a Windows server(s) on a domain run DHCP and DNS for the network...that's their job. Unless you have a HUGE network...DHCP is a tiny tiny tiny negligible load, thinking the server will run better by removing it...not true. If you have a HUGE network...I'm talking enterprise scale....you can spread the load by load balancing DHCP across several member servers in a domain.
 
Will removing DHCP from the Untangle unit create any unseen changes with using OpenVPN for VPN access on the Untangle unit? Anything I need to tweak?
 
In my limited experience with M$ server and actually using AD, etc. you'll want DNS and DHCP on the server for the minimum of headaches.

On VPN. Remember that remote clients are not getting a current LAN address from the VPN DHCP, they're getting a different scope and getting routed to the LAN.
 
Will removing DHCP from the Untangle unit create any unseen changes with using OpenVPN for VPN access on the Untangle unit? Anything I need to tweak?

Nope. Untangle will have its own DHCP for VPN users.
We have lots of larger setups, where the primary production LAN has the Windows server doing the DHCP and DNS, and then I'll have secondary and/or third or more networks on different ethernet interfaces...where Untangle is doing the DHCP/DNS, such as for guest networks, additional separate networks, IoT networks, etc.
 
Nope. Untangle will have its own DHCP for VPN users.
We have lots of larger setups, where the primary production LAN has the Windows server doing the DHCP and DNS, and then I'll have secondary and/or third or more networks on different ethernet interfaces...where Untangle is doing the DHCP/DNS, such as for guest networks, additional separate networks, IoT networks, etc.

Second that. We do exactly the same on our internal network. Windows server handles DHCP on the "domain-joined" subnets. Firewall handles DHCP on secondary networks like CCTV, Guest, VPN.

Mainly for security reasons we do this. Not letting a guest network anywhere near my prod servers even if just for DHCP.

Keeping everything DHCP on the firewall is fine to be honest if that's what you prefer. I just prefer the management of Windows DHCP and it ties in nicely with everything else.
 
Untangle can do the DHCP work, it just needs to be configured PERFECTLY to do so. Having Windows handle it as much as possible makes things easier.

DHCP on internal has nothing to do with DHCP on OpenVPN either, indeed the latter uses its own internals for that functionality.

The rule to follow? The dirty trick? Do NOT introduce circular dependencies into your DNS resolution paths. Untangle resolves via the world. AD resolves via the world. The former is configured to use the latter only when necessary.
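The two checks worth running before touching the DHCP DNS Override setting from the opening post, and the "no circular dependencies" rule in the post above, as an added example (my own code, not Untangle's, Microsoft's or any poster's): a small model of who answers what and who forwards where, with a loop check on the forwarding paths and a check that the domain-joined scope only hands out DC addresses. Every address, zone name and resolver role here (10.0.0.1 as Untangle, 10.0.0.10 as the DC, corp.example, 1.1.1.1 and 9.9.9.9 as "the world") is constructed for the example.

```python
"""
Added example, not code from Untangle, Microsoft or this thread.
Models the DNS/DHCP layout discussed above and runs two checks:
  1. the DHCP scope for domain-joined clients hands out only DC addresses;
  2. the forwarding paths between Untangle, the DC and upstream resolvers
     contain no loop ("Untangle resolves via the world, AD resolves via the
     world, Untangle uses AD only for the AD zone").
All addresses, zone names and resolver roles below are constructed.
"""

# Constructed: domain controller(s) and the AD DNS zone.
DC_IPS = {"10.0.0.10"}
AD_ZONE = "corp.example"

# Each internal resolver: zones it answers itself ("auth") and where it
# forwards other queries ("forward", keyed by zone; "." = everything else).
# Addresses that are not keys here (1.1.1.1, 9.9.9.9) are "the world".
GOOD_RESOLVERS = {
    "10.0.0.1":  {"auth": set(),     "forward": {".": {"1.1.1.1"},
                                                 AD_ZONE: DC_IPS}},  # Untangle
    "10.0.0.10": {"auth": {AD_ZONE}, "forward": {".": {"9.9.9.9"}}}, # DC
}

# The circular layout to avoid: each box forwards everything to the other.
BAD_RESOLVERS = {
    "10.0.0.1":  {"auth": set(),     "forward": {".": {"10.0.0.10"}}},
    "10.0.0.10": {"auth": {AD_ZONE}, "forward": {".": {"10.0.0.1"}}},
}


def in_zone(name, zone):
    """True if `name` lies inside `zone` ("." matches every name)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def most_specific_forwarder(forward, name):
    """Zone key in `forward` that best matches `name`, or None."""
    matches = [z for z in forward if in_zone(name, z)]
    if not matches:
        return None
    return max(matches, key=lambda z: 0 if z == "." else len(z))


def resolution_path(resolvers, start, name):
    """Follow the forwarding chain for `name` from resolver `start`.

    Returns (path, outcome), outcome being one of
      "answered" (a resolver on the path is authoritative for the name),
      "upstream" (the query left for a resolver we do not manage),
      "dead_end" (a resolver has no matching forwarder),
      "loop"     (a resolver was reached twice).
    With several forwarders for a zone the lowest address is followed;
    that is a simplification of real fail-over behaviour.
    """
    path, seen, current = [start], {start}, start
    while True:
        if current not in resolvers:
            return path, "upstream"
        cfg = resolvers[current]
        if any(in_zone(name, z) for z in cfg["auth"]):
            return path, "answered"
        zone = most_specific_forwarder(cfg["forward"], name)
        if zone is None:
            return path, "dead_end"
        nxt = min(cfg["forward"][zone])
        path.append(nxt)
        if nxt in seen:
            return path, "loop"
        seen.add(nxt)
        current = nxt


def find_loops(resolvers, names):
    """(start, name, path) for every loop reachable from every resolver."""
    loops = []
    for start in resolvers:
        for name in names:
            path, outcome = resolution_path(resolvers, start, name)
            if outcome == "loop":
                loops.append((start, name, path))
    return loops


def non_dc_dns_servers(scope_dns_servers, dc_ips=DC_IPS):
    """DNS servers a domain-joined DHCP scope hands out that are not DCs.
    An empty list means the scope follows the advice in this thread."""
    return [s for s in scope_dns_servers if s not in dc_ips]


if __name__ == "__main__":
    names = ["dc1." + AD_ZONE, "www.example.net"]
    for label, resolvers in (("good", GOOD_RESOLVERS), ("bad", BAD_RESOLVERS)):
        for name in names:
            print(label, name, resolution_path(resolvers, "10.0.0.1", name))
    print("loops in bad layout:", find_loops(BAD_RESOLVERS, names))
    print("non-DC DNS in scope:", non_dc_dns_servers(["10.0.0.1", "10.0.0.10"]))
```

In the good layout a query for a name inside corp.example goes Untangle to DC and stops there, and everything else goes Untangle to upstream; in the bad layout a query for any outside name bounces between the two boxes, which is exactly the circular dependency the post warns against. The scope check is deliberately strict (DC addresses only), matching the "nothing else" advice earlier in the thread rather than the looser "Untangle as secondary" option.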
 
Unless they actually use the features of having DHCP integrated, or if they need to maintain AD forests in order to keep separation of companies while using the same Azure AD, I would consider AD a legacy part of their environment only there to support certain applications, and thus I would want as little dependency on it as possible.
 