Wednesday, October 22, 2008

Do I absolutely have to run DHCP on SBS 2008?

When running the Configure E-Mail and Internet Connection wizard in SBS 2003, you had the option to run DHCP services on the SBS server, or leave them on the router within the network. There was no guidance one way or another; it was a choice you had to make to complete the wizard.

With SBS 2008, we provide guidance.

The guidance is that you should run DHCP on the server.  Why?

  1. Microsoft has been building a really high-quality DHCP server into Windows Server since Windows NT 4. Why not get one of the highest quality DHCP servers on the market for your network?
  2. The SBS team can ensure your DHCP server is set up correctly on SBS, making sure there are no duplicate IP addresses, and that the exclusion range is set up correctly for the server’s IP address.
  3. If you feel comfortable in the DHCP management UI, you can set up reservations to make sure the same clients get the same IP address. This is handy for printers, or other things on your network that may act like servers, but where you don’t want to manage a static IP address.
  4. If you’re logging in remotely, you can see which clients are online by which ones have IP addresses in the DHCP management console. You can also see each client’s IP address right in the console, which makes it easy to find clients on the network, especially if you are remote.
  5. DHCP uses limited resources and has essentially no impact on the server’s performance.

If the above 5 reasons aren’t good enough for you, and you absolutely must run the DHCP service on the router, here is how you do it.

  1. Close the Windows SBS Console, and cancel the Connect to the Internet Wizard if it’s running
  2. Click Start and go to All Programs and expand Windows Small Business Server
  3. Click on Windows SBS Console (Advanced Mode)
  4. On the Network tab, select the Connectivity sub-tab
  5. Click on Start DHCP.
    1. At this point, the DHCP services will be forced to start.  Since you have another DHCP server running on the network, the DHCP service will stop itself, and log an event in the Event Log about how it can’t start because there is another non-authorized DHCP server on the network.  This is ok.
  6. Immediately click the same button, this time called Disable DHCP.

Now the networking components of the server will ignore the fact that the DHCP service is not running, keep it disabled, and let you proceed with the Connect to the Internet Wizard without having to disable the DHCP services.

IMPORTANT: Please do not call Microsoft support with an incorrectly configured LAN DNS.  Make sure you make the SBS’s Internal IP address the primary DNS in your 3rd party DHCP server configuration.
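One way to check this from a Windows client after it renews its lease, as an added example that is not part of the original post. The function name `Test-DhcpDnsConfig`, the SBS address 192.168.16.2 and the router address 192.168.16.1 are assumptions, and the sample adapter objects are constructed so the check can be tried without a live network.

```powershell
# Added example, not code from the original post.
# Assumption: the SBS server's internal IP is 192.168.16.2 (replace with yours).

function Test-DhcpDnsConfig {
    param(
        [Parameter(Mandatory = $true)]
        [string] $SbsAddress,

        # Objects shaped like Win32_NetworkAdapterConfiguration instances.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Adapter
    )
    process {
        # Statically configured adapters (such as the SBS server itself) are skipped.
        if (-not $Adapter.DHCPEnabled) { return }

        # Drop empty entries so an adapter without DNS yields an empty array.
        $dns = @($Adapter.DNSServerSearchOrder | Where-Object { $_ })

        if ($dns.Count -eq 0) {
            $status = 'FAIL'; $detail = 'Lease carries no DNS server'
        }
        elseif ($dns[0] -ne $SbsAddress) {
            $status = 'FAIL'; $detail = "Primary DNS is $($dns[0]), expected $SbsAddress"
        }
        elseif ($dns.Count -gt 1) {
            # Extra resolvers (for example the ISP's) do not know the AD zone.
            $extra = $dns[1..($dns.Count - 1)] -join ', '
            $status = 'WARN'; $detail = "Additional DNS servers handed out: $extra"
        }
        else {
            $status = 'OK'; $detail = 'SBS is the only DNS server in the lease'
        }

        New-Object PSObject -Property @{
            Adapter = $Adapter.Description; DhcpServer = $Adapter.DHCPServer
            Status = $status; Detail = $detail
        } | Select-Object Adapter, DhcpServer, Status, Detail
    }
}

# Constructed sample data: three leases from a router at 192.168.16.1.
$sample = @(
    New-Object PSObject -Property @{
        Description = 'Constructed: SBS only'; DHCPEnabled = $true
        DHCPServer = '192.168.16.1'; DNSServerSearchOrder = @('192.168.16.2') }
    New-Object PSObject -Property @{
        Description = 'Constructed: router as DNS'; DHCPEnabled = $true
        DHCPServer = '192.168.16.1'; DNSServerSearchOrder = @('192.168.16.1') }
    New-Object PSObject -Property @{
        Description = 'Constructed: SBS plus ISP'; DHCPEnabled = $true
        DHCPServer = '192.168.16.1'
        DNSServerSearchOrder = @('192.168.16.2', '203.0.113.53') }
)

$sample | Test-DhcpDnsConfig -SbsAddress '192.168.16.2' | Format-Table -AutoSize

# Against the live machine, feed real adapter data instead of $sample:
#   Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
#       Test-DhcpDnsConfig -SbsAddress '192.168.16.2'
```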

Finally, the server is still going to alert you that DHCP services aren’t running, so to fix this:

  1. Flip on over to the Computers sub-tab on the Network tab.
  2. On the right, click on View Notification Settings.
  3. Uncheck the DHCP Server notification, and click OK.


Now the DHCP service is no longer running on the server, and SBS will be fine with that. As a final note, please only do this if you have no other way around it, and if you’re familiar enough with your router UI to set it up correctly. If not, just disable DHCP on your router, and we’ll take care of the rest!


Aristarkhos said...

Heyyy! :)
Thank you. This post of yours is the solution to my question earlier about DHCP services on the router.

To me, bullet 4 (why run DHCP on SBS) is really helpful.

I knew I should have disabled DHCP and then tried using the wizard. Was just too lazy... :op

Sean Daniel said...

You can always switch back to having the server run DHCP simply by disabling DHCP on your router, and clicking "Start DHCP" above... don't forget to turn on the alert again too!

Unknown said...

The above is absolutely right but I now have to go back to running DHCP on my router since Hyper-V breaks DHCP. I've read many articles on why running Hyper-V on SBS2008 is a bad idea but I'm afraid those arguments are all aimed at SBS users in the 20+ user end of the market who may have a need for a second server. Current MS policy leaves truly small customers with 5-10 users and no requirement for a second server unable to take advantage of virtualization with SBS2008 Std. Hyper-V works just fine on SBS2008 but you will have to go elsewhere for your DHCP.

Sean Daniel said...

Hi Chris, that's one of the reasons why running SBS 2008 as a Hyper-V host is not supported. When you enable DHCP, the DHCP server cannot find a nic to bind to.

I understand the frustration for a small business, but this is a limitation on the technology at this time, I'm sure in the future such issues may be resolved.

As you probably know, Microsoft best practices are that the Hyper-V host be only a Hyper-V host and not have any other roles or responsibilities.


Anonymous said...

In the case of using DHCP services on a router and rather than disabling the DHCP services on SBS 2008, would it be wrong to remove the DHCP role from SBS 2008 all together?

Sean Daniel said...

You could, but the only difference it's making is saving you 4mb of hard drive space, it doesn't use any other resource when it's disabled.... we haven't tested this scenario of going back to running with DHCP, so you could be in a bind.

Why are you so interested in removing DHCP services?

Anonymous said...

Thank you for your very informative description about disabling DHCP, I do however have one question. Why is it important to set the SBS internal IP address as the primary DNS address on the 3rd party DHCP server (router)?
I ask because I would like my laptops and workstations to access the Internet through the router even if the SBS Server is down and my ISP tells me that the ISP's DNS address should be the primary DNS on the router. Can you clarify?

Unknown said...

After I disabled DHCP on my 2WIRE router (which turns it into just a modem) I lose internet connection which prevents set-up completion on the SBS. DHCP on my server is ON. What do I do from here? Let me know if there's any additional info you need. Thanks.

Sean Daniel said...

The lack of an Internet should not prevent setup from completing on SBS, (downloading uploads, yes, but not completing) make sure you still have a link-light from your SBS to your 2WIRE router.

Additionally, it's possible the SBS server can't find the IP address of the 2WIRE (that one doesn't sound familiar from our range of router tests), you might have to run the Connect to the Internet Wizard and explicitly tell the server where the router is.

Make sure also that you're on a private subnet, SBS blocks public IP addresses!

Good luck!

Sean Daniel said...

There was another question above about having to make the DNS address the DHCP server hands out the SBS server, and why?

The answer to this is that the Active Directory needs DNS for Kerberos resolution. You won't be able to join computers to the domain or log in successfully (as well as probably some other items) without having DNS properly configured in your LAN to point to the Active Directory server, or SBS in this case.

Another thing to point out is Windows DNS servers assume that the primary and secondary (and additional of course) all have the same "view" of the Internet. Meaning you can see weird behavior if you set the primary DNS server to your SBS LAN and the secondary to the ISP. This means the primary has more information than the secondary, and Windows does not expect this. While it might appear to work, you could see some weird anomalies.

Good luck & Hope that answers your question.


Anonymous said...

Ahhh...getting closer now due to the great info in this article!

I'm setting up SBS2008 in a currently server-less environment, where the FIOS comes into the router / wireless router, all wired devices homerun back to the router, and wireless devices look to the wireless router for addresses. If I run DHCP from the server, and disable it on my router, how will internal wireless devices connect and get IP addresses?

I know, I know; that should be easy to answer...but for some reason I'm just not seeing it at the moment.

Help me out? :-)

Sean Daniel said...

If they are on the same subnet (i.e. your router doesn't put wifi addresses on a separate subnet) then the router will behave as a switch and allow the DHCP packets to get through to the wireless computers.

This is how I run my house.

Anonymous said...

Thank you very much Sean!

I'll move forward from there...and will likely be back when I setup SBS2008 with a SonicWall TZ; which, of course, separates wifi as you alluded to. Unless you just want to go ahead and answer that question now! :-)


Sean Daniel said...

Yeah, that Sonicwall is a little trickier. What I did (since I also had a sonicwall in my house, but it didn't cooperate with my xbox gaming pastime) was to turn off DHCP on the LAN (wired) network and let the SBS server do that, then leave DHCP on for the WLAN (Wireless) and change the primary DNS address that it hands out to be the SBS server's IP address on the LAN. You also have to change some firewall rules to allow all traffic to pass through un-filtered between the WLAN and LAN. That will allow the DNS traffic to get through. The DHCP traffic won't go through because DHCP is local subnet traffic only, and you are crossing a NAT when you go from WLAN to LAN (or to WAN for that matter).

I hope that makes sense. Good luck Bill.

testing said...

I've tried to use this trick, but SBS doesn't warn me that there is another DHCP server on my network (there is).

I obviously have a static IP for the SBS.

Any other ways I can fake my way through to the next step?

All patches and updates are installed as of today.

Sean Daniel said...

I'm confused in your question. This functionality disables DHCP on the SBS server so you don't see the errors about another DHCP server on your network so you can run a DHCP server.

You can simply do the trick again to enable DHCP to get it back to the SBS server. What are you trying to do?

Jason Comstock said...

My client is running SBS 2008 with a SonicWALL NSA 240. DHCP for the wired network is handled by SBS, with wireless being handled by the SonicWALL. We are using HealthSense nurse call devices on the wireless network and they get their addresses from the SonicWALL. The vendor is seeing some issues with addressing and has suggested serving DHCP from SBS 2008 for the wireless network.

Is there a way to have SBS 2008 DHCP server work in a VLAN environment, so it's able to assign the correct IP scope to the correct VLAN? There are 3 VLANs in the network.


Sean Daniel said...

Hey Jason, I think you are hitting a different issue. You want to make sure that all the firewalls between the WLAN and LAN are disabled. Sonicwall keeps the WLAN and LAN separate by default (for guest access), you want to dis-allow guest access, and then add the firewall rules to allow all traffic to go from the WLAN to the LAN.

Then in the Sonicwall DHCP server, you want to set the Primary DNS server to be the SBS 2008 server's LAN IP address.

Then you'll want to make sure from a WLAN client that you can resolve the server name, domain.local name, and then server.domain.local name, they should all resolve.

That should fix your setup.

DHCP cannot pass out packets on a separate subnet, as that's the design of DHCP, to be single subnet only. The only way to do this would be to have a wireless network card added to the server, which would drastically increase wireless traffic on that network, and you'd be putting SBS in an unsupported network configuration, which could introduce other concerns.

Hope that helps,

testing said...

Hi there,

I'm unable to make your workaround work.

When I hit "Enable DHCP" button, it starts the DHCP service just fine.

I even tried removing the SBS' manual LAN IP and setting it to "Automatic" (ie, DHCP from my router) and it STILL turns DHCP on with no problem.

Does this tip no longer work due to Microsoft SW updates or something?

And obviously, the CTIW won't budge past this.

I'm integrating this box into a well oiled Mac network, so I don't wanna mess with my working DHCP setup.

Sean Daniel said...

Because this button keys off the state of the DHCP server, you will have to click it twice.

Your router having DHCP on it tells the SBS service not to start. Thus the button says "Enable DHCP", which does start the DHCP service, and it will promptly shut down again, but click the button again which now says "Disable DHCP". At this point it will disable the DHCP service and set the flag so CTIW can continue while your router runs DHCP.

Do not set the server's IP address to dynamic, this is an unsupported scenario.

No Microsoft SW Updates will have broken this.

Anonymous said...

Great write up, I'm sure it will help.

I used dhcp server on many windows versions. Unfortunately, I've got a problem running it on SBS2008. I configured it and now I cannot enter in the management interface. Is somebody having the same problem? I posted on
Thank you,

Sean Daniel said...

It should work just fine, if you open up DHCP management on the server it should load, if it doesn't, I would restart the DHCP services from services.msc.

Unknown said...

Hi Sean,

I'm having the same issue that "testing" did above. Clicking "Start DHCP" starts the DHCP service just fine. It doesn't seem to care that there's another DHCP server running on the network. Even if I wait a few minutes and hit "refresh view" it never switches to "Disable DHCP". There's obviously more going on to how SBS 2008 detects whether DHCP is disabled or not, because disabling the service and setting it to not notify is insufficient, CTIW still complains and will not run.

Any thoughts on what may be causing this behavior? This is SBS 2k8 running on a new Dell R710. Relatively new. Given that both "testing" and I have run into the issue relatively recently, I'd also be inclined to suspect that it's an update that has changed this feature.

Any insights would be appreciated,


Unknown said...

Right, found the resolve here:

Sorry, unfamiliar with blogger in general, not sure if I can drop a hyperlink in the comment or not, and couldn't find a way to simply edit my previous comment.

Resolve is basically to go into the SBS Console (Advanced), go to Network, Connectivity and click "Stop DHCP". Once stopped, you can run the CTIW w/out being prompted about disabling DHCP on your router. Then I disabled the DHCP notification as you described.

I did confirm that after clicking "Stop DHCP" and running the CTIW the DHCP service was set to disabled.

So far, all seems well.

David P said...

What are the GOTCHA's when you disable DHCP and allow your router to provide that function?

I want my router to do DHCP so other network clients still function when the SBS is down.

However... I use VPN on my SBS. Will I be jacked with regard to VPN access if SBS doesn't control DHCP? And what other gotcha's should we be aware of?

Sean Daniel said...

The key thing is just to ensure that DNS is configured correctly.

thehackedhome said...

Worked like a charm! Thanks for the info!

Larry T [AKA VMSysProg] said...

Hi Sean,
I appreciated the ideas and integration tips with the SonicWall devices as well.

I just wanted to raise a DHCP feature "DHCP Relay" which enables any router to forward DHCP requests on to a DHCP server.

It's very helpful as in the HealthSense case where three subnets on the wireless in addition to the inside LAN / SBS native subnet can be served by a single Windows DHCP server.

So, I have multiple subnets defined in my DHCP servers and for each subnet, I get all the pluses of creating reservations, etc as Sean mentioned.

Last, the equivalent of DHCP relay can most likely be found so your wireless network will just listen for DHCP requests and seamlessly to the DHCP client send them to the Windows DHCP server on SBS 2003 or SBS 2008.

CAVEAT: I use "netsh dhcp server (ip address) dump (subnet) >servername-subnet-id-DHCP-SETTINGS.txt" so a batch job backs up the many DHCP servers I have on various dedicated Windows Server VMs. This approach works just as easy for SBS 2003/2008 environment with 10-75 users on the LAN and multiple wireless subnets.

When I'm not learning about SBS server migrations (hobby), I have 43 VLANs at work and in particular, for each floor, I have a separate desktop DHCP server, printer DHCP server (used to boot VOIP devices as well) and a VOIP DHCP server. The desktop DHCP server handles all the wireless and VPN DHCP relay requests from our Cisco firewalls and MERU wireless controllers along with Radius server requests, etc. for authentication.

All the DHCP servers run on Windows Server 2003 R2 virtual machines (under VMware) and as I said, I use a single script using netsh dhcp server dump etc to create separate files for each subnet range that matches to the local IP subnet assigned to each VLAN.

I replicate that folder to all DHCP servers in case I have to have one or more take over for a problem DHCP server in a pinch.

Larry T [AKA VMSysProg]

us vpn said...

I think you should run DHCP on SBS, so that you're more secured.

Sean Daniel said...

US VPN - there is nothing insecure on where you run your DHCP server, the router or the SBS server, the security level is the same. SBS will most likely have a better DHCP server and is more robust, or have more features, that should be what your decision is made from.

Larry T, Seems like you know too much to be dangerous on SBS! You can absolutely run DHCP on SBS, and it seems like you know how to configure it.

Alex G. said...

Hello, I am trying to figure out how to install a SBS 2011 in a hosted environment. I was wondering if you have any suggestions. The scenario is simple, hosted company is giving me a Hyper-V with 24GB of RAM i7 4x2(HT)x2.66+ GHz with 2 TB of HD with one fixed IP. I would like to create my SBS 2011 and an application server (2k8r2) on this box. I am also thinking of getting one more for my 10 users virtual pcs (might be an over kill)… I know that the sbs2011 wants to take over the network (DHCP, DNS…) I have played around with a sbs2011 install on one of my boxes in the office and it really gave me a bad time with my router wanting to do the DHCP. If I do not have control over the hosts network… I can get additional IPs though and maybe create some sort of network configuration in the Hyper-V, not sure if that would work. Oh, I have absolutely no experience with Hyper-V. If there is some reading I can get out there for something that I am trying to do that you might know of, that would help also. Any suggestions would be greatly appreciated.

Sean Daniel said...

I don't have any guidelines other than this post. You can give SBS 2011 a static IP and disable DHCP services using this post, and that should get you in a happy environment to be hosted.

The Phil said...


I am running into an identical issue as testing and Jim up above. I am trying to test SBS 2011 and run the CTIW after doing the steps you detailed above.
But after I click Start DHCP, I get prompted and asked if I want to start DHCP, I click yes. It tries to start and immediately shuts off. I see the error logged in Event Viewer.
But when I run the CTIW right after, the wizard keeps detecting that DHCP is still running on the firewall and quits when I click either Postpone or Continue.
Is there any workaround for SBS 2011?

Sean Daniel said...

If you want to run DHCP on your router, you have to click it once to turn it on, and then immediately click it a second time to turn it off. Then run the CTIW and it will ignore the other DHCP server on the network and let you continue.

Anonymous said...

I followed your guide and when starting DHCP, windows states DHCP started successfully. I also stopped the services by disabling it and connect to internet fails...

Anonymous said...

Microsoft doesn't know how to solve this problem about CTIW. I am disappointed, disable router dhcp and to say we are not able to connect to internet. How come we spend a lot of time for the best product? This guy Sean Daniel is talking around and around the technology he really doesn't know how it works. Do you work for Microsoft, may be.

Sean Daniel said...

oh we know how it works. :)

uk vpn said...

Great post. Thanks.

Unknown said...

This SBS 2011 installation is really disappointing. I am migrating from SBS 2003 and the fact that the DHCP is so hard to turn off and the fact that there are only CERTAIN allowed IP addresses we can use on our internal network is just terrible. We use a public IP range on our private network as a security step - and we use static IP addresses on all our devices. As such, people who potentially reach our network will have a harder time (and bots / viruses too) because we use a nonstandard IP range. The fact that Microsoft thinks they are "idiot proofing" their SBS 2011 product just means they are taking out a ton of the functionality for customizing the server. So annoying.

Take the migration from 2003 to 2011. I want to do an OFFLINE migration, so that I can make the new 2011 server essentially the same computer as the running 2003 one. Same IP, same name. This is to enable a bunch of applications to continue to work without having to modify them. However, the migration tools only allow for the two servers to be on the same network together. This is impossible in my situation and it introduces so many possibilities for issues in having both SBS computers on the same network at the same time.


Sean Daniel said...

Hi Unknown,

Thanks for your feedback. Seems like you want Standard Server for ultimate flexibility.

Willie Aames said...

This is helpful, thanks.

amy said...

I am in the middle of phasing out a SBS 2003 server, exchange has been migrated to a new server running Exchange 2010 and I have setup a second dedicated ip vpn service with AD replicating. The next step I would assume is to migrate DHCP and DNS, I have been doing some research online trying to find the best method with minimal downtime. Should DNS be migrated from the SBS 2003 box to the 2008 R2 box before DHCP or the order does not really matter?

Sean Daniel said...

Hi Amy, sorry for the delay, the two services are mutually exclusive to each other, so it really doesn't matter, one hands out IP addresses and is only really needed whenever an IP address is required (a lease expires or a machine boots up). The DNS service is only used when a machine is looking to resolve such an IP address. If a new computer gets a new IP address from any DNS Server, it'll advertise on the network its new IP address as if it just got a new one from any DHCP server.

So, either one first, good luck!