Don’t put DHCP on your domain controller
What is the issue?
Installing additional services on your DC increases the attack surface, makes it difficult to manage and can lead to performance issues.
Issue #1. Manage DC with multiple roles
Domain Controllers with multiple roles installed are difficult to manage. This can often lead to instability and disruption of services.
For example, say you are having issues with DHCP or installed a security patch that requires a reboot. Rebooting a server with Active Directory Domain Services role on it could cause major disruption to your organization. This can affect authentication, replication, group policy, and DNS. Your users will not be able to access anything if DNS is down.
If you have multiple domain controllers and they are properly configured, these issues can be avoided, but why risk it?
If DHCP were installed on its own server, you could reboot the DHCP server without worrying about affecting the services on the Domain Controller.
Issue #2. Security
- The more software/services you install the bigger your attack surface. If DHCP is installed on the DC and a new vulnerability was discovered in the DHCP service your DC server is now at risk.
- Do you have guest wifi? How do you feel about these unmanaged devices being connected to your DHCP/DC server? I’m not a fan of using an internal DHCP server to provide IP addresses for the public. On top of that, these public devices are also connecting to the domain controller… yikes, my security alarms are going off.
- When DHCP is installed on a domain controller, the DHCP service inherits the security permissions of the DC computer account. This violates the principle of least privilege: your DHCP server is now running with privileges it doesn’t need to perform the task it was designed for. Yes, this can be corrected, but why add this risk?
Installing DHCP on its own member server will reduce the attack surface of your DC.
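As an added check (this is not code from the original post), here is a PowerShell audit that lists which domain controllers carry the DHCP Server role and whether their DHCP service still registers DNS records as the DC computer account, the least-privilege problem described above. It assumes the RSAT ActiveDirectory, ServerManager and DhcpServer modules are available and that you have remote admin rights on the DCs; the service account name at the end is a placeholder.

```powershell
# Added example: audit every domain controller for the DHCP Server role and report
# which identity the DHCP service uses for DNS dynamic updates.
# Assumes RSAT ActiveDirectory, ServerManager and DhcpServer modules and remote rights.
Import-Module ActiveDirectory
Import-Module ServerManager
Import-Module DhcpServer

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    # Get-WindowsFeature reports the install state of the DHCP role on the remote host
    $dhcpRole = Get-WindowsFeature -Name DHCP -ComputerName $name -ErrorAction SilentlyContinue
    $installed = [bool]($dhcpRole -and $dhcpRole.Installed)

    $dnsIdentity = $null
    if ($installed) {
        # An empty UserName means DHCP updates DNS as the DC's own computer account
        $cred = Get-DhcpServerDnsCredential -ComputerName $name -ErrorAction SilentlyContinue
        $dnsIdentity = if ($cred -and $cred.UserName) {
            "$($cred.DomainName)\$($cred.UserName)"
        } else {
            '(DC computer account - least-privilege finding)'
        }
    }

    [pscustomobject]@{
        DomainController  = $name
        DhcpInstalled     = $installed
        DhcpDnsIdentity   = $dnsIdentity
    }
}

$report | Format-Table -AutoSize

# Interim remediation for the permission finding while you plan the move to a member
# server: have DHCP register DNS records with a dedicated ordinary domain user account
# instead of the DC computer account. 'CONTOSO\svc-dhcp-dns' is a placeholder name.
# $svc = Get-Credential -UserName 'CONTOSO\svc-dhcp-dns' -Message 'DHCP DNS update account'
# Set-DhcpServerDnsCredential -ComputerName 'DC01' -Credential $svc
```

Any DC that shows `DhcpInstalled` as True is a candidate for moving the role; the DNS identity column tells you whether the interim credential fix has already been applied.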
Issue #3. Performance
Generally, I’ve seen DHCP servers run very efficiently and not require a lot of system resources such as CPU or memory.
But…
Say you just learned about a new DHCP option such as conflict detection and you turn it on for all scopes.
Uh oh… Now the CPU usage skyrockets, the domain services are slow, users can’t log in and DNS requests are painfully slow.
Maybe you install an IPAM to keep track of available IP addresses and it takes up CPU and memory… again taking resources away from the domain services.
I could go on and on… the point being, the more software/services you install on your domain controller, the more it can affect performance and lead to disruption of services.
Summary
Your domain controller is one of the most critical services in a Windows domain environment; it’s your baby and deserves its own server. A Domain Controller is a Domain Controller is a Domain Controller is a Domain Controller. Nothing else.