How to deploy a network infrastructure with dhcp? Using separate equipment or all on one server?

Hi all! Enlighten me, please, how correctly, in terms of the system administrator to deploy network infrastructure in the organization?
To make it clear what it was about, I will list a few options, specify the most technically correct or describe your.

1. All in one server which network card with two inputs: Internet, proxy, AD, Exchange, distribution ip from dhcp all on the same machine, there may be a replica.

2.There is a switch, it comes to a cable provider. The same switch is enabled hosts on the same floor, switches on the other floors + server with AD, Exchange and others.

3. In a separate network "fer" (for example from cisco or mikrotik) comes to the cable provider, it also gives the address in its dhcp. In this network a server with windows server, but it is only AD Exchange and the need for other roles.
June 14th 19 at 20:57
5 answers
June 14th 19 at 20:59
Solution
Option 1 use a very brave, very stupid ...or fans of Microsoft, an unshakeable believe in the power of the firewall from MS. If this is about You - Your choice.
Option 2 is used by those who like to constantly treat the computers of users from miners and complain that the mail block as spam. Well, either someone really had nothing to hide :) If this is about You - Your choice.
Option 3 is more similar to the typical scheme of the build.

DHCP shouldn't be kept on the router. The router needs to do what it's designed to routit. Well, even firewalls and VPN as necessary. DHCP refers to the basic role of the internal network and to keep it IMHO need on the AD server - the load is cheap, but if the time to fill in the data snap - you can use it as a table of the distribution of the IP, not the whole segment You have dynamics, servers usually have static addresses.

Exch strongly encouraged to separate from AD. Proxies if there are too separate. With the current virtualization technologies to do it where as just. Filopovic - also separate.
Sorry, misunderstood. Clarifying question:
You meant that the provider twisted pair arrives to the router, which provides hosts on the floor, servers are on the same floor (as we understand it, physically, separately, or separately storage virtualization, Exchange, AD+dhcp etc), the switches on the other floors, right? - Uriel.Weissnat commented on June 14th 19 at 21:02
The cable from the dash stuck to a piece of metal type microtia, which only firewall and VPN (if needed). If there are external services can be isolated in a DMZ, which is immediately and bring to Mikrotik. Further from Mikrotik wire stuck in the switch, which is raw footage of dismantled internal server.
In larger structures the internal network is isolated a large number of routers - for example for the analysis package, the everyday, how it miss the internal network. - Esta_Upton commented on June 14th 19 at 21:05
you can still ask a private proxy or a hardware firewall be placed also in the "gap" between conditional microtia and switch? - Uriel.Weissnat commented on June 14th 19 at 21:08
,
Firewall - better than the gap, both physically and logically. But not necessarily, you can just correctly configure VLANs on the switch, then it will be only logical in the gap:
Router - vlanX - firewall - vlanY1, vlanY2.
Proxy in the DMZ.

You are a real network or something in these tips collect? - Elton.Heaney commented on June 14th 19 at 21:11
no , now the network is not collected.
But ask questions to gain knowledge and skills which they will use in the future. Also, doing in-house lab.
This question arose because of my lack of information on building infrastructure. (A training course is, no extra money on him, and he hands want to touch) - Uriel.Weissnat commented on June 14th 19 at 21:14
here one of variants of a small office, about how I would have done with some security and future-proofed. You can just in a lab to build such, and then to increase the office and add new services

Logic:
59d294485c5dc735570788.png
Physical schema:
59d294544c008528319392.png - Elton.Heaney commented on June 14th 19 at 21:17
I have firewall software raised directly into Mikrotik - Esta_Upton commented on June 14th 19 at 21:20
June 14th 19 at 21:01
The tasks are very different.
Let's say you need to do VPN at the router or gateway.
If you have a 1-2 user it will pull Mikrotik easily.
If you have 50 users you need a real computer.

I would split the role.
DHCP is a pretty small load.
Why its push into the server?
Let it be on the router.

DHCP need to push to the server if there's any good reason.
Let's say I have this on the server, as the need for integration with DHCP+BOOTP (or PXE do not remember, 100 years ago set up)

But for servers you wish to explore virtualization technology. ESX, Xen, KVM.
Allows great to simplify the recovery of servers in case.

It is possible to distribute DHCP directly from the router from the outside world which gives.
They are now quite perfect in this respect.

But on the other hand, if you go to someone to limit, to cut off from the Internet
perhaps you like this version and will not work.
Yes, I agree. that depends on the situation.

Did I understand correctly that if PXE is used, then the closest to the truth response is formulated like this: the Cable provider's network, let him come in "the player", but handing out addresses and everything else is done on the server? - Uriel.Weissnat commented on June 14th 19 at 21:04
is not the fact.
just in my specific case was a very handy utility which manages all-in-one. specifically for this software downloaded on the network - WTWare - Esta_Upton commented on June 14th 19 at 21:07
I still want to bring certain axiom how to do it right. I understand that this is impossible, and in each case the decision.
But, it turns out that the first option is the most work? One provider interface cable, and secondly everything else? - Uriel.Weissnat commented on June 14th 19 at 21:10
only the first leaked, the enemy will believe all this stuff entirely... - Elton.Heaney commented on June 14th 19 at 21:13
a protection there like complacency..... - Uriel.Weissnat commented on June 14th 19 at 21:16
on the principle of the elusive Joe? - Elton.Heaney commented on June 14th 19 at 21:19
,
I still want to bring certain axiom how to do it right.


Axiom is the following:

To divide the task into parts and see which parts require what and what is restricted.
Criteria there is a bunch: and what hardware is available, and can either buy. What you can buy, and what not.
What part of the functionality will be heavily loaded and which is almost nothing and requires no resources.
What what is not compatible or simply inconvenient to use.
Etc., etc.

On this basis, to collect a particular hardware and software configuration - Esta_Upton commented on June 14th 19 at 21:22
June 14th 19 at 21:03
As already said everything is very individual and depends on available resources, objectives, future plans and other things.
If we assume a small office, strong boundedness for the money and other resources, I would do something like this:
(1) External router -> (2) Managed switch -> (3) Computers
|
 (4) AD + DHCP + ...

A server with two network ports to expose to the Internet one of the ports is bad, because the potential attacker has access to many internal resources, having only one server that apparently on Windows.
External router let him do what he does best - mesrutiyet. That is, balancing two providers, for example, dynamic routing, etc are Configured at least wide simple rules firewall (ACL).
On the switch configured multiple VLANs and preferably also the ACL. Distribution-based vlan functions. Server separately, of course.
Functions of the internal services it is better to split into multiple servers. For example, if you need a proxy server, and if possible, it is best to use a separate server. To put it in a separate vlan, clear the ACL, you get a kind of DMZ.
Well then buy a good firewall...
June 14th 19 at 21:05
IMHO, no matter what tough professionals, but first and foremost, everything comes down to resources: money on hardware and licenses, a place to put all the equipment. If you have one or the ability to purchase only one server, one operating system license, then of course you'll have to put on one, if you have the resources, the options are many.

DHCP service undemanding, particularly for small networks. Of Windows next to the AD/DNS I have never failed, but never failed also and DHCP on pfsense is also the base or home router (Zyxell/Asus).
If the mail server is on the local network, then it I would suggest to allocate a separate machine (even a virtual one) and a separate IP address to the infected client computer or a personal smartphone, the employee on the local network did not insert the address under the anti-spam filters. Additional address many providers worth a penny.
In order to save the file server can be mounted on the controller, but there may be unpleasant situation with the ended free space, backups or malware from user-defined folders. If you have the opportunity: on dev or on a separate piece of metal.
June 14th 19 at 21:07
My version: the provider comes in a weak server, which lives quietly Linux (not exactly hurt to learn), normally configured iptables and fail2ban, which will give an idea about the router, there is dhcp+dns+vpn, you can and proxy a thread up. The Squid itself is quite functional. From it to switch out a couple of uplinks to the internal network. Now the AD is already pretty good friends with Linux, so authorization in the same squid to do no problem. Well plsci type Ulanov to set too easy, which again will give practical experience. By the way, Mikrotik the same embedded-linux, not even embedded. The finished Assembly of the type pfsense is also strange, because it worked fine permanently you need to patch, the install a new package, tend to trigger the need for updates, again patches, perverted necrophilia in General. The web interface milliganii. Well, for a small exchange organization - overhead. IMHO.
Thank you! Was just going to clarify about this variation. Linux twist very active))) - Uriel.Weissnat commented on June 14th 19 at 21:10

Find more questions by tags Computer networksLinuxMikrotikDHCPWindows Server