A large network requires multiple DHCP servers, one for each subnet. Rogue devices are always an issue, especially if wireless is also part of the network. As for private addressing, I have always recommended using the 10.0.0.0/8 network. I use it at home with a class B mask (10.0.0.0/16).

Many large networks use reservations extensively. Devices without a reservation are assigned to a separate scope that is filtered by bridges and/or routers. Most network designs depend greatly on a specified level of security.

I recall an incident at a client company producing leading-edge satellite technology. An engineer set up a rogue device to smuggle designs. Because of the identifiable IP address that was assigned from an alternate scope, all of his outgoing material was audited and modified before being sent. It was a company-operated "man in the middle" operation that prevented designs from being compromised and enabled law enforcement to arrest the people on the remote end. This was a unique situation, but it highlights the fact that a little network design planning can greatly enhance security.
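
The reservation-plus-alternate-scope design described above lends itself to a simple lease audit. The following is an added example, not part of the original post: the scope ranges, the reservation table, the lease records and the verdict names are all constructed assumptions.

```python
import ipaddress

# Assumed layout (not from the post): reserved devices live in 10.0.0.0/16,
# devices without a reservation are leased from a filtered scope, 10.99.0.0/16.
TRUSTED_SCOPE = ipaddress.ip_network("10.0.0.0/16")
ALTERNATE_SCOPE = ipaddress.ip_network("10.99.0.0/16")

# Constructed reservation table: MAC -> reserved address.
RESERVATIONS = {
    "00:11:22:33:44:55": "10.0.1.10",
    "00:11:22:33:44:66": "10.0.1.11",
}

# Constructed lease records (mac, leased_ip), e.g. exported from a DHCP server.
SAMPLE_LEASES = [
    ("00:11:22:33:44:55", "10.0.1.10"),    # reserved, correct address
    ("00:11:22:33:44:66", "10.0.1.99"),    # reserved MAC, wrong address
    ("DE:AD:BE:EF:00:01", "10.99.0.23"),   # unknown device, alternate scope
    ("de:ad:be:ef:00:02", "10.0.1.50"),    # unknown device inside trusted scope
    ("de:ad:be:ef:00:03", "192.168.1.5"),  # address from neither scope
]

def classify_lease(mac, ip):
    """Return a verdict for one lease against the reservation policy."""
    addr = ipaddress.ip_address(ip)
    reserved_ip = RESERVATIONS.get(mac.lower())
    if reserved_ip is not None:
        if addr == ipaddress.ip_address(reserved_ip):
            return "ok-reserved"
        return "reservation-mismatch"
    if addr in ALTERNATE_SCOPE:
        return "unreserved-audit"      # expected landing place; audit its traffic
    if addr in TRUSTED_SCOPE:
        return "policy-violation"      # unreserved device got a trusted address
    return "foreign-address"           # lease did not come from either scope

def audit(leases):
    """Return (mac, ip, verdict) for every lease that is not a clean reservation."""
    findings = []
    for mac, ip in leases:
        verdict = classify_lease(mac, ip)
        if verdict != "ok-reserved":
            findings.append((mac.lower(), ip, verdict))
    return findings

if __name__ == "__main__":
    for mac, ip, verdict in audit(SAMPLE_LEASES):
        print(f"{verdict:22} {mac} {ip}")
```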