Server Health
In Windows Server 2008 Server Manager, under Roles, click on the new DHCP Server
entry.
You cannot manage the DHCP Server scopes and clients from here; what you can do is manage
the events, services, and resources related to the DHCP Server installation. This makes it a
good place to check the status of the DHCP Server.
In a Windows Server domain, all DHCP servers must be authorized in Active Directory.
This is Microsoft's security measure to eliminate rogue DHCP servers, such as ones set up by
junior administrators. Log on (or use runas) as a member of the Enterprise Admins group.
If the DHCP server was not authorized during installation, open the DHCP console
(Start -> All Programs -> Administrative Tools -> DHCP), right-click the DHCP server to be
authorized and select Authorize.
Right-click the server node; this displays a pop-up menu.
Click the Authorize option in the menu.
A green arrow appears beside the IPv4 and IPv6 nodes, indicating that the server is now
authorized.
To achieve the same result from the command prompt, enter the following command:
In the above command syntax, serverID is replaced by the IP address or full UNC name of the
system on which the DHCP server is installed.
Configuring Global DHCP Server Properties
Although the DHCP Server role is functional when installation is complete, there are still
some configuration changes you can make to the DHCP server.
Highlight the DHCP server and select the Actions menu. Here you can configure:
Add/Remove Bindings: This is useful if network cards were added, removed, or configured
after the initial installation.
Unauthorize: You can remove the DHCP server's authorization in Active Directory.
Backup: You can back up the configuration and the database.
Restore: You can restore the configuration and the database.
All Tasks: You can start, stop, pause, resume, or restart the DHCP Server role service.
Properties: You can view or change the location of the DHCP database and backup files.
DHCP Scopes
The first thing we are going to configure on the server is a scope. You might be wondering
what a scope is, so let’s start with that.
A scope is a range of addresses that the DHCP server is allowed to hand out.
Generally speaking, there is only one scope per subnet, but there is an exception to that
called a superscope.
Normal Scope - Allows Class A, B and C IP address ranges to be specified, including subnet
masks, exclusions and reservations. Each normal scope defined must exist within its own
subnet.
Multicast Scope - Used to assign IP address ranges for Class D networks. Multicast scopes
do not have subnet masks, reservations or other TCP/IP options. Multicast scope address
ranges require that a Time To Live (TTL) value be specified (essentially the number of
routers a packet can pass through on the way to its destination).
Superscope - Essentially a collection of scopes grouped together so that they can be
enabled and disabled as a single entity.
Within the scope, you can also have Reservations and Exclusions, which do the
following:
Reservations — You can set up certain IPs to be handed out to certain MAC
addresses (a MAC address is the unique number of a network adapter). This is
generally used for clients or devices that must always have the same IP but that you
still want to manage through the DHCP server for other options (DNS or gateway, for
example).
Exclusions — An exclusion is either a single IP or a range that you do not want
managed by the DHCP server. You would do this for the IPs that you assign
statically to devices such as servers that should always have the same IP.
When you create a scope, you must select the range of IP addresses and you must specify
the appropriate scope options to include. These options are what we were referring to above
when we mentioned that you can assign other network information to your clients at the time
they are given an IP address.
Global options are propagated to all the scopes that you create on that DHCP server, while
Scope options are only for the individual scope that you are working with.
For example, if you have different scopes for several different subnets and each subnet will
have a different default gateway but will share the same DNS servers, you would want to set
the DNS servers as a Global option while the default gateways would be set separately in
each scope as a Scope option.
In Windows Server 2008 you can configure either an IPv4 scope or an IPv6 scope. A scope consists of:
A scope name.
A range of addresses, e.g. 192.168.3.1 to 192.168.3.254.
A subnet mask, e.g. 255.255.255.0 (for IPv4 scopes only).
A value for lease duration, which determines how frequently clients will ask to renew
their IP address lease.
Any DHCP options such as WINS and DNS server addresses or the address of the
default gateway for the subnet (for IPv4 scopes only).
One or more reservations, which can be used to make sure that a client always
receives the same address.
One or more exclusion ranges for addresses that you do not want the DHCP server
to use, e.g. 192.168.3.100 to 192.168.3.131.
To create a scope using the DHCP Manager console navigate to the IPv4 or IPv6 folder,
right-click on it, and select New scope. The wizards for IPv4 and IPv6 are similar, but there
are differences that you should note such as not specifying a subnet mask for IPv6 scopes.
Right-click the IPv6 node under the server; this opens a pop-up menu.
On the menu, click the New Scope option. This opens the New Scope Wizard.
On the Scope Prefix page, provide the prefix value and the preference value (if required).
Click Next.
On the Add Exclusions page, add the address range that is to be excluded.
Click Next.
On the Completing the New Scope Wizard page, select the Yes radio button in the Activate
Scope Now section. Click the Finish button.
Now let’s configure an IPv4 scope.
Expand the server node and right-click IPv4, then click New Scope.
The New Scope Wizard starts; click Next.
Exam Tip: When a DHCP server uses a given scope to assign addresses to clients on the
local network, the server itself needs to be assigned an address that is compatible with that
scope!
For example, if a scope distributes addresses within the 192.168.1.0/24 range to the local
network segment, the DHCP server interface facing that segment must be assigned a static
address within the same 192.168.1.0/24 range.
Now we are going to set up an exclusion range by entering 192.168.10.200 as the Start IP
address and 192.168.10.230 as the End IP address.
The first option to configure is Router (Default Gateway); enter the router address for
this subnet, 192.168.10.1, click Add and then click Next.
If you need WINS servers, enter the information on the next screen and click Next.
The next screen asks whether you want to activate the scope. I am going to go ahead and
select Yes, then Next.
You have successfully completed the New Scope Wizard! Click Finish.
That’s it; you should now see your scope in DHCP Manager.
To create a new DHCP scope the command syntax is
For example, to create a scope on subnet 192.168.2.0 ranging from 192.168.2.1 through
192.168.2.100:
Besides the scope options, you can configure and manage the following:
Address Pool: here you can add exclusion ranges for IP addresses.
By adding exclusions, you ensure that machines never receive a DHCP lease from that range
of IP addresses. This is useful for keeping the addresses of your servers and routers out of
the dynamic pool.
Address Leases: see which clients have obtained IP addresses (active leases), the lease
expiration date, and the NAP status.
Reservations
A reservation guarantees the same IP address to a client each time DHCP renews its lease
with the client machine, using the client's MAC address as the identifier.
Go into DHCP Manager and expand the scope, then right-click Reservations and click
New Reservation…
Enter a name for the reservation, followed by the IP address from the currently selected
scope that is to be reserved for the client, together with the MAC address of the client.
Finally, specify whether the reservation is to be made for BOOTP or DHCP clients, or both.
Once the information has been entered, click the Add button. When all reservations have
been entered, click Close.
To add a reservation using netsh the following syntax is used:
For example the following command reserves an IP address for a specific MAC address
(note that the MAC address must be entered without any delimiters):
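The authorization, scope, exclusion, option and reservation steps described in the sections above, carried out with netsh dhcp as an added PowerShell example (not a script from the original document). The server name dhcp01.corp.example, its interface address 192.168.10.5, the option values and the printer MAC are constructed; the scope, exclusion range and router address are the page's own 192.168.10.0/24 values.

```powershell
# Added example: netsh dhcp runbook for the steps above. Run as an Enterprise Admin
# (needed for step 1); every name and address below is assumed unless it is on the page.
$dhcpFqdn = 'dhcp01.corp.example'   # assumed DHCP server name (the serverID of the text)
$dhcpIp   = '192.168.10.5'          # assumed static address of the server's LAN interface
$scope    = '192.168.10.0'          # scope id: the page's IPv4 example subnet

# 1. Authorize the server in Active Directory; 'show server' lists authorized servers.
netsh dhcp add server $dhcpFqdn $dhcpIp
netsh dhcp show server

# 2. Create the scope, its address pool, and the page's exclusion range (.200 - .230).
#    The server's own .5 address must sit inside this subnet (exam tip above).
netsh dhcp server "\\$dhcpFqdn" add scope $scope 255.255.255.0 'LAN-10' 'Main office subnet'
netsh dhcp server "\\$dhcpFqdn" scope $scope add iprange 192.168.10.1 192.168.10.254
netsh dhcp server "\\$dhcpFqdn" scope $scope add excluderange 192.168.10.200 192.168.10.230

# 3. Scope option 003 Router (default gateway): specific to this subnet.
netsh dhcp server "\\$dhcpFqdn" scope $scope set optionvalue 003 IPADDRESS 192.168.10.1

# 4. Server (global) option 006 DNS Servers: shared by every scope on this server.
netsh dhcp server "\\$dhcpFqdn" set optionvalue 006 IPADDRESS 192.168.10.10 192.168.10.11

# 5. Reservation for a printer. The MAC is given without delimiters, as the text notes,
#    and .50 is deliberately outside the exclusion range so the reservation is usable.
netsh dhcp server "\\$dhcpFqdn" scope $scope add reservedip 192.168.10.50 001122aabbcc 'printer01' 'Lobby printer' BOTH

# 6. Activate the scope (state 1 = active) and verify what the wizard would have shown.
netsh dhcp server "\\$dhcpFqdn" scope $scope set state 1
netsh dhcp server "\\$dhcpFqdn" scope $scope show excluderange
netsh dhcp server "\\$dhcpFqdn" scope $scope show reservedip
netsh dhcp server "\\$dhcpFqdn" scope $scope show state
```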
Servers such as DNS or DHCP servers require their IP addresses to be configured manually,
not automatically through DHCP. Reservations are not a valid alternative to static configuration.
You can use a reservation when you want to assign a specific address to a non-essential
computer. Through this method, you can dedicate an address while still enjoying the other
benefits of DHCP, including centralized management, address conflict prevention, and
scope option assignment. For example, you might find that a print server’s specific IP
address configuration is more easily managed through a centrally configured reservation,
which is continually renewed, than through a manual configuration locally at the server.
Remember that reservations can be made only for DHCP clients. In other words, a DHCP server
can lease a reservation only to clients that have been configured to obtain an IP address
automatically.
Exam Tip Look out for questions where an address is simultaneously reserved and
excluded. In such cases, the reservation can’t work!
Scope Options
Options such as Router (default gateway), DNS Servers and DNS Domain Name can be configured at the levels described below.
Scope Options
If you want a particular option value assigned only to those clients in a certain subnet, you
should assign it as a scope option. For example, it’s common to specify different routers for
different physical subnets; if you have two scopes corresponding to different subnets, each
scope would probably have a separate value for the router option.
You can assign options that apply to all scopes (server options) or Clients within a scope
(scope options).
Some assigned options are DNS servers, routers, time servers, mail servers, and so on.
Server Options
Server options are assigned to all scopes and clients of a particular server; use them when
there’s a setting you want all clients of a DHCP server to have, no matter what scope they’re in.
Predefined Options
Predefined options are templates that are available in the Server, Scope, or Client Options.
Class Options
You can assign different options to clients of different types. For example, Windows 2000,
XP, Vista, Server 2003, and Server 2008 machines recognize a number of DHCP options
that Windows 98, NT, and Mac OS machines ignore, and vice versa. By defining a Windows
2000 or newer class (running the ipconfig /setclassid command on the client PC sets a new
class ID for the client), you could assign options only to machines that report themselves as
being in that class.
Note that the client lease must be renewed for the class assignment to take effect.
Client Options
If a client has a DHCP reservation, you can assign certain options to that specific client.
You attach client options to a particular reservation. Client options override scope, server,
and class options. The only way to override a client option is to manually configure the client.
The DHCP server manages client options.
To configure options for a scope (after completing the New Scope Wizard), select the
Scope Options folder in the DHCP console tree, and then from the Action or shortcut menu,
select Configure Options.
The Advanced tab allows you to specify additional server options to be applied for
members of select user or vendor classes only.
Options assigned at this level are only provided to clients identified as members of the
classes specified at this tab.
About the Default Routing and Remote Access Predefined User Class
Windows Server 2008 includes a predefined user class called the Default Routing and
Remote Access class. This class includes options important to clients connecting to Routing
and Remote Access, notably the 051 Lease option.
Be aware that the 051 Lease option is included within this class and is used to
assign a shorter lease duration to clients connecting through Routing and Remote Access.
For IPv4 scopes, the settings in the section Lease Duration For DHCP Clients control how
long leases in this scope are valid.
The IPv6 scope dialog box includes a Lease tab where you set the lease properties.
Server Properties
Just as each scope has its own set of properties, so too does the server itself. You access
the server properties by right-clicking the IPv4 or IPv6 object within the DHCP management
console and selecting Properties.
IPv4 and IPv6 Server Properties: General tab
Auditing the DHCP database on your DHCP servers lets you determine which DHCP clients
on your network are leasing addresses from your server. Auditing also lets you look for
BAD_ADDRESS entries in the database and see where they originate, and this is important
because such entries can indicate address conflicts arising when rogue DHCP servers
assign addresses that are already in use.
Conflict Detection Attempts specifies how many ICMP echo requests (pings) the server
sends for an address it is about to offer. The default is 0.
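An added PowerShell example (not from the original document) that sets Conflict Detection Attempts with netsh and then mines the DHCP audit log for the conflicts the text says to look for. It assumes it runs on the DHCP server itself, that audit logging is on and writing to the default %SystemRoot%\System32\dhcp\DhcpSrvLog-<Day>.log, and that log rows are comma-separated with the event ID as the first field; the two sample rows are constructed.

```powershell
# Added example: conflict detection and audit-log review (assumed paths and log layout).
# Ping an address twice before offering it; the page notes the default is 0 (no check).
netsh dhcp server set detectconflictretry 2
netsh dhcp server show detectconflictretry

# Default audit log for today's weekday (file names use English abbreviations, e.g. Mon).
$day = (Get-Date).DayOfWeek.ToString().Substring(0, 3)
$log = Join-Path $env:SystemRoot "System32\dhcp\DhcpSrvLog-$day.log"

# Constructed sample rows in the audit-log layout, used when no log exists on this box.
$sample = @(
    '10,04/09/24,08:15:02,Assign,192.168.10.23,ws023.corp.example,001122334455,',
    '13,04/09/24,08:15:09,Conflict,192.168.10.24,,001122334466,'
)
$rows = if (Test-Path $log) { Get-Content $log } else { $sample }

# Event 13 = an address the server was about to hand out answered the conflict ping.
# Repeated 13s (and BAD_ADDRESS leases in the console) point at a rogue DHCP server or
# at statically addressed hosts that were never excluded from the scope.
function Get-DhcpConflictEvents([string[]] $Lines) {
    $Lines | Where-Object { $_ -match '^13,' } | ForEach-Object {
        $f = $_ -split ','
        [pscustomobject]@{ Date = $f[1]; Time = $f[2]; IP = $f[4]; Host = $f[5]; MAC = $f[6] }
    }
}
Get-DhcpConflictEvents $rows | Format-Table -AutoSize
```

Addresses that recur here belong in an exclusion range, or the device that answers for them needs to be found and corrected.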
IPv4: The Network Access Protection tab allows you to set up Network Access Protection
(NAP). With NAP, an administrator can:
Carry out computer health policy validation, which can help protect a network against the
spread of viruses, worms, and malicious software (malware).
Ensure ongoing compliance with health policies.
Optionally restrict the access of PCs that do not meet the computer health requirements.
In the IPv6 properties page, there is no Network Access Protection tab because security is
built in to the protocol. On the Advanced tab, there are no conflict detection settings because
IPv6 by design does not experience conflict errors.
A superscope allows the DHCP server to provide multiple logical subnet addresses to DHCP
clients on a single physical network. You create superscopes with the New Superscope
command, which triggers the New Superscope Wizard.
You can create a superscope only after you define at least one scope on the server (this
prevents you from creating an empty superscope). Windows Server 2008 permits you to
select which existing scopes will be moved to the superscope. You can create additional
scopes within the superscope afterwards.
Note You can have only one superscope per server.
Creating a Superscope
The following steps take you through the process of creating a superscope:
1. Open the DHCP snap-in by selecting Start > Administrative Tools > DHCP.
2. Create two scopes: one for 172.16.0.0 through 172.16.255.255 and one for 172.17.0.0
through 172.17.255.255.
3. Right-click IPv4, and choose New Superscope.
The New Superscope Wizard appears. Click Next.
4. On the Superscope Name page, name your superscope, and click Next.
5. The Select Scopes page appears, listing all scopes on the current server.
Select the two scopes you created in step 2, and then click the Next button.
6. The wizard’s summary page appears; click the Finish button to create your scope.
7. Verify that your new superscope appears in the DHCP snap-in.
Finally, activate the superscope.
Creating IPv4 Multicast Scopes
1. Open the DHCP snap-in by selecting Start > Administrative Tools > DHCP.
2. Right-click IPv4, and choose New Multicast Scope.
The New Multicast Scope Wizard appears. Click Next on the welcome page.
3. In the Multicast Scope Name page, name your multicast scope (and add a description).
Click Next.
4. The IP Address Range page appears. Enter a start IP address of 224.0.0.0 and an end IP
address of 224.255.0.0. Adjust the TTL to 1 to make sure that no multicast packets escape
your local network segment. Click Next.
5. The Add Exclusions page appears; click its Next button.
6. The Lease Duration page appears. Since multicast addresses are used for video and
audio, you’d ordinarily leave multicast scope assignments in place somewhat longer than
you would with a regular unicast scope, so the default lease length is 30 days
(instead of 8 days for a unicast scope). Click the Next button.
7. The wizard asks you whether you want to activate the scope now. Click the No radio
button and then Next.
8. The wizard’s summary page appears; click the Finish button to create your scope.
9. Verify that your new multicast scope appears in the DHCP snap-in.
One of the keys to effectively implementing an Active Directory environment is the capability
for Windows 2000 and Windows XP workstations using DHCP to be automatically registered
in DNS.
DHCP integration with Dynamic DNS is a simple concept but powerful in action. By setting
up this integration, you can pass addresses to DHCP clients while still maintaining the
integrity of your DNS services.
The DNS server can be updated in two ways.
One way is for the DHCP client to tell the DNS server what its address is.
Another is for the DHCP server to tell the DNS server when it registers a new client.
However, neither of these updates will take place unless you configure the DNS server to
use Dynamic DNS.
Which of these options you choose depends on how widely you want to support Dynamic
DNS; most of the sites we visit have enabled DNS updates at the server level.
To update the settings, right-click the IPv4 scope or the server, click Properties, and open the DNS tab.
Dynamically Update DNS A and PTR Records Only If Requested by the DHCP Clients
This radio button (which is on by default) tells the DHCP server to register the update only
if the DHCP client asks for DNS registration. When this button is active, DHCP clients that
do not support DDNS won’t have their DNS records updated. However, Windows 2000, XP,
Vista, Server 2003, and Server 2008 DHCP clients are smart enough to ask for the updates.
Choose your settings, then click the Advanced tab and click the Credentials button.
DDNS updates and domain controllers: To perform DDNS updates, you should not
configure the DHCP service on a computer that is also a domain controller. If a DHCP server
runs on a domain controller, the DHCP server has full control over all DNS objects stored in
Active Directory, because the account under which it runs (the domain controller
computer account) has this privilege. This creates a security risk that should be avoided.
You should not install a DHCP server service that is configured to perform DDNS updates
on a domain controller; instead, install it on a member server if you're performing
DDNS updates.
As an alternative, you can use a new feature in Windows Server 2003 DHCP. This feature
enables you to create a dedicated domain user account that all DHCP servers will use when
performing DDNS updates.
When only secure dynamic updates are allowed in a zone, only the owner of a record (the
PC that originally registered the record) can update that record.
This causes problems when a DHCP server registers host (A) resource records on behalf of
clients that cannot perform dynamic updates, because the DHCP server becomes the owner
of the record.
To avoid this problem, add DHCP servers that register records on behalf of other computers
to the DnsUpdateProxy security group. Members of this group are prevented from recording
ownership on the resource records they update in DNS; this loosens security for those
records until they can be registered by the real owner.
You have multiple DHCP servers on your network, some of which are configured to register
DNS records on behalf of pre-Windows 2000 clients. You have configured DNS to allow only
secure updates. However, you find that some DNS records are not being updated properly.