
Managing Windows Server 2008 DHCP Server

Server Health

In Windows Server 2008 Server Manager, under Roles, click on the new DHCP Server
entry.

You cannot manage the DHCP Server scopes and clients from here; what you can do is manage
the events, services, and resources that are related to the DHCP Server installation. Thus,
this is a good place to check the status of the DHCP Server.

Here you can Start and Stop the DHCP Service


To configure the DHCP Server and see what clients have obtained IP addresses, I need to
go to the DHCP Server MMC.

DHCP Server MMC

Go to Start > Administrative Tools, and click on DHCP.

Authorizing DHCP Servers

In a Windows Server domain all DHCP servers need to be authorized in Active Directory.

This is Microsoft's new security initiative to eliminate rogue DHCP servers created by junior
administrators. Log on (or use runas) as a member of the Enterprise Admins group.

If the DHCP server was not authorized during installation, open the DHCP console
(Start -> All Programs -> Administrative Tools -> DHCP), right-click on the DHCP server to be
authorized and select Authorize.

Select and right-click the server node; this will display a pop-up menu.
Click the Authorize option in the menu.

A green arrow will appear beside the IPv4 and IPv6 nodes, indicating that the server is
now authorized.

To achieve the same result from the command prompt, enter the following command:

netsh dhcp server serverID initiate auth

In the above command syntax, serverID is replaced by the IP address or full UNC name of
the system on which the DHCP server is installed.

Configuring Global DHCP Server Properties

Configure Additional Settings in DHCP

Although the DHCP Server role is functional when installation is complete, there are still
some additional settings you can configure on the DHCP server.

Highlight the DHCP server and select the Actions menu. Here you can configure:

Add/Remove Bindings: This is useful if network cards were added, removed, or configured
after the initial installation.
Unauthorize: You can remove the authorization of the DHCP server in Active Directory.
Backup: You can back up the configuration and the database.
Restore: You can restore the configuration and the database.
All Tasks: You can start, stop, pause, resume, or restart the DHCP Server role service.
Properties: You can view or change the location of the DHCP database and backup files.

DHCP Scopes

The first thing we are going to configure on the server is a scope. You might be wondering
what a scope is, so let’s start with that.

A scope is a range of addresses that are allowed to be handed out by the DHCP server.
Generally speaking there is only one scope per subnet, but there are exceptions to that
called Super Scopes.

Normal Scope - Allows Class A, B and C IP address ranges to be specified, including subnet
masks, exclusions and reservations. Each normal scope defined must exist within its own
subnet.

Multicast Scope - Used to assign IP address ranges for Class D networks. Multicast scopes
do not have subnet masks, reservations or other TCP/IP options. Multicast scope address
ranges require that a Time To Live (TTL) value be specified (essentially the number of
routers a packet can pass through on the way to its destination).

Superscope - Essentially a collection of scopes grouped together such that they can be
enabled and disabled as a single entity.

Within the scope, you can also have Reservations and Exclusions which will do the
following:

- Reservations — You can set up certain IPs to be handed out to certain MAC
addresses (a MAC address is the unique number of a network adapter). This is
generally used for clients or devices that must always have the same IP but that you
still want to manage through the DHCP Server for other options (DNS or gateway, for
example).
- Exclusions — An exclusion is either a single IP or a range that you do not want
managed by the DHCP server. You would do this for the IPs that you assign
statically to devices like servers that should always have the same IP.

When you create a scope, you must select the range of IP addresses and you must specify
the appropriate scope options to include. These options are what we were referring to above
when we mentioned that you can assign other network information to your clients at the time
they are given an IP address.

There are two types of scope options: Global and Scope.

Global options are propagated to all the scopes that you create on that DHCP server, while
Scope options are only for the individual scope that you are working with.

For example, if you have different scopes for several different subnets and each subnet will
have a different default gateway but will share the same DNS servers, you would want to set
the DNS servers as a Global option while the default gateways would be set separately in
each scope as a Scope option.

In Windows Server 2008 you can configure either an IPv4 scope or an IPv6 scope.

A scope includes the following:

- A scope name.
- A range of addresses, e.g. 192.168.3.1 to 192.168.3.254.
- A subnet mask, e.g. 255.255.255.0 (for IPv4 scopes only).
- A value for lease duration, which determines how frequently clients will ask to renew
their IP address lease.
- Any DHCP options such as WINS and DNS server addresses or the address of the
default gateway for the subnet (for IPv4 scopes only).
- One or more reservations, which can be used to make sure that a client always
receives the same address.
- One or more exclusion ranges for addresses that you do not want the DHCP server
to use, e.g. 192.168.3.100 to 192.168.3.131.

To create a scope using the DHCP Manager console, navigate to the IPv4 or IPv6 folder,
right-click on it, and select New scope. The wizards for IPv4 and IPv6 are similar, but there
are differences that you should note such as not specifying a subnet mask for IPv6 scopes.

Let’s configure an IPv6 Scope

Select and right-click the IPv6 node under the server; this will open a pop-up menu.

On the menu, click the New Scope option. This will open the New Scope Wizard.

On the Welcome page, click the Next button.


On the Scope Name page, provide a name and description for the scope. Click the Next button.

On the Scope Prefix page, provide the prefix value and, if required, a preference value.
Click Next.

On the Add Exclusions page, add any address range that needs to be excluded.
Click Next.

The Scope Lease page allows you to set how long a device gets to use an assigned IP
address before it has to renew its lease. You can set two different lease durations.
The section labeled Non Temporary Address (IANA) is the lease time for your more
permanent hosts (such as printers and desktop towers). The one labeled Temporary Address
(IATA) is for hosts that might disconnect at any time, such as laptops. Click Next.

On the Completing the New Scope Wizard page, select the Yes radio button in the Activate
Scope Now section. Click the Finish button.

Now let's configure an IPv4 Scope

Expand the server node, right-click IPv4, then click New Scope.

The New Scope Wizard starts; click Next.

Name your scope, optionally enter a Description, and click Next.


Now enter the IP range that will be assigned to the scope, then click Next.

Exam Tip: When a DHCP server uses a given scope to assign addresses to clients on the
local network, the server itself needs to be assigned an address that is compatible with that
scope! For example, if a scope distributes addresses within the 192.168.1.0/24 range to the
local network segment, the DHCP server interface facing that segment must be assigned a
static address within the same 192.168.1.0/24 range.

Now we are going to setup an exclusion range by entering the Start IP address: as
192.168.10.200 and then in the End IP address: place 192.168.10.230.

After that click Add to place your exclusion range in place.

Once the exclusion range is in place, click Next.


The Lease Duration window is now up and we are going to change this to 20 days. You of
course should change this to suit your environment; if you have a lot of mobile users you will
want a shorter lease duration, as you will want IPs to free up more quickly as users come
and go. After you set your lease time, click Next.

The wizard will now ask if you want to configure DHCP options. There are quite a few
options you can send to the DHCP clients, but there are a couple of major ones that make
life simple, so select Yes, I want to configure these options now and then click Next.

The first option to configure is Router (Default Gateway). We will put in the router gateway
for this subnet, 192.168.10.1; click Add and then click Next.

Now we will setup the DNS Server.


Add the IP addresses of the DNS servers to be used by the DHCP clients. DNS servers do
not have to be on the same subnet; the clients will attempt to contact the servers in the order
that they appear in this list. If you have a DNS server on the local subnet, put it at the top.

If you need WINS Servers, enter the information on this next screen and click Next.

The next screen asks you if you want to activate the scope. I am going to go ahead and
select Yes, then Next.

You have successfully completed the New Scope wizard! Click Finish

That’s it, you should now see your scope in DHCP Manager.

To create a new DHCP scope from the command line, the syntax is:

netsh dhcp server \\servername scope subnetID add iprange startIP endIP

For example, to create a scope on subnet 192.168.2.0 ranging from 192.168.2.1 through
192.168.2.100:

netsh dhcp server \\winserver-1 scope 192.168.2.0 add iprange 192.168.2.1 192.168.2.100

Changed the current scope context to 192.168.2.0 scope.

Command completed successfully.

Besides the scope options, you can configure and manage the following:

Address Pool: here you can add exclusion ranges for IP addresses. By adding exclusions,
you ensure that machines never receive a DHCP lease for that range of IP addresses. This is
very useful for blocking the IP addresses used by your servers and routers.

Address Leases: here you can see which clients have obtained IP addresses (active leases),
the lease expiration date, and the NAP status.

Reservations

A reservation guarantees the same IP address to a client each time DHCP issues or renews a
lease to the client machine, using its MAC address as the identifier.

Go into DHCP Manager and expand the scope, then right-click Reservations and click
New Reservation…

Enter a name for the reservation followed by the IP address from the currently selected
scope which is to be reserved for the client together with the MAC address of the client.
Finally specify whether the reservation is to be made for BOOTP or DHCP clients, or both.
Once the information has been entered click the Add button. When all reservations have
been entered click Close.

To add a reservation using netsh, the following syntax is used:

netsh dhcp server \\servername scope subnetID add reservedip IPaddress MacAddress ReservationName Comment

For example the following command reserves an IP address for a specific MAC address
(note that the MAC address must be entered without any delimiters):

C:\Users\Administrator>netsh dhcp server \\winserver-2 scope 192.168.2.0 add reservedip 192.168.2.12 0013720B1457 "CEO Printer" "Printer in Exec Suite"

Changed the current scope context to 192.168.2.0 scope.

Command completed successfully.

Reservations cannot be used interchangeably with manual (static) configurations.

Servers such as DNS or DHCP servers require their IP addresses to be configured manually,
not automatically using DHCP. Reservations are not a valid alternative to static configurations.

You can use a reservation when you want to assign a specific address to a non-essential
computer. Through this method, you can dedicate an address while still enjoying the other
benefits of DHCP, including centralized management, address conflict prevention, and
scope option assignment. For example, you might find that a print server’s specific IP
address configuration is more easily managed through a centrally configured reservation,
which is continually renewed, than through a manual configuration locally at the server.

Remember that reservations can be made only to DHCP clients. In other words, a DHCP server
can lease a reservation only to clients that have been configured to obtain an IP address
automatically.

Exam Tip: Look out for questions where an address is simultaneously reserved and
excluded. In such cases, the reservation can’t work!
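As an added example that is not part of this guide, the following Python script checks a scope definition against the rules above: the server interface address must be in the scope's subnet, exclusions must lie inside the scope range, a reserved address must not also be excluded, and a netsh-style MAC has no delimiters. The scope values are constructed from the IPv4 walk-through (192.168.10.0/24, exclusion .200-.230); the reservation addresses and the server address are made up.

```python
"""Check a DHCP scope definition for the mistakes this guide warns about.

Added illustration, not from the guide. The rules encoded here are the ones the
text states (server interface address inside the scope's subnet, reserved address
never inside an exclusion, netsh MAC format) plus one inference from its
exclusions advice: a static server address that sits in the pool should be excluded.
"""
from ipaddress import IPv4Address, IPv4Network


def _in_range(ip, first, last):
    return first <= ip <= last


def check_scope(network, start, end, server_ip, exclusions=(), reservations=()):
    """Return a list of problems; an empty list means the definition is consistent.

    network: 'a.b.c.d/n'; start, end, server_ip: dotted-quad strings;
    exclusions: (first, last) string pairs; reservations: (ip, mac) string pairs,
    with the MAC written as netsh expects it (12 hex digits, no delimiters).
    """
    net = IPv4Network(network)
    lo, hi, srv = IPv4Address(start), IPv4Address(end), IPv4Address(server_ip)
    excl = [(IPv4Address(a), IPv4Address(b)) for a, b in exclusions]
    problems = []

    if lo > hi:
        problems.append("scope start address is after its end address")
    if lo not in net or hi not in net:
        problems.append(f"scope range {lo}-{hi} is not inside {net}")

    # Exam tip: the interface facing the segment needs a static address in the
    # same subnet the scope distributes.
    if srv not in net:
        problems.append(f"server address {srv} is outside {net}")
    elif _in_range(srv, lo, hi) and not any(_in_range(srv, a, b) for a, b in excl):
        # Inference from the guide's advice to exclude statically assigned servers.
        problems.append(f"server address {srv} is inside the pool but not excluded")

    for a, b in excl:
        if a > b:
            problems.append(f"exclusion {a}-{b} is reversed")
        elif not (_in_range(a, lo, hi) and _in_range(b, lo, hi)):
            problems.append(f"exclusion {a}-{b} is not inside the scope range")

    for ip_s, mac in reservations:
        ip = IPv4Address(ip_s)
        if not _in_range(ip, lo, hi):
            problems.append(f"reservation {ip} is outside the scope range")
        # Exam tip: an address that is both reserved and excluded is never leased.
        for a, b in excl:
            if _in_range(ip, a, b):
                problems.append(f"reservation {ip} ({mac}) sits inside exclusion {a}-{b}")
        if len(mac) != 12 or any(c not in "0123456789abcdefABCDEF" for c in mac):
            problems.append(f"MAC {mac!r} for {ip} must be 12 hex digits with no delimiters")
    return problems


def main():
    # Constructed from the guide's IPv4 walk-through: 192.168.10.0/24 with exclusion
    # .200-.230. The server address and both reservations are made-up values.
    problems = check_scope(
        "192.168.10.0/24", "192.168.10.1", "192.168.10.254",
        server_ip="192.168.10.205",
        exclusions=[("192.168.10.200", "192.168.10.230")],
        reservations=[("192.168.10.210", "0013720B1457"),      # reserved AND excluded
                      ("192.168.10.50", "00-13-72-0B-14-57")],  # delimiters: netsh rejects this
    )
    for p in problems:
        print("PROBLEM:", p)
    return problems


if __name__ == "__main__":
    main()
```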

Scope Options

The Router (default gateway), DNS Servers and DNS Domain Name options are configured here.

Scope Options
If you want a particular option value assigned only to those clients in a certain subnet, you
should assign it as a scope option. For example, it’s common to specify different routers for
different physical subnets; if you have two scopes corresponding to different subnets, each
scope would probably have a separate value for the router option.

You can assign options that apply to all scopes (server options) or to clients within a scope
(scope options).

Some assigned options are DNS servers, routers, time servers, mail servers, and so on.

Server Options
Server options are assigned to all scopes and clients of a particular server; use them if there’s
a setting you want all clients of a DHCP server to have, no matter what scope they’re in.

Understanding Option Assignment

You control which DHCP options are doled out to clients in five (slightly overlapping) ways.

Predefined Options
Predefined options are templates that are available in the Server, Scope, or Client Options.

Class Options
You can assign different options to clients of different types. For example, Windows 2000,
XP, Vista, Server 2003, and Server 2008 machines recognize a number of DHCP options
that Windows 98, NT, and Mac OS machines ignore, and vice versa. By defining a Windows
2000 or newer class (using the ipconfig /setclassid command on the client PC to set a new
class ID for the client) you could assign options only to machines that report themselves as
being in that class.

Note that you need to renew the client lease for the class assignment to take effect.

Client Options
If a client is using DHCP reservations, you can assign certain options to that specific client.
You attach client options to a particular reservation. Client options override scope, server,
and class options. The only way to override a client option is to manually configure the client.
The DHCP server manages client options.

Note: Client options override Class options, Class options override Scope options,
and Scope options override Server options.
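The precedence in the note above, as an added Python example that is not from the guide: the option codes are the standard ones the guide names (003 Router, 006 DNS Servers, 015 DNS Domain Name, 051 Lease), while the sample values, the reservation address and the one-hour class lease are constructed.

```python
"""Work out which DHCP options a client ends up with.

Added illustration, not from the guide. It applies the precedence the text states:
client (reservation) options beat class options, which beat scope options, which
beat server options. The sample configuration below is constructed.
"""

SERVER, SCOPE, CLASS, CLIENT = "server", "scope", "class", "client"


def effective_options(server_opts, scope_opts, class_opts, client_opts,
                      user_class=None, reserved_ip=None):
    """Merge the option layers from lowest to highest precedence.

    server_opts, scope_opts: {code: value}
    class_opts:  {user_class_id: {code: value}}   (Advanced tab, per user class)
    client_opts: {reserved_ip: {code: value}}     (options attached to a reservation)
    user_class:  class ID the client reports (set with ipconfig /setclassid), or None
    reserved_ip: the client's reservation address, or None if it has no reservation
    Returns (options, winner) where winner[code] names the layer that supplied it.
    """
    layers = [(SERVER, server_opts), (SCOPE, scope_opts)]
    if user_class is not None:
        layers.append((CLASS, class_opts.get(user_class, {})))
    if reserved_ip is not None:
        layers.append((CLIENT, client_opts.get(reserved_ip, {})))
    options, winner = {}, {}
    for layer, opts in layers:
        for code, value in opts.items():   # later (higher) layers overwrite earlier ones
            options[code] = value
            winner[code] = layer
    return options, winner


# Constructed sample: one server, one scope, the guide's predefined RRAS class.
SAMPLE_SERVER = {"006": ["10.0.0.53", "10.0.0.54"], "015": "corp.example"}
SAMPLE_SCOPE = {"003": "192.168.10.1", "051": 20 * 86400}   # 20-day lease, in seconds
SAMPLE_CLASS = {
    # The guide says this class carries a shorter 051 Lease; one hour is a made-up value.
    "Default Routing and Remote Access Class": {"051": 3600},
}
SAMPLE_CLIENT = {
    # Client options hang off a reservation; this (made-up) printer gets its own DNS server.
    "192.168.10.12": {"006": ["10.0.0.10"]},
}


def main():
    laptop, _ = effective_options(SAMPLE_SERVER, SAMPLE_SCOPE, SAMPLE_CLASS, SAMPLE_CLIENT,
                                  user_class="Default Routing and Remote Access Class")
    printer, who = effective_options(SAMPLE_SERVER, SAMPLE_SCOPE, SAMPLE_CLASS, SAMPLE_CLIENT,
                                     reserved_ip="192.168.10.12")
    print("RRAS laptop lease:", laptop["051"], "seconds (from class)")
    print("printer DNS:", printer["006"], "from", who["006"])
    return laptop, printer, who


if __name__ == "__main__":
    main()
```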

To configure options for a scope (after completing the New Scope Wizard), select the Scope
Options folder in the DHCP console tree, and then from the Action or shortcut menu, select
Configure Options.

The Advanced tab allows you to specify additional server options to be applied to
members of selected user or vendor classes only.

Options assigned at this level are only provided to clients identified as members of the
classes specified at this tab.

Configuring User Class Options


1. Open the DHCP snap-in by selecting Start > Administrative Tools > DHCP.
2. Right-click the IPv4 item, and select Define User Classes.
3. Click the Add button in the DHCP User Classes dialog box.
4. In the New Class dialog box, enter a descriptive name for the class in the Display Name.
Enter a class ID in the ID field. (Typically, you will enter the class ID in the ASCII portion of
the ID field.), click OK.
5. The new class appears in the DHCP User Classes dialog box. Click Close to return to the
DHCP snap-in.
6. Right-click the Scope Options node, and select Configure Options.
7. Click the Advanced tab. Select the class you defined in step 4 from the User Class menu.
8. Configure the options you want to set for the class. Click OK when you are done.
Notice that the options you configured (and the class they are associated with) appear in the
right pane of the DHCP window.

About the Default Routing and Remote Access Predefined User Class
Windows Server 2008 includes a predefined user class called the Default Routing and
Remote Access class. This class includes options important to clients connecting to Routing
and Remote Access, notably the 051 Lease option.
Be sure to know that the 051 Lease option is included within this class and is used to
assign a shorter lease duration for clients connecting to Routing and Remote Access.

Scope Properties (IPv4 and IPv6)


Each scope has a set of properties associated with it. Except for the set of options assigned
by the scope, you can find these properties on the General tab of the scope’s Properties
dialog box. Right-click the scope and choose Properties.

Some of these properties, such as the scope name and description, are self-explanatory.
Others require a little more explanation:
The Start IP Address and End IP Address fields allow you to set the range of the scope.

For IPv4 scopes, the settings in the section Lease Duration For DHCP Clients control how
long leases in this scope are valid.
The IPv6 scope dialog box includes a Lease tab where you set the lease properties.

Server Properties
Just as each scope has its own set of properties, so too does the server itself. You access
the server properties by right-clicking the IPv4 or IPv6 object within the DHCP management
console and selecting Properties.
IPv4 and IPv6 Server’s Properties General tab
Auditing the DHCP database on your DHCP servers lets you determine which DHCP clients
on your network are leasing addresses from your server. Auditing also lets you look for
BAD_ADDRESS entries in the database and see where they originate, and this is important
because such entries can indicate address conflicts arising when rogue DHCP servers
assign addresses that are already in use.

The Advanced tab allows you to configure:

- The database path and the audit log file path
- Connection bindings
- Registration credentials for dynamic DNS. The registration credential is the user account
that DHCP will use to register clients with Active Directory.

Additionally, the IPv4 Advanced tab contains Conflict Detection Attempts, which specifies
how many ICMP echo requests (pings) the server sends for an address it is about to offer.
The default is 0.

IPv4: The Network Access Protection tab allows you to set up Network Access Protection
(NAP). With NAP, an administrator can:

- Carry out computer health policy validation, which can help protect a network against the
spread of viruses, worms, and malicious software (malware).
- Ensure ongoing compliance with health policies.
- Optionally restrict the access of PCs that do not meet the computer health requirements.

In the IPv6 properties page, there is no Network Access Protection tab because security is
built in to the protocol. On the Advanced tab, there are no conflict detection settings because
IPv6 by design does not experience conflict errors.

Creating a Superscope for IPv4

A superscope allows the DHCP server to provide multiple logical subnet addresses to DHCP
clients on a single physical network. You create superscopes with the New Superscope
command, which triggers the New Superscope Wizard.

You can create a superscope only after you define at least one scope on the server (this
prevents you from creating an empty superscope). Windows Server 2008 permits you to
select which existing scopes will be moved to the superscope. You can create additional
scopes within the superscope afterwards.

Note: You can have only one superscope per server.

Creating a Superscope

The following steps take you through the process of creating a superscope:
1. Open the DHCP snap-in by selecting Start > Administrative Tools > DHCP.
2. Create two scopes: one for 172.16.0.0 through 172.16.255.255 and one for 172.17.0.0
through 172.17.255.255.
3. Right-click IPv4, and choose the New Superscope.
The New Superscope Wizard appears. Click Next.
4. On the Superscope Name page, name your superscope, and click Next.
5. The Select Scopes page appears, listing all scopes on the current server.
Select the two scopes you created in step 2, and then click the Next button.
6. The wizard’s summary page appears; click the Finish button to create your scope.
7. Verify that your new superscope appears in the DHCP snap-in.
Finally, activate the superscope.

Creating IPv4 Multicast Scopes

Multicasting occurs when one machine communicates with a network of subscribed computers
rather than specifically addressing each computer on the destination network. It’s much
more efficient to multicast a video or audio stream to multiple destinations than it is to
unicast it to the same number of clients. MADCAP is the protocol that controls multicast
address assignment.

Creating a New Multicast Scope

1. Open the DHCP snap-in by selecting Start > Administrative Tools > DHCP.
2. Right-click IPv4, and choose New Multicast Scope.
The New Multicast Scope Wizard appears. Click Next on the welcome page.
3. In the Multicast Scope Name page, name your multicast scope (and add a description).
Click Next.
4. The IP Address Range page appears. Enter a start IP address of 224.0.0.0 and an end IP
address of 224.255.0.0. Adjust the TTL to 1 to make sure that no multicast packets escape
your local network segment. Click Next.
5. The Add Exclusions page appears; click its Next button.
6. The Lease Duration page appears. Since multicast addresses are used for video and
audio, you’d ordinarily leave multicast scope assignments in place somewhat longer than
you would with a regular unicast scope, so the default lease length is 30 days
(instead of 8 days for a unicast scope). Click the Next button.

7. The wizard asks you whether you want to activate the scope now. Click the No radio
button and then Next.

8. The wizard’s summary page appears; click the Finish button to create your scope.
9. Verify that your new multicast scope appears in the DHCP snap-in.

Setting Multicast Scope Properties


Once you create a multicast scope, you can adjust its properties by right-clicking the scope
name and selecting Properties.
The Multicast Scope Properties dialog box has two tabs. The General tab allows you to
change the scope’s name, its start and end address, its Time to Live (TTL) value, its lease
duration, and its description—in essence, all the settings you provided when you created it in
the first place.
The Lifetime tab allows you to limit how long your multicast scope will be active. By default, a
newly created multicast scope will live forever, but if you’re creating a scope to provide
MADCAP assignments for a single event (or a set of events of limited duration), you can
specify an expiration time for the scope. When that time is reached, the scope disappears
from the server, but not before making all its clients give up their multicast address leases.
This is a nice way to make sure the lease cleans up after itself when you’re done with it.
Configuring DHCP for DNS Integration

Integrating Dynamic DNS and IPv4 DHCP

One of the keys to effectively implementing an Active Directory environment is the capability
for Windows 2000 and Windows XP workstations using DHCP to be automatically registered
in DNS.

DHCP integration with Dynamic DNS is a simple concept but powerful in action. By setting
up this integration, you can pass addresses to DHCP clients while still maintaining the
integrity of your DNS services.
The DNS server can be updated in two ways:

- The DHCP client tells the DNS server what its address is.
- The DHCP server tells the DNS server when it registers a new client.

However, neither of these updates will take place unless you configure the DNS server to
use Dynamic DNS.

You can make this change in two ways:

- If you change it at the scope level, it will apply only to the scope.
- If you change it at the server level, it will apply to all scopes and superscopes served by
the server.

Which of these options you choose depends on how widely you want to support Dynamic
DNS; most of the sites we visit have enabled DNS updates at the server level.

To update the settings, right-click on the IPv4 scope or server and click Properties.

The DNS tab of the Properties dialog box includes the following options:

Enable DNS Dynamic Updates According to the Settings Below
This check box controls whether this DHCP server will attempt to register lease information
with a DNS server. It must be checked to enable Dynamic DNS.

Dynamically Update DNS A and PTR Records Only If Requested by the DHCP Clients
This radio button (which is on by default) tells the DHCP server to register the update only
if the DHCP client asks for DNS registration. When this button is active, DHCP clients that
aren’t hip to DDNS won’t have their DNS records updated. However, Windows 2000, XP,
Vista, Server 2003, and Server 2008 DHCP clients are smart enough to ask for the updates.

Always Dynamically Update DNS A and PTR Records
This radio button forces the DHCP server to register any client to which it issues a lease.
This setting may add DNS registrations for DHCP-enabled devices that don’t really need
them, such as print servers; however, it allows other clients (such as Mac OS, Windows NT,
and Linux machines) to have their DNS information automatically updated.

Discard A and PTR Records When Lease Is Deleted
This check box has a long name but a simple function. When a DHCP lease expires, what
should happen to the DNS registration?
Obviously, it would be nice if the DNS record associated with a lease vanished when the
lease expired; when this check box is checked (as it is by default), that’s exactly what
happens. If you uncheck this box, your DNS will contain entries for expired leases that are
no longer valid; when a particular IP address is reissued on a new lease, the DNS will be
updated, but in between leases you’ll have incorrect data in your DNS—something that’s
always best to avoid.

Dynamically Update DNS A and PTR Records for DHCP Clients That Do Not Request
Updates (e.g. NT)
This check box lets you handle these older clients gracefully by making the updates using
a separate mechanism.

Choose your settings, then click on the Advanced tab and click the Credentials button.

Enter appropriate administrative credentials. If you are using secure dynamic updates,
consider configuring a dedicated network user account for dynamic updating. You can enter
the account credentials by switching to the Advanced tab. Enter the domain user account
name, domain, and password.

DDNS updates and domain controllers: To perform DDNS updates, you should not
configure the DHCP service on a computer that is also a domain controller. If a DHCP server
exists on a domain controller, the DHCP server has full control over all DNS objects stored in
Active Directory because the account under which it is running (the domain controller
computer account) has this privilege. This creates a security risk that should be avoided.
You should not install the DHCP server service that is configured to perform DDNS updates
on a domain controller; instead, you should install it on a member server if you're performing
DDNS updates.

As an alternative, you can use a new feature in Windows Server 2003 DHCP. This feature
enables you to create a dedicated domain user account that all DHCP servers will use when
performing DDNS updates.

Secure Dynamic Updates and the DnsUpdateProxy group

When only secure dynamic updates are allowed in a zone, only the owner of a record (the
PC that originally registered the record) can update that record.

This causes problems in situations where a DHCP server is being used to register host (A)
resource records on behalf of clients that cannot perform dynamic updates, as the DHCP
server becomes the owner of the record.

To avoid this problem, add DHCP servers that register records on behalf of other computers
to the DnsUpdateProxy security group. Members of this group are prevented from recording
ownership on the resource records they update in DNS; this loosens security for these
records until they can be registered by the real owner.

You have multiple DHCP servers on your network, some of which are configured to register
DNS records on behalf of pre-W2K clients. You have configured DNS to allow only secure
updates. However you find that some DNS records are not being updated properly.

To resolve this problem, add the DHCP servers to the DnsUpdateProxy built-in security
group.

Using Multiple DHCP Servers


DHCP can become a single point of failure within a network if there is only one DHCP
server.
If that server becomes unavailable, clients will not be able to obtain new leases or renew
existing leases. For this reason, it is recommended that you have more than one DHCP
server in the network. However, more than one DHCP server can create problems if they
both are configured to use the same scope or set of addresses. Microsoft recommends the
80/20 rule for redundancy of DHCP services in a network.
Implementing the 80/20 rule calls for one DHCP server to make approximately 80% of the
addresses for a given subnet available through DHCP while another server makes the
remaining 20% of the addresses available. For example, with a /24 network of 254
addresses, say 192.168.1.1 to 192.168.1.254, you might have Server 1 offer 192.168.1.10
to 192.168.1.210 while Server 2 offers 192.168.1.211 to 192.168.1.254.
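To make the rule concrete, an added Python example (not part of this guide) that plans an 80/20 split for a subnet and checks any two servers' ranges, including the guide's own 192.168.1.x example, for the overlap that lets both servers offer the same address; the function names and the default share value are my own.

```python
"""Plan and check an 80/20 split of one subnet's pool across two DHCP servers.

Added illustration, not from the guide. plan_split() derives the two ranges the
guide's rule calls for; split_problems() reports ranges that overlap (so both
servers could offer the same address), leave the subnet, or include the network
or broadcast address; shares() shows how close a given split is to 80/20.
"""
from ipaddress import IPv4Address, IPv4Network


def plan_split(network, first_usable, primary_share=0.8):
    """Return ((primary_start, primary_end), (secondary_start, secondary_end)) as strings.

    The pool runs from first_usable to the subnet's last host address; the primary
    server gets the first primary_share of it and the secondary server the rest.
    """
    net = IPv4Network(network)
    first = IPv4Address(first_usable)
    last = net[-2]                      # last host address; net[-1] is the broadcast
    if first not in net or first > last:
        raise ValueError("first_usable must be a host address inside the subnet")
    total = int(last) - int(first) + 1
    primary = round(total * primary_share)
    if not 0 < primary < total:
        raise ValueError("share would leave one server with no addresses")
    primary_end = first + (primary - 1)
    return (str(first), str(primary_end)), (str(primary_end + 1), str(last))


def split_problems(network, primary_range, secondary_range):
    """Return a list of problems with two servers' ranges for the same subnet."""
    net = IPv4Network(network)
    ranges = {"primary": tuple(IPv4Address(x) for x in primary_range),
              "secondary": tuple(IPv4Address(x) for x in secondary_range)}
    problems = []
    for name, (lo, hi) in ranges.items():
        if lo > hi:
            problems.append(f"{name} range {lo}-{hi} is reversed")
        if lo not in net or hi not in net:
            problems.append(f"{name} range {lo}-{hi} is not inside {net}")
        if lo == net[0] or hi == net[-1]:
            problems.append(f"{name} range {lo}-{hi} includes the network or broadcast address")
    (a_lo, a_hi), (b_lo, b_hi) = ranges["primary"], ranges["secondary"]
    if a_lo <= b_hi and b_lo <= a_hi:
        problems.append(f"ranges overlap on {max(a_lo, b_lo)}-{min(a_hi, b_hi)}: "
                        "both servers could offer those addresses")
    return problems


def shares(primary_range, secondary_range):
    """Return (primary_fraction, secondary_fraction) of the combined pool."""
    sizes = [int(IPv4Address(hi)) - int(IPv4Address(lo)) + 1
             for lo, hi in (primary_range, secondary_range)]
    total = sum(sizes)
    return sizes[0] / total, sizes[1] / total


def main():
    # The guide's example: Server 1 offers .10-.210, Server 2 offers .211-.254.
    guide = (("192.168.1.10", "192.168.1.210"), ("192.168.1.211", "192.168.1.254"))
    print("guide example problems:", split_problems("192.168.1.0/24", *guide))
    print("guide example shares:", shares(*guide))
    planned = plan_split("192.168.1.0/24", "192.168.1.10")
    print("planned 80/20 split:", planned)
    return planned


if __name__ == "__main__":
    main()
```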
