Managing Windows Server 2008 DHCP Server

Server Health

In Windows Server 2008 Server Manager, under Roles, click on the new DHCP Server entry.

You cannot manage the DHCP Server scopes and clients from here what you can do is to manage events, services, and resources are related to the DHCP Server installation. Thus, this is a good place to go to check the status of the DHCP Server.

Here you can Start and Stop the DHCP Service

To configure the DHCP Server and see what clients have obtained IP addresses, I need to go to the DHCP Server MMC.

DHCP Server MMC

Goto Start > Administrative Tools, and click on DHCP

Authorizing DHCP Servers

In a Windows Server domain all DHCP servers need to be authorized in Active Directory. 

This is Microsoft's new security initiative to eliminate rogue DHCP servers created by junior administrators.  Logon (or runas) a member of the Enterprise Admins group. 

If the DHCP server was not authorized during installation, invoke the DHCP console

Start -> All Programs -> Administrative Tools -> DHCP, right click on the DHCP to be authorized and select Authorize.

Select and right-click on the server node this will display a pop-up menu.

Click the Authorize option in the menu.

The green arrow will appear beside the IPv4 and IPv6 options indicating that the server is authorized now.

To achieve the same result from the command prompt, enter the following command:

netsh dhcp server serverID initiate auth

In the above command syntax, serverID is replaced by the IP address or full UNC name of system on which the DHCP server is installed.

Configuring Global DHCP Server Properties

Configure Additional Settings in DHCP

Although the DHCP Server role is functional when installation is complete, there are still some configurations you can to make to the DHCP server.

Highlight the DHCP server and select the Actions menu. Here you can configure

Add/Remove Bindings: This is useful if network cards were added, removed, or configured after the initial installation.Unauthorize: You can remove the authorization of the DHCP server in this directory.Backup: You can back up the configuration and the database.Restore: You can restore the configuration and the database.All Tasks: You can start, stop, pause, resume, or restart the DHCP Server role service.Properties: You can view or change the location of the DHCP database and backup files.

DHCP Scopes

The first thing we are going to configure on the server is a scope. You might be wondering what a scope is, so let’s start with that.

A scope is a range of addresses that are allowed to be handed out by the DHCP server. Generally speaking there is only one scope per subnet, but there are exceptions to that called Super Scopes.

Normal Scope - Allows A, B and C Class IP address ranges to be specified including subnet masks, exclusions and reservations. Each normal scope defined must exist within its own subnet.

Multicast Scope - Used to assign IP address ranges for Class D networks. Multicast scopes do not have subnet masks, reservation or other TCP/IP options. Multicast scope address ranges require that a Time To Live (TTL) value be specified (essentially the number of routers a packet can pass through on the way to its destination).

Superscope - Essentially a collection of scopes grouped together such that they can be enabled and disabled as a single entity.

Within the scope, you can also have Reservations and Exclusions which will do the following:

Reservations — You can setup certain IPs to be handed out for certain MAC addresses (a MAC address is the unique number for a network adapter). This is generally used for clients or devices that must always have the same IP but you still want to manage through DHCP Server for other options (DNS or Gateway for example)

Exclusions — An exclusion is either a single IP or range that you do not want managed by the DHCP server. You would do this for the IPs that you would assign statically to devices like Servers that should always have the same IP.

When you create a scope, you must select the range of IP addresses and you must specify the appropriate scope options to include. These options are what we were referring to above when we mentioned that you can assign other network information to your clients at the time they are given an IP address.

There are two types of scope options: Global and Scope.

Global options are propagated to all the scopes that you create on that DHCP server, while Scope options are only for the individual scope that you are working with.

For example, if you have different scopes for several different subnets and each subnet will have a different default gateway but will share the same DNS servers, you would want to set the DNS servers as a Global option while the default gateways would be set separately in each scope as a Scope option.

In windows 2008 you can configure either an IPv4 scope or an IPv6 scope

A scope includes the following:

A scope name. A range of addresses, e.g. 192.168.3.1 to 192.168.3.254. A subnet mask, e.g. 255.255.255.0 (for IPv4 scopes only). A value for lease duration, which determines how frequently clients will ask to renew

their IP address lease. Any DHCP options such as WINS and DNS server addresses or the address of the

default gateway for the subnet (for IPv4 scopes only). One or more reservations, which can be used to make sure that a client always

receives the same address. One or more exclusion ranges for addresses that you do not want the DHCP server

to use, e.g. 192.168.3.100 to 192.168.3.131.

To create a scope using the DHCP Manager console navigate to the IPv4 or IPv6 folder, right-click on it, and select New scope. The wizards for IPv4 and IPv6 are similar, but there are differences that you should note such as not specifying a subnet mask for IPv6 scopes.

Let’s configure an IPv6 Scope

Select and right-click the IPv6 node under the server option this will open a pop-up menu.

On the menu, click the New Scope option. This will open the New Scope Wizard.

On the Welcome page, click the Next button.

On the Scope Name page, provide name and description of the scope. Click the Next button.

On the Scope Prefix page, provide prefix value and preference value (if required).

Click Next

On the Add Exclusions page, add the address range that is required to be excluded.

Click Next

The Scope Lease page

Allows you to set how long a device gets to use an assigned IP address before it has to renew its lease. You can set two different lease durations.The section labeled Non Temporary Address (IANA) is the lease time for your more permanent hosts (such as printers and system towers). The one labeled Temporary Address (IATA) is for hosts that might disconnect at any time, such as laptops. click Next.

On the Completing the New Scope Wizard page, select the Yes radio button in Activate Scope Now section. Click the Finish button.

Now let’s configure an IPv4 Scope

Expand out the server and right click on IPv4, then left click on New Scope

The New Scope Wizard starts up, go ahead and click Next

Name your scope, enter a Description blank and click on Next

Now we are going to enter the IP range we are assigning to the scope click Next.

Exam Tip When a DHCP server uses a given scope to assign addresses to clients on the local network, the server itself needs to be assigned an address that is compatible with that scope!

For example, if a scope distributes addresses within the 192.168.1.0/24 range to the local network segment, the DHCP server interface facing that segment must be assigned a static address within the same 192.168.1.0/24 range.

Now we are going to setup an exclusion range by entering the Start IP address: as 192.168.10.200 and then in the End IP address: place 192.168.10.230.

After that click Add to place your exclusion range in place.

Once the exclude range is in place then click Next

The Lease Duration window is now up and we are going to change this to 20 days. You of course should change this to suit your environment, if you have a lot of mobile users you will want to do shorter lease duration, as you will want IPs to free up quicker as the users come and go. After you set your lease time click Next

The wizard will now ask if you want to configure DHCP options. There are quite a few options you can send to the DHCP clients, but there are a couple of major ones that make life simple, so select Yes, I want to configure these options now and then click Next

The first option to configure is Router (Default Gateway), we will put in the Router gateway for this subnet 192.168.10.1, click Add and then click Next.

Now we will setup the DNS Server.

Add the IP addresses of the DNS servers to be used by the DHCP clients. DNS servers do not have to be on the same subnet, the clients will attempt to contact the servers in the order that they appear in this list. If you have a DNS server on the local subnet then put that top.

If you need WINS Servers then place the information on this next screen and click on Next

The next screen asks you if you want to activate the scope. I am going to go ahead and select Yes, then Next

You have successfully completed the New Scope wizard! Click Finish

That’s it, you should now see your scope in DHCP Manager

To create a new DHCP scope the command syntax is

netsh dhcp server \\servername scope subnetID add iprange startIP endIP

For example, to create a scope on subnet 192.168.2.0 ranging from 192.168.2.1 through 192.168.2.100:

netsh dhcp server \\winserver-1 scope 192.168.2.0 add iprange 192.168.2.1 192.168.2.100

Changed the current scope context to 192.168.2.0 scope.

Command completed successfully.

Besides the scope options, you can configure and manage the following options:

The Address Pool here you can add exclusion ranges for IP addresses.

By adding exclusions, you ensure that machines never receive a DHCP lease for that range of IP addresses. This is very useful to block IP addresses for your servers and routers.

Address Leases to see what clients have obtained IP addresses (active leases) the expiration date, and the status of NAP.

Reservations

A reservation guarantees the same IP address to a client when DHCP renews its lease with the client machine using their MAC address as the identifier.

Go into DHCP Manager and expand the scope out, then right click on Reservations and left click on New Reservation…

Enter a name for the reservation followed by the IP address from the currently selected scope which is to be reserved for the client together with the MAC address of the client. Finally specify whether the reservation is to be made for BOOTP or DHCP clients, or both. Once the information has been entered click the Add button. When all reservations have been entered click Close.

To add a reservation using netsh the following syntax is used:

netsh dhcp server \\servername scope subnetID add reservedip IPaddress MacAddress ReservationName Comment

For example the following command reserves an IP address for a specific MAC address (note that the MAC address must be entered without any delimiters):

C:\Users\Administrator>netsh dhcp server \\winserver-2 scope 192.168.2.0 add reservedip192.168.2.12 0013720B1457 "CEO Printer" "Printer in Exec Suite"

Changed the current scope context to 192.168.2.0 scope.

Command completed successfully.

Reservations cannot be used interchangeably with manual (static) configurations.

DNS or DHCP servers, require their IP addresses to be configured manually and not automatically using DHCP. Reservations are not a valid alternative to static configurations.

You can use a reservation when you want to assign a specific address to a non-essential computer. Through this method, you can dedicate an address while still enjoying the other benefits of DHCP, including centralized management, address conflict prevention, and scope option assignment. For example, you might find that a print server’s specific IP address configuration is more easily managed through a centrally configured reservation, which is continually renewed, than through a manual configuration locally at the server.

Remember reservations can be made only to DHCP clients. In other words, a DHCP server can lease a reservation only to clients that have been configured to obtain an IP address automatically.

Exam Tip Look out for questions where an address is simultaneously reserved and excluded. In such cases, the reservation can’t work!

Scope Options

To configure Router (default gateway), DNS Servers and DNS Domain Name options

Scope OptionsIf you want a particular option value assigned only to those clients in a certain subnet, youshould assign it as a scope option. For example, it’s common to specify different routers fordifferent physical subnets; if you have two scopes corresponding to different subnets, eachscope would probably have a separate value for the router option.

You can assign options that apply to all scopes (server options) or Clients within a scope (scope options).

Some assigned options are DNS servers, routers, time servers, mail servers, and so on.

Sever Options

Server options are assigned to all scopes and clients of a particular server if there’s a setting you want all clients of a DHCP server to have, no matter what scope they’re in.

Understanding Option Assignment

You control which DHCP options are doled out to clients in five (slightly overlapping) ways.

Predefined OptionsPredefined options are templates that are available in the Server, Scope, or Client Options

Class OptionsYou can assign different options to clients of different types. For example, Windows 2000,XP, Vista, Server 2003, and Server 2008 machines recognize a number of DHCP options that Windows 98, NT, and Mac OS machines ignore, and vice versa. By defining a Windows 2000 or newer class (using the ipconfig /setclassid cmd on the client pc sets a new class ID for the client) you could assign options only to machines that report themselves as being in that class.

Note that you need to renew the client lease for the class assignment to take effect.

Client OptionsIf a client is using DHCP reservations, you can assign certain options to that specific client.You attach client options to a particular reservation. Client options override scope, server, and class options. The only way to override a client option is to manually configure the client. The DHCP server manages client options.

Note: Client options override Class options, Class options override Scope options, and Scope options override Server options.

To configure options for a scope (after completing the New Scope Wizard),

Select the Scope Options folder in the DHCP console tree, and then from the Action or shortcut menu, select Configure Options

The Advanced tab allows you to specify additional server options to be applied for members of select user or vendor classes only.

Options assigned at this level are only provided to clients identified as members of the classes specified at this tab.

Configuring User Class Options1. Open the DHCP snap-in by selecting Start > Administrative Tools > DHCP.2. Right-click the IPv4 item, and select Define User Classes.

3. Click the Add button in the DHCP User Classes dialog box.4. In the New Class dialog box, enter a descriptive name for the class in the Display Name. Enter a class ID in the ID field. (Typically, you will enter the class ID in the ASCII portion of the ID field.), click OK.5. The new class appears in the DHCP User Classes dialog box. Click Close to return to the DHCP snap-in.6. Right-click the Scope Options node, and select Configure Options.7. Click the Advanced tab. Select the class you defined in step 4 from the User Class menu.8. Configure the options you want to set for the class. Click OK when you are done. Notice that the options you configured (and the class they are associated with) appear in theright pane of the DHCP window.

About the Default Routing and Remote Access Predefined User ClassWindows Server 2008 includes a predefined user class called the Default Routing and Remote Access class. This class includes options important to clients connecting to Routing and Remote Access, notably the 051 Lease option.Be sure to know that the 051 Lease option is included within this class and is used to assign a shorter lease duration for clients connecting to Routing and Remote Access.

Scope Properties (IPv4 and IPv6)Each scope has a set of properties associated with it. Except for the set of options assigned by the scope, you can find these properties on the General tab of the scope’s Properties dialog box. Right click Scope and choose Properties

Some of these properties, such as the scope name and description, are self-explanatory. Others require a little more explanation:The Start IP Address and End IP Address fields allow you to set the range of the scope.

For IPv4 scopes, the settings in the section Lease Duration For DHCP Clients control howlong leases in this scope are valid.The IPv6 scope dialog box includes a Lease tab where you set the lease properties.

Server Properties

Just as each scope has its own set of properties, so too does the server itself. You access the server properties right-clicking the IPv4 or IPv6 object within the DHCP management console and selecting Properties.IPv4 and IPv6 Server’s Properties General tab

Auditing the DHCP database on your DHCP servers lets you determine which DHCP clients on your network are leasing addresses from your server. Auditing also lets you look for BAD_ADDRESS entries in the database and see where they originate, and this is important because such entries can indicate address conflicts arising when rogue DHCP servers assign addresses that are already in use.

The Advanced tab allows you to configure Database path for the audit file pathConnection bindingsRegistration credentials for dynamic DNS. The registration credential is the user account that DHCP will use to register clients with Active Directory.

Additionally the IPv4 Advanced tab, contains the

Conflict Detection Attempts specifies how many ICMP echo requests (pings) the server sends for an address it is about to offer. The default is 0.

IPv4 The Network Access Protection tab allows you to set up Network Access Protection (NAP). With NAP, an administrator can

Carry out computer health policy validation which can help protect a network against the spread of viruses, worms, and malicious software (malware)Ensure ongoing compliance with health policies.Optionally restrict the access of pc’s that do not meet with the computer health requirements.

In the IPv6 properties page, there is no Network Access Protection tab because security is built in to the protocol. On the Advanced tab, there are no conflict detection settings because IPv6 by design does not experience conflict errors.

Creating a Superscope for IPv4

A superscope allows the DHCP server to provide multiple logical subnet addresses to DHCP clients on a single physical network. You create superscopes with the New Superscope command, which triggers the New Superscope Wizard.

You can create a superscope only after you define at least one scope on the server (this prevents you from creating an empty superscope). Windows Server 2008 permits you to select which existing scopes will be moved to the superscope. You can create additional scopes within the superscope afterwards.Note You can have only one superscope per server.

Creating a Superscope

The following steps take you through the process of creating a superscope:1. Open the DHCP snap-in by selecting Start > Administrative Tools > DHCP.2. Create two scopes: one for 172.16.0.0 through 172.16.255.255 and one for 172.17.0.0 through 172.17.255.255.3. Right-click IPv4, and choose the New Superscope. The New Superscope Wizard appears. Click Next.4. On the Superscope Name page, name your superscope, and click Next.5. The Select Scopes page appears, listing all scopes on the current server. Select the two scopes you created in step 2, and then click the Next button.6. The wizard’s summary page appears; click the Finish button to create your scope.7. Verify that your new superscope appears in the DHCP snap-in.

Finally Activate the Superscope

Creating IPv4 Multicast Scopes

Multicasting occurs when one machine communicates to a network of subscribed computersrather than specifically addressing each computer on the destination network. It’s much more efficient to multicast a video or audio stream to multiple destinations than it is to unicast it to the same number of clients, MADCAP, is the protocol that controls multicasting.

Creating a New Multicast Scope

1. Open the DHCP snap-in by selecting Start > Administrative Tools > DHCP.2. Right-click IPv4, and choose New Multicast Scope. The New Multicast Scope Wizard appears. Click Next on the welcome page.3. In the Multicast Scope Name page, name your multicast scope (and add a description). Click Next.4. The IP Address Range page appears. Enter a start IP address of 224.0.0.0 and an end IPaddress of 224.255.0.0. Adjust the TTL to 1 to make sure that no multicast packets escapeyour local network segment. Click Next.

5. The Add Exclusions page appears; click its Next button.6. The Lease Duration page appears. Since multicast addresses are used for video andaudio, you’d ordinarily leave multicast scope assignments in place somewhat longer than you would with a regular unicast scope, so the default lease length is 30 days(instead of 8 days for a unicast scope). Click the Next button.

7. The wizard asks you whether you want to activate the scope now. Click the No radio button and then Next.

8. The wizard’s summary page appears; click the Finish button to create your scope.9. Verify that your new multicast scope appears in the DHCP snap-in.

Setting Multicast Scope PropertiesOnce you create a multicast scope, you can adjust its properties by right-clicking the scope name and selecting Properties.The Multicast Scope Properties dialog box has two tabs. The General tab allows you to change the scope’s name, its start and end address, its Time to Live (TTL) value, its lease duration, and its description—in essence, all the settings you provided when you created it in the first place.

The Lifetime tab allows you to limit how long your multicast scope will be active. By default, a newly created multicast scope will live forever, but if you’re creating a scope to provide MADCAP assignments for a single event (or a set of events of limited duration), you can specify an expiration time for the scope. When that time is reached, the scope disappears from the server, but not before making all its clients give up their multicast address leases. This is a nice way to make sure the lease cleans up after itself when you’re done with it.

Configuring DHCP for DNS Integration Integrating Dynamic DNS and IPv4 DHCP

One of the keys to effectively implementing an Active Directory environment is the capability for Windows 2000 and Windows XP workstations using DHCP to be automatically registered in DNS.

DHCP integration with Dynamic DNS is a simple concept but powerful in action. By setting up this integration, you can pass addresses to DHCP clients while still maintaining the integrity of your DNS services.The DNS server can be updated in two ways.

One way is for the DHCP client to tell the DNS server what its address is. Another is for the DHCP server to tell the DNS server when it registers a new client.

However, neither of these updates will take place unless you configure the DNS server touse Dynamic DNS.

You can make this change in two ways:If you change it at the scope level, it will apply only to the scope.If you change it at the server level, it will apply to all scopes and superscopes served by theserver.

Which of these options you choose depends on how widely you want to support DynamicDNS; most of the sites we visit have enabled DNS updates at the server level.

To update the settings, Right mouse click on the IPv4 scope or server and click properties.

The DNS tab of theProperties dialog box includes the following options:

Enable DNS Dynamic Updates According to the settings below This check box controls whether this DHCP server will attempt to register lease information with a DNS server. It must be checked to enable Dynamic DNS.

Dynamically Update DNS A and PTR Records Only If Requested by the DHCP ClientsThis radio button (which is on by default) tells the DHCP server to register the update onlyif the DHCP client asks for DNS registration. When this button is active, DHCP clients thataren’t hip to DDNS won’t have their DNS records updated. However, Windows 2000, XP,Vista, Server 2003, and Server 2008 DHCP clients are smart enough to ask for the updates.

Always Dynamically Update DNS A and PTR Records This radio button forces the DHCP server to register any client to which it issues a lease. This setting may add DNS registrations for DHCP-enabled devices that don’t really need them, such as print servers; however, it allows other clients (such as Mac OS, Windows NT, and Linux machines) to have their DNS information automatically updated.

Discard A and PTR Records When Lease Is Deleted This check box has a long name but a simple function. When a DHCP lease expires, what should happen to the DNS registration?Obviously, it would be nice if the DNS record associated with a lease vanished when the lease expired; when this check box is checked (as it is by default), that’s exactly what happens. If you uncheck this box, your DNS will contain entries for expired leases that are no longer valid; when a particular IP address is reissued on a new lease, the DNS will be updated, but in between leases you’ll have incorrect data in your DNS—something that’s always best to avoid.

Dynamically Update DNS A and PTR Records for DHCP Clients that do not requestupdates (eg NT) This check box lets you handle these older clients graciously by making the updates using a separate mechanism.

Choose your settings then click on the Advanced tab and click on that "credentials" button.

Enter appropriate administrative credentials

If you are using secure dynamic updates, consider configuring a dedicated network user account for dynamic updating. You can enter the account credentials by switching to the Advanced tab.Enter the domain user account name, domain, and password

DDNS updates and domain controllers To perform DDNS updates, you should not configure the DHCP service on a computer that is also a domain controller. If a DHCP server exists on a domain controller, the DHCP server has full control over all DNS objects stored in Active Directory because the account under which it is running (the domain controller computer account) has this privilege. This creates a security risk that should be avoided. You should not install the DHCP server service that is configured to perform DDNS updates on a domain controller; instead, you should install it on a member server if you're performing DDNS updates.

As an alternative, you can use a new feature in Windows Server 2003 DHCP. This feature enables you to create a dedicated domain user account that all DHCP servers will use when performing DDNS updates.

Secure Dynamic Updates and the DnsUpdateProxy group

When only secure dynamic updates are allowed in a zone only the owner of a record (The pc that originally registers the record) can update that record

This causes problems in situations where a DHCP server is being used to register host (A) resource records on behalf of clients that cannot perform dynamic updates as the DHCP server becomes the owner of the record.

To avoid this problem add to the DnsUpdateProxy security group DHCP servers that register records on behalf of other computers. Members of this group are prevented from recording ownership on the resource records they update in DNS this loosens security for these records until they can be registered by the real owner.

You have multiple DHCP servers on your network, some of which are configured to register DNS records on behalf of pre-W2K clients. You have configured DNS to allow only secure updates. However you find that some DNS records are not being updated properly.

To resolve this problem

Add the DHCP servers to the DnsUpdateProxy built-in security group

Using Multiple DHCP ServersDHCP can become a single point of failure within a network if there is only one DHCP server.If that server becomes unavailable, clients will not be able to obtain new leases or renew existing leases. For this reason, it is recommended that you have more than one DHCP server in the network. However, more than one DHCP server can create problems if they

both are configured to use the same scope or set of addresses. Microsoft recommends the 80/20 rule for redundancy of DHCP services in a network.Implementing the 80/20 rule calls for one DHCP server to make approximately 80% of the addresses for a given subnet available through DHCP while another server makes theremaining 20% of the addresses available. For example, with a /24 network of 254 addresses, say 192.168.1.1 to 192.168.1.254, you might have Server 1 offer 192.168.1.10to 192.168.1.210 while Server 2 offers 192.168.1.211 to 192.168.254.