- When there are no configured DHCP servers on the network and the network has multiple network segments.
- When you configure a computer as a DHCP server, you assign that computer a static IP address.
- When you configure computers as important network servers, such as domain controllers or DNS servers, you manually assign IP addresses to these computers.
DHCP is a service and protocol that runs on the Windows Server 2003 operating system. DHCP functions at the application layer of the TCP/IP protocol stack. One of the primary tasks of the protocol is to automatically assign IP addresses to DHCP clients. A server running the DHCP service is called a DHCP server. DHCP automates the configuration of TCP/IP clients because IP addressing is handled by the system rather than by hand. You can configure a server as a DHCP server so that it automatically assigns IP addresses to DHCP clients without manual intervention. IP addresses assigned by a DHCP server are regarded as dynamically assigned IP addresses. The DHCP server assigns IP addresses from a predetermined range of IP addresses, called a scope. The functions of the DHCP server are outlined below:
- Dynamically assign IP addresses to DHCP clients.
- Allocate the following TCP/IP configuration information to DHCP clients:
  - Domain Name System (DNS) server IP addresses
  - Windows Internet Naming Service (WINS) server IP addresses
You can increase the availability of DHCP servers by using the 80/20 Rule if you have two DHCP servers located on different subnets. The 80/20 Rule is applied as follows:
- Allocate 80 percent of the IP addresses to the DHCP server which resides on the local subnet.
- Allocate 20 percent of the IP addresses to the DHCP server on the remote subnet.
If the DHCP server that is allocated 80 percent of the IP addresses fails, the remote DHCP server takes over assigning IP addresses to the DHCP clients. Because the DHCP service is a very important service in a TCP/IP based network, the following implementations are strongly recommended.
- Small networks should have at least one DHCP server.
- Large networks should have multiple DHCP servers.
This implementation configuration enables the following benefits:
The framework for the DHCP protocol is defined in RFC 2131. The DHCP protocol stems from the Bootstrap Protocol (BOOTP). BOOTP enables clients to boot from the network instead of from the hard drive. The DHCP server has a predefined pool of IP addresses, from which it allocates IP addresses to DHCP clients. During the boot process, DHCP clients request IP addresses and obtain leases for IP addresses from the DHCP server. When the DHCP client boots on the network, a negotiation process called the DHCP lease process occurs between the DHCP server and the client. The negotiation process consists of four messages sent between the DHCP server and the DHCP client:
- Two messages from the client
- Two messages from the DHCP server
DHCP scopes
A scope can be defined as a set of IP addresses which the DHCP server can allocate or assign to DHCP clients. A scope contains specific configuration information for clients that have IP addresses within the particular scope. Scope information for each DHCP server is specific to that particular DHCP server only, and is not shared between DHCP servers. Scopes for DHCP servers are configured by administrators. A DHCP server has to have at least one scope, with the following properties:
- The specified range of IP addresses which are going to be leased to DHCP clients.
- The subnet mask.
- The DHCP scope options (DNS IP addresses, WINS IP addresses).
- The lease duration. The default of 8 days is suitable for small networks.
- Any reservations. A reservation ensures that a particular client always receives the same IP address and TCP/IP configuration information when it starts.
Therefore, when you start designing your DHCP strategy and are defining the scopes for your DHCP servers, you should clarify the following:
- The start and end addresses which define the range of addresses you want to utilize.
- The subnet mask of the particular subnet.
- The lease duration for IP addresses leased from your scopes.
- All other TCP/IP configuration information which you want assigned to DHCP clients.
- Those IP addresses that you want to reserve for clients.
- Whether any clients using statically assigned IP addresses need to be excluded from the address pool.
If you have multiple scopes, remember that clients can only obtain IP addresses from the subnet to which they belong. Clients cannot obtain IP addresses from scopes that are connected with different subnets. However, if your clients should be able to obtain IP addresses from other scopes, you can configure a superscope. A superscope is the grouping of scopes under one administrative entity that enables clients to obtain and renew IP addresses from any scope that is part of the superscope. Superscopes are typically created under the following circumstances:
- The existing scope's supply of IP addresses is being depleted.
- You want to use two DHCP servers on the same subnet. This is usually for providing redundancy.
- You need to move clients from one range of IP addresses to a different range of IP addresses.
3. The client sends the DHCP server a DHCP Request message. This message indicates that the client accepted the offer from the first DHCP server which responded to it. It also indicates that the client is requesting the particular IP address for lease. The client broadcasts the acceptance message so that all other DHCP servers that offered addresses can withdraw those addresses. The message contains the IP address of the DHCP server which the client has selected.
4. The DHCP server sends the client a DHCP Acknowledge message. The DHCP Acknowledge message completes the assignment of the IP address lease to the client.
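The four-message exchange described above, as an added example that is not part of the original page and not the Windows DHCP service's code: a minimal RFC 2131 message codec plus an in-memory server, showing how the broadcast Request (carrying the selected server's identifier in option 54 and the requested address in option 50) makes the chosen server acknowledge while every other server withdraws its offer. The server addresses, pool and client MAC are constructed sample values.

```python
import struct
import ipaddress

# Constructed example: not the Windows DHCP implementation. Only the options
# needed for the lease negotiation are handled.
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # the 236-byte fixed header of RFC 2131
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
TYPE_NAME = {DISCOVER: "DISCOVER", OFFER: "OFFER", REQUEST: "REQUEST", ACK: "ACK", NAK: "NAK"}
OPT_REQUESTED_IP, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID = 50, 51, 53, 54


def packed(ip):
    return ipaddress.IPv4Address(ip).packed


def build(op, xid, chaddr, msg_type, yiaddr="0.0.0.0", options=()):
    """Encode a DHCP message: fixed header, magic cookie, TLV options, end marker."""
    header = struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, packed(yiaddr), b"\0" * 4, b"\0" * 4,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in options:
        opts += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + opts + b"\xff"


def parse(pkt):
    """Decode the header fields this example needs plus the option list."""
    f = struct.unpack(HEADER_FMT, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:                 # pad option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "chaddr": f[11][:f[2]], "options": opts}


class DhcpServer:
    """One DHCP server with a small pool; tracks outstanding offers and leases."""

    def __init__(self, server_ip, pool):
        self.ip, self.free, self.offered, self.leased = server_ip, list(pool), {}, {}

    def handle(self, pkt):
        msg = parse(pkt)
        mtype, mac, xid = msg["options"][OPT_MSG_TYPE][0], msg["chaddr"], msg["xid"]
        server_id = [(OPT_SERVER_ID, packed(self.ip))]
        if mtype == DISCOVER:                       # message 1 -> message 2 (Offer)
            if not self.free:
                return None
            self.offered[mac] = self.free.pop(0)
            return build(2, xid, mac, OFFER, self.offered[mac], server_id)
        if mtype == REQUEST:                        # message 3 -> message 4 (Ack/Nak)
            chosen = str(ipaddress.IPv4Address(msg["options"][OPT_SERVER_ID]))
            if chosen != self.ip:
                # The client selected another server: withdraw our offer so the
                # address returns to the pool.
                ip = self.offered.pop(mac, None)
                if ip:
                    self.free.insert(0, ip)
                return None
            wanted = str(ipaddress.IPv4Address(msg["options"][OPT_REQUESTED_IP]))
            if self.offered.get(mac) != wanted:
                return build(2, xid, mac, NAK, options=server_id)
            self.leased[mac] = self.offered.pop(mac)
            lease = [(OPT_LEASE_TIME, struct.pack("!I", 8 * 86400))]   # 8-day default lease
            return build(2, xid, mac, ACK, wanted, server_id + lease)
        return None


def run_lease(mac, servers, xid=0x3903F326):
    """Drive the exchange: every server on the segment sees every client broadcast."""
    discover = build(1, xid, mac, DISCOVER)
    offers = [o for o in (s.handle(discover) for s in servers) if o]
    first = parse(offers[0])                         # the client accepts the first Offer
    request = build(1, xid, mac, REQUEST, options=[
        (OPT_REQUESTED_IP, packed(first["yiaddr"])),
        (OPT_SERVER_ID, first["options"][OPT_SERVER_ID])])
    replies = [r for r in (s.handle(request) for s in servers) if r]
    ack = parse(replies[0])
    return {"offers": [parse(o)["yiaddr"] for o in offers],
            "reply": TYPE_NAME[ack["options"][OPT_MSG_TYPE][0]],
            "leased_ip": ack["yiaddr"],
            "server": str(ipaddress.IPv4Address(ack["options"][OPT_SERVER_ID]))}


def demo():
    """Two servers on one segment; only the selected one ends up holding the lease."""
    a = DhcpServer("10.0.0.1", ["10.0.0.100", "10.0.0.101"])   # constructed sample values
    b = DhcpServer("10.0.0.2", ["10.0.0.200"])
    result = run_lease(b"\x00\x11\x22\x33\x44\x55", [a, b])
    return result, a, b


if __name__ == "__main__":
    print(demo()[0])
```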
- The DHCP server can be configured never to register the IP addresses of DHCP clients when it assigns IP addresses to these clients.
- The DHCP server can be configured to always register the IP addresses of clients when they receive IP addresses from the DHCP server.
- The default option results in the DHCP server registering the IP addresses of clients with the authoritative DNS server, based on the client's request for an IP address.
- DHCP is included with Windows Server 2003: implementing DHCP requires no additional costs.
- Centralized, simpler management of IP addressing: you can manage IP addressing from a central location. DHCP also provides for the simple deployment of other configuration options, such as the default gateway and DNS suffix.
- Because the system assigns IP addresses, there are fewer incorrectly configured IP addresses. This is mainly because IP configuration information is entered at one location and the server distributes this information to clients.
- Duplicate IP addresses are prevented.
- IP addresses are also preserved: DHCP servers only allocate IP addresses to clients when they request them.
- The DHCP service of Windows Server 2003 can assign IP addresses to both individual hosts and multicast groups. Multicast groups are used when communication occurs with server clusters.
- The Windows Server 2003 DHCP service supports clustering. This enables you to set up highly available DHCP servers.
- In Windows Server 2003, DHCP integrates with Dynamic DNS (DDNS). This facilitates dynamic IP address management because the DHCP server registers the client computer's address (A) records and pointer (PTR) records in the DNS database when the client obtains an IP address.
- You can monitor the pool of available IP addresses, and also be notified when the IP address pool reaches a certain threshold.
- Through authorizing DHCP servers in Active Directory, you can restrict your DHCP servers to only those that are authorized. Active Directory also allows you to specify those clients that the DHCP server can allocate addresses to.
- Dynamic IP addressing through DHCP easily scales from small to large networking environments.
- The DHCP server can be a single point of failure in networking environments that only have one DHCP server.
- If your network has multiple segments, you have to perform one of the following additional configurations:
  - Place a DHCP server on each segment.
  - Place a DHCP relay agent on each segment.
  - Configure routers to forward Bootstrap Protocol (BOOTP) broadcasts.
- All incorrectly defined configuration information will automatically be propagated to your DHCP clients.
- There are a few DHCP client implementations that do not function correctly with a Windows Server 2003 DHCP server.
- Determine the number of hosts on your network.
- Determine the number of subnets that DHCP will be supporting.
- Determine the location of your routers.
- Determine the transmission speed between your network segments.
- Determine whether Dynamic DNS (DDNS) will be used.
- Determine the number of clients that DHCP will be allocating IP addresses to.
- Determine the location of these clients.
- Identify those clients, if any, which might not be able to use DHCP for IP address allocation.
- Identify clients which will be using BOOTP.
- Identify the WAN links whose failure could prevent clients from accessing the DHCP server.
- Define the dedicated or reserved IP addresses that should be excluded from the DHCP address pool range.
It is recommended to implement at least two DHCP servers to provide redundancy. Having two different DHCP servers ensures a highly available DHCP infrastructure because it can prevent the issues which arise when a network link fails. If your network has multiple segments, you have to perform one of the following:
- Place a DHCP server on each segment.
- Place a DHCP relay agent on each segment.
- Configure your routers to forward Bootstrap Protocol (BOOTP) broadcasts.
The failover methods which you should consider implementing when you design a DHCP implementation are:
- Deploy a standby DHCP server: In this failover method, the standby DHCP server is configured with the same scope as the primary DHCP server. The standby DHCP server is only brought online when the
- Deploy a clustered server: Implementing a clustered server provides failover capabilities.
- Split the scopes: You can split the scopes of your DHCP servers when they are placed on different subnets. This provides failover when a DHCP server fails or when a subnet fails. When splitting the scopes, bear in mind that you do not need to split the scopes in equal proportions. It is recommended to place the larger portion of the scope on the DHCP server that actually serves the local subnet.
- Network topology
- Server hardware: server hardware influences the number of DHCP clients which the DHCP server is capable of servicing, and also affects the performance of your DHCP servers.
- Network configuration
- Routing configuration
- Availability requirements of the DHCP servers
- The number of clients which the DHCP servers are going to service
In a routed network, you would need DHCP relay agents if you plan to implement only one DHCP server. The systems that can use the DHCP Relay Agent are: Windows NT Server, Windows 2000 Server, and Windows Server 2003. It is recommended to place the DHCP server on the subnet that has the majority of hosts.
- Multiple CPUs
If you are implementing multiple DHCP servers, place DHCP servers on all subnets which are connected via slow, unstable WAN links. This in turn prevents DHCP messages from being transmitted over the WAN.
- Non-Microsoft DHCP clients: These clients may need support for certain DHCP features. Non-Microsoft DHCP clients do not necessarily support vendor extensions.
- Non-DHCP clients: Clients that do not support DHCP must be manually assigned IP addresses.
- BOOTP clients: These are clients that do not support IP leases. BOOTP clients request IP addresses whenever they start.
- Because the number of IP addresses in a scope is limited, an unauthorized user could initiate a denial-of-service (DoS) attack by requesting and obtaining a large number of IP addresses.
- An unauthorized user could use a rogue DHCP server to offer incorrect IP addresses to your DHCP clients.
- A denial-of-service (DoS) attack can be launched by an unauthorized user that performs a large number of DNS dynamic updates via the DHCP server.
- Assigning DNS IP addresses and WINS IP addresses through the DHCP server increases the possibility of an unauthorized user using this information to attack your DNS and WINS servers.
- Implement firewalls.
- Close all open unused ports.
- If necessary, use VPN tunnels.
- You can use MAC address filters.
- Use 128-bit Wired Equivalent Privacy (WEP) encryption in wireless networks.
Plan your DHCP implementation strategy. You should identify all physical and logical subnets, and each router between your different subnets. If your routers can be configured to forward DHCP broadcasts, apply this configuration. You need to add a DHCP relay agent if your routers cannot be configured to forward DHCP broadcasts. It is recommended to size a DHCP server as follows:
- 10,000 or fewer clients for which to provide services.
- 1,000 or fewer scopes.
Improve the performance of your DHCP servers. This can be done by using the following:
- The DHCP service should not be running on a domain controller if it is going to update DNS records for legacy clients. You should place your DHCP servers and domain controllers on separate computers.
- Splitting the address range between two DHCP servers provides fault tolerance. Apply the 80/20 rule when you are creating scopes.
- All Windows NT 4 domain controllers should be upgraded to Windows Server 2003 before you deploy your DHCP servers.
If you have two DHCP servers and you are using reservations for clients, create the reservations on each DHCP server. This enables a client to obtain its IP address from either of the DHCP servers. If you are using Windows Server 2003 DHCP services, use the following DHCP-specific features:
- Secure Updates: This forces a computer to be authenticated in Active Directory before it can obtain an IP address from a DHCP server.
- Dynamic DNS (DDNS) services: The DHCP server can register IP addresses in DNS on behalf of clients.
- DHCP authorization: This ensures that a Windows 2000 DHCP server or Windows Server 2003 DHCP server has to be authorized in Active Directory in order for it to operate in your networking environment.
- An unauthorized user could start a denial-of-service (DoS) attack by requesting and obtaining a large number of IP addresses.
- A denial-of-service (DoS) attack can be launched by an unauthorized user that performs a large number of DNS dynamic updates through the DHCP server.
- An unauthorized user could use a rogue DHCP server to provide incorrect IP addresses to your DHCP clients.
- Assigning DNS IP addresses and WINS IP addresses through the DHCP server increases the likelihood of an unauthorized user accessing this information and then using it to attack your DNS servers and WINS servers.
As you can see, clients can obtain IP addresses and DNS and WINS server information from the DHCP server. To ensure that only authorized individuals or users connect to the DHCP server and obtain a DHCP lease, you should consider limiting physical access and wireless access to the network.
You should also consider configuring only the precise number of IP addresses required for each DHCP scope, to make it harder for attackers to obtain IP addresses. You can use the reservations feature to do this. The DHCP server can be a single point of failure in networking environments that only have one DHCP server. You can increase the availability of DHCP servers and protect your DNS servers from DoS attacks by deploying two DHCP servers, and then using the 80/20 Rule if the two DHCP servers are located on different subnets. The 80/20 Rule is applied as follows:
- Allocate 80 percent of the IP addresses to the DHCP server which resides on the local subnet.
- Allocate 20 percent of the IP addresses to the DHCP server on the remote subnet.
If the DHCP server that is allocated 80 percent of the IP addresses fails or is attacked, the other DHCP server is able to assign IP addresses to DHCP clients. With Windows Server 2003, the following built-in local groups have rights to manage DHCP servers:
- Enterprise Admins group: Group members have forest-wide administrative rights and have full control over the DHCP servers. Group members can also authorize DHCP servers in Active Directory.
- DHCP Administrators group: The DHCP Administrators group is created on each DHCP server. Group members can perform all DHCP-specific management tasks, including creating, activating and deleting scopes; creating reservations and configuring DHCP options; and backing up and restoring the DHCP server database hosted on your DHCP servers.
- DHCP Users group: The DHCP Users group is also created on each DHCP server. Group members can only view configuration information and statistical information on the DHCP server, check whether client connectivity issues exist because of the depletion of IP addresses, and check which scopes have been activated.
You should limit membership of the above-mentioned groups which include rights to change DHCP server settings. You should restrict membership of the Enterprise Admins group as far as possible. If you are running a Windows Server 2003 DHCP server, consider implementing the following measures to further enhance security for DHCP servers:
- DHCP authorization ensures that a Windows 2000 DHCP server or Windows Server 2003 DHCP server has to be authorized in Active Directory in order for it to operate in your networking environment.
- Secure Updates forces a computer to be authenticated in Active Directory before it can obtain an IP address from a DHCP server.
Basic Security Measures for DHCP Servers
Basic security measures for securing the DHCP server role are listed here:
- Physically secure your DHCP servers.
- The NTFS file system should be utilized to protect data on the system volume.
- Apply and maintain a strong virus protection solution.
- Software patches should be kept up to date.
- If applicable, only allow programs and software from trusted sources to be installed.
- All services and applications not being utilized on your DHCP servers should be removed or uninstalled.
- You should perform administrative tasks on the DHCP servers with the least amount of privilege required.
- Your DHCP servers should be located behind a firewall.
- Close all open unused ports.
- To further secure the DHCP server, you can use VPN tunnels to secure DHCP traffic.
- You can also use MAC address filters.
- You should monitor DHCP activity by reviewing DHCP logs and viewing statistical information on your DHCP servers.
Backing up and Restoring the DHCP Database
By backing up a DHCP server's DHCP database, you will be in a position to recover a lost or corrupted DHCP database. The full content of the DHCP database on a DHCP server is backed up when you back up the database. This includes DHCP leases, DHCP reservations, and all DHCP scope information and DHCP options. You can manually back up the DHCP database by using the DHCP management console, or you can schedule automatic backups of the DHCP database. To manually back up the DHCP database:
1. Click Start, Administrative Tools, and then click DHCP to open the DHCP management console.
2. Right-click the DHCP server that hosts the DHCP database that you want to back up, and select Backup from the shortcut menu.
3. When the Browse For Folder dialog box opens, select the folder to which the DHCP database should be backed up.
4. Click OK.
DHCP service and DHCP server, such as when the DHCP server started and stopped, when DHCP leases are close to being depleted, and when the DHCP database is corrupt. A few DHCP system event log IDs are listed below:
- Event ID 1037 (Information): Indicates that the DHCP server has begun to clean up the DHCP database.
- Event ID 1038 (Information): Indicates that the DHCP server cleaned up the DHCP database for unicast addresses.
- Event ID 1039 (Information): Indicates that the DHCP server cleaned up the DHCP database for multicast addresses.
- Event ID 1044 (Information): Indicates that the DHCP server has concluded that it is authorized to start, and is currently servicing DHCP client requests for IP addresses.
- Event ID 1042 (Warning): Indicates that the DHCP service running on the server has detected other DHCP servers on the network.
- Event ID 1056 (Warning): Indicates that the DHCP service has determined that it is running on a domain controller, and no credentials are configured for DDNS registrations.
- Event ID 1046 (Error): Indicates that the DHCP service running on the server has determined that it is not authorized to start servicing DHCP clients.
- The DHCP queue length
- Duplicate IP address discards
- DHCP server-side conflict attempts
To start System Monitor:
1. Click Start, Administrative Tools, and then click Performance.
2. When the Performance console opens, open System Monitor.
The DHCP performance counters that you can monitor to track DHCP traffic are:
- Acks/sec: indicates the rate at which DHCPACK messages are sent by the DHCP server.
- Active Queue Length: indicates how many packets are in the DHCP queue for processing by the DHCP server.
- Conflict Check Queue Length: indicates how many packets are in the DHCP queue that are waiting for conflict detection.
- Declines/sec: indicates the rate at which the DHCP server receives DHCPDECLINE messages.
- Discovers/sec: indicates the rate at which the DHCP server receives DHCPDISCOVER messages.
- Duplicates Dropped/sec: indicates the rate at which duplicated packets are being received by the DHCP server.
- Informs/sec: indicates the rate at which the DHCP server receives DHCPINFORM messages.
- Milliseconds per packet (Avg.): indicates the average time which the DHCP server takes to send a response.
- Nacks/sec: indicates the rate at which DHCPNACK messages are sent by the DHCP server.
- Packets Expired/sec: indicates the rate at which packets expire while waiting in the DHCP server queue.
- Packets Received/sec: indicates the rate at which the DHCP server is receiving packets.
- Releases/sec: indicates the rate at which DHCPRELEASE messages are received by the DHCP server.
- Requests/sec: indicates the rate at which DHCPREQUEST messages are received by the DHCP server.
- The Network Monitor version included with Windows Server 2003: With this version of Network Monitor, you can monitor network activity only on the local computer running Network Monitor.
- The Network Monitor version (full) included with Microsoft Systems Management Server (SMS): With this version, you can monitor network activity on all devices on a network segment. You can capture frames from a remote computer, resolve device names to MAC addresses, and determine the user and protocol that is consuming the most bandwidth.
Because of these features, you can use Network Monitor to monitor and troubleshoot DHCP lease traffic. You can use the Network Monitor version included in Windows Server 2003 to capture and analyze the traffic being received by the DHCP server. Before you can use Network Monitor to monitor DHCP lease traffic, you first have to install it. The Network Monitor driver is automatically installed when you install Network Monitor.
How to install Network Monitor
1. Click Start, and then click Control Panel.
2. Click Add Or Remove Programs to open the Add Or Remove Programs dialog box.
3. Click Add/Remove Windows Components.
4. Select Management and Monitoring Tools and click the Details button.
5. On the Management and Monitoring Tools dialog box, select the Network Monitor Tools checkbox and click OK.
6. Click Next when you are returned to the Windows Components Wizard.
7. If prompted during the installation process for additional files, place the Windows Server 2003 CD-ROM into the CD-ROM drive.
8. Click Finish on the Completing the Windows Components Wizard page.
Capture filters disregard frames that you do not want to capture before they are stored in the capture buffer. When you create a capture filter, you define settings that are used to detect the frames that you do want to capture. You can design capture filters in the Capture Window to only capture specific DHCP traffic, by selecting Filter from the Capture menu. You can also create a display filter after you have captured data. A display filter enables you to decide what is displayed.
How to start a capture of DHCP lease traffic in Network Monitor
1. Open Network Monitor.
2. Use the Tools menu to click Capture, and then click Start.
3. If you want to examine captured data during the capture, select Stop And View from the Capture menu.
- DHCP server events
- DHCP client events
- DHCP leasing
- DHCP rogue server detection events
- Active Directory authorization
The DHCP server log file format is described below. Each log file entry has the fields listed below, in this order:
- ID: The DHCP server event ID code. Event codes describe the activity which is being logged.
- Date: The date when the particular log file entry was logged on your DHCP server.
- Time: The time when the particular log file entry was logged on your DHCP server.
- Description: A description of the particular DHCP server event.
- IP Address: The IP address of the DHCP client.
- Host Name: The host name of the DHCP client.
- MAC Address: The MAC address used by the DHCP client's network adapter.
DHCP server log files use reserved event ID codes. These event ID codes describe the activities being logged. The log file itself only describes event ID codes lower than 50. A few common DHCP server log event ID codes are listed below:
- 00: indicates the log was started.
- 01: indicates the log was stopped.
- 02: indicates the log was temporarily paused due to low disk space.
- 10: indicates a new IP address was leased to a client.
- 11: indicates a lease was renewed by a client.
- 12: indicates a lease was released by a client.
- 13: indicates an IP address was detected to be in use on the network.
- 14: indicates a lease request could not be satisfied because the scope's address pool was exhausted.
- 15: indicates a lease was denied.
- 16: indicates a lease was deleted.
- 17: indicates a lease expired.
- 20: indicates a BOOTP address was leased to a client.
- 21: indicates a dynamic BOOTP address was leased to a client.
- 22: indicates a BOOTP request could not be satisfied because the address pool of the scope for BOOTP was exhausted.
- 23: indicates a BOOTP IP address was deleted after confirming it was not being used.
- 24: indicates an IP address cleanup operation has started.
- 25: indicates IP address cleanup statistics.
- 30: indicates a DNS update request.
- 31: indicates a DNS update failed.
- 32: indicates a DNS update was successful.
The following DHCP server log event ID codes are not described in the DHCP log file. These DHCP server log event ID codes relate to the DHCP server's Active Directory authorization status:
- 50 - Unreachable domain: The DHCP server could not locate the applicable domain for its Active Directory installation.
- 51 - Authorization succeeded: The DHCP server was authorized to start on the network.
- 52 - Upgraded to a Windows Server 2003 operating system: The DHCP server was recently upgraded to a Windows Server 2003 OS; therefore, the unauthorized DHCP server detection feature (used to determine whether the server has been authorized in Active Directory) was disabled.
- 53 - Cached authorization: The DHCP server was authorized to start using previously cached information. Active Directory was not visible at the time the server was started on the network.
- 54 - Authorization failed: The DHCP server was not authorized to start on the network. When this event occurs, it is likely followed by the server being stopped.
- 55 - Authorization (servicing): The DHCP server was successfully authorized to start on the network.
- 56 - Authorization failure: The DHCP server was not authorized to start on the network and was shut down by the Windows Server 2003 OS. You must first authorize the server in the directory before starting it again.
- 57 - Server found in domain: Another DHCP server exists and is authorized for service in the same Active Directory domain.
- 58 - Server could not find domain: The DHCP server could not locate the specified Active Directory domain.
- 59 - Network failure: A network-related failure prevented the server from determining whether it is authorized.
- 60 - No DC is DS enabled: No Active Directory DC was located. To detect whether the server is authorized, a domain controller that is enabled for Active Directory is needed.
- 61 - Server found that belongs to DS domain: Another DHCP server that belongs to the Active Directory domain was found on the network.
- 62 - Another server found: Another DHCP server was found on the network.
- 63 - Restarting rogue detection: The DHCP server is trying once more to determine whether it is authorized to start and provide service on the network.
- 64 - No DHCP enabled interfaces: The DHCP server has its service bindings or network connections configured so that it is not enabled to provide service.
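An added example of reviewing the audit log described above (example code, not from the page): it parses the seven-field entries and flags the patterns this page lists as risks, namely a burst of new leases to many distinct MAC addresses (address exhaustion), a full scope (ID 14), DNS dynamic update failures (ID 31), addresses found in use (ID 13, a hint of statically configured hosts or a competing DHCP server) and authorization failures (ID 54/56). The log lines are a constructed sample, not a real capture, and the burst threshold is an arbitrary starting value to tune for your environment.

```python
import csv
from collections import Counter
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample audit log in the ID,Date,Time,Description,IP Address,
# Host Name,MAC Address format; not a real capture.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,03/15/04,08:00:00,Started,,,
51,03/15/04,08:00:01,Authorization succeeded,,,
10,03/15/04,08:01:05,Assign,192.168.1.20,ws01.example.local,0011223344A0
11,03/15/04,08:01:40,Renew,192.168.1.21,ws02.example.local,0011223344A1
10,03/15/04,08:05:00,Assign,192.168.1.100,,02AABBCC0001
10,03/15/04,08:05:01,Assign,192.168.1.101,,02AABBCC0002
10,03/15/04,08:05:02,Assign,192.168.1.102,,02AABBCC0003
10,03/15/04,08:05:03,Assign,192.168.1.103,,02AABBCC0004
10,03/15/04,08:05:04,Assign,192.168.1.104,,02AABBCC0005
10,03/15/04,08:05:05,Assign,192.168.1.105,,02AABBCC0006
10,03/15/04,08:05:06,Assign,192.168.1.106,,02AABBCC0007
10,03/15/04,08:05:07,Assign,192.168.1.107,,02AABBCC0008
14,03/15/04,08:05:09,Scope Full,,,
31,03/15/04,08:05:10,DNS Update Failed,192.168.1.100,,02AABBCC0001
13,03/15/04,08:10:00,Conflict,192.168.1.30,,
"""

FIELDS = ("id", "date", "time", "description", "ip", "host", "mac")


def parse_audit_log(text):
    """Parse audit log lines into dicts; skips the header and malformed lines."""
    entries = []
    for row in csv.reader(StringIO(text)):
        if len(row) < 7 or not row[0].strip().isdigit():
            continue
        rec = dict(zip(FIELDS, (v.strip() for v in row[:7])))
        rec["id"] = int(rec["id"])
        rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%m/%d/%y %H:%M:%S")
        entries.append(rec)
    return sorted(entries, key=lambda r: r["when"])


def max_new_leases(entries, window=timedelta(seconds=60)):
    """Largest number of distinct MAC addresses granted a new lease (ID 10)
    inside any sliding window; a spike is the address-exhaustion pattern."""
    assigns = [e for e in entries if e["id"] == 10]
    best = 0
    for i, first in enumerate(assigns):
        macs = {e["mac"] for e in assigns[i:] if e["when"] - first["when"] <= window}
        best = max(best, len(macs))
    return best


def analyze(text, burst_threshold=5):
    """Return event counts plus a list of findings worth a closer look."""
    entries = parse_audit_log(text)
    counts = Counter(e["id"] for e in entries)
    burst = max_new_leases(entries)
    conflicts = [e["ip"] for e in entries if e["id"] == 13]
    findings = []
    if burst >= burst_threshold:
        findings.append(f"possible address exhaustion: {burst} new leases to distinct MACs within 60s")
    if counts[14]:
        findings.append(f"scope address pool exhausted {counts[14]} time(s) (ID 14)")
    if counts[31]:
        findings.append(f"{counts[31]} DNS dynamic update failure(s) (ID 31)")
    if conflicts:
        findings.append("addresses already in use on the network (ID 13), check for static "
                        "hosts or a competing DHCP server: " + ", ".join(conflicts))
    if counts[54] or counts[56]:
        findings.append("server not authorized in Active Directory (ID 54/56)")
    return {"counts": counts, "max_new_leases_per_minute": burst,
            "conflicts": conflicts, "findings": findings}


if __name__ == "__main__":
    for line in analyze(SAMPLE_LOG)["findings"]:
        print(line)
```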
How to change the DHCP log file location
1. Open the DHCP console.
2. Right-click the DHCP server node and select Properties from the shortcut menu.
3. The DHCP Server Properties dialog box opens.
4. Click the Advanced tab.
5. Change the audit log file location in the Audit Log File Path text box.
6. Click OK.
How to disable DHCP logging
1. Open the DHCP console.
2. Right-click the DHCP server node and select Properties from the shortcut menu.
3. The DHCP Server Properties dialog box opens.
4. On the General tab, clear the Enable DHCP Audit Logging checkbox to disable DHCP server logging.
5. Click OK.
- A DHCP client cannot contact the DHCP server.
- A DHCP client loses connectivity.
When these events occur, one of the first tasks you need to perform is to determine whether the connectivity issue occurred because of the DHCP client configuration itself, or because of some other network issue. You do this by determining the address type of the DHCP client's IP address. To determine the address type:
1. Use the Ipconfig command to determine whether the client received an IP address lease from the DHCP server.
2. The client received an IP address from the DHCP server if the Ipconfig /all output displays:
  - The DHCP server as being enabled.
  - The IP address displayed as IP Address. It should not be displayed as Autoconfiguration IP Address.
3. You can also use the status dialog box for the network connection to determine the IP address type for the client.
4. To view this information, double-click the appropriate network connection in the Network Connections dialog box.
5. Click the Support tab.
6. The IP address type should be displayed as Assigned By DHCP.
If, after the above checks, you can conclude that the IP address was assigned to the client by the DHCP server, some other network issue is the cause of the DHCP server connectivity issues being experienced; the issue is not due to an IP addressing problem on the client. When clients have an incorrect IP address, it is probably because the computer was unable to contact the DHCP server. When this occurs, the computer assigns its own IP address through Automatic Private IP Addressing (APIPA). Computers could be unable to contact the DHCP server for a number of reasons:
- A problem might exist with the hardware or software of the DHCP server.
- A data-link protocol issue could be preventing the computer from communicating with the network.
- The DHCP server and the client are on different LANs and there is no DHCP Relay Agent. A DHCP Relay Agent enables a DHCP server to handle IP address requests of clients that are located on a different LAN.
When a DHCP client is assigned an IP address that is currently being used by another host, an address conflict has occurred. Windows detects duplicate IP addresses as follows:
1. When the computer starts, the system checks (using ARP) whether its IP address is already in use on the network.
2. If a duplicate is detected, the TCP/IP protocol stack is disabled on the computer.
3. An error message is shown that indicates the hardware address of the other system with which this computer is in conflict.
4. The computer that originally owned the IP address experiences no interruption and operates normally.
5. You have to reconfigure the conflicting computer with a unique IP address before the TCP/IP protocol stack can be enabled on it again.
When an address conflict exists, a warning message is displayed:
- In the system tray.
- In the System log, which you can view in Event Viewer.
You have competing DHCP servers in your environment: Use the Dhcploc.exe utility, included with the Windows Support Tools, to locate rogue DHCP servers. To resolve the problem, locate the rogue DHCP servers, remove the ones that should not be there, and then check that no two DHCP servers can allocate IP address leases from the same IP address range. A rogue server is a security problem as well as an addressing problem: any client it answers first accepts whatever default gateway and DNS server addresses it hands out.
A scope redeployment has occurred: You can recover from a scope redeployment as follows:
  o Increase the number of conflict detection attempts on the DHCP server.
  o Renew your DHCP client leases.
One of the following methods can be used to renew DHCP client leases:
  o Use the Ipconfig /renew command.
  o Click the Repair button on the Support tab of the connection's status dialog box.
When you click the Repair button on the Support tab of the connection's status dialog box, the following happens:
1. A DHCPREQUEST message is broadcast on the network to renew the client's IP address lease.
2. The ARP cache is flushed.
3. The NetBIOS cache is flushed.
4. The DNS cache is flushed.
5. The NetBIOS name and IP address of the client are registered again with the WINS server.
6. The computer name and IP address of the client are registered again with the DNS server.
You can enable server-side conflict detection as follows:
1. Open the DHCP console.
2. Right-click the DHCP server in the console tree, and select Properties from the shortcut menu.
3. When the Server Properties dialog box opens, click the Advanced tab.
4. Set the number of times that the DHCP server should run conflict detection (ping the candidate address) before it leases that IP address to a client.
5. Click OK.
A few troubleshooting strategies which you can use when a DHCP client cannot obtain an IP address from the DHCP server are summarized below:
- Use the Ipconfig /renew command, or the Repair button on the Support tab of the connection's status dialog box, to refresh the IP configuration of the client.
- Next, verify that the DHCP server is enabled, and that a DHCP server or a configured DHCP Relay Agent exists within the client's broadcast range.
- If the client still cannot obtain an IP address, check that the physical connection to the DHCP server or DHCP Relay Agent is working and is not broken. Verify the status of the DHCP server and DHCP Relay Agent.
- If the issue persists after all the above checks, you might have an issue at the DHCP server, or a scope issue might exist. When troubleshooting the DHCP server:
  o Check that the DHCP server is installed and enabled.
  o Check that the DHCP server is correctly configured.
  o Verify that the DHCP server is authorized.
  o Check that the scope is enabled.
  o Check whether all the available IP leases have already been assigned to clients.
A few troubleshooting strategies which you can use when a DHCP client obtains an IP address from the incorrect scope are summarized below:
- First determine whether competing DHCP servers exist on your network. Use the Dhcploc.exe utility, included with the Windows Support Tools, to locate rogue DHCP servers that are allocating IP addresses to clients.
- If no rogue DHCP servers are found, verify that each DHCP server is allocating IP address leases from unique scopes. There should be no overlap of the address space.
- If you have multiple scopes on your DHCP server, and the DHCP server is assigning IP addresses to clients on remote subnets, verify that the DHCP Relay Agent used to reach the DHCP server is configured with the correct DHCP server address.
- Verify that the DHCP Server service is running on the particular server.
- Check the TCP/IP configuration settings on the DHCP server itself.
- If you are using the Active Directory directory service, verify that the DHCP server is authorized.
- The DHCP server could be configured with the incorrect scope. Check that the scope is correct on the DHCP server, and verify that it is active.
When you need to verify the configuration of the DHCP server, use the following process:
- First check that the DHCP server is configured with the correct IP address. The network ID of that address must match the subnet for which the DHCP server is expected to assign IP addresses to clients.
- Verify the network bindings of the DHCP server. The DHCP server must be bound to the interface on that subnet. To check this:
1. Open the DHCP console.
2. Right-click the DHCP server in the console tree, and select Properties from the shortcut menu.
3. When the Server Properties dialog box opens, click the Advanced tab.
4. Click the Bindings button.
- Check that the DHCP server is authorized in Active Directory. You have to authorize the DHCP server in Active Directory before it will provide IP addresses to your DHCP clients. To authorize the DHCP server:
1. Open the DHCP console.
2. In the console tree, expand the DHCP server node.
3. Click the DHCP server that you want to authorize.
4. Click the Action menu, and then select Authorize.
- Verify the scope configuration associated with the DHCP server. Check that the scope is activated. To activate a scope:
1. Open the DHCP console.
2. Right-click the scope in the console tree, and select Activate from the shortcut menu.
- Verify that the scope is configured with the correct IP address range.
- Verify that there are available IP address leases which can be assigned to your DHCP clients.
- Verify the exclusions specified in the address pool. Confirm that all exclusions are valid and necessary, and that no IP addresses are being excluded unnecessarily.
- Verify the reservations. If a client cannot obtain a reserved IP address, check whether the same address is also defined as an exclusion in the address pool. All reserved IP addresses must fall within the address range of the scope. Check too that the correct MAC address was entered for each reservation.
- If you have DHCP servers that contain multiple scopes, check that each of these scopes is configured correctly.
The DHCP database consists of the following files:
- Dhcp.mdb: The main DHCP database file; it contains all scope information.
- Dhcp.tmp: A temporary backup copy of the database file, created while the DHCP database is being reindexed.
- J50.log: The transaction log, which holds changes before they are written to the DHCP database.
- J50.chk: The checkpoint file, which records which log entries have already been committed to the database, and therefore which still have to be recovered.
If you need to change the role of the DHCP server and move its functions to another server, it is recommended that you migrate the DHCP database to the new DHCP server. This prevents the errors that occur when you manually attempt to recreate the information in the DHCP database on the destination server. To migrate an existing DHCP database to a new DHCP server:
1. Open the DHCP console.
2. Right-click the DHCP server whose database you want to move, and select Backup from the shortcut menu.
3. When the Browse For Folder dialog box opens, select the folder to which the DHCP database should be backed up. Click OK.
4. To prevent the DHCP server from allocating new IP addresses to clients after the database has been backed up, you have to stop the DHCP server.
5. Open the Services console.
6. Double-click the DHCP Server service.
7. When the DHCP Server Properties dialog box opens, select Disabled from the Startup Type drop-down list, and click Stop.
8. Copy the folder which contains the backup to the new DHCP server.
You now have to restore the DHCP backup on the destination DHCP server:
9. Open the DHCP console.
10. Right-click the destination DHCP server on which you want to restore the DHCP database, and select Restore from the shortcut menu.
11. When the Browse For Folder dialog box opens, select the folder that contains the backup of the database that you want to restore. Click OK.
12. Click Yes when prompted to restore the database, and to stop and restart the DHCP service.
If the lease information in the DHCP database does not correspond to the IP addresses actually leased to clients on the network, you can delete the existing database files and start with a clean (new) database:
1. Stop the DHCP service.
2. Remove all the DHCP database files from the systemroot\system32\DHCP folder.
3. Restart the DHCP service.
4. Rebuild the contents of the database by reconciling the DHCP scopes from the DHCP console.
When DHCP database information is inconsistent with what is on the network, corrupt, or missing, you can reconcile the scopes to recover the database. The DHCP service stores IP address lease data in two places:
- Detailed IP address lease information is stored in the DHCP database.
- Summary IP address lease information is stored in the registry.
These two sets of information are compared when scopes are reconciled. Before you reconcile the DHCP server's scopes, stop the DHCP service running on the server. You can then repair any inconsistencies which the comparison between the contents of the DHCP database and the contents of the registry detects.
DHCP Leasing
An Overview of DHCP
In TCP/IP based networks, a unique IP address must be assigned to each computer. An IP address is a unique numeric identifier that identifies a computer on the network. The Dynamic Host Configuration Protocol (DHCP) is a service that can be implemented to automatically assign unique IP addresses to DHCP clients.
DHCP runs at the application layer of the TCP/IP protocol stack to provide the following functions in TCP/IP networks:
- Dynamically assign IP addresses to DHCP clients.
- Allocate the following TCP/IP configuration information to DHCP clients:
  o Domain Name System (DNS) server IP addresses.
  o Windows Internet Naming Service (WINS) server IP addresses.
RFC 2131 defines the framework for the DHCP protocol. DHCP stems from the Bootstrap Protocol (BOOTP). The DHCP server is configured with a predetermined pool of IP addresses, from which it allocates IP addresses to DHCP clients. During the boot process, DHCP clients request IP addresses and obtain leases for them from the DHCP server. When the DHCP client boots up on the network, a negotiation called the DHCP lease process (also known as the DHCP negotiation process) takes place between the DHCP server and the client; it is a fairly straightforward process. The remainder of this article focuses on DHCP leasing and the DHCP lease process.
DHCP Leases
The DHCP lease process occurs when a computer which is a DHCP client initially boots up on the network; it provides an IP address and any additional TCP/IP configuration parameters to the client. The terminology used when discussing DHCP leasing and the DHCP lease process is summarized below:
- DHCP lease: The amount of time for which a DHCP client is allowed to use a specific IP address. The default lease duration is 8 days.
- DHCP lease process: The process which occurs when the client initially boots up on the network, and which enables DHCP clients to automatically obtain IP addresses from a DHCP server.
- DHCP Discovery Broadcast message: A message broadcast over the network by a client computer that wants to obtain an IP address from a DHCP server.
- DHCP Offer message: A message sent by a DHCP server in reply to a Discovery Broadcast message.
- DHCP Request Broadcast message: A message indicating that the client accepted the IP address offered by the first DHCP server that responded to it. The client broadcasts this message so that all the other DHCP servers that offered addresses can withdraw their offers.
- DHCP Acknowledge message: The message by which the DHCP server assigns the IP address lease to the DHCP client.
- Unlimited lease duration: If you do not want the IP address assigned to a particular client to expire, you assign an unlimited lease duration.
- DHCP scopes: A scope is a set of IP addresses which the DHCP server can allocate to DHCP clients, together with the configuration information for clients whose IP addresses fall within that scope. Scope information is specific to each DHCP server and is not shared between DHCP servers. During the DHCP lease process, the scopes configured on a DHCP server are used to provide a DHCP client with an IP address. You can configure a different lease duration for each DHCP scope. The rules to apply when you determine the lease duration for the scope of each of your subnets are:
  o Use a shorter lease duration if you have numerous mobile users, or if the environment constantly undergoes configuration changes.
  o Use a longer lease duration if there are no mobile computers and the environment does not continually experience configuration changes.
  o Increase the default setting of 8 days if the number of IP addresses per subnet is far greater than the number of DHCP devices in your environment.
  o Use a shorter lease duration if you have a limited number of IP addresses per subnet and you are close to that limit.
one location, and the server distributing this information to clients. Duplicated IP addresses are also prevented. The DHCP lease process that occurs between the DHCP server and client is a simple one. The negotiation for an IP address consists of four messages exchanged between the DHCP server and the DHCP client:
- Two messages from the client.
- Two messages from the DHCP server.
When the server assigns IP addresses to DHCP clients, it starts allocating from the bottom of its scope range and works toward the top. All never-used addresses are handed out before the DHCP server:
- Allocates a previously used IP address to a new DHCP client. Among previously used addresses, the DHCP server first assigns the ones that have been unused for the longest time.
- Allocates an expired IP address lease to a new DHCP client.
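The allocation order just described, combined with the server-side conflict detection setting from the troubleshooting section earlier in this document, as an added Python example (not Windows code and not from the original page). The Scope class, its probe callback and the addresses are constructed: probe(ip) stands in for the ICMP echo the server sends before offering an address when conflict detection is enabled, and conflict_attempts is the value from the Advanced tab (0 means disabled).

```python
"""Scope allocation order with server-side conflict detection (added example)."""
import ipaddress


class Scope:
    """Constructed model of one DHCP scope. `probe(ip)` stands in for the ICMP echo
    the server sends when conflict detection is enabled; it returns True if a host
    answered. `conflict_attempts` is the Advanced-tab setting (0 = disabled)."""

    def __init__(self, start, end, exclusions=(), conflict_attempts=0, probe=None):
        first, last = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        excluded = set(exclusions)
        self.pool = [str(ipaddress.IPv4Address(n)) for n in range(first, last + 1)
                     if str(ipaddress.IPv4Address(n)) not in excluded]
        self.leases = {}        # ip -> (client id, expiry time)
        self.released = {}      # ip -> time the lease was released or expired
        self.bad = set()        # addresses that answered a probe (BAD_ADDRESS on Windows)
        self.attempts = conflict_attempts
        self.probe = probe or (lambda ip: False)

    def candidates(self):
        """Never-used addresses from the bottom of the range first, then addresses
        that were used before, the one idle longest first."""
        fresh = [ip for ip in self.pool
                 if ip not in self.leases and ip not in self.released and ip not in self.bad]
        reuse = [ip for _, ip in sorted((t, ip) for ip, t in self.released.items()
                                        if ip not in self.bad)]
        return fresh + reuse

    def in_use_on_wire(self, ip):
        """Probe up to `attempts` times; any reply means someone already uses it."""
        return any(self.probe(ip) for _ in range(self.attempts))

    def allocate(self, client_id, now, lease_secs=8 * 86400):
        for ip in self.candidates():
            if self.in_use_on_wire(ip):
                self.bad.add(ip)            # skip it rather than hand out a duplicate
                continue
            self.released.pop(ip, None)
            self.leases[ip] = (client_id, now + lease_secs)
            return ip
        return None                         # scope exhausted: client falls back to APIPA

    def release(self, ip, now):
        """DHCPRELEASE from the client, or expiry detected by `expire`."""
        if ip in self.leases:
            del self.leases[ip]
            self.released[ip] = now

    def expire(self, now):
        """Turn leases past their expiry time into reusable addresses."""
        for ip, (_, expiry) in list(self.leases.items()):
            if expiry <= now:
                self.release(ip, now)
```

With a probe that answers for 10.0.0.101 and conflict_attempts set to 2, the scope skips that address and records it as bad instead of leasing it to the second client; with conflict_attempts left at 0 the same scope hands out the duplicate, which is the scope-redeployment failure the text describes.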
During the four-step DHCP lease process, the events that occur are defined by the types of DHCP messages exchanged between the DHCP server and DHCP client:
- DHCPDISCOVER message: Used to request an IP address lease from a DHCP server. The client sends it when it boots up on the network, as a broadcast packet, asking any DHCP server to respond.
- DHCPOFFER message: A response to a DHCPDISCOVER message, sent by one or more DHCP servers.
- DHCPREQUEST message: The client sends a DHCP Request message naming the first DHCP server that responded to it. The message indicates that the client is requesting that particular IP address for lease. The other DHCP servers that offered addresses withdraw those offers at this point.
- DHCPACK message: The DHCP Acknowledge message is sent by the DHCP server to the DHCP client; with it the DHCP server assigns the IP address lease to the DHCP client.
The four steps involved in the DHCP lease process are often called DORA:
- Discover
- Offer
- Request
- Acknowledge
- DHCPDISCOVER message: Used by DHCP clients to request an IP address lease from a DHCP server.
- DHCPOFFER message: Sent by a DHCP server in response to a DHCPDISCOVER message.
- DHCPREQUEST message: Sent by the DHCP client to one of the DHCP servers that replied to its request, to obtain the offered IP address.
- DHCPACK message: The DHCP Acknowledge message, sent by the DHCP server to the DHCP client; with it the DHCP server assigns the IP address lease to the DHCP client.
- DHCPNACK message: Sent by the DHCP server to the DHCP client to indicate that the requested IP address is no longer valid.
- DHCPRELEASE message: Sent by a DHCP client to the DHCP server to give up its lease before the lease duration expires.
- DHCPDECLINE message: Sent by the DHCP client to the DHCP server after the client has found (typically by ARP probing) that the leased IP address is already in use on the network; the client refuses the lease and starts the process again.
- DHCPINFORM message: Used by both the DHCP client and the DHCP server:
  o DHCP server end: Used when the DHCP service checks against Active Directory whether it is authorized to offer IP addresses to DHCP clients.
  o DHCP client end: When the DHCP client already has an IP address, it uses this message to obtain DHCP options.
The DHCP lease process takes place:
- When a DHCP client boots up for the first time and starts the TCP/IP stack.
- When you move from using a manually assigned IP address to using DHCP to dynamically assign IP addresses.
A DHCP client starts the DHCP lease process by broadcasting for an IP address. A DHCP client is configured by selecting the Obtain An IP Address Automatically option in the TCP/IP addressing properties of the particular client. The main events that occur in the initial step of the DHCP lease process are:
1. A DHCP client boots up for the first time and starts the TCP/IP stack.
2. The client broadcasts a DHCPDISCOVER message over the network, requesting an IP address from a DHCP server.
3. The DHCPDISCOVER message is sent from UDP source port 68 to UDP destination port 67.
4. Because the client has no IP address at this stage, and does not know the IP addresses of the DHCP servers on the network, the discover message uses the following standard address information:
  o Source IP address 0.0.0.0 and destination IP address 255.255.255.255 (limited broadcast).
  o The hardware address of the client's NIC as source, and the broadcast hardware address FF-FF-FF-FF-FF-FF as destination.
5. The DHCP servers that respond to the discover message use the client's hardware (MAC) address, and the host name carried in the message, to identify the client computer so that the DHCP offer message reaches the correct client.
6. After the client sends the initial discover message, it waits 1 second for an IP address offer from a DHCP server.
7. If no offer is received, the client tries again at intervals of 2, 4, 8, and 16 seconds.
8. If there is still no reply, the client assigns itself an IP address through Automatic Private IP Addressing (APIPA).
9. The client continues to broadcast the discover message at 5 minute intervals until it obtains an IP address from a DHCP server.
The DHCP servers listening on the segment where the client broadcast the discover message receive it. In this step of the DHCP lease process, the DHCP servers which have available valid IP addresses offer the requesting client an IP address in the form of a DHCPOFFER message. The DHCPOFFER message contains the following information:
- IP address of the DHCP server making the offer.
- Hardware (MAC) address of the DHCP server (in the frame header).
- The offered IP address.
- The subnet mask associated with the offered IP address.
- The lease duration.
- Hardware (MAC) address of the client.
When a DHCP server offers an IP address to a client, it reserves that IP address in its database for that client, so that it does not offer the same address to a different DHCP client. Only when the client refuses the address does the reservation lapse. The client accepts the IP address in the DHCP offer from the first DHCP server which responds to its request, and broadcasts a DHCPREQUEST message to indicate that it has accepted that address.
It is also possible for a DHCP server to reply to the DHCP client with a DHCPNACK message. This message indicates that the DHCP server is refusing the requested IP address because it is no longer valid, for example because the client has moved to a different subnet or the address has since been leased to another client. A DHCPNACK is usually sent when a client attempts to renew a lease for a previously assigned IP address.
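The four-message exchange described above, both sides, encoded on the RFC 2131 wire format, together with the rogue-server check from the troubleshooting sections earlier in this document (what locating rogue servers with Dhcploc.exe comes down to: comparing the server identifier, option 54, in every DHCPOFFER a client receives against the servers you authorized). This is an added Python example, not code from the original page or from Microsoft; DhcpServer, dora, the addresses and the client MAC are constructed, and the exchange runs in memory instead of on a socket.

```python
"""DORA exchange on the RFC 2131 wire format, plus a dhcploc-style check."""
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"      # cookie that starts the options field
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
OPT_REQ_IP, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 51, 53, 54, 255
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # op .. file: 236 bytes


def build(op, xid, chaddr, options, yiaddr="0.0.0.0", flags=0x8000):
    """Encode one DHCP message. flags=0x8000 asks the server to reply by broadcast,
    which a client that has no address yet needs."""
    zero = socket.inet_aton("0.0.0.0")
    hdr = HEADER.pack(op, 1, 6, 0, xid, 0, flags, zero, socket.inet_aton(yiaddr),
                      zero, zero, chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC + body + bytes([OPT_END])


def parse(packet):
    """Decode the fixed header and the TLV options; None if the cookie is missing."""
    if len(packet) < HEADER.size + 4 or packet[HEADER.size:HEADER.size + 4] != MAGIC:
        return None
    f = HEADER.unpack_from(packet)
    msg = {"op": f[0], "xid": f[4], "yiaddr": socket.inet_ntoa(f[8]),
           "chaddr": f[11][:f[2]], "options": {}}
    i = HEADER.size + 4
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:                     # PAD carries no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        msg["options"][code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def msg_type(msg):
    return msg["options"][OPT_MSG_TYPE][0]


def server_ip(msg):
    return socket.inet_ntoa(msg["options"][OPT_SERVER_ID])


class DhcpServer:
    """Server side, reduced to a free-address list and an 8-day lease (constructed)."""

    def __init__(self, ip, free, lease_secs=8 * 86400):
        self.ip, self.free, self.lease = ip, list(free), lease_secs

    def reply(self, kind, req, yiaddr="0.0.0.0"):
        opts = [(OPT_MSG_TYPE, bytes([kind])), (OPT_SERVER_ID, socket.inet_aton(self.ip))]
        if kind != NAK:
            opts.append((OPT_LEASE, struct.pack("!I", self.lease)))
        return build(BOOTREPLY, req["xid"], req["chaddr"], opts, yiaddr=yiaddr)

    def handle(self, packet):
        req = parse(packet)
        if req is None or req["op"] != BOOTREQUEST:
            return None
        if msg_type(req) == DISCOVER:
            return self.reply(OFFER, req, self.free[0]) if self.free else None
        if msg_type(req) == REQUEST:
            if server_ip(req) != self.ip:
                return None                    # client picked another server: withdraw
            wanted = socket.inet_ntoa(req["options"][OPT_REQ_IP])
            if wanted not in self.free:
                return self.reply(NAK, req)    # address no longer valid on this server
            self.free.remove(wanted)
            return self.reply(ACK, req, wanted)
        return None


def dora(chaddr, servers, authorized, xid=0x3903F326):
    """Client side. Broadcast DISCOVER, accept the first OFFER, REQUEST it, collect
    ACKs. Returns (leased_ip, acking_servers, rogue_servers); a rogue server is any
    offerer whose server identifier (option 54) is not on the authorized list."""
    discover = build(BOOTREQUEST, xid, chaddr, [(OPT_MSG_TYPE, bytes([DISCOVER]))])
    offers = [parse(p) for s in servers if (p := s.handle(discover))]  # broadcast: all see it
    rogue = sorted({server_ip(o) for o in offers} - set(authorized))
    if not offers:
        return None, [], rogue                 # client will fall back to APIPA
    chosen = offers[0]
    request = build(BOOTREQUEST, xid, chaddr, [
        (OPT_MSG_TYPE, bytes([REQUEST])),
        (OPT_SERVER_ID, chosen["options"][OPT_SERVER_ID]),  # the other servers back off
        (OPT_REQ_IP, socket.inet_aton(chosen["yiaddr"]))])
    replies = [parse(p) for s in servers if (p := s.handle(request))]
    acks = [server_ip(r) for r in replies if msg_type(r) == ACK]
    return chosen["yiaddr"], acks, rogue
```

With an authorized server and a rogue one both answering the DISCOVER, whichever offer arrives first wins the lease: the client has no way to tell them apart, and a rogue that wins can supply its own gateway and DNS options. That is why auditing offers against an allow-list, as dora does with its rogue result, matters more than the order of the exchange itself. The simulated server does not hold an offered address pending the client's REQUEST, which the text above says a real server does; a REQUEST for an address it no longer has is answered with DHCPNACK.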
- ipconfig /renew: Requests a lease renewal from the DHCP server. It is usually used in combination with ipconfig /release.
- ipconfig /release: Releases the IP address lease. The DHCP server then flags the released IP address as available again. ipconfig /renew usually follows ipconfig /release.
- ipconfig /setclassid classID: Sets a user class ID for the DHCP client.
A remote access server can allocate IP addresses to remote clients from:
- A static range of IP addresses: Usually implemented when there are no internal DHCP servers.
- An existing DHCP server: The remote access server relays the clients' requests to the DHCP server for IP address allocation.
If you have an internal DHCP server, you should configure the remote access server to allocate IP addresses via this server. If your DHCP server is not within broadcast range of the RRAS server, you must also do one of the following:
- Configure the DHCP Relay Agent on the remote access server.
- Configure the DHCP Relay Agent on the same subnet as the remote access server.
The DHCP Relay Agent enables DHCP clients to obtain IP addresses from a DHCP server on a remote subnet. A router drops DHCP broadcast messages unless it is configured to forward them, so without a DHCP Relay Agent the requests never reach the server. To enable clients to obtain IP addresses from a DHCP server on a remote subnet, configure the DHCP Relay Agent on the subnet that contains the remote clients, so that it relays the DHCP broadcast messages to your DHCP server. If the remote access server is configured to obtain IP addresses from a DHCP server and distribute them to clients, the following process occurs:
1. When the remote access server starts for the first time, it obtains a block of 10 IP addresses from the DHCP server.
2. The first IP address is used by the remote access server itself.
3. The remote access server distributes the remaining addresses to TCP/IP based remote access clients during PPP connection establishment.
4. When the remote access server needs more than the 10 IP addresses it holds, it obtains additional blocks of 10 addresses.
5. If the DHCP server was unavailable when the remote access server started, the remote access server assigns addresses through Automatic Private IP Addressing (APIPA).
To use an internal DHCP server with the remote access server, you therefore have to:
- Configure the DHCP Relay Agent on the remote access server, or on the same subnet.
- Configure the RRAS server to allocate IP addresses via the Dynamic Host Configuration Protocol (DHCP) option.
To install and configure the DHCP Relay Agent:
1. Click Start, All Programs, Administrative Tools, and then click Routing and Remote Access to open the Routing And Remote Access console.
2. Expand the IP Routing node in the console tree, right-click the General node, and then select New Routing Protocol from the shortcut menu.
3. When the New Routing Protocol dialog box opens, select DHCP Relay Agent.
4. Click OK.
5. Expand the IP Routing node in the console tree.
6. Right-click the DHCP Relay Agent node and then select New Interface from the shortcut menu.
7. Select the interface and click OK.
8. In the DHCP Relay Properties dialog box, ensure that the Relay DHCP Packets checkbox is selected on the General tab.
9. Click OK.
10. Right-click the DHCP Relay Agent node, and select Properties from the shortcut menu.
11. Enter the DHCP server's IP address, and click Add.
12. Click OK.
To configure the RRAS server to distribute IP addresses via the Dynamic Host Configuration Protocol (DHCP) option:
1. Open the Routing And Remote Access console.
2. Right-click the RRAS server node and then select Properties from the shortcut menu.
3. Click the IP tab.
4. In the IP Address Assignment area of the IP tab, click the Dynamic Host Configuration Protocol (DHCP) option.
5. Click OK.
- The IP address is assigned from the static address pool on the RRAS server: This method is enabled when you select the Static Address Pool option on the IP tab of the RRAS server properties dialog box. To configure this method:
1. Open the Routing And Remote Access console.
2. Right-click the RRAS server node and then select Properties from the shortcut menu.
3. Click the IP tab.
4. Select the Static Address Pool option.
5. Click Add.
6. Set the start IP address and end IP address to define the address range for the static address pool.
7. Click OK.
Because a remote client only obtains its IP address from the RRAS server in this case, it still has to reach a DHCP server (with a DHCPINFORM message) to obtain any other TCP/IP configuration information, such as a DNS server or WINS server address. For this to occur, you have to configure a DHCP Relay Agent on the RRAS server.
- The IP address is assigned from the DHCP server via a DHCP Relay Agent: For this method, the Dynamic Host Configuration Protocol (DHCP) option is selected on the IP tab of the RRAS server properties dialog box, and the DHCP Relay Agent is configured on the RRAS server. The DHCP server distributes the IP addresses and all other TCP/IP configuration information.
- The IP address is assigned to the user's security object in Active Directory: For this method, the IP address for the remote client is configured in the properties of the user's account. When the client connects to the RRAS server, the IP address configured there is used, and the address settings in the Remote Access Policy are ignored.
How to create a new user object in Active Directory
1. Click Start, Administrative Tools, and click Active Directory Users And Computers.
2. In the console tree, select the OU in which you want to create the new user object.
3. From the Action menu, click New, and then click User.
4. In the New Object - User dialog box, enter information for the following fields:
  o First name, Initials, Last name, Full name (automatically populated), User logon name, User logon name (pre-Windows 2000).
5. Click Next.
6. Enter a password in the Password field, and verify the password in the Confirm password field.
7. If you leave the User must change password at next logon checkbox enabled, the user has to specify a new password at next logon. Click Next.
8. Verify the settings that you entered on the Summary page.
9. Click Finish to create the new user object.
How to configure an IP address for a user object in Active Directory
1. Click Start, Administrative Tools, and click Active Directory Users And Computers.
2. Right-click the domain, and select Find from the shortcut menu. The Find option locates objects in Active Directory. You can specify whether the search should cover the whole directory or a particular OU, and you can specify various other search criteria and options.
3. Enter the user name for which you want to statically assign an IP address. Click Find Now to locate the user object.
4. Double-click the user name in the search results window to open the properties page of the user object.
5. Click the Dial-in tab.
6. Enable the Assign A Static IP Address checkbox.
7. Enter the IP address in the box provided.
8. Click OK.
Typical DHCP server management tasks include:
- Delegate DHCP administration to individuals.
- View and analyze DHCP statistical information.
- Change the status of the DHCP service.
- Configure superscope administration entities.
- Back up the DHCP server database.
- Restore the DHCP server database.
- Repair a corrupted DHCP server database.
- Move a DHCP database to a different DHCP server.
With Windows Server 2003, there are three built-in groups which have rights to manage your DHCP servers:
- Enterprise Admins group:
  o Group members have forest-wide administrative rights.
  o Group members have full control over the DHCP servers.
  o This is the only group that can authorize DHCP servers in Active Directory.
  o Restrict membership of the Enterprise Admins group as far as possible.
- DHCP Administrators group:
  o This local group is created on each DHCP server.
  o Group members can perform all DHCP-specific management tasks, including creating, activating and deleting scopes; creating reservations; backing up and restoring the DHCP server database; and configuring DHCP options.
  o Group members do not have the rights of local Administrators; their rights are specific to managing the DHCP server only.
- DHCP Users group:
  o This local group is created on each DHCP server.
  o Group members can only view configuration information and statistical information on the DHCP server.
  o Group members can check whether client connectivity issues are caused by the DHCP service or by the depletion of IP addresses.
  o Group members can check which scopes have been activated.
How to change the status of the DHCP service from the command line
Use the following commands to manage the DHCP service from the command line:
- Net Start Dhcpserver
- Net Stop Dhcpserver
- Net Pause Dhcpserver
- Net Continue Dhcpserver
The DHCP server statistics display the following information:
- Start Time: The time when the DHCP service started.
- Up Time: The time elapsed since the DHCP service was last started.
- Disc​overs: The number of DHCPDISCOVER messages received.
- Offers: The number of DHCPOFFER messages sent.
- Requests: The number of DHCPREQUEST messages received.
- Acks: The number of DHCPACK messages sent.
- Nacks: The number of DHCPNACK messages sent.
- Declines: The number of DHCPDECLINE messages received.
- Releases: The number of DHCPRELEASE messages received.
- Total Scopes: The number of DHCP scopes configured on this DHCP server.
- Total Addresses: The number of IP addresses in the scopes configured on the DHCP server.
- In Use: The number of IP addresses currently leased.
- Available: The number of IP addresses still available.
A rising Declines count is worth investigating: it means clients found their leased addresses already in use on the network, a symptom of duplicate addresses or of a competing DHCP server.
You can also view statistical information in the DHCP server logs.
How to view statistical information on a specific scope
1. Open the DHCP console.
2. In the console tree, right-click the scope for which you want statistics, and select Display Statistics from the shortcut menu.
3. Information is displayed on:
  o The total number of IP addresses in the scope.
  o The number of IP addresses in the scope that are in use.
  o The number of IP addresses in the scope that are available.
How to refresh DHCP statistical information
1. Open the DHCP console.
2. In the console tree, right-click the DHCP server for which you want to refresh statistical information, and then select Properties from the shortcut menu.
3. On the General tab, select the Automatically Update Statistics Every: checkbox.
4. Use the Hours and Minutes boxes to specify how often the statistics should be refreshed.
5. Click OK.
- Manually back up the DHCP database by using the DHCP console.
- Schedule an automatic backup of the DHCP database.

When the DHCP database is backed up, the contents of the entire database are backed up. This includes the following key information:

- Scope information, multicast scope information, and superscope information.
- DHCP leases.
- DHCP reservations.
- DHCP options, including:
  o Server options
  o Scope options
  o Class options
  o Reservation options
The DHCP service only needs to be stopped if you are planning to move the database to a different DHCP server. The location for the backup folder has to be a local directory.
- Repair an inconsistent or corrupt DHCP database
- Compact the DHCP database (offline)
It is recommended to perform an offline compaction of the DHCP database when the database size is over 30 MB. The syntax for jetpack.exe is:
jetpack database_name temporary_database_name
To repair the DHCP database using Jetpack.exe:

1. Click Start, Run, and enter cmd in the Run box.
2. Locate the DHCP database directory.
3. Enter net stop dhcp.
4. Enter jetpack dhcp.mdb <temp>, where <temp> is the name and location of the temporary file that is to be used to repair the DHCP database.
Configuring DHCP
Configuring the DHCP Server Environment
The primary steps required for configuring and managing your
- Install the DHCP service on a server.
- Authorize the DHCP server in Active Directory.
- Configure the necessary DHCP scopes for your subnets.
- Configure superscopes and multicast scopes.
- Configure the DHCP lease duration.
- Configure the DHCP options.
- Configure the DHCP reservations.
- Configure the BOOTP tables.
- Configure DHCP and DDNS integration.
- Configure split scopes for fault tolerance.
2. When the Add Or Remove Programs dialog box opens, click Add/Remove Windows Components.
3. This starts the Windows Components Wizard.
4. In the Components list box, select Networking Services, and then click the Details button.
5. The Networking Services dialog box opens.
6. In the Subcomponents Of Networking Services list box, check the Dynamic Host Configuration Protocol (DHCP) checkbox.
7. Click OK.
8. Click Next.
9. When the Completing The Windows Components Wizard page is displayed, click Finish.
- Scope(s) folder
- Server Options folder

Each scope contains the following additional folders:

o Address Pool: This view lists address pool information.
o Address Leases: This view contains an entry for each existing IP address lease. An entry includes the following information:
  - Client computer name to which the particular
  - The IP address associated with the lease.
  - Lease expiration information.
o Reservations: This view indicates which IP addresses are reserved, and the particular devices which have these reserved IP addresses.
o Scope Options: This view shows the options which are configured for the particular scope.
The Action menu includes a number of options which are useful when managing your DHCP servers. To start, stop, pause, resume, or restart the DHCP service:

1. Click Start, All Programs, Administrative Tools and then click DHCP.
2. The DHCP console opens.
3. Select the DHCP server that you want to manage in the console tree.
4. From the Action menu, click All Tasks, and choose between the following options:
   o Start, to start the DHCP service
   o Stop, to stop the DHCP service
   o Pause, to pause the DHCP service
   o Resume, to continue the DHCP service after it was paused
   o Restart, to stop and then automatically restart the DHCP service

The equivalent command-line commands are:

Net Start Dhcpserver
Net Stop Dhcpserver
Net Pause Dhcpserver
Net Continue Dhcpserver
If the Active Directory directory service is running in your networking environment, you have to authorize the DHCP server in Active Directory so that it can provide IP addresses to your DHCP clients. When you authorize the DHCP server, the IP address of the server is added to the Active Directory object that contains the list of authorized DHCP servers. You would need to manually authorize the DHCP server in Active Directory under the following circumstances:

- When the DHCP service is installed on a stand-alone server.
- When the DHCP service is installed on a member server of an Active Directory domain.
To authorize the DHCP server in Active Directory:

1. Click Start, All Programs, Administrative Tools and then click DHCP to open the DHCP console.
2. In the console tree, expand the DHCP server node.
3. Click the DHCP server that you want to authorize.
4. Click the Action menu, and then select Authorize.
5. After waiting for approximately 45 minutes for the authorization to occur, right-click the DHCP server, and verify that Unauthorize is displayed on the shortcut menu.
Creating new scopes for your DHCP servers: You would need the following information when you create a new scope:

o The IP address range for the scope: The start and end IP addresses that define the address range for the new scope.
o The IP addresses that should be excluded from the IP address pool.
o The IP addresses that should be reserved.
o The configuration parameters which you want to set for the DHCP options.
17. Enter the name of the DNS server that you want clients to use for name to IP address resolution in the lower portion of the Domain Name And DNS Servers page. Click Add and then click Next.
18. On the WINS Server page, if applicable, enter the IP address of the WINS server. Click Add and then click Next.
19. On the Activate Scope page, click the Yes, I want to activate this scope now option. Click Next.
20. On the Completing The New Scope Wizard page, click Next.
- Scope Name text box: Enables you to change the name of the scope.
- Start IP Address and End IP Address text boxes: Enable you to change the range of the existing scope.
- Subnet Mask text box: This is automatically populated, based on the IP address range that is specified.
- Lease Duration For DHCP Clients area of the General tab: Use the Days, Hours and Minutes boxes to change the existing lease duration for IP addresses of this scope.
- Router (003): Indicates the default gateway router.
- DNS Servers (006): Indicates the DNS servers.
- DNS Domain Name (015): Indicates the parent DNS domain name for the DNS locator service.
- ARP Cache Timeout (035): Indicates the timeout for the ARP cache entries.
- WINS Servers (044): Indicates the WINS servers.
- WINS Node Type (046): Indicates the NetBIOS node type.
- Classless Static Routes (249): Indicates the destination, router and mask for static routes.
There are four different types of DHCP options. The DHCP options are applied in a particular sequence, with any previously applied option being overwritten by any conflicting later applied option. The DHCP options and the order in which they are applied are listed below:

1. Server options: These options apply to each scope configured on the DHCP server, and also apply to all clients that obtain an IP address from the particular DHCP server. Server options are always applied first.
2. Scope options: These options are applied at the scope level, and after the Server options are applied. Scope options are applicable to a particular scope only.
3. User and Vendor Class options: You can use User classes to assign options to clients that have the same requirements. Vendor classes can be used to assign vendor specific options to clients that have the same vendor.
4. Reserved options: Reservations work differently from the above mentioned options. Each reservation has to be manually configured by an administrator.

To configure User Class options:

1. Open the DHCP console.
2. Right-click the DHCP server you want to work with, and select Define User Classes from the shortcut menu.
3. When the DHCP User Classes dialog box opens, click the Add button to create a new class.
4. The New Class dialog box opens.
5. In the Display name field, enter the name for the new class.
6. In the Description field, enter a description for the new class.
7. In the ID field, enter the class ID.
8. Click OK to create the new user class.
9. The newly created class should be displayed in the DHCP User Classes dialog box.
10. Click Close to close the DHCP User Classes dialog box, and to return to the DHCP console.
11. If you want to configure the class options at the server level, right-click the Server Options node in the console tree and select Configure Options from the shortcut menu.
12. If you want to configure the class options at the scope level, right-click the Scope Options node and select Configure Options from the shortcut menu.
13. Click the Advanced tab, and choose the class which you just created from the User Class drop-down list.
14. Set the options which you want specified for the class.
15. Click OK.
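As an added example (not code from the original document), the following Python applies the four option levels in the order described above, later levels overriding conflicting earlier values, and records which level supplied each winning value. The server, scope, class and reservation contents, the class id "kiosk" and the MAC addresses are constructed samples.

```python
"""Effective DHCP option resolution in the order the document gives: server
options, then scope options, then user/vendor class options, then reservation
options, each later level overriding a conflicting earlier value. Added example,
not code from the original document; option codes are the standard ones listed
on the page (003 Router, 006 DNS Servers, 015 DNS Domain Name, 035 ARP Cache
Timeout) and every address, class and MAC address is a constructed sample."""

from dataclasses import dataclass, field

ROUTER, DNS_SERVERS, DNS_DOMAIN_NAME, ARP_CACHE_TIMEOUT = 3, 6, 15, 35


@dataclass
class Scope:
    name: str
    options: dict = field(default_factory=dict)        # {code: value}
    class_options: dict = field(default_factory=dict)  # {class id: {code: value}}
    reservations: dict = field(default_factory=dict)   # {mac: {code: value}}


@dataclass
class Server:
    options: dict = field(default_factory=dict)
    class_options: dict = field(default_factory=dict)  # class options set at server level
    scopes: dict = field(default_factory=dict)         # {scope name: Scope}


def resolve_options(server, scope_name, mac, class_ids=()):
    """Return (effective, provenance) for one client: effective maps option code
    to the winning value, provenance maps it to the level that supplied it, which
    is what to inspect when a client reports an unexpected gateway or DNS server."""
    scope = server.scopes[scope_name]
    layers = [("server", server.options), ("scope", scope.options)]
    for cid in class_ids:                              # class options after scope options
        layers.append((f"server class {cid}", server.class_options.get(cid, {})))
        layers.append((f"scope class {cid}", scope.class_options.get(cid, {})))
    layers.append(("reservation", scope.reservations.get(mac.lower(), {})))
    effective, provenance = {}, {}
    for level, opts in layers:                         # later level wins on conflict
        for code, value in opts.items():
            effective[code] = value
            provenance[code] = level
    return effective, provenance


# Constructed sample configuration
SRV = Server(
    options={DNS_SERVERS: ["10.0.0.10", "10.0.0.11"], DNS_DOMAIN_NAME: "corp.example"},
    class_options={"kiosk": {ARP_CACHE_TIMEOUT: 600}},
    scopes={"10.1.0.0": Scope(
        "10.1.0.0",
        options={ROUTER: ["10.1.0.1"]},
        class_options={"kiosk": {DNS_SERVERS: ["10.1.0.53"]}},
        reservations={"00-11-22-33-44-55": {ROUTER: ["10.1.0.254"]}},
    )},
)

if __name__ == "__main__":
    for mac, classes in (("aa-bb-cc-dd-ee-ff", ()), ("00-11-22-33-44-55", ("kiosk",))):
        opts, src = resolve_options(SRV, "10.1.0.0", mac, classes)
        for code in sorted(opts):
            print(f"{mac} option {code:03d} = {opts[code]!r:30} from {src[code]}")
```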
- Reservation Name: Enter a name for the new reservation that uniquely identifies the particular client that is being reserved.
- IP Address: Enter the reserved IP address in this text box.
- MAC Address: Enter the MAC address of the
- Description: Enter a useful description (optional).

The options which can be selected under the Supported Types area of the New Reservation dialog box are:

5. Click OK.
1. Open the DHCP console.
2. Right-click the DHCP server node and select Properties from the shortcut menu.
3. On the General tab, click the Show the BOOTP table folder checkbox.
4. Click OK.
5. Proceed to right-click the BOOTP table folder, and select New Boot Image from the shortcut menu.
6. When the Add BOOTP Entry dialog box opens, enter the following information:
   o Boot image file name
   o Server path to the boot file image
   o IP address or name of the Trivial File Transfer Protocol (TFTP)
1. Open the DHCP console.
2. Expand the DHCP server node and the Scope node in the console tree.
3. Right-click the particular scope and then select Properties from the shortcut menu.
4. Click the Advanced tab.
5. In the Assign IP Addresses Dynamically To Clients Of area, select Both, or select BOOTP only.
6. In the Lease Duration For BOOTP Clients area, change the lease duration if required.
7. Click OK.
The available vendor extensions that a Windows Server 2003 DHCP server can offer a BOOTP client are listed below:

o BOOTP code 1; Subnet Mask
o BOOTP code 3; Router
o BOOTP code 4; Time Server
o BOOTP code 5; Name Server
o BOOTP code 9; LPR Server
o BOOTP code 12; Computer Name
o BOOTP code 15; Domain Name
o Root Path
o BOOTP code 42; NTP Servers
o BOOTP code 44; WINS Server
o BOOTP code 45; NetBIOS over TCP/IP Datagram Distribution Server
o BOOTP code 46; NetBIOS over TCP/IP Node Type
o BOOTP code 47; NetBIOS over TCP/IP Scope
o BOOTP code 48; Window System Font Server
o BOOTP code 49; Window System Display Manager
o BOOTP code 69; SMTP Server
o BOOTP code 70; POP3 Server
1. Open the DHCP console.
2. Right-click the DHCP server in the console tree, and select New Superscope from the shortcut menu.
3. The New Superscope Wizard starts. On the initial page of the New Superscope Wizard, click Next.
4. On the Superscope Name page, provide a name for the new superscope. Click Next.
5. On the Select Scopes page, select one or more scopes that you want to be part of the new superscope. Click Next.
6. On the Completing the New Superscope Wizard page, click Finish to create the new superscope.
7. Verify that the newly created DHCP superscope is displayed in the DHCP console.

To activate a superscope:

1. Open the DHCP console.
2. Right-click the superscope that you want to activate, and select Activate from the shortcut menu.

To delete a superscope:

1. Open the DHCP console.
2. Right-click the superscope that you want to delete, and select Delete from the shortcut menu. Only the superscope is deleted. All the scopes that were contained in the deleted superscope remain intact.
1. Open the DHCP console.
2. Right-click the DHCP server in the console tree, and select New Multicast Scope from the shortcut menu.
3. The New Multicast Scope Wizard starts. On the initial page of the New Multicast Scope Wizard, click Next.
4. On the Multicast Name page, provide a name for the new multicast scope. Click Next.
5. On the IP Address Range page, enter the start IP address and the end IP address for the new multicast scope. Specify the Time to Live (TTL), and then click Next.
6. On the Add Exclusions page, enter the IP addresses in the address range which should be excluded. Click Next.
7. On the Lease Duration page, accept or change the default lease duration of 30 days. Click Next.
8. On the Activate Multicast Scope page, click Yes to activate the scope immediately.
9. On the Completing the New Multicast Scope Wizard page, click Finish to create the new multicast scope.
10. Verify that the newly created multicast scope is displayed in the DHCP console.
1. Open the DHCP console.
2. Right-click the DHCP server, and then select Properties from the shortcut menu.
3. When the Server Properties dialog box opens, click the DNS tab.
4. Ensure that the Enable DNS Dynamic Updates According To The Settings Below checkbox is selected.
5. Select the Dynamically Update DNS A And PTR Records Only If Requested By The DHCP Clients option.
6. Select the Discard A And PTR Records When Lease Is Deleted checkbox.
7. Click OK.
1. Click Start, Control Panel, and then click Network Connections.
2. Right-click the network connection you want to work with, and then click Properties from the shortcut menu.
3. If you are working with the local area connection, on the General tab, select Internet Protocol (TCP/IP), and then click the Properties button.
4. When the Internet Protocol (TCP/IP) Properties dialog box opens, click the Obtain An IP Address Automatically option.
5. If you want the client to automatically obtain DNS server information from the DHCP server, select the Obtain DNS Server Address Automatically option.
6. Click OK.
1. Open the DHCP console.
2. Right-click the DHCP server in the console tree, and select Properties from the shortcut menu.
3. When the Server Properties dialog box opens, click the Advanced tab.
4. Set the number of times that the DHCP server should run conflict detection prior to it leasing an IP address to a client.
5. Click OK.
1. Configure all the necessary scopes for your DHCP servers.
2. Configure your exclusions, on the basis that the primary DHCP server will be managing 80 percent of the address pool, and the secondary will be managing 20 percent of the address pool.
3. Configure a superscope that includes all the scopes for the subnet.
4. From the Administrative Tools folder, open the Cluster Administrator management tool.
5. Choose the cluster that will host the DHCP service.
6. From the File menu, click Configure Application. The Configure Application Wizard starts next.
7. Click Next on the initial page of the Configure Application Wizard.
8. Select the Use an Existing Virtual Server option. Select the group, and select the Create A New Virtual Server option. Create a new virtual server through the Wizard.
9. Select the Yes, Create A Cluster Resource For My Application Now option, and then select the DHCP resource type. Click Next.
10. Provide a name and description for the DHCP resource. Click Next.
11. Click Advanced Properties, and then click the Dependencies tab. Click the Modify button.
12. Select the IP address, physical disk, and name for the DHCP server. Click OK.
13. On the Application Resource Name and Description page, click Next.
14. Verify your configuration settings, and then click Finish.
15. Right-click the DHCP resource, and select Bring Online from the shortcut menu.
16. You have to authorize the DHCP server in Active Directory.
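An added helper (not code from the original document) for the exclusion step above: given the scope range that both servers share, it works out the exclusion range each server must configure so that the primary hands out 80 percent of the pool and the secondary 20 percent, and checks that the two remaining pools never overlap. The scope range 192.168.1.10 to 192.168.1.209 is a constructed sample.

```python
"""Exclusion ranges for an 80/20 split scope. Added example, not from the
original document; the sample scope range is constructed."""

import ipaddress


def split_scope_exclusions(start, end, primary_share=80):
    """For a scope running from start to end (inclusive) return the exclusion
    range each server configures: {'primary': (first, last), 'secondary': (first, last)}.
    The primary keeps the low end of the range, the secondary the high end."""
    lo, hi = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
    if hi < lo:
        raise ValueError("end address precedes start address")
    total = hi - lo + 1
    primary_count = total * primary_share // 100
    if not 0 < primary_count < total:
        raise ValueError("this split would leave one server with no addresses")

    def a(n):
        return str(ipaddress.ip_address(n))

    return {
        # primary hands out lo .. lo+primary_count-1, so it excludes everything above
        "primary": (a(lo + primary_count), a(hi)),
        # secondary hands out the top share, so it excludes the primary's block
        "secondary": (a(lo), a(lo + primary_count - 1)),
    }


def pools_partition_scope(start, end, exclusions):
    """True when the two servers' remaining pools are disjoint and together cover
    the whole scope, i.e. no address can be offered by both servers."""
    lo, hi = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
    pools = []
    for name in ("primary", "secondary"):
        ex_lo, ex_hi = (int(ipaddress.ip_address(x)) for x in exclusions[name])
        pools.append({n for n in range(lo, hi + 1) if not ex_lo <= n <= ex_hi})
    return pools[0].isdisjoint(pools[1]) and pools[0] | pools[1] == set(range(lo, hi + 1))


# Constructed sample scope of 200 addresses
SAMPLE = split_scope_exclusions("192.168.1.10", "192.168.1.209")
```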
process, DHCP clients request IP addresses, and obtain leases for IP addresses from the DHCP server. When the DHCP client boots up on the network, the DHCP lease process occurs between the DHCP server and DHCP client. During the DHCP lease process, the DHCP scopes configured for a DHCP server are used to provide DHCP clients with IP addresses. The DHCP lease process consists of four messages sent between the DHCP server and the DHCP client:

- DHCPDISCOVER message: This message is sent by a client when it boots up on the network to request an IP address lease from a DHCP server. The message is sent as a broadcast packet over the network, requesting that a DHCP server respond to it.
- DHCPOFFER message: This message is a response to a DHCPDISCOVER message, and is sent by one or more DHCP servers.
- DHCPREQUEST message: The client sends a DHCP Request message to the first DHCP server which responded to its request. The message indicates that the client is requesting the particular IP address for lease.
- DHCPACK message: The DHCP Acknowledge message is sent by the DHCP server to the DHCP client, and is the step in which the DHCP server assigns the IP address lease to the DHCP client.
Because the DHCPDISCOVER message is a broadcast message, and broadcasts only cross other segments when they are explicitly routed, you might have to configure a DHCP Relay Agent on the router interface so that all DHCPDISCOVER messages can be forwarded to your DHCP server. Alternatively, you can configure the router to forward DHCP and BOOTP messages. In a routed network, you would need DHCP Relay Agents if you plan to implement only one DHCP server. For DHCP to operate, all client computers should be able to contact the DHCP server. DHCP relies on the network topology, and is in turn relied on by all TCP/IP based hosts within your networking environment. Therefore, if your network has multiple segments, you have to perform one of the following:

- Place a DHCP server on each segment.
- Place a DHCP Relay Agent on each segment.
- Configure your routers to forward broadcast messages.
The DHCP Relay Agent makes it possible for DHCP broadcast messages to be sent over routers that do not support forwarding of these types of messages. The DHCP Relay Agent is therefore the routing protocol that enables DHCP clients to obtain IP addresses from a DHCP server that is not located on the local subnet. If you have no DHCP Relay Agent configured, your clients would only be able to obtain IP addresses from a DHCP server on the same subnet. To enable clients to obtain IP addresses from a DHCP server on a remote subnet, you have to configure the DHCP Relay Agent on the subnet that contains the remote clients, so that it can relay DHCP broadcast messages to your DHCP server. The systems that can use the DHCP Relay Agent are:
In routed networks, you need to either enable your routers to forward DHCP broadcast messages or configure a DHCP Relay Agent for the following reasons:

- The router will drop DHCP broadcast messages if it is not configured to forward them, and no DHCP Relay Agent exists. The DHCP lease process would then not be able to take place.
- The initial message sent by the DHCP client is a broadcast message.
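The lease exchange and the relay's role, as an added model that is not part of the original document: one server holds a scope for its own subnet and one for a remote subnet, and a client on the remote subnet only obtains a lease when a relay forwards its broadcast across the router. The server picking the scope from the relay's interface address (the giaddr field of the forwarded message) is standard RFC 2131 behaviour rather than something the text states; the server, scopes, relay and MAC addresses are constructed samples, and the counter names follow the DHCP console statistics described earlier.

```python
"""Model of the four-message DHCP lease process (DHCPDISCOVER, DHCPOFFER,
DHCPREQUEST, DHCPACK) and of why a remote segment needs a DHCP Relay Agent.
Added example, not code from the original document; scopes, addresses and MACs
are constructed, and the relay stamping its own interface address into the
forwarded message (the giaddr field) is standard RFC 2131 behaviour."""

import ipaddress


class DhcpServer:
    def __init__(self, address, scopes):
        """scopes: {network: [pool addresses]}; the server address lies in one of them."""
        self.address = ipaddress.ip_address(address)
        self.scopes = {ipaddress.ip_network(n): list(p) for n, p in scopes.items()}
        self.pending, self.leases = {}, {}          # {mac: ip} after OFFER / after ACK
        # Counters named as in the DHCP console statistics
        self.stats = dict(Discovers=0, Offers=0, Requests=0, Acks=0, Nacks=0)

    def _scope_for(self, msg):
        # Relayed: giaddr is the relay interface on the client's subnet.
        # Direct broadcast: the client is on the server's own subnet.
        anchor = ipaddress.ip_address(msg["giaddr"]) if msg.get("giaddr") else self.address
        return next(net for net in self.scopes if anchor in net)

    def handle(self, msg):
        mac = msg["mac"]
        if msg["type"] == "DHCPDISCOVER":
            self.stats["Discovers"] += 1
            pool = self.scopes[self._scope_for(msg)]
            ip = self.leases.get(mac) or self.pending.get(mac) or (pool.pop(0) if pool else None)
            if ip is None:
                return None                         # scope exhausted: no offer is sent
            self.pending[mac] = ip
            self.stats["Offers"] += 1
            return {"type": "DHCPOFFER", "mac": mac, "yiaddr": ip, "server": self.address}
        if msg["type"] == "DHCPREQUEST":
            self.stats["Requests"] += 1
            if msg["server"] == self.address and self.pending.get(mac) == msg["requested"]:
                self.leases[mac] = self.pending.pop(mac)
                self.stats["Acks"] += 1
                return {"type": "DHCPACK", "mac": mac, "yiaddr": self.leases[mac]}
            self.stats["Nacks"] += 1                # address this client was never offered
            return {"type": "DHCPNACK", "mac": mac}
        raise ValueError(msg["type"])


def lease(server, mac, client_subnet, relay=None):
    """Drive one client through the lease process; returns the leased address,
    or None when the client's broadcast never reaches the server."""
    server_net = next(n for n in server.scopes if server.address in n)
    net = ipaddress.ip_network(client_subnet)

    def deliver(msg):                               # the client's broadcast
        if net == server_net:
            return server.handle(msg)               # same segment: the server hears it
        if relay and ipaddress.ip_address(relay) in net:
            return server.handle({**msg, "giaddr": relay})   # relay forwards across the router
        return None                                 # router drops the broadcast

    offer = deliver({"type": "DHCPDISCOVER", "mac": mac})
    if offer is None:
        return None
    ack = deliver({"type": "DHCPREQUEST", "mac": mac, "requested": offer["yiaddr"], "server": offer["server"]})
    return ack["yiaddr"] if ack and ack["type"] == "DHCPACK" else None


# Constructed sample: one server on 10.1.0.0/24 that also serves the remote 10.2.0.0/24
SERVER = DhcpServer("10.1.0.5", {"10.1.0.0/24": ["10.1.0.100", "10.1.0.101"], "10.2.0.0/24": ["10.2.0.100"]})
```

Calling lease(SERVER, mac, "10.2.0.0/24") without a relay returns None and the Discovers counter still increments nowhere on the server, which is exactly the symptom the list above describes; adding relay="10.2.0.1" makes the same client receive 10.2.0.100.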
- Enable Routing and Remote Access Server (RRAS).
- Install the DHCP Relay Agent routing protocol.
- Configure DHCP Relay Agent properties.
- Configure/enable the DHCP Relay Agent on the router interface to forward DHCP broadcast messages.
- View statistical information on the operation of the DHCP Relay Agent.
How to view statistical information on the operation of the DHCP Relay Agent

1. Click Start, All Programs, Administrative Tools and then click Routing and Remote Access to open the Routing And Remote Access console.
2. Select the DHCP Relay Agent node, and view the statistical information that is displayed in the details pane of the Routing And Remote Access console:
   o Received requests
   o Received replies
   o Discarded requests
   o Discarded replies