(0) exportieren Drucken
Alle erweitern

DHCP Step-by-Step Guide: Demonstrate DHCP Name Protection in a Test Lab

Name squatting occurs when a non-Windows-based computer registers in Domain Name System (DNS) with a name that is already registered to a computer running a Windows® operating system. The use of Name Protection in the Windows Server® 2008 R2 operating system prevents name squatting by non-Windows-based computers. Name squatting does not present a problem on a homogeneous Windows network where Active Directory® Domain Services (AD DS) can be used to reserve a name for a single user or computer.

Name Protection is based on the Dynamic Host Configuration Identifier (DHCID) in the Dynamic Host Configuration Protocol (DHCP) server, and support for the new DHCID RR (resource record) in DNS. DHCID RR is described by the Internet Engineering Task Force (IETF) in RFCs 4701 and 4703.

DHCID is an RR stored in DNS that maps names to prevent duplicate registration. This RR is used by DHCP to store an identifier for a computer, along with other information for the name such as the A, AAAA records of the computer. The unique position of DHCP in the name registration process enables it to request this match, and then refuse the registration of a computer with a different address attempting to register a name with an existing DHCID record.

DHCID prevents the following name squatting situations:

  • Server name squatting by a client.

  • Server name squatting by another server.

  • Client name squatting by another client.

  • Client name squatting by a server.

In addition, support for DHCP Unique Identifier (DUID) is added to the IPv4 registration on the DHCP client. DUID is described by the IETF in RFC 4361.

Name Protection can be configured for IPv4 and IPv6 at the network adapter level or scope level. Name Protection settings configured at the scope level take precedence over the setting at the IPv4 or IPv6 level. If Name Protection at the scope level is not configured at all, then the setting at the IPv4 or IPv6 network adapter takes precedence. DHCID protects names on a first come-first served basis.

The step-by-step instructions in this paper show how to set up Name Protection in a test lab so that you can better understand how this feature works.

In this guide

This step-by-step guide contains an introduction to Name Protection and instructions for setting up a test lab using one DHCP server and three client computers. Two client computers have windows installed and the other client computer has a third-party operating system installed.

ImportantWichtig
The following instructions are for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is not designed to reflect best practices, nor does it reflect a recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.

Scenario overview

In this test lab, Name Protection is configured on a computer running Windows Server 2008 R2 that has the DHCP Server service installed. Three DHCP client computers are also configured: one client computer running the Windows® 7 operating system with the DHCP Client service running, and two client computers running a third-party operating system. A computer running Windows Server 2008 R2 is also used in the test lab as a domain controller and DNS server. Although Name Protection supports both IPv4 and IPv6 networks, this document details the configuration for IPv4 only to reduce the complexity of the test lab and demonstrate the feature.

Having obtained an IP address from DHCP Server 1, (Windows) DHCP Client 1, with the name enggmachine1.contoso.com, is assigned an A record by registering with DNS. (Non-Windows) DHCP Client 2, with the name enggmachine2.contoso.com, also obtains an IP address from DHCP Server 1 and is assigned an A record and a DHCID record by registering with DNS. Name Protection is demonstrated in the lab when (non-Windows) DHCP Client 3 attempts DNS registration with an already used FQDN. Although DHCP client 3 has obtained an IP address, the DNS registration is denied.

Software requirements

The following are required components of the test lab:

  • The product disc for Windows Server 2008 R2.

  • The product disc for Windows 7.

Steps for configuring the test lab

There are initial installation and configuration and post-installation configuration stages required to set up this test lab.

  • Configure DC1.

    DC1 is a server running Windows Server 2008 R2. DC1 is configured as a domain controller with AD DS and the primary DNS server for the intranet subnet.

  • Configure DHCP Server 1.

    DHCP Server 1 is a server running Windows Server 2008 R2. DHCP Server 1 is configured with the DHCP Server service, and functions as a DHCP server in the domain.

  • Configure the Windows-based DHCP clients

    DHCP Client 1 is a DHCP client running Windows 7.

  • Configure non-Windows (Linux/Solaris/Unix)-based DHCP clients.

    DHCP Client 2 and DHCP Client 3 are DHCP clients running a non-Windows-based operating system.

Configure DC1

DC1 is a computer running Windows Server 2008 R2, which provides the following services:

  • A domain controller for the Contoso.com AD DS domain.

  • A DNS server for the Contoso.com DNS domain.

To configure DC1, complete the following tasks:

  • Install the operating system.

  • Configure Transmission Control Protocol/Internet Protocol (TCP/IP).

  • Install AD DS and DNS.

  • Create a user account and group in AD DS.

The following sections explain these steps in detail.

Install the operating system on DC1

Install Windows Server 2008 R2as a stand-alone server.

To install the operating system on DC1

  1. Start your computer using the Windows Server 2008 R2 product disc.

  2. When prompted for a computer name, type DC1.

Configure TCP/IP on DC1

Configure the TCP/IP protocol with a static IP address of 172.16.1.1 and the subnet mask of 255.255.255.0.

To configure TCP/IP on DC1

  1. Click Start, click Control Panel, and then double-click Network and Internet, click Network and Sharing Center, and then click Change Adapter Settings.

  2. Right-click Local Area Connection, and then click Properties.

  3. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

  4. Select Use the following IP address. Type 172.16.1.1 next to IP address and 255.255.255.0 next to Subnet mask.

  5. Verify that Preferred DNS server is blank.

  6. Click OK, click Close, and then close Network Connections.

Configure DC1 as a domain controller and DNS server

DC1 serves as the only domain controller and DNS server for the Contoso.com domain.

To configure DC1 as a domain controller and DNS server

  1. To start the AD DS Installation Wizard, click Start, click Run, type dcpromo, and then press ENTER.

  2. In the AD DS Installation Wizard dialog box, click Next.

  3. Operating system compatibility information is displayed. Click Next again.

  4. Verify that Domain controller for a new domain is selected, and then click Next.

  5. Verify that Domain in a new forest is selected, and then click Next two times.

  6. On the Install or Configure DNS page, select No, just install and configure DNS on this computer, and then click Next.

  7. Type Contoso.com next to Full DNS name for new domain, and then click Next.

  8. Confirm that the Domain NetBIOS name shown is CONTOSO, and then click Next.

  9. Accept the default Database Folder and Log Folder directories, and then click Next.

  10. Accept the default folder location for Shared System Volume, and then click Next.

  11. Verify that Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems is selected, and then click Next.

  12. Leave the Restore Mode Password and Confirm Password text boxes blank, and then click Next.

  13. View the summary information provided, and then click Next.

  14. Wait while the wizard completes configuration of AD DS and DNS services, and then click Finish.

  15. When prompted to restart the computer, click Restart Now.

  16. After the computer is restarted, log on to the CONTOSO domain using the Administrator account.

Create a user account in AD DS

Next, create a user account in AD DS. This account is used when logging in to DHCP Server 1.

To create a user account in AD DS

  1. Click Start, point to Administrative Tools, and then click AD DS Users and Computers.

  2. In the console tree, double-click Contoso.com, right-click Users, point to New, and then click User.

  3. In the New Object - User dialog box, next to Full name, type User1, and in User logon name, type User1.

  4. Click Next.

  5. In the Password box, type the password that you want to use for this account, and in the Confirm password box, type the password again.

  6. Clear the User must change password at next logon check box, and select the Password never expires check box.

  7. Click Next, and then click Finish.

  8. Leave the AD DS Users and Computers console open for the following procedure.

Add user1 to the DHCP Administrators group

Next, add the newly created user to the DHCP Administrators group and use it for all of the configuration activities.

To add a user to the DHCP Administrators group

  1. In the AD DS Users and Computers console tree, click Users.

  2. In the details pane, double-click DHCP Administrators.

  3. In the DHCP Administrators Properties dialog box, click the Members tab, and then click Add.

  4. Under Enter the object names to select (examples), type User1, the user name that you created in the previous procedure, and then click OK two times.

  5. Leave the AD DS Users and Computers console open for the following procedure.

Configure DHCP Server 1

For the test lab, DHCP Server 1 is running Windows Server 2008 R2, with the DHCP server service, which provides IP addresses and leases for the requesting DHCP clients. To configure DHCP Server 1, complete the following tasks:

  • Install the operating system.

  • Configure TCP/IP.

  • Join the computer to the domain.

  • Install DHCP server roles.

  • Configure DHCP.

Install Windows Server 2008 R2

To install Windows Server 2008 R2

  1. Start your computer using the Windows Server 2008 R2 product CD.

  2. When prompted for the installation type, select Custom.

  3. Follow the instructions that appear on your screen to finish the installation.

Install the DHCP server role

  1. Click Start, and then click Server Manager.

  2. Under Roles Summary, click Add roles, and then click Next.

  3. On the Select Server Roles page, select the DHCP server, and then click Next two times.

  4. On the Select Network Connection Bindings page, verify that 172.16.1.2 is selected, and then click Next on DHCP Server 1. Similarly, on the Select Network Connection Bindings page, verify that 172.16.1.3 is selected, and then click Next on DHCP Server 2.

  5. On the Specify IPv4 DNS Server Settings page, verify that contoso.com is listed under Parent domain.

  6. Type 172.16.1.1 under Preferred DNS server IP address, and then click Validate. Verify that the result returned is valid, and then click Next.

  7. On the Specify WINS Server Settings page, accept the default setting of WINS is not required on this network, and then click Next.

  8. On the Add or Edit DHCP Scopes page, click Add.

  9. In the Add Scope dialog box, type SS Scope next to Scope Name. Next to Starting IP Address, type 172.16.1.4, next to Ending IP Address, type 172.16.1.204, and next to Subnet Mask, type 255.255.255.0.

  10. Select the Activate this scope check box, click OK, and then click Next.

  11. On the Configure DHCPv6 Stateless Mode page, select Disable DHCPv6 stateless mode for this server, and then click Next.

  12. On the Authorize DHCP Server page, select Use current credentials. Verify that CONTOSO\user1 is displayed next to Username, and then click Next.

  13. On the Confirm Installation Selections page, click Install.

  14. Verify the installation was successful, and then click Close.

Configure DHCP on DHCP Server 1

DHCP Server 1 is the member server that provides DHCP addressing. The DHCP service was partially configured during installation with Server Manager on both of these servers.

We will configure scope options further for DHCP Server 1.

Open the DHCP console

To open the DHCP console

  1. Click Start, click Run, type dhcpmgmt.msc, and then press ENTER.

  2. Leave this window open for all DHCP configuration tasks.

Configure the default user class on DHCP Server 1

Next, configure scope options for the default user class. These server options are used when a client computer attempts to access the network and obtain an IP address from the DHCP server.

To configure default user class scope options

  1. In the DHCP console tree, under Scope [172.16.0.0] SS Scope, right-click Scope Options, and then click Configure Options.

  2. On the Advanced tab, verify that Default User Class is selected next to User class.

  3. Select the 006 DNS Servers check box, in IP Address, under Data entry, type 172.16.1.1, and then click Add.

  4. Select the 015 DNS Domain Name check box, in String value, under Data entry, type contoso.com, and then click OK.

    noteHinweis
    The 003 Router option is configured in the default user class if a default gateway is required for client computers. Because all computers in the test lab are located on the same subnet, this option is not required.

Configure the Windows-based DHCP client

DHCP Client 1 is a computer running Windows Server 2008 R2 that you use to demonstrate DHCP clients requesting IP Addresses from the DHCP server in the domain. To configure the DHCP client, complete the following tasks:

  • Install the operating system.

  • Configure TCP/IP.

  • Verify network connectivity.

  • Join the computer to the domain and restart the computer.

Install Windows 7 on DHCP clients

To install the operating system on DHCP Client 1

  1. Start your computer using the product discs for Windows 7.

  2. When prompted for the installation type, select Custom Installation.

  3. When prompted for a computer name, type DHCP Client 1.

  4. On the Select your computer's current location page, click Work.

  5. Follow the rest of the instructions that appear on your screen to finish the installation.

Configure TCP/IP on the DHCP client

To configure TCP/IP on DHCP Client 1

  1. Click Start, and then click Control Panel.

  2. Click Network and Internet, click Network and Sharing Center, and then click Manage network connections.

  3. Right-click Local Area Connection, and then click Properties.

  4. In the Local Area Connection Properties dialog box, clear the Internet Protocol Version 6 (TCP/IPv6) check box. This reduces the complexity of the lab, particularly for those who are not familiar with IPv6.

  5. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

  6. Verify that Obtain an IP address automatically and Obtain DNS server address automatically are selected.

  7. Click OK, and then click Close to close the Local Area Connection Properties dialog box.

  8. Close the Network Connections and Network and Sharing Center windows.

Join the DHCP client to the Contoso.com domain

Because the DHCP client now has access to domain services, they can be joined to the domain.

To join DHCP Client 1 to the Contoso.com domain

  1. Click Start, right-click Computer, and then click Properties.

  2. Under Computer name, domain, and workgroup settings, click Change settings.

  3. In the System Properties dialog box, click Change.

  4. In the Computer Name/Domain Changes dialog box, select Domain, type Contoso.com, and then, in Computer Name, type enggmachine1.contoso.com.

  5. Click More, and then, in Primary DNS suffix of this computer, type Contoso.com.

  6. Click OK two times.

  7. When prompted for a user name and password, type the user name and password for the User1 account, and then click OK.

  8. When you see a dialog box that welcomes you to the Contoso.com domain, click OK.

  9. When you see a dialog box that tells you that you must restart the computer to apply changes, click OK.

  10. In the System Properties dialog box, click Close.

  11. In the dialog box that prompts you to restart the computer, click Restart the computer now.

Check DNS Records for entry of the Windows-based DHCP client

Next, check for DHCP Client 1 entry in DNS Records.

Open the DNS console

  • Click Start, click Run, type dnsmgmt.msc, and then press ENTER.

  • Leave this window open to view DNS records.

  • Click the DNS node, select the DNS server, and then double-click the Forward Lookup Zones node.

  • Click the Contoso.com domain.

  • There should be one entry for DHCP Client 1. The FQDN should be enggmachine1.contoso.com in the Name column, Host (A) in the Type column, and the IPv4 address issued by the DHCP server in the Data column.

Configure non-Windows-based DHCP clients

DHCP Client 2 and DHCP Client 3 are computers running non-Windows-based DHCP clients, such as Linux, Solaris, or Unix, that demonstrate a non-Windows-based DHCP client request for an IP Address from the DHCP server in the domain. To configure the non-Windows-based DHCP clients, complete the following tasks:

  • Install the operating system and configure the computers to be part of the domain.

  • On each client computer, configure TCP/IP to obtain an IP Address automatically from DHCP Server 1 in the domain and also to obtain the DNS server IPv4 address automatically.

  • Verify network connectivity.

  • Join the DHCP clients to the domain, giving both the same FQDN of enggmachine2.contoso.com. Then, if required, restart the computer.

Check DNS Records for entry of the non-Windows-based DHCP clients

To open the DNS console

  1. Click Start, click Run, type dnsmgmt.msc, and then press ENTER.

  2. Leave this window open to view DNS records.

  3. Click DNS, select the DNS server, and then double-click Forward Lookup Zones.

  4. Click the Contoso.com domain.

  5. In the right pane, there should now be two entries for DHCP Client 2. One entry records the FQDN enggmachine2.contoso.com in the Name column, Host (A) in the Type column, and the IPv4 address issued by the DHCP server in the Data column. The second entry records FQDN enggmachine2.contoso.com in the Name column, DHCID in the Type column, and some alphanumeric (unique DHCID for this record) number in the Data column.

    DHCP Client 3 tries to register with the same FQDN as DHCP Client 2, but cannot because there are already DNS records for both DHCP Client 1 and DHCP Client 2 available in the DNS server. Although it did obtain a DHCP address from DHCP Server 1, DHCP client 3 is unable to add an entry in DNS.

Appendix

This appendix helps you with troubleshooting techniques and the setting of optional features in Windows Server 2008 R2 and Windows 7.

Review DHCP client events

Reviewing information contained in DHCP client events can help you with troubleshooting. It can also help you understand DHCP client functionality.

To review DHCP client events in Event Viewer

  1. Click Start, point to All Programs, click Accessories, and then click Run.

  2. Type eventvwr.msc, and then press ENTER.

  3. In the left tree, navigate to Event Viewer (Local)\Windows Logs\System.

  4. Click an event in the middle pane.

  5. By default, the General tab is displayed. Click the Details tab to view additional information.

  6. You can also right-click an event, and then click Event Properties to open a new window for reviewing events.

Review DHCP server events

Reviewing information contained in Windows System events on your DHCP servers can help you with troubleshooting. It can also help you understand DHCP server functionality.

To review DHCP server events in Event Viewer

  1. Click Start, and then click Run.

  2. Type eventvwr.msc, and then press ENTER.

  3. In the left tree, navigate to Event Viewer (Local)\Custom Views\Server Roles\DHCP Server.

  4. Click an event in the middle pane.

  5. By default, the General tab is displayed. Click the Details tab to view additional information.

  6. You can also right-click an event, and then click Event Properties to open a new window for reviewing events. The following are the events pertaining to this feature:

  • 1340 - EVENT_SERVER_DNSDHCID_FAIL

    The DNS registration for DHCPv4 Client IP address %1 , FQDN %2, and DHCID %3 is denied as there is probably an existing client with same FQDN already registered with DNS.

  • 1340 - EVENT_SERVER_DNSDHCID_FAIL

    The DNS registration for DHCPv6 Client IPv6 address %1 , FQDN %2, and DHCID %3 is denied as there is probably an existing client with same FQDN already registered with DNS.

Fanden Sie dies hilfreich?
(1500 verbleibende Zeichen)
Vielen Dank für Ihr Feedback.

Community-Beiträge

HINZUFÜGEN
Anzeigen:
© 2014 Microsoft