TechNet Chat: Configuring and Deploying DHCP with Windows Server 2003
Published: November 20, 2003
Introduction
Moderator: Brian_B (Microsoft)
Welcome to today’s Windows TechNet chat. Our topic today is Configuring and Deploying DHCP with Windows Server 2003.
Moderator: Brian_B (Microsoft)
We are pleased to welcome our experts for today. I will have them introduce themselves now.
Host: Chris (Microsoft)
I'm Chris, and I'm a Test Engineer on the Windows Server Secure Network Services product team, and my area of expertise is the DHCP Server.
Host: Wai-O (Microsoft)
Hi, my name is Wai-O and I work with DHCP Server in the IAS Team.
Host: Sakura (Microsoft)
Hi, I'm Sakura Thompson. I am a Test Engineer as well and work with DHCP Client.
Host: JasonP (Microsoft)
I'm Jason and I am a Sr. Systems Engineer in Microsoft's internal IT department: Global Technology Services. My focus is core Windows infrastructure services for Microsoft's internal WINS, DNS, DHCP, AD, and IPsec architecture.
Host: Geoff (Microsoft)
I'm Geoff Brock. I am a Senior Operations Analyst and work on the Infrastructure Operations Team in Global Technology Services. My primary responsibilities are DHCP and WINS.
Moderator: Brian_B (Microsoft)
...and your pleasant, but firm, Host, Brian Boston :). I am a Community Program Manager.
Start of Chat
Moderator: Brian_B (Microsoft)
Let’s begin the chat.
Host: Chris (Microsoft)
Q: I have been testing W2K3 DHCP; should I expect major changes between 2000 and 2003?
A: Please visit: http://technet2.microsoft.com/windowsserver/en/library/e3d396dd-c141-432b-9e69-50f597061e471033.mspx?mfr=true for the major highlights.
Host: Wai-O (Microsoft)
Q: Are there any enhancements planned for SP1?
A: No, there are no major enhancements for SP1.
Host: Chris (Microsoft)
Q: Are there any plans for adding limited DHCP based on a MAC address entry?
A: You can do this now, using reservations. However, if that isn't flexible enough for you, you can write a plug-in, called a Callout DLL, that the DHCP Server can load. This plug-in can be used to affect the processing of DHCP packets at various stages. One of the actions you can take is to tell the DHCP Server to drop the packet. See http://msdn.microsoft.com/library/en-us/dhcp/dhcp/dhcp_server_api.asp for details on using this API.
Host: Wai-O (Microsoft)
Q: I hadn't heard anything about SP1. When will it be available, and should I wait until SP1 to deploy 2003 DHCP?
A: You shouldn't need to wait for SP1 to deploy 2003 DHCP, since there will be no major changes to it.
Host: Chris (Microsoft)
Q: Do you have to write a custom script to use plugins or is there some interface for that built-in?
A: The 'plug-in' is called a callout DLL, and the structures and types, as well as the Hooks that DHCP uses to call into the DLL, are listed at the link.
Host: Chris (Microsoft)
A: See http://msdn.microsoft.com/library/en-us/dhcp/dhcp/dhcp_server_api.asp
Host: Chris (Microsoft)
Q: Where could I get a script to add multiple MAC addresses to my reservation pool?
A: Depends on how you are acquiring the MAC addresses. It is a simple operation to add a reservation using the NETSH DHCP helper.
Host: Chris (Microsoft)
A: Please see the following link for more information (specifically, look up the command "netsh dhcp server <IP> scope <scopeID> add reservedIP").
Host: Chris (Microsoft)
A: http://technet2.microsoft.com/windowsserver/en/library/e3d396dd-c141-432b-9e69-50f597061e471033.mspx?mfr=true
Host: Wai-O (Microsoft)
Q: Does no major changes in SP1 mean that there are some minor changes/bug fixes?
A: Yes, there will be some minor bug fixes in SP1.
Host: Wai-O (Microsoft)
Q: Are there any major things to watch out for when upgrading your Windows 2000 DHCP to Windows 2003 DHCP?
A: The major thing is that in W2K03 we moved the scope configuration information from the registry (W2K) to the Jet database (W2K03).
Host: Chris (Microsoft)
Q: I gather I have to run this command from the machine running the DHCP server?
A: Yes, from >a< DHCP Server. The NETSH DHCP helper is installed with DHCP Server, and you can use the helper to administer both local and remote DHCP Servers.
Host: Chris (Microsoft)
Q: How does DHCP configuration in SBS 2003 compare with SBS 2000 or Windows 2000/2003 regular?
A: For the most part, there is no big difference between SBS 2003 and Standard/Advanced Server 2003. The major difference between SBS 2003 and the other Server 2003 versions is in how Rogue Detection is performed. When an SBS DHCP Server service starts, it sends out 4 broadcast DHCPDISCOVERs (just like a DHCP Client would), and if it receives >any< answers (meaning there's another configured DHCP Server on the network), it stops servicing. If it doesn't receive any responses, it will service clients. It then re-checks every 1 hour (by default) using the same method.
Moderator: Brian_B (Microsoft)
For those just joining the chat – our topic today is Configuring and Deploying DHCP with Windows Server 2003.
Host: Geoff (Microsoft)
Q: Is it true that DHCP will detect a rogue DHCP and will stop it or let the administrator know that there is one? Now if it is some other DHCP (non-Microsoft OS), then you can't block them.
A: Rogue detection only works with Windows Server 2000/2003 servers running DHCP. Other implementations of DHCP do not verify if they are in an Active Directory environment. Windows DHCP server will check if it is participating in an Active Directory domain and, if it is, will check if it is in the authorized server list. If it is not, then the DHCP service will not respond.
Host: Chris (Microsoft)
Q: Besides MAC reservations, is there another way to ensure that only my 200 PCs in my office get an IP from my DHCP? I have W2K3 AD and I am thinking of a GPO to prevent anyone walking into my office, plugging in a laptop and gaining IP connectivity to my network.
A: You can use reservations, but the nature of DHCP is IP broadcast, meaning that the communications are pretty open and visible to anyone on the network. Thus, it is very easy for a determined user to sniff the traffic on your network, then to spoof and pretend to be that client, and obtain that IP. So I really wouldn't recommend DHCP as a security solution. Reservations would prevent someone from just 'getting an IP by plugging in', though.
Host: Chris (Microsoft)
A: (cont) If you are looking for security on your network, I'd look into using IPSEC, or 802.1x, which both require true authentication and allow more granular control over network access.
Host: JasonP (Microsoft)
Q: Can you provide any links on the IPSec option that you mentioned?
A: A great link for IPsec deployment resources is http://www.microsoft.com/windows2000/technologies/communications/ipsec/default.asp
Host: Chris (Microsoft)
Q: I don't know how 2000 or 2003 does that. How is that different?
A: I'm not sure about the differences between SBS 2000 and SBS 2003, but I know that the story for the other Server types is basically the same between 2000 and 2003, as far as Rogue Detection goes.
Host: Chris (Microsoft)
A: Please see Geoff's answer above about Rogue Detection for some details...
Host: Chris (Microsoft)
A: I'll give a quick basic rundown of Server 2003 DHCP Server rogue detection momentarily...
Host: Chris (Microsoft)
Q: How does Rogue Detection work for DHCP Server in Windows Server 2003 (non-SBS)?
A: When the service starts, the following actions are performed:
If an AD domain member, it accesses AD and checks a list to see if its IP or name appears in the authorized list.
If not, DHCP Server won't service clients.
If it finds itself, it will service clients.
If a WorkGroup member, then the server sends out 4 broadcast DHCPINFORMs. Other Windows Servers (2000 and above) will answer these informs with DHCPACKs, including an option identifying whether they are AD or Workgroup member DHCP Servers.
If the WG member receives answers from AD member DHCP Servers, it assumes it is not authorized, and stops servicing.
If it receives only responses from other WG servers, or no responses at all, it will service clients.
In both cases, the server re-checks authorization every 1 hour by default.
Host: JasonP (Microsoft)
Q: I implemented IPsec to prevent communication from unauthorized PCs, so can't I create a GPO on my Computer OU so only those computers get IPs from my DHCP?
A: IPsec is not designed to prevent unauthorized users from actually obtaining an address from a DHCP server, as by default it does not secure broadcast traffic.
Host: JasonP (Microsoft)
A: It does however prevent malicious use of the network by unauthorized machines by enforcing network level authentication, packet integrity and/or encryption for IP traffic between authorized hosts.
Host: Geoff (Microsoft)
Q: What do you recommend as a good "sniffer"?
A: MS provides Netmon with its server products. There are also several others on the market such as Sniffer, Netscout, and Ethereal that can capture and analyze network traffic.
Host: Chris (Microsoft)
Q: If you install and run SBS DHCP on a system that's attached to a router with DHCP running... will that cause issues as well?
A: Yes, SBS will shut down in the presence of any properly configured DHCP Server (one that is responding to DHCPDISCOVERs).
Host: JasonP (Microsoft)
Q: Is there a way to detect how many concurrent DHCP servers are present on a network?
A: There are no tools that I know of that can scan a network for active DHCP servers. You can pull the list of authorized Windows DHCP servers with NETSH. You could use Network Monitor or an equivalent sniffer to pick up DHCP broadcast activity on the network.
Host: Geoff (Microsoft)
Q: Briefly, can you help me understand when I want to use a reservation vs. an exclusion?
A: Use a reservation to have DHCP assign a specific IP and/or options to a specific MAC address. An exclusion will prevent DHCP from assigning that IP. An excluded IP is used on a client that has been manually configured.
Moderator: Brian_B (Microsoft)
I'd like to thank Chris, Wai-O, Sakura, Jason, and Geoff from the Windows Secure Network Services product team and the Infrastructure Operations Team for Microsoft Global Technology Services for joining us today for this TechNet Chat.
Moderator: Brian_B (Microsoft)
...and the rest of you for your questions and comments.
Moderator: Brian_B (Microsoft)
If you would like further information on these technologies, check out the following locations:
Moderator: Brian_B (Microsoft)
Windows 2003 Networking and Communications Services Technology Center
http://www.microsoft.com/windowsserver2003/technologies/networking/default.mspx
Moderator: Brian_B (Microsoft)
New features for DHCP in Windows Server 2003
http://technet2.microsoft.com/windowsserver/en/library/e3d396dd-c141-432b-9e69-50f597061e471033.mspx?mfr=true
Moderator: Brian_B (Microsoft)
What's New in Networking and Communication for Windows Server 2003
http://www.microsoft.com/windowsserver2003/evaluation/overview/technologies/networking.mspx
Moderator: Brian_B (Microsoft)
DHCP information from the Windows 2003 Server Product Documentation
http://technet2.microsoft.com/windowsserver/en/library/e3d396dd-c141-432b-9e69-50f597061e471033.mspx?mfr=true
Moderator: Brian_B (Microsoft)
Chapter 5 of the Windows 2003 Resource Kit - Deploying DHCP
http://download.microsoft.com/download/5/6/9/5695b3a2-bfbb-4638-8058-de94c3c5b7ff/05_CHAPTER_2_Deploying_DHCP.doc
Moderator: Brian_B (Microsoft)
Thanks for your interest and feedback! We are going to leave now.
For further information on this topic please visit the following:
http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx
http://www.microsoft.com/windowsserver2003/technologies/networking/wifi/default.mspx
http://www.microsoft.com/technet/itsolutions/network/default.mspx