Prevent rogue DHCP servers on your network by authorizing DHCP servers in AD DS
Applies To: Windows Server 2008 R2
In Windows Server® 2008, the DHCP Server service is integrated with Active Directory to provide authorization for DHCP servers. An unauthorized DHCP server on a network can disrupt network operations by allocating incorrect addresses or configuration options. A DHCP server that is a domain controller or a member of an Active Directory domain queries Active Directory for the list of authorized servers (identified by IP address). If its own IP address is not in the list of authorized DHCP servers, the DHCP Server service does not complete its startup sequence and automatically shuts down.
This is a common issue for network administrators who attempt to install and configure a DHCP server in an Active Directory environment without first authorizing the server.
For a DHCP server that is not a member of the Active Directory domain, the DHCP Server service sends a broadcast DHCPInform message to request information about the root Active Directory domain in which other DHCP servers are installed and configured. Other DHCP servers on the network respond with a DHCPAck message, which contains information that the querying DHCP server uses to locate the Active Directory root domain. The starting DHCP server then queries Active Directory for a list of authorized DHCP servers and starts the DHCP Server service only if its own address is in the list.
How Authorization Works
The authorization process for a DHCP server computer depends on the role that server has on your network. A server computer can be installed in one of three roles:
Domain controller -- The computer keeps and maintains a copy of the Active Directory database and provides secure account management for domain member users and computers.
Member server -- The computer is not operating as a domain controller but has joined a domain in which it has a membership account in the Active Directory database.
Stand-alone server -- The computer is not operating as a domain controller or a member server in a domain. Instead, the server computer is made known to the network through a specified workgroup name, which can be shared by other computers, but is used only for computer browsing purposes and not to provide secured logon access to shared domain resources.
If you deploy Active Directory, all computers operating as DHCP servers must be either domain controllers or domain member servers before they can be authorized and provide DHCP service to clients.
Although it is not recommended, you can use a stand-alone server as a DHCP server as long as it is not on a subnet with any authorized DHCP servers. When a stand-alone DHCP server detects an authorized server on the same subnet, it automatically stops leasing IP addresses to DHCP clients.
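The startup check described above (compare the server's own IP address against the list of authorized servers stored in AD DS) and the requirement that only domain controllers or member servers be authorized can both be exercised from an administrative console. The following script is an added example, not code from the original article; it assumes the DhcpServer PowerShell module (Windows Server 2012 or later), an account with Enterprise Admins rights for the optional -Authorize step, and a single-NIC host. On Windows Server 2008 R2 the equivalent commands are "netsh dhcp show server" and "netsh dhcp add server <FQDN> <IP>".

```powershell
# Added example (not from the original article). Mirrors the DHCP Server service
# startup check: is this computer's IP address on the AD DS authorized-server list?
# Assumptions: DhcpServer module present (Windows Server 2012+), Enterprise Admins
# rights when -Authorize is used. On 2008 R2 use "netsh dhcp show server" and
# "netsh dhcp add server <FQDN> <IP>" instead.
function Test-LocalDhcpAuthorization {
    [CmdletBinding()]
    param(
        [switch]$Authorize   # authorize this server if it is missing from the list
    )

    # Authorized servers as recorded in the Configuration partition of AD DS.
    $authorized   = Get-DhcpServerInDC -ErrorAction Stop
    $authorizedIP = @($authorized | ForEach-Object { $_.IPAddress.ToString() })

    # Local IPv4 addresses, excluding loopback and APIPA (169.254.0.0/16).
    $localIP = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
        Select-Object -ExpandProperty IPAddress

    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $hits = @($localIP | Where-Object { $authorizedIP -contains $_ })

    if ($hits.Count -gt 0) {
        Write-Output "Authorized: $fqdn ($($hits -join ', ')) is on the AD DS list."
        return $true
    }

    Write-Warning "$fqdn is NOT authorized; the DHCP Server service would shut down at startup."
    if ($Authorize) {
        $primaryIP = $localIP | Select-Object -First 1
        Add-DhcpServerInDC -DnsName $fqdn -IPAddress $primaryIP
        Write-Output "Authorized $fqdn at $primaryIP."
        return $true
    }
    return $false
}

# Lists every authorized server so that an entry nobody recognizes stands out
# during a periodic review of the directory.
function Show-AuthorizedDhcpServers {
    Get-DhcpServerInDC | Sort-Object IPAddress | Format-Table DnsName, IPAddress -AutoSize
}

Show-AuthorizedDhcpServers
Test-LocalDhcpAuthorization
```

Run Show-AuthorizedDhcpServers on a schedule and diff the output against the previous run: a server on the list that was never deliberately authorized is worth investigating, and an entry for a decommissioned host can be removed with Remove-DhcpServerInDC so it cannot be reused by a machine that later takes over that address.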