Controlling DHCP Active Directory Authorization

Applies To: Windows Server 2008

Authorizing DHCP servers

Windows Server 2008 provides integrated security support for networks that use Active Directory Domain Services (AD DS). This support adds and uses a class of objects that is part of the base directory schema, providing the following enhancements:

  • A list of IP addresses available for the computers that you authorize to operate as DHCP servers on your network.

  • Detection of unauthorized DHCP servers and prevention of their starting or running on your network.

The following sections discuss:

  • Background information about the detection of unauthorized DHCP servers.

  • How computers are authorized in AD DS to provide DHCP service.

  • How an unauthorized server is detected and prevented from providing DHCP service.

  • Notes and limitations for implementing DHCP service, depending on whether the directory service is available.

Background on unauthorized DHCP servers

When configured correctly and authorized for use on a network, DHCP servers provide a useful administrative service. However, when an incorrectly configured or unauthorized DHCP server is introduced into a network, it can cause problems. For example, if an unauthorized DHCP server starts, it might begin either leasing incorrect IP addresses to clients or negatively acknowledging DHCP clients attempting to renew current address leases. Either can produce further problems for DHCP-enabled clients. For example, clients that obtain a configuration lease from the unauthorized server can fail to locate valid domain controllers, preventing clients from successfully logging on to the network

To resolve these issues, DHCP servers running Windows Server 2008 are verified as authorized in AD DS before they can service clients. This avoids most of the accidental damage caused by running DHCP servers with incorrect configurations or correct configurations on the wrong network.

How DHCP servers are authorized

The authorization process for DHCP server computers depends on the installed role of the server on your network. In Windows Server 2008 there are three roles or server types for which each server computer can be installed:

  • Domain controller.  The computer keeps and maintains a copy of the Active Directory database and provides secure account management for domain member users and computers.

  • Member server.  The computer is not operating as a domain controller but has joined a domain in which it has a membership account in the Active Directory database.

  • Stand-alone server.  The computer is not operating as a domain controller or a member server in a domain. Instead, the server computer is made known to the network through a specified workgroup name, which can be shared by other computers, but is used only for browsing purposes and not to provide secured logon access to shared domain resources.

If you deploy AD DS, all computers operating as DHCP servers must be either domain controllers or domain member servers before they can be authorized and provide DHCP service to clients.

Although it is not recommended, you can use a stand-alone server as a DHCP server as long as it is not on a subnet with any authorized DHCP servers. When a stand-alone DHCP server detects an authorized server on the same subnet, it automatically stops leasing IP addresses to DHCP clients.

For more information, see Authorize a DHCP Server in AD DS, Unauthorizie a DHCP Server in AD DS, and Delegate Ability to Authorize DHCP Servers to a Non-Enterprise Administrator.

How unauthorized servers are detected

DHCP servers running Windows Server 2008 provide detection of both authorized and unauthorized servers using the following specific enhancements to the DHCP standard:

  • The use of information messaging between DHCP servers using the DHCP information message (DHCPINFORM).

  • The addition of several new vendor-specific option types, for communicating information about the root domain.

A DHCP server running Windows Server 2008 uses the following process to determine whether AD DS is available. If found, the server ensures that it is authorized by adhering to the following procedure, depending on whether it is a member server or a stand-alone server:

  • For member servers (a server joined to a domain that is part of the enterprise), the DHCP server queries AD DS for the list of authorized DHCP server IP addresses.

    If the server finds its IP address in the authorized list, it initializes and starts providing DHCP service to clients. If it does not find itself in the authorized list, it does not initialize and stops providing DHCP services.

    When installed in a multiple forest environment, DHCP servers seek authorization from within their forest only. Once authorized, DHCP servers in a multiple forest environment lease IP addresses to all reachable clients. Therefore, if clients from another forest are reached using routers with DHCP/BOOTP forwarding enabled, the DHCP server leases IP addresses to them.

    If AD DS is not available, the DHCP server continues to operate in its last known state.

  • For stand-alone servers (a server not joined to any domain or part of an existing enterprise). When the DHCP service starts, it sends a DHCP information message (DHCPINFORM) request to the reachable network, using the local limited broadcast address (255.255.255.255) to locate the root domain on which other DHCP servers are installed and configured.

    This message includes several vendor-specific option types that are known and supported by other DHCP servers running Windows Server 2003 and Windows Server 2008. When received by other DHCP servers, these option types enable the query and retrieval of information about the root domain. When queried, the other DHCP servers reply with DHCP acknowledgement messages (DHCPACK) to both acknowledge and answer with Active Directory root domain information.

    If the stand-alone server receives no reply, it initializes and starts providing DHCP services to clients. If the stand-alone server receives a reply from a DHCP server that is authorized in AD DS, the stand-alone server does not initialize and does not provide DHCP services to clients.

Authorized servers repeat the detection process at a default interval of 60 minutes. Unauthorized servers repeat the detection process at a default interval of 10 minutes.

Efforts to detect unauthorized servers are noted as "Restarting rogue detection" entries in the audit log.

Additional considerations

For the directory authorization process to work properly, the first DHCP server introduced on your network must participate in AD DS. The server must be installed as either a domain controller or a member server. When planning or deploying AD DS with Windows Server 2008 DHCP, it is important that you do not install your first DHCP server as a stand-alone server.

Most commonly, there is one enterprise root and, therefore, only a single point for directory authorization of the DHCP servers. However, there is no restriction on authorizing DHCP servers for more than one enterprise root.

The fully qualified domain name (FQDN) of the DHCP server cannot exceed 64 characters. If the FQDN of the DHCP server exceeds 64 characters, the attempt to authorize the server fails with the error message, "A constraint violation has occurred." If your DHCP server FQDN exceeds 64 characters, authorize the server using the server’s IP address instead of its FQDN.