Updated: May 8, 2008
Applies To: Windows Server 2008
The booting client and the server communicate using Dynamic Host Control Protocol (DHCP) packets. You can install Windows Deployment Services on the same physical computer or on a different physical computer from the DHCP server. However, the default installation is that Windows Deployment Services and the DCHP server (Microsoft or non-Microsoft) are located on different physical computers. In this scenario, no additional configuration steps are required for interoperability between Windows Deployment Services and the DHCP server.
However, if you are running Windows Deployment Services and DHCP on the same computer, in addition to configuring the server to not listen on port 67, you will need to use your DHCP tools to add Option 60 to their DHCP scopes. This allows booting clients to learn about the Windows Deployment Services server from the DHCP response that is generated by the DHCP server. Setting DHCP option tag 60 has one side-effect: clients booting from the network are always notified that the Windows Deployment Services server is available, even if the server is not operational or has stopped. For instructions on configuring these options, see the "DHCP section" in How to Manage Your Server.
|If Windows Deployment Services and DHCP are running on the same computer, configuring Windows Deployment Services to not respond to any client computers will not work. This is because although Windows Deployment Services will not respond, DHCP will. You can try to work around this issue by disabling DHCP option 60 on the DHCP tab.|
|There are some scenarios (particularly those that require running a DHCP server) that do not support adding custom DHCP option 60 on the same physical computer as the Windows Deployment Services server. In these circumstances, it is possible to configure the server to bind to UDP Port 67 in nonexclusive mode by passing the SO_REUSEADDR option. For more information, see Using SO_REUSEADDR and SO_EXCLUSIVEADDRUSE (http://go.microsoft.com/fwlink/?LinkId=82387).|
If DHCP is installed on a server that is located in a different subnet, you will need to do one of the following: configure your router to forward broadcasts (recommended) or add DHCP options 66 and 67. For more information about these settings, see Managing Network Boot Programs.
By default, Windows Deployment Services does not need to be authorized to service client computers. However, you can enable DHCP authorization (which is also known as rogue detection). You may want to enable this authorization for the following reasons:
To help prevent an improperly configured server on the network. You can do this by requiring that only those servers that you authorize can service clients. This is not a security protection mechanism, but it can help ensure that a server that is not approved does not service clients. Furthermore, DHCP authorization applies only to computers that are joined to the Active Directory Domain Services (AD DS) structure of the corporate network. For example, if a corporation had a forest, a malicious user could plug a computer into the corporate network, install Windows Server® 2008, run Dcpromo, create a forest, install Windows Deployment Services, and then authorize it.
Your IT department has a policy that only authorized servers should be both Windows Deployment Services server and DHCP listeners.
Authorization checks occur only if authorization checking is enabled and the Windows Deployment Services server is configured to listen on port 67. This means that authorization checks take place only in scenarios where Windows Deployment Services is running on a computer without DHCP. If Windows Deployment Services and DHCP are running on the same physical computer, then the DHCP server is listening on port 67, and it is responsible for making sure that it is authorized properly. Note that the Windows Deployment Services server will not perform any additional checks. You can enable this authorization by running WDSUTIL /Set-Server /RogueDetection:Yes.
You can authorize a Windows Deployment Services server using the Advanced tab of the server’s properties. However, you must be a domain administrator in the root domain of the forest or be an enterprise administrator. Alternatively, you may delegate permissions by using the following procedure.
Open the Active Directory Sites and Services MMC snap-in.
On the View menu, click Show Services Node.
Right-click NetServices, and then click Properties.
On the Security tab, assign the following permissions to the users or groups for which you want to authorize these servers: Read, Write, and Create all child objects.
Click Advanced. Click the user or group you just added, and then click Edit.
In the Apply to box, click This object and all descendant objects.
The environment that the Windows Deployment Services server is in influences the authorization behavior:
NT4 domain. If the Windows Deployment Services server is part of an NT4 domain, no authorization is performed and the Windows Deployment Services server will service requests. This mode is supported only if the Windows Deployment Services server is running with a custom non-Microsoft PXE provider. Windows Deployment Services requires AD DS; therefore, it cannot operate if joined only to an NT4 domain. For more information about the PXE provider included with Windows Deployment Services, see PXE Server Components.
Windows Server 2000 or later domain
. If the Windows Deployment Services server is part of a Windows Server 2000 or later domain (meaning that AD DS is present), it queries AD DS to determine its authorization state.
Workgroup. If the Windows Deployment Services server is part of a workgroup, it can service client requests as long as other DHCP servers on the same subnet are not part of a domain. If a DHCP server that is part of a domain comes online, the Windows Deployment Services server will stop servicing requests.
Windows Small Business Server 2003. If the Windows Deployment Services server is part of a Small Business Server 2003 domain, it must be the only DHCP server on the network. If another DHCP server exists or comes online, the Windows Deployment Services server stops servicing requests.