Authorizing DHCP servers
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The Windows Server 2003 family provides integrated security support for networks that use Active Directory. This support adds and uses a class of objects that is part of the base directory schema, providing the following enhancements:
A list of IP addresses available for the computers that you authorize to operate as DHCP servers on your network.
Detection of unauthorized DHCP servers and prevention of their starting or running on your network.
The following sections discuss:
Background information about the detection of unauthorized DHCP servers.
How computers are authorized in Active Directory to provide DHCP service.
How an unauthorized server is detected and prevented from providing DHCP service.
Notes and limitations for implementing DHCP service, depending on whether the Active Directory directory service is available.
Background on unauthorized DHCP servers
When configured correctly and authorized for use on a network, DHCP servers provide a useful and intended administrative service. However, when a misconfigured or unauthorized DHCP server is introduced into a network, it can cause problems. For example, if an unauthorized DHCP server starts, it might begin either leasing incorrect IP addresses to clients or negatively acknowledging DHCP clients attempting to renew current address leases.
Either of these configurations can produce further problems for DHCP-enabled clients. For example, clients that obtain a configuration lease from the unauthorized server can fail to locate valid domain controllers, preventing clients from successfully logging on to the network.
To resolve these issues, DHCP servers running Windows Server 2003 are verified as authorized in Active Directory before they can service clients. This avoids most of the accidental damage caused by running DHCP servers with incorrect configurations or correct configurations on the wrong network.
How DHCP servers are authorized
The authorization process for DHCP server computers depends on the installed role of the server on your network. In the Windows Server 2003 family there are three roles or server types in which each server computer can be installed:
Domain controller. The computer keeps and maintains a copy of the Active Directory database and provides secure account management for domain member users and computers.
Member server. The computer is not operating as a domain controller but has joined a domain in which it has a membership account in the Active Directory database.
Stand-alone server. The computer is not operating as a domain controller or a member server in a domain. Instead, the server computer is made known to the network through a specified workgroup name, which can be shared by other computers, but is used only for browsing purposes and not to provide secured logon access to shared domain resources.
If you deploy Active Directory, all computers operating as DHCP servers must be either domain controllers or domain member servers before they can be authorized and provide DHCP service to clients.
Although it is not recommended, you can use a stand-alone server as a DHCP server as long as it is not on a subnet with any authorized DHCP servers. When a stand-alone DHCP server detects an authorized server on the same subnet, it automatically stops leasing IP addresses to DHCP clients.
For more information about authorizing a DHCP server in Active Directory, see Authorize a DHCP server in Active Directory.
For more information about delegating administrative credentials, see Delegate ability to authorize DHCP servers to a non-enterprise administrator.
How unauthorized servers are detected
DHCP servers running Windows Server 2003 provide detection of both authorized and unauthorized servers using the following specific enhancements for the DHCP standard:
The use of information messaging between DHCP servers using the DHCP information message (DHCPINFORM).
The addition of several new vendor-specific option types, for communicating information about the root domain.
A DHCP server running Windows Server 2003 first determines whether Active Directory is available. If it is, the server verifies that it is authorized by following one of the procedures below, depending on whether it is a member server or a stand-alone server:
For member servers (a server joined to a domain that is part of the enterprise), the DHCP server queries Active Directory for the list of authorized DHCP server IP addresses.
If the server finds its IP address in the authorized list, it initializes and starts providing DHCP service to clients. If it does not find itself in the authorized list, it does not initialize and stops providing DHCP services.
When installed in a multiple forest environment, DHCP servers seek authorization from within their forest only. Once authorized, DHCP servers in a multiple forest environment lease IP addresses to all reachable clients. Therefore, if clients from another forest are reached using routers with DHCP/BOOTP forwarding enabled, the DHCP server leases IP addresses to them.
If Active Directory is not available, the DHCP server continues to operate in its last known state.
For stand-alone servers (a server not joined to any domain or part of an existing enterprise), when the DHCP service starts, it sends a DHCP information message (DHCPINFORM) request to the reachable network, using the local limited broadcast address (255.255.255.255), to locate the root domain on which other DHCP servers are installed and configured.
This message includes several vendor-specific option types that are known and supported by other DHCP servers running Windows Server 2003. When received by other DHCP servers, these option types enable the query and retrieval of information about the root domain. When queried, the other DHCP servers reply with DHCP acknowledgement messages (DHCPACK) to both acknowledge and answer with Active Directory root domain information.
If the stand-alone server receives no reply, it initializes and starts providing DHCP services to clients. If the stand-alone server receives a reply from a DHCP server that is authorized in Active Directory, the stand-alone server does not initialize and does not provide DHCP services to clients.
Authorized servers repeat the detection process at a default interval of 60 minutes. Unauthorized servers repeat the detection process at a default interval of 10 minutes.
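The following Python model, added here as an illustration and not part of the original documentation or of the Windows DHCP service itself, puts the member-server and stand-alone-server rules above into one decision function so the branches can be exercised together: the Active Directory-unavailable fallback, the isolated stand-alone server that starts because nothing answers its DHCPINFORM, and the 60-minute versus 10-minute re-check interval. The class and function names, the context fields and the sample addresses are assumptions made for the example.

```python
"""Model of the DHCP authorization decision described above.

Added illustration only: this is not the Windows DHCP service's code. The
class and function names, the AuthorizationContext fields and the sample
addresses below are assumptions made for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Re-check intervals given in the text, in minutes.
AUTHORIZED_INTERVAL_MIN = 60
UNAUTHORIZED_INTERVAL_MIN = 10


@dataclass
class AuthorizationContext:
    role: str                        # "member" or "stand-alone"
    own_ip: str
    ad_available: bool = False       # was Active Directory reachable this cycle?
    # Authorized DHCP server addresses read from the server's own forest;
    # servers in other forests are never consulted.
    authorized_ips: List[str] = field(default_factory=list)
    last_known_serving: Optional[bool] = None   # outcome of the previous cycle
    # Stand-alone servers only: root domains named in DHCPACK replies to the
    # DHCPINFORM broadcast. An empty list means no authorized server answered.
    inform_replies_from_authorized: List[str] = field(default_factory=list)


@dataclass
class Decision:
    serving: bool            # does the server initialize and lease addresses?
    reason: str
    next_check_minutes: int  # when rogue detection runs again


def decide(ctx: AuthorizationContext) -> Decision:
    """Apply the member-server and stand-alone-server rules from the text."""
    if ctx.role == "member":
        if not ctx.ad_available:
            # Directory unreachable: keep the last known state. A server that
            # has never completed a cycle has no known state and stays down.
            serving = bool(ctx.last_known_serving)
            reason = "Active Directory unavailable; keeping last known state"
        elif ctx.own_ip in ctx.authorized_ips:
            serving, reason = True, "own IP address found in authorized list"
        else:
            serving, reason = False, "own IP address not in authorized list"
    elif ctx.role == "stand-alone":
        if ctx.inform_replies_from_authorized:
            serving = False
            reason = ("DHCPACK received from authorized server(s) for: "
                      + ", ".join(ctx.inform_replies_from_authorized))
        else:
            serving = True
            reason = "no reply to DHCPINFORM; no authorized server reachable"
    else:
        raise ValueError("role must be 'member' or 'stand-alone': %r" % ctx.role)

    # The text keys the interval on authorization status; this model treats a
    # serving server as authorized, which matches every branch except the
    # Active Directory-unavailable fallback (an assumption of the model).
    interval = AUTHORIZED_INTERVAL_MIN if serving else UNAUTHORIZED_INTERVAL_MIN
    return Decision(serving, reason, interval)


if __name__ == "__main__":
    # Constructed scenarios; addresses and domain names are placeholders.
    scenarios = {
        "member, listed": AuthorizationContext("member", "10.0.0.5", True, ["10.0.0.5"]),
        "member, not listed": AuthorizationContext("member", "10.0.0.6", True, ["10.0.0.5"]),
        "member, AD down, was serving": AuthorizationContext(
            "member", "10.0.0.5", False, last_known_serving=True),
        "stand-alone, isolated subnet": AuthorizationContext("stand-alone", "192.168.1.1"),
        "stand-alone, authorized server answers": AuthorizationContext(
            "stand-alone", "192.168.1.1", inform_replies_from_authorized=["corp.example"]),
    }
    for name, ctx in scenarios.items():
        d = decide(ctx)
        print("%-40s serving=%-5s next check in %2d min (%s)"
              % (name, d.serving, d.next_check_minutes, d.reason))
```

Running the module prints one line per scenario. The model deliberately keeps the authorized list per forest: a server in a second forest is absent from the list even though, once authorized in its own forest, it leases addresses to any client its broadcasts or BOOTP-forwarding routers reach.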
Efforts to detect unauthorized servers are noted as "Restarting rogue detection" entries in the audit log.
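Because the re-check interval differs between authorized (60 minutes) and unauthorized (10 minutes) servers, the spacing of the "Restarting rogue detection" entries in the audit log reveals which state a server was in over time. The Python example below, added here and not part of the original documentation or of any Microsoft tool, reads audit log lines and reports the periods in which the spacing indicates the server was running its unauthorized cycle, which is a sign worth investigating (authorization removed, directory unreachable). It assumes the comma-separated ID,Date,Time,Description,IP Address,Host Name,MAC Address layout of the DHCP audit log; the sample lines, including their ID values, are constructed for the example.

```python
"""Infer a DHCP server's authorization state from "Restarting rogue detection"
entries in its audit log.

Added example, not a Microsoft tool. Assumes the comma-separated
ID,Date,Time,Description,IP Address,Host Name,MAC Address layout of the DHCP
audit log with MM/DD/YY dates; the sample log below is constructed.
"""
import csv
from datetime import datetime, timedelta
from io import StringIO

ROGUE_DETECTION_TEXT = "Restarting rogue detection"   # entry text from the documentation
AUTHORIZED_INTERVAL = timedelta(minutes=60)
UNAUTHORIZED_INTERVAL = timedelta(minutes=10)

# Constructed sample: two hourly entries, then a switch to ten-minute entries.
SAMPLE_LOG = """\
Microsoft DHCP Service Activity Log
ID,Date,Time,Description,IP Address,Host Name,MAC Address
63,01/21/05,08:00:00,Restarting rogue detection,,,
63,01/21/05,09:00:01,Restarting rogue detection,,,
63,01/21/05,10:00:00,Restarting rogue detection,,,
63,01/21/05,10:10:02,Restarting rogue detection,,,
63,01/21/05,10:20:00,Restarting rogue detection,,,
63,01/21/05,10:30:01,Restarting rogue detection,,,
"""


def parse_audit_log(text):
    """Yield (timestamp, description) for each data row, skipping banner and header lines."""
    for row in csv.reader(StringIO(text)):
        if len(row) < 4 or not row[0].strip().isdigit():
            continue  # banner text or the column header
        try:
            stamp = datetime.strptime(row[1].strip() + " " + row[2].strip(), "%m/%d/%y %H:%M:%S")
        except ValueError:
            continue  # malformed date/time; ignore the row rather than abort
        yield stamp, row[3].strip()


def rogue_detection_cycles(text, tolerance=timedelta(minutes=1)):
    """Return (start, end, state) segments for consecutive rogue detection entries.

    state is "authorized" when the gap is about 60 minutes, "unauthorized" when
    it is about 10 minutes, and "unknown" otherwise (for example a service
    restart). Adjacent gaps with the same state are merged into one segment.
    """
    stamps = [ts for ts, desc in parse_audit_log(text) if desc == ROGUE_DETECTION_TEXT]
    segments = []
    for prev, cur in zip(stamps, stamps[1:]):
        gap = cur - prev
        if abs(gap - AUTHORIZED_INTERVAL) <= tolerance:
            state = "authorized"
        elif abs(gap - UNAUTHORIZED_INTERVAL) <= tolerance:
            state = "unauthorized"
        else:
            state = "unknown"
        if segments and segments[-1][2] == state:
            segments[-1] = (segments[-1][0], cur, state)   # extend the current run
        else:
            segments.append((prev, cur, state))
    return segments


def unauthorized_periods(text):
    """Periods during which the server was on its 10-minute (unauthorized) cycle."""
    return [(s, e) for s, e, st in rogue_detection_cycles(text) if st == "unauthorized"]


if __name__ == "__main__":
    for start, end, state in rogue_detection_cycles(SAMPLE_LOG):
        print("%s .. %s  %s" % (start, end, state))
```

On the constructed sample the server is on its 60-minute cycle until 10:00 and on its 10-minute cycle afterwards, so the transition at 10:00 is where an administrator would look for a lost authorization or an unreachable directory. The tolerance parameter absorbs the few seconds of drift a real server adds to each interval.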
The process of authorizing DHCP servers is useful only for DHCP servers running Windows 2000 or Windows Server 2003.
When a DHCP server running Windows Server 2003 is installed in a Windows NT 4.0 domain, the server initializes and begins serving DHCP clients in the absence of directory services. However, if there is a Windows Server 2003 domain on the same subnet or on a connected network with routers configured for DHCP or BOOTP forwarding, the DHCP server in the Windows NT 4.0 domain detects its own unauthorized status and ceases to provide IP address leases to clients. If you authorize the DHCP server in Active Directory, it can provide DHCP service to the clients in the Windows NT 4.0 domain.
For the directory authorization process to work properly, it is necessary that the first DHCP server introduced on your network participate in Active Directory. This requires that the server be installed as either a domain controller or a member server. When planning or deploying Active Directory with Windows Server 2003 DHCP, it is important that you do not install your first DHCP server as a stand-alone server.
Most commonly, there is one enterprise root and, therefore, only a single point for directory authorization of the DHCP servers. However, there is no restriction on authorizing DHCP servers for more than one enterprise root.
The fully qualified domain name (FQDN) of the DHCP server cannot exceed 64 characters. If the FQDN of the DHCP server exceeds 64 characters, the attempt to authorize the server fails with the error message, "A constraint violation has occurred." If your DHCP server FQDN exceeds 64 characters, authorize the server using the server’s IP address instead of its FQDN.
DHCP servers running Windows 2000 cannot be authorized using the Windows Server 2003 administrative tools (the DHCP console and the Netsh commands for DHCP) unless Windows 2000 Server Service Pack 2 is installed.