Learning Windows Server 2003

11.1. Dynamic Host Configuration Protocol

The Dynamic Host Configuration Protocol (DHCP) assists administrators by automatically configuring computers with IP addresses, saving the hassle of assigning and tracking static IP addresses among multiple machines. When DHCP is coupled with dynamic DNS, a technique you learned about in Chapter 4, a lot of administrative headaches formerly encountered by network administrators are reduced and, in some cases, even eliminated. Let's take a look.

11.1.1. How It Works

The process is started by a client computer, which makes a request for an IP address to a DHCP server. If a client is new to the network, or currently has an invalid IP address, the client will broadcast a DHCPDISCOVER message over the local subnet. The responding DHCP server (or, in some cases, servers) will answer with an offer in the form of a DHCPOFFER packet. Then the client will acknowledge receipt of that offer and officially ask for an address with a DHCPREQUEST packet. In return, the DHCP server will confirm the lease and send any additional options that are configured with the address inside a DHCPACK packet.

Leases are granted for a period of time known as the lease duration. After 50% of the lease duration has lapsed, the client will request an extension (officially, this is a lease renewal) from the DHCP server from which it originally obtained the lease. If the client doesn't receive a response from that server, it will wait until 87.5% of the lease duration to attempt to renew its current lease with any DHCP machine on the network. If no server honors the lease renewal request, the client will end its use of the current IP address and then behave like a new client, as described previously.

Options are attributes of a DHCP lease that define certain characteristics about the IP address and IP stack of the computer leasing the address. For example, DHCP options specify parameters such as the DNS connection suffix (e.g., client2.hasselltech.local), the default gateway for a particular computer (which is the router through which traffic outside the local subnet is sent), and other important traits of a connection. Using DHCP options saves you a lot of time in manually assigning these traits to all your client computers, and it also adds the element of consistency: all your computers leasing addresses within a certain scope get the same options and not a hodgepodge of configurations.
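The four-message exchange, the lease duration and the options just described can be studied without a network. The following is an added example, not code from the book: it builds and parses the DHCPDISCOVER, DHCPOFFER, DHCPREQUEST and DHCPACK messages in memory, with both the client and the server side simulated in one process, and works out the 50% and 87.5% renewal points. The MAC address, transaction id, scope addresses and lease length are constructed sample values.

```python
"""Added example (not from the book): the DHCPDISCOVER / DHCPOFFER /
DHCPREQUEST / DHCPACK exchange built and parsed in memory, plus the T1/T2
renewal points. All addresses, the MAC and the transaction id are
constructed sample values; nothing is sent on the network."""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"           # marks the start of the options field
BOOTP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"  # 236-byte fixed header (RFC 2131)
# Option codes from RFC 2132 used in this example
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_REQ_IP = 1, 3, 6, 50
OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 51, 53, 54, 255
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK"}
BOOTREQUEST, BOOTREPLY = 1, 2


def ip(dotted):
    return socket.inet_aton(dotted)


def build(op, xid, mac, yiaddr, options):
    """Serialise one DHCP message: fixed header, magic cookie, TLV options, END."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack(BOOTP_HEADER, op, 1, 6, 0, xid, 0, 0x8000,
                         ip("0.0.0.0"), ip(yiaddr), ip("0.0.0.0"), ip("0.0.0.0"),
                         chaddr, b"\x00" * 64, b"\x00" * 128)
    tlvs = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + tlvs + bytes([OPT_END])


def parse(packet):
    """Decode the header and the options a Windows client cares about."""
    fields = struct.unpack(BOOTP_HEADER, packet[:236])
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    raw, pos = {}, 240
    while pos < len(packet) and packet[pos] != OPT_END:
        code, length = packet[pos], packet[pos + 1]
        raw[code] = packet[pos + 2:pos + 2 + length]
        pos += 2 + length
    ips = lambda v: [socket.inet_ntoa(v[i:i + 4]) for i in range(0, len(v), 4)]
    msg = {"op": fields[0], "xid": fields[4], "yiaddr": socket.inet_ntoa(fields[8]),
           "mac": fields[11][:6].hex(":"),
           "type": MSG_TYPES.get(raw[OPT_MSG_TYPE][0], "unknown")}
    if OPT_SERVER_ID in raw: msg["server_id"] = ips(raw[OPT_SERVER_ID])[0]
    if OPT_REQ_IP in raw: msg["requested"] = ips(raw[OPT_REQ_IP])[0]
    if OPT_SUBNET in raw: msg["subnet"] = ips(raw[OPT_SUBNET])[0]
    if OPT_ROUTER in raw: msg["routers"] = ips(raw[OPT_ROUTER])
    if OPT_DNS in raw: msg["dns"] = ips(raw[OPT_DNS])
    if OPT_LEASE in raw: msg["lease"] = struct.unpack("!I", raw[OPT_LEASE])[0]
    return msg


def renewal_times(lease_seconds):
    """T1 (renew with the original server) and T2 (rebind with any server)."""
    return int(lease_seconds * 0.5), int(lease_seconds * 0.875)


def dora(client_mac, server_ip, offered_ip, lease_seconds):
    """Run the four-message exchange with both sides simulated in-process."""
    xid = 0x3903F326                                   # constructed transaction id
    # Scope options the server attaches to its replies (constructed sample values)
    scope_options = [(OPT_SERVER_ID, ip(server_ip)),
                     (OPT_LEASE, struct.pack("!I", lease_seconds)),
                     (OPT_SUBNET, ip("255.255.255.0")),
                     (OPT_ROUTER, ip("192.168.10.1")),
                     (OPT_DNS, ip("192.168.10.2") + ip("192.168.10.3"))]
    # Client: broadcast a discover with no address yet
    discover = build(BOOTREQUEST, xid, client_mac, "0.0.0.0", [(OPT_MSG_TYPE, b"\x01")])
    # Server: offer an address from the scope, echoing the client's xid
    offer = build(BOOTREPLY, parse(discover)["xid"], client_mac, offered_ip,
                  [(OPT_MSG_TYPE, b"\x02")] + scope_options)
    seen = parse(offer)
    # Client: formally request the offered address from the offering server
    request = build(BOOTREQUEST, xid, client_mac, "0.0.0.0",
                    [(OPT_MSG_TYPE, b"\x03"), (OPT_REQ_IP, ip(seen["yiaddr"])),
                     (OPT_SERVER_ID, ip(seen["server_id"]))])
    # Server: confirm the lease and send the full option set
    ack = build(BOOTREPLY, xid, client_mac, parse(request)["requested"],
                [(OPT_MSG_TYPE, b"\x05")] + scope_options)
    result = parse(ack)
    result["t1"], result["t2"] = renewal_times(result["lease"])
    return result


if __name__ == "__main__":
    print(dora("00:11:22:33:44:55", "192.168.10.2", "192.168.10.77", 691200))
```

The eight-day lease (691,200 seconds) yields a T1 of 345,600 seconds and a T2 of 604,800 seconds, which is where the 50% and 87.5% figures above come from.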

A Windows feature called Automatic Private IP Addressing (APIPA) overlaps DHCP functionality and can either be your best friend or drive you to insanity. Microsoft implemented this feature so that if a client is unable to lease an IP address from a DHCP server, it will resort to using a randomly chosen IP address from Microsoft's own Class B range (169.254.0.0 with subnet 255.255.0.0 and no default gateway assigned). The address is verified using an ARP request broadcast out to the network to ensure that no other client is using that address.

This feature is meant for convenience because most small businesses and home networks don't want to offer DHCP services from Windows itself and would like their networks to just work. However, if you have connectivity problems, Automatic Client Configuration (ACC) can really get in the way of troubleshooting at times. It's best to understand ACC's behavior under the following circumstances:

  • If a client has a valid lease from a DHCP server but can't connect to that DHCP server, ACC will attempt to ping the default router/gateway entry defined by the lease. If the client receives a reply, ACC assumes the machine is still on the network where the original DHCP server is located, and it will continue to use its lease.

  • If a router isn't answering at the gateway address in the lease, ACC will release the current IP address and pick an automatic address from the 169.254.0.0 range.

  • In any event, when ACC is active, the client will continue to search every five minutes for a valid DHCP server to either renew its lease or obtain a new address and corresponding lease.

  • You can also specify that the client use an alternate address in the event that the machine can't get an IP address from the DHCP server. You can view the settings and configure this in the properties of the network connection off the Start menu.

11.1.2. Installing a DHCP Server

Now that you know a bit about how DHCP works, let's move to installing an actual DHCP server. It's a fairly easy process. From the Manage Your Server page, click Add or remove a role. Then, on the Server Role page, click DHCP Server, and then click Next.

You'll be walked through a wizard that is outlined almost identically in the next section, so let's go there now.

11.1.3. Creating a New DHCP Scope

Creating a new DHCP scope involves selecting the range of IP addresses you want to make available to be leased out to clients who request them. This set of IP addresses is known as the scope.

The New Scope Wizard appears both when you first install a DHCP server and whenever you invoke it through the DHCP administration console, which you find off the Administrative Tools menu on the Start menu. To create a new scope on your DHCP server, follow these steps:

  1. Open the DHCP administration console by selecting DHCP from the Administrative Tools folder.

  2. Right-click the appropriate DHCP server in the lefthand pane, and select New Scope from the pop-up context menu.

  3. The New Scope Wizard appears. Click Next to move off the introductory screen.

  4. Enter a name and a friendly, useful description (for your purposes only) for the new scope and then click Next.

  5. The IP Address Range screen appears, as shown in Figure 11-1. Enter a noninterrupted range of IP addresses that you want to offer to clients into the Start IP address and End IP address fields. Then, enter the subnet mask to identify the network or subnet addresses you're using. (In most cases, you can accept the defaults.) Click Next to continue.

    Figure 11-1. The IP Address Range screen

  6. The Add Exclusions page appears next, depicted in Figure 11-2. On this page, you can enter a single address or range of addresses within your scope range that you want to exclude from client provisioning: for example, if you have a few servers with IP addresses within your chosen range, you can identify those addresses here so that DHCP won't give them out and cause a conflict. Click Next to continue when you've entered any relevant addresses.

  7. The Lease Duration screen appears, which allows you to specify how long a DHCP-assigned address will be valid for a given scope. This is shown in Figure 11-3. Desktop systems can keep an IP lease for a long time; laptops and other mobile computers, however, should be given short lease durations so that when they are inactive their IP address becomes available to be reassigned to other machines. If you have a mix of both, I suggest favoring a shorter lease time. Adjust the time using the individual sliders for days, hours, and minutes, and then click Next when you're done.

  8. The Configure DHCP Options screen appears. Here, you can specify whether to simply configure the scope with the options you've specified to this point, or further customize the data transmitted in response to each DHCP request. In this example, we'll proceed through the extended options to discuss each one. Select Yes, I want to configure these options now, and then click Next to continue.

    Figure 11-2. The Add Exclusions screen

    Figure 11-3. The Lease Duration screen

  9. The Router (Default Gateway) screen appears, as depicted in Figure 11-4. Here, you can specify a list of available network gateways or routers in the order of your preference. Add them using the Add buttons and adjust the list as needed using the Remove, Up, and Down buttons. Click Next when you've finished entering gateways.

    Figure 11-4. The Router (Default Gateway) screen

  10. The Domain Name and DNS Servers screen appears, shown in Figure 11-5. On this screen, you can input the parent domain name that your client computers should use for this connection. You also can specify preferred DNS servers for your client computers. You can either input a fully qualified domain name and click the Resolve button to find out the IP address, or enter the IP address directly and click Add to insert a server into the list. Use the Remove, Up, and Down buttons to edit the list as needed. Click Next when you've finished.

  11. The WINS Servers screen appears. This is shown in Figure 11-6. On this screen, enter the WINS servers for your enterprise that clients receiving addresses from this scope should use. You can either input a fully qualified domain name and click the Resolve button to find out the IP address, or enter the IP address directly and click Add to insert a server into the list. Use the Remove, Up, and Down buttons to edit the list as needed. Click Next when you've finished.

  12. Finally, the Activate Scope screen appears. When you activate a scope, you start DHCP service for it. Choose your preferred option, and then click Next.

Once inside the DHCP console, which is shown in Figure 11-7, under the specific scope you can view the address pool, add a new exclusion range, view current IP addresses, enter reservations (more on this later), and reconfigure options for the scope. To view the current set of leases, simply click Address Leases underneath the node that represents the scope in which you're interested.

Figure 11-5. The Domain Name and DNS Servers screen

Figure 11-6. The WINS Servers screen

Figure 11-7. The DHCP administration console

11.1.4. Authorizing a DHCP Server

Although you can install DHCP servers on any machine running Windows Server 2003, the first DHCP server you install must hook itself into Active Directory and needs to be on a machine that is a member of a domain. Authorized DHCP servers are listed within the directory, and each DHCP server in a domain checks this list to see if it is authorized to provide service; if it doesn't find itself in that list, it will not respond to DHCP requests. DHCP servers on standalone servers that are not members of domains can respond to DHCP requests; they do not need to be authorized, although this can pose a security threat, since a rogue server could assist clients and route them to different servers.
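A rogue server of the kind mentioned above is usually noticed from the client side, because its offers carry a server identifier that is not on the authorized list or options that differ from what the scope is configured to send. The following is an added example, not code from the book, that audits decoded DHCPOFFER records against an authorized-server list and the scope's expected router and DNS options, and also reports transaction ids answered by more than one server. The authorized list, the scope values and the sample offers are constructed; in practice a capture tool would supply the records.

```python
"""Added example (not from the book): checking decoded DHCPOFFER messages
against the list of authorized servers and the options the scope is supposed
to hand out. Sample records and addresses are constructed."""
from ipaddress import ip_address, ip_network

# Servers authorized in Active Directory (constructed)
AUTHORIZED_SERVERS = {"192.168.10.2"}

# What the scope for this subnet is configured to send (constructed)
EXPECTED = {
    "network": ip_network("192.168.10.0/24"),
    "routers": ["192.168.10.1"],
    "dns": {"192.168.10.2", "192.168.10.3"},
}

# Constructed sample: decoded offers as they might be recorded on the subnet
SAMPLE_OFFERS = [
    {"xid": 0x3903F326, "server_id": "192.168.10.2", "yiaddr": "192.168.10.77",
     "routers": ["192.168.10.1"], "dns": ["192.168.10.2", "192.168.10.3"]},
    {"xid": 0x3903F326, "server_id": "192.168.10.200", "yiaddr": "192.168.10.150",
     "routers": ["192.168.10.200"], "dns": ["192.168.10.200"]},
    {"xid": 0x51A0C0DE, "server_id": "192.168.10.2", "yiaddr": "10.0.0.5",
     "routers": ["192.168.10.1"], "dns": ["192.168.10.2"]},
]


def audit_offer(offer, authorized=AUTHORIZED_SERVERS, expected=EXPECTED):
    """Return the reasons an offer looks wrong; an empty list means it is clean."""
    findings = []
    if offer["server_id"] not in authorized:
        findings.append("server identifier not in the authorized list")
    if ip_address(offer["yiaddr"]) not in expected["network"]:
        findings.append("offered address is outside the scope's subnet")
    if offer["routers"] != expected["routers"]:
        findings.append("default gateway differs from the scope's router option")
    if not set(offer["dns"]) <= expected["dns"]:
        findings.append("DNS list contains servers the scope does not define")
    return findings


def audit(offers):
    """Map each offering server to the set of distinct findings against it."""
    report = {}
    for offer in offers:
        report.setdefault(offer["server_id"], set()).update(audit_offer(offer))
    return report


def competing_offers(offers):
    """Transaction ids answered by more than one server: a second DHCP server,
    misconfigured or unauthorized, is speaking on this subnet."""
    by_xid = {}
    for offer in offers:
        by_xid.setdefault(offer["xid"], set()).add(offer["server_id"])
    return {xid for xid, servers in by_xid.items() if len(servers) > 1}


if __name__ == "__main__":
    for server, findings in audit(SAMPLE_OFFERS).items():
        print(server, sorted(findings) or "ok")
    print("contested transactions:", competing_offers(SAMPLE_OFFERS))
```

Authorization in Active Directory stops a Windows DHCP server that is a domain member from answering, but it does nothing for an unauthorized server on a standalone machine or another platform, which is why a check like this on the wire complements the authorized list.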

If you have a DHCP server that is located on a domain member machine, you can authorize it by doing the following:

  1. Log on to the machine with an account that has Enterprise Administrator credentials.

  2. Open the DHCP administration console by selecting DHCP from the Administrative Tools folder.

  3. Right-click the appropriate DHCP server in the lefthand pane and select Manage authorized servers from the pop-up context menu.

  4. The Manage Authorized Servers screen appears, as shown in Figure 11-8. The screen lists all previously authorized DHCP servers. Click Authorize to add the server to this list.

  5. On the following screen, enter the fully qualified domain name for the DHCP server or its associated IP address. Press OK.

  6. Confirm your choice on the following dialog box.

Now the DHCP server is authorized and will begin serving IP addresses to clients who request them.

Figure 11-8. The Manage Authorized Servers screen

11.1.5. Reservations

Reservations allow you to effectively set static IP addresses through DHCP. Although a client using reservations still will be configured to obtain a dynamic IP address, the DHCP server has a reservation in its database for that client (which is identified using the MAC address of the network card), and thus the client always will receive the same IP address from the DHCP server.

To create a new reservation, right-click Reservations under the appropriate scope in the lefthand pane and select New Reservation. The New Reservation screen will appear. Here, enter a friendly name for this reservation as a reference, and then the IP address to reserve. Then, enter the MAC address of the network card inside the computer that you want to have the reserved address. (You can see this from the command line by issuing the ipconfig /all command and looking for the physical adapter address, or through the Control Panel and Network Connections by right-clicking the adapter and selecting Status.) Enter a description of the reservation if you want, and then click OK.

Figure 11-9 shows the reservations screen.

11.1.6. Understanding Classes

Classes are ways to distinguish between different systems and users for the purposes of assigning or allowing different options for them. Two types of classes are available within DHCP: vendor classes, which are set by the manufacturer and cannot be edited; and user classes, which are set at the client level on client computers and can be edited and used by administrators. Vendor classes can be used to send all computers matching a certain class a specific set of DHCP options: for example, to configure members of that class with a different set of DNS servers or gateways. And with the Windows Server 2003 vendor classes, you can offer specific systems the option of disabling NetBIOS, releasing its lease upon shutdown, and defining a metric for routing requests quickly and efficiently to network gateways.

Figure 11-9. Making a DHCP reservation

Vendors choose their own vendor classes, so you will need to consult with your vendor's documentation or support group to determine what vendor classes your adapters will listen for and respond to. Vendor classes also can represent the manufacturer of the network card and the manufacturer of the computer, whichever makes the most sense for your organization.

Microsoft has created the MSFT prefix to provide classification of its DHCP clients in Windows 98 and higher.

User classes are set by administrators and are used to group users via means that aren't available via the vendor class. For example, you can set a user class for "Charlotte office" and another for "Raleigh office," for use in segregating the different groups to different IP resources. Identical classes need to be set on the client and on the DHCP server.

With user classes, it's possible to use predefined classes that can be used to support groups of clients with special needs, such as clients using the older BOOTP protocol, or clients connecting through the Routing and Remote Access Service. User classes really are meant for larger networks that need to manage DHCP option assignments based on different computer criteria and to assign and override the standard option assignments at the server, scope, or reservation level.

To create a user class on the server, follow these steps:

  1. Open the DHCP administrator console.

  2. Right-click the DHCP server and select Define User Classes from the pop-up context menu.

  3. The DHCP User Classes dialog box appears. Click the Add button.

  4. The New Class box appears, as shown in Figure 11-10.

  5. Enter a name for the new class; this should be identical to the name you will use on a client. Also, enter a friendly description for your purposes if you want.

  6. Enter the ASCII text of the class by clicking under the word ASCII and typing text. The binary version of what you type will be generated automatically.

  7. Click OK.

    Figure 11-10. The New Class box

The new class has been created. Now, configure the DHCP options to send only to this class:

  1. Under the server node in the left pane on the DHCP administrator console, right-click Scope Options and select Configure Options.

  2. Navigate to the Advanced tab.

  3. Under User Class, select the new class ID you just configured.

  4. Finally, under Available Options, select the options you want to configure and enter the values for those options.

  5. Click OK when you've finished.

Now the scope is configured to send certain options to your new class. On each client computer that will be members of that class, issue the following command:

ipconfig /setclassid "Local Area Connection" "Name of New User Class"

You will receive a message indicating the assignment was successful.

11.1.7. Superscopes

A superscope is a collection of scopes that can service requests from clients from multiple subnets over the same physical layer medium. By configuring a DHCP server with a superscope that encompasses several smaller scopes, you can provide DHCP service to multiple subnets simultaneously. Use superscopes when you need to provide leases to clients on more than one subnet with one DHCP server.

To begin configuring a superscope, follow these steps:

  1. Load the DHCP administrator console.

  2. Then, right-click the DHCP server node and select New Superscope from the pop-up context menu. Click Next off the introductory screen for the wizard.

  3. Enter the name of the new superscope you're creating, and then click Next.

  4. From the Available Scopes list, select the scopes to include in this new superscope. You can hold down the Ctrl button and click to select multiple scopes.

  5. Click Next and confirm your settings. Then, click Finish.

The superscope is now active.

11.1.8. Conflict Detection

To ensure that one IP address is not leased to two different clients, the Windows Server 2003 DHCP service includes a conflict detection mechanism which involves a ping test to verify an IP address isn't in use before it is leased to a client.

You can verify that this feature is enabled, which you might want to do if you need to rebuild your DHCP server and ensure that when you bring the server back up it won't lease IP addresses currently in use. To do so, right-click the server name in the DHCP management console, select Properties, and navigate to the Advanced tab. Find the option called Conflict detection attempts, and set it to any value greater than 0 but less than 2 (performance issues arise with greater values). This number specifies the number of ping attempts the DHCP server will make before issuing an address.
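Exclusion ranges, reservations and conflict detection all act at the moment the server picks an address for a client. The following is an added example, not code from the book: a small in-memory model of a scope that skips excluded addresses, always hands a reserved address to its MAC, and probes an address once before leasing it, marking any address that answers as bad so it is not offered again. The address range, the MAC addresses and the probe results are constructed sample data; a real server would send ICMP echo requests where this model calls the probe function.

```python
"""Added example (not from the book): an in-memory model of how a scope hands
out addresses, honouring exclusion ranges, MAC-based reservations and a
ping-style conflict check before an address is leased. The address range,
MAC addresses and probe results are constructed sample data."""
from ipaddress import ip_address


def address_range(start, end):
    """All addresses from start to end inclusive, as dotted strings."""
    first, last = int(ip_address(start)), int(ip_address(end))
    return [str(ip_address(n)) for n in range(first, last + 1)]


class Scope:
    def __init__(self, start, end, exclusions=(), reservations=None,
                 conflict_attempts=1, probe=lambda addr: False):
        self.pool = address_range(start, end)
        self.excluded = set()
        for ex_start, ex_end in exclusions:
            self.excluded.update(address_range(ex_start, ex_end))
        self.reservations = dict(reservations or {})   # MAC -> reserved address
        self.attempts = conflict_attempts             # ping attempts per address
        self.probe = probe                            # True if a host answered
        self.leases = {}                              # MAC -> leased address
        self.bad_addresses = set()                    # answered a probe; never leased

    def in_use(self, addr):
        """Conflict detection: any reply within the configured attempts means in use."""
        return any(self.probe(addr) for _ in range(self.attempts))

    def allocate(self, mac):
        mac = mac.lower()
        if mac in self.reservations:                  # a reservation always wins
            self.leases[mac] = self.reservations[mac]
            return self.leases[mac]
        if mac in self.leases:                        # renewal of an existing lease
            return self.leases[mac]
        taken = set(self.leases.values()) | set(self.reservations.values())
        for addr in self.pool:
            if addr in self.excluded or addr in taken or addr in self.bad_addresses:
                continue
            if self.in_use(addr):                     # someone already has it
                self.bad_addresses.add(addr)
                continue
            self.leases[mac] = addr
            return addr
        return None                                   # scope exhausted

    def release(self, mac):
        return self.leases.pop(mac.lower(), None)


def demo():
    """Constructed scenario: .10-.12 excluded for servers, .20 reserved, .13 answers ping."""
    scope = Scope("192.168.10.10", "192.168.10.20",
                  exclusions=[("192.168.10.10", "192.168.10.12")],
                  reservations={"00:11:22:33:44:55": "192.168.10.20"},
                  conflict_attempts=1,
                  probe=lambda addr: addr == "192.168.10.13")
    first = scope.allocate("aa:bb:cc:dd:ee:01")
    reserved = scope.allocate("00:11:22:33:44:55")
    renewed = scope.allocate("aa:bb:cc:dd:ee:01")
    second = scope.allocate("aa:bb:cc:dd:ee:02")
    return {"first": first, "reserved": reserved, "renewed": renewed,
            "second": second, "bad": sorted(scope.bad_addresses)}


if __name__ == "__main__":
    print(demo())
```

In the scenario the first client skips the excluded .10 to .12 and the in-use .13 and gets .14, the reserved MAC gets .20 regardless of pool order, and .13 is recorded as bad so later clients are never offered it, which is the behaviour the ping test above is there to produce.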

11.1.9. DHCP Implications for DNS

The Windows Server 2003 DNS service supports updates from DHCP clients so that name-to-IP mappings continue to be accurate through the release and renewal process. On clients, you can configure this behavior by opening the properties of the local area connection (on Windows XP, you can find a list of network connections from the Connect to menu on the Start menu; in Windows 2000, this is done through the Network & Dial-up Connections applet in the Control Panel). Once you are inside the properties sheet, navigate to the DNS tab. At the bottom of the screen, select the option to Register this connection's addresses in DNS, as shown in Figure 11-11. This will instruct the client to transmit an updated A record to the primary DNS server.

Figure 11-11. Registering a DHCP-assigned client address in DNS

If you want the DHCP server to handle these updates instead of the client, the first step is to make your DHCP server computer object a member of the DnsUpdateProxy group within Active Directory. If you have gone through the process of authorizing your DHCP server (described earlier in this chapter), this step has been completed automatically. If you haven't gone through this process, look at the DHCP administration console: right-click the DHCP server node and click Properties. Navigate to the DNS tab, which is shown in Figure 11-12.

Here, you can instruct the DHCP service to automatically update DNS records for its clients at all times or only in instances where the client requests the update be pushed to the DNS server. You also can tell the service to expire the A records for a client when its current lease expires, and you can enable updates for clients that are unable to dynamically update their own records in DHCP.

Figure 11-12. Configuring DHCP-based updates to DNS
