Authorizing a DHCP Server in Active Directory

Windows 2000 introduces many new features designed to increase network security. One of these new features is the detection of rogue DHCP servers on the network. Before a DHCP server can begin leasing IP addresses to DHCP clients , it must first be authorized to do so within Active Directory. This eliminates the possibility of someone adding a Windows 2000 DHCP server to the network that hasn't been approved by the appropriate authority. Any DHCP server that hasn't been authorized is detected and the DHCP service will fail to start.

Detection of rogue servers eliminates the possibility of a Windows 2000 DHCP server with inaccurate IP addressing information being introduced onto a network. However, this feature applies only to Windows 2000 DHCP servers. A Windows NT 4.0 rogue server would not be detected.

Authorizing the DHCP Server

A DHCP server can be authorized through the DHCP management console by an member of the Enterprise Admins group . To authorize a DHCP server, perform the following steps:

1. Click Start, point to Programs, Administrative Tools, and click DHCP.

2. Within the DHCP management console, right-click the DHCP server and click Authorize.

3. Once authorized, the DHCP server can respond to client requests for IP address parameters.

If a DHCP needs to be removed from the network, you should unauthorize the server so it no longer has the capability to lease IP addresses to clients. To do so, right-click the DHCP server within the DHCP console and select the Unauthorize option. Click Yes to confirm your actions. The DHCP server will then be removed from Active Directory.

Because the detection of rogue servers is new in Windows 2000, be prepared to answer at least one question pertaining to the authorization of DHCP servers. Note that only enterprise admins can authorize a DHCP server.