Recipe14.1.Installing DHCP Server

Recipe 14.1. Installing DHCP Server

Problem

You want to install the DHCP Server service.

Solution

Using a graphical user interface

1. From the Control Panel, open the Add or Remove Programs applet.

2. Click Add/Remove Windows Components .

3. Double-click Network Services .

4. Check the box beside Dynamic Host Configuration Protocol (DHCP) .

5. Click OK .

6. Click Next .

7. Click Finish .

You can also install DHCP Server from the Manage Your Server wizard.

Using a command-line interface

First, create a file using a text editor such as Notepad with the following contents:

[netoptionalcomponents]
dhcpserver=1

Next, use the sysocmgr.exe utility with the following parameters (assuming the file you just created is named c:\dhcp_install.txt ):

> sysocmgr /i:%windir%\inf\sysoc.inf /u:c:\dhcp_install.txt

Using VBScript

Unfortunately, there aren't any scripting APIs for installing the DHCP Server. One option would be to run the sysocmgr command from within a script.

Discussion

The DHCP Server service is an optional Windows Component, so you can install it using the Add or Remove Programs applet in the Control Panel. There are no configuration options when you install the DHCP Server, so installation is a breeze. After you've installed the service, you'll need to authorize the server, if you have an Active Directory environment, as described in Recipe 14.2.

If the server you installed DHCP on is multihomed (i.e., has multiple active network adapters), you'll want to make sure the correct network adapters are enabled for use by the DHCP Server. You can enable or disable adapters for use by DHCP Server by doing the following:

1. Open the DHCP snap-in.

2. In the left pane, click on the server node.

3. From the menu, select Action Properties .

4. Select the Advanced tab.

5. Click the Bindings button.

6. Make sure the interfaces where the DHCP Server should respond are checked.

7. Click OK until all dialog boxes are closed.

DHCP-enabled interfaces (from a client perspective) will not show up in the list of available interfaces; the DHCP Server will use only interfaces that have statically assigned IP addresses.

See Also

Recipe 2.4 and Recipe 14.2

Recipe 14.2. Authorizing a DHCP Server

Problem

You want to permit (i.e., authorize) a DHCP Server to process DHCP requests from clients . This is necessary only if the DHCP Server is a member of an Active Directory domain.

Solution

Using a graphical user interface

Windows 2000 DHCP Servers cannot be authorized with the Windows Server 2003 version of the DHCP snap-in unless the DHCP Server has Service Pack 2 or higher installed.

1. Open the DHCP snap-in.

2. In the left pane, right-click on DHCP and select Add Server .

3. Type in the name of the DHCP Server you want to target and click OK .

4. Click on the server entry in the left pane.

5. Right-click on the server and select Authorize .

If the DHCP Server is not a member of an Active Directory domain, you will not see the Authorize option.

Using a command-line interface

The following command authorizes a DHCP Server in Active Directory:

> netsh dhcp add server


<DHCPServerName>




<DHCPServerIP>

This example shows how to authorize the DHCP Server named dhcp01.rallencorp.com with IP 192.168.191.15:

> netsh dhcp add server dhcp01.rallencorp.com 192.168.191.15

Using VBScript

See the Introduction for more information on how to run the netsh command from within a script. The following script prints out the list of authorized DHCP Servers in Active Directory:

' ------ SCRIPT CONFIGURATION ------
strForestRootDN = "


<ForestRootDN>


"  ' e.g., dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------
set objCont = GetObject("LDAP://CN=DhcpRoot,CN=NetServices,CN=Services," & _
                        "CN=Configuration," & strForestRootDN)
colDHCPServers = objCont.GetEx("dhcpServers")
for each strDHCPServer in colDHCPServers
   Wscript.Echo strDHCPServer
next

Discussion

Windows 2000 and Windows Server 2003-based DHCP servers that belong to an Active Directory domain must be authorized before they can give out leases to clients. This feature helps reduce the danger of a rogue Windows 2000 or Windows Server 2003 DHCP Server that an end-user sets up, perhaps unintentionally. A rogue DHCP Server can provide incorrect lease information or deny lease requests altogether, ultimately causing a denial of service for clients on your network.

If the DHCP Server service is enabled on a domain controller, it is automatically authorized. A DHCP Server that is a member server of an Active Directory domain performs a query in Active Directory to determine whether it is authorized. If it is, it will respond to DHCP requests; if not, it will not respond to requests.

A standalone DHCP server that is not a member of an Active Directory domain sends out a DHCPINFORM message when it first initializes. If an authorized DHCP Server responds to the message, the standalone server will not respond to any further DHCP requests. If it does not receive a response from a DHCP Server, it will respond to client requests and give out leases.

DHCP servers are represented in Active Directory as objects of the dhcpClass class, which can be found in the cn=NetServices,cn=Services,cn=Configuratation, <ForestRootDN> container. The relative distinguished name of these objects is the DHCP Server's IP address. There is also an object in the same container named cn=dhcpRoot , which is created after the first DHCP Server is authorized. It has an attribute named dhcpServers that contains all authorized servers. I enumerated this attribute in the VBScript solution to display all authorized servers.

By default, only members of the Enterprise Admins group can authorize DHCP Servers. You, however, can delegate the rights to authorize a DHCP Server. Do the following to delegate the necessary permissions to a group called DHCP Admins:

1. Open ADSI Edit from the Support Tools while logged on as a member of the Enterprise Admins group.

2. In the left pane, expand the Configuration Container CN=Configuration CN=NetServices .

3. Right-click on CN=NetServices and select Properties .

4. Select the Security tab.

5. Click the Advanced button.

6. Click the Add button.

7. Use the object picker to select the DHCP Admins group.

8. Check the boxes under Allow for Create dHCPClass objects and Delete dHCPClass objects .

9. Click OK until all dialog boxes are closed.

10. Back in the left pane of ADSI Edit, right-click on CN=dhcpRoot (if you've previously authorized DHCP Servers) and select Properties .

11. Select the Security tab.

12. Click the Advanced button.

13. Click the Add button.

14. Use the object picker to select the DHCP Admins group.

15. Check the boxes under Allow for Write .

16. Click OK until all dialog boxes are closed.

Using a graphical user interface

You can quickly determine whether a DHCP Server has been authorized by looking at its server node in the left pane of the DHCP snap-in. If the icon has a little red flag, that means it isn't authorized, if it is green, then it is authorized.

Using a command-line interface

To see the list of authorized servers using the command line, run the following command:

> netsh dhcp show server

See Also

MS KB 279908 (Unexpected Results in the DHCP Service Snap-In After Using NETSH to Authorize DHCP), MS KB 300429 (HOW TO: Install and Configure a DHCP Server in an Active Directory Domain in Windows 2000), and MS KB 303351 (How to Use Netsh.exe to Authorize, Unauthorize, and List DHCP Servers in Active Directory), MS KB 306925 (Cannot Authorize New DHCP Server in Active Directory), and MS KB 323360 (HOW TO: Install and Configure a DHCP Server in an Active Directory Domain in Windows Server 2003)