Recipe14.2.Authorizing a DHCP Server


Recipe 14.2. Authorizing a DHCP Server

Problem

You want to permit (i.e., authorize) a DHCP Server to process DHCP requests from clients. This is necessary only if the DHCP Server is a member of an Active Directory domain.

Solution

Using a graphical user interface

Windows 2000 DHCP Servers cannot be authorized with the Windows Server 2003 version of the DHCP snap-in unless the DHCP Server has Service Pack 2 or higher installed.


  1. Open the DHCP snap-in.

  2. In the left pane, right-click on DHCP and select Add Server.

  3. Type in the name of the DHCP Server you want to target and click OK.

  4. Click on the server entry in the left pane.

  5. Right-click on the server and select Authorize.

If the DHCP Server is not a member of an Active Directory domain, you will not see the Authorize option.


Using a command-line interface

The following command authorizes a DHCP Server in Active Directory:

> netsh dhcp add server <DHCPServerName> <DHCPServerIP>

This example shows how to authorize the DHCP Server named dhcp01.rallencorp.com with IP 192.168.191.15:

> netsh dhcp add server dhcp01.rallencorp.com 192.168.191.15

Using VBScript

See the Introduction for more information on how to run the netsh command from within a script. The following script prints out the list of authorized DHCP Servers in Active Directory:

' ------ SCRIPT CONFIGURATION ------ strForestRootDN = "<ForestRootDN>"  ' e.g., dc=rallencorp,dc=com ' ------ END CONFIGURATION --------- set objCont = GetObject("LDAP://CN=DhcpRoot,CN=NetServices,CN=Services," & _                         "CN=Configuration," & strForestRootDN) colDHCPServers = objCont.GetEx("dhcpServers") for each strDHCPServer in colDHCPServers    Wscript.Echo strDHCPServer next

Discussion

Windows 2000 and Windows Server 2003-based DHCP servers that belong to an Active Directory domain must be authorized before they can give out leases to clients. This feature helps reduce the danger of a rogue Windows 2000 or Windows Server 2003 DHCP Server that an end-user sets up, perhaps unintentionally. A rogue DHCP Server can provide incorrect lease information or deny lease requests altogether, ultimately causing a denial of service for clients on your network.

If the DHCP Server service is enabled on a domain controller, it is automatically authorized. A DHCP Server that is a member server of an Active Directory domain performs a query in Active Directory to determine whether it is authorized. If it is, it will respond to DHCP requests; if not, it will not respond to requests.

A standalone DHCP server that is not a member of an Active Directory domain sends out a DHCPINFORM message when it first initializes. If an authorized DHCP Server responds to the message, the standalone server will not respond to any further DHCP requests. If it does not receive a response from a DHCP Server, it will respond to client requests and give out leases.

DHCP servers are represented in Active Directory as objects of the dhcpClass class, which can be found in the cn=NetServices,cn=Services,cn=Configuratation,<ForestRootDN> container. The relative distinguished name of these objects is the DHCP Server's IP address. There is also an object in the same container named cn=dhcpRoot, which is created after the first DHCP Server is authorized. It has an attribute named dhcpServers that contains all authorized servers. I enumerated this attribute in the VBScript solution to display all authorized servers.

By default, only members of the Enterprise Admins group can authorize DHCP Servers. You, however, can delegate the rights to authorize a DHCP Server. Do the following to delegate the necessary permissions to a group called DHCP Admins:

  1. Open ADSI Edit from the Support Tools while logged on as a member of the Enterprise Admins group.

  2. In the left pane, expand the Configuration Container CN=Configuration

    Right-click on CN=NetServices and select Properties.

  3. Select the Security tab.

  4. Click the Advanced button.

  5. Click the Add button.

  6. Use the object picker to select the DHCP Admins group.

  7. Check the boxes under Allow for Create dHCPClass objects and Delete dHCPClass objects.

  8. Click OK until all dialog boxes are closed.

  9. Back in the left pane of ADSI Edit, right-click on CN=dhcpRoot (if you've previously authorized DHCP Servers) and select Properties.

  10. Select the Security tab.

  11. Click the Advanced button.

  12. Click the Add button.

  13. Use the object picker to select the DHCP Admins group.

  14. Check the boxes under Allow for Write.

  15. Click OK until all dialog boxes are closed.

Using a graphical user interface

You can quickly determine whether a DHCP Server has been authorized by looking at its server node in the left pane of the DHCP snap-in. If the icon has a little red flag, that means it isn't authorized, if it is green, then it is authorized.

Using a command-line interface

To see the list of authorized servers using the command line, run the following command:

> netsh dhcp show server

See Also

MS KB 279908 (Unexpected Results in the DHCP Service Snap-In After Using NETSH to Authorize DHCP), MS KB 300429 (HOW TO: Install and Configure a DHCP Server in an Active Directory Domain in Windows 2000), and MS KB 303351 (How to Use Netsh.exe to Authorize, Unauthorize, and List DHCP Servers in Active Directory), MS KB 306925 (Cannot Authorize New DHCP Server in Active Directory), and MS KB 323360 (HOW TO: Install and Configure a DHCP Server in an Active Directory Domain in Windows Server 2003)



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
EAN: 2147483647
Year: 2006
Pages: 380
Authors: Robbie Allen

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net