DHCP is an essential service for any TCP/IP-based network that has more than a small number of clients. DHCP allows clients to boot up and automatically receive an IP address and other TCP/IP settings such as DNS servers, WINS servers, and the default gateway.
The following sections describe how to use the DHCP server provided with Windows 2000 Server. For more information about how DHCP works, see Chapter 13.
It's important to design the deployment of DHCP servers in a way that fits the network. Small, nonrouted networks can use a single DHCP server. If you have a larger network, you need to consider the subnets and routers in use, and you should also split the address space between two servers to provide fault tolerance. Use the following checklist as part of your planning:
If you're using WINS, you can often make the primary WINS server the secondary (20 percent) DHCP server, and the secondary WINS server the primary (80 percent) DHCP server.
Another method of protecting against DHCP server failure is to have a hot backup. To do this, set up a DHCP server identically to the primary DHCP server, except with its own scope that encompasses 20 percent of the address space (or possibly less). Don't activate this server (it could be serving other roles that you don't want to slow down unless it's an emergency). If the primary DHCP server goes down, manually bring the backup server online by activating its scope. However, splitting the address range between two live servers is a superior solution because it provides automatic fault tolerance—no manual intervention is required.
Besides determining how to place the DHCP servers into the network structure, you also need to plan the IP address ranges you'll use, as well as which IP addresses to reserve or exclude from this pool of addresses. Use the following list to help plan the IP address ranges to use and exclude:
Consider switching all hosts with statically assigned IP addresses to DHCP assigned addresses. If any servers need unchanging addresses, create client reservations for the servers using DHCP (lease reservations are covered later in this chapter). This allows the servers to use an unchanging address and yet still have all TCP/IP options configured automatically through DHCP. It also makes it easier to track and manage IP addresses, and it will make your life much easier if your company ever needs to change its addressing, as might happen after a merger. The fewer static addresses, the better.
To install the DHCP service on a Windows 2000 Server computer, follow these steps:
You can also use the Configure Your Server Wizard to install the DHCP service and start the Create New Scope Wizard.
Figure 14-1. Installing the DHCP service.
Now you're ready to launch the DHCP Manager and create a new scope of IP addresses for the DHCP server to manage (a scope is a range of IP addresses that the DHCP server can manage). Before you do this, make sure you know which range of IP addresses is approved, which IP addresses need to be excluded for systems with static IP addresses, and which IP addresses need to be reserved for DNS or WINS servers.
To open DHCP Manager and create the new scope, follow these steps:
Real World
Scopes, Superscopes, and Multicast Scopes
A scope is simply the range of possible IP addresses on a network. To add more clients to a network where the scope is exhausted, you can add an additional scope as long as the scope doesn't belong to the same subnet as an existing scope. An excellent source of information on the complex subject of choosing subnet masks and other TCP/IP issues is Microsoft Windows 2000 TCP/IP Protocols and Services Technical Reference by Thomas Lee and Joseph Davies (Microsoft Press, 2000).
When you create multiple scopes, it's important to understand that clients from one logical subnet aren't able to obtain IP addresses from a different scope than the one they currently belong to, because the other scope is in a different logical subnet. If this is the behavior you want, great. However, if you want clients to be able to use addresses from other scopes, use a superscope.
A superscope is a collection of scopes grouped together into a single administrative whole. There are three primary reasons you might want to use superscopes:
When you create a superscope, you enable clients to obtain or renew leases from any scope within the superscope, even if they contain addresses from a different logical subnet.
A multicast scope is simply a scope of multicast addresses (class D addresses) that are then shared by many computers (members of the multicast group).
Figure 14-2. The Scope Name screen of the New Scope Wizard.
Figure 14-3. The IP Address Range screen of the New Scope Wizard.
Real World
Setting Lease Durations
Use longer leases for networks without redundant DHCP servers to permit more time to recover an offline DHCP server before clients lose their leases, or to minimize network traffic at the expense of less frequent address turnover. You can also use longer leases if scope addresses are plentiful (at least 20 percent available), the network is stable, and computers are rarely moved.
In contrast, scopes that support dial-up clients or mobile clients such as laptops or PDAs can have shorter leases and therefore function well with fewer addresses.
Lease durations are set in the scope's Properties dialog box. Scopes are listed in the DHCP administration console.
Real World
DHCP Options
There are four different levels at which you can configure DHCP options in a Windows 2000 DHCP server:
Set only the options you know you need. If you're uncertain about an option, leave it alone.
Figure 14-4. The Domain Name And DNS Servers screen of the New Scope Wizard.
After you set up the DHCP server and create the scopes, you must authorize the server to give leases and activate the scopes. (If installed on a domain controller, the DHCP server is authorized automatically when you add the server to the DHCP Manager console.)
Authorizing a DHCP server is an important step that Windows 2000 Server provides to reduce the occurrence of unauthorized (rogue) servers set up to hand out false IP addresses to clients. Although rogue DHCP servers that use UNIX or a hardware-based DHCP server could still be set up, Windows 2000-based DHCP servers can't be used without authorization (which also means no Windows 2000 DHCP servers in a workgroup).
To authorize the DHCP server after installing the service, follow these steps:
To activate a scope, right-click the scope in the console tree, and then choose Activate from the shortcut menu.
Don't activate a scope until you finish selecting all the options you want. Once you activate a scope, the Activate command on the menu changes to Deactivate.
Don't deactivate a scope unless you're permanently retiring the addresses from the network. If you want to temporarily disable a scope, adjust the exclusions for the scope instead. This permits existing clients to keep their addresses while preventing any further leases in the scope.
Reservations are handy items that you can use instead of static IP addresses (which require you to create exclusions in the DHCP scope) for all hosts that need to maintain a specific IP address, such as DNS and WINS servers (DHCP servers actually do need static IP addresses). Using reservations instead of static addresses guarantees that a server has a consistent IP address, while also providing the ability to recover the IP address in the future if the server is decommissioned or moved.
To add an address reservation to a scope, follow these steps:
When reserving an address for a client, make the reservation on all DHCP servers that potentially service that client.
Figure 14-5. The New Reservation dialog box.
To obtain the MAC address, go to the client computer (or make a remote desktop connection) and type ipconfig /all at the command prompt. The MAC address is listed as the physical address. Leave out the dashes when entering the MAC address in step 3 in the preceding procedure.
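As an added example (not from the book), the following Python script reads the text that ipconfig /all prints, finds each adapter's physical address, and normalizes it to the dash-free form the New Reservation dialog expects. The ipconfig output embedded below is a constructed sample, not a capture from a real host; the host name, adapter description and addresses in it are made up.

```python
import re
from typing import Dict

# Constructed sample of Windows 2000 "ipconfig /all" output (not a real capture).
SAMPLE_IPCONFIG = """
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : ws01
        Primary DNS Suffix  . . . . . . . : corp.example.com
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : corp.example.com
        Description . . . . . . . . . . . : Example 10/100 Ethernet Adapter
        Physical Address. . . . . . . . . : 00-0C-29-3A-5F-1B
        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.57
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        DHCP Server . . . . . . . . . . . : 192.168.1.5

PPP adapter Dial-up Connection:

        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.0.0.2
"""

# "Ethernet adapter Local Area Connection:" -> adapter name "Local Area Connection"
ADAPTER_RE = re.compile(r"^\S.*\badapter\s+(.+):\s*$")
# "        Physical Address. . . . . : 00-0C-29-3A-5F-1B" -> name, value
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?)[ .]*:\s*(.*)$")


def normalize_mac(mac: str) -> str:
    """Turn the dashed form ipconfig prints (or a colon form) into the
    12-hex-digit string entered in the New Reservation dialog."""
    cleaned = re.sub(r"[-:. ]", "", mac.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", cleaned):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return cleaned


def parse_ipconfig(text: str) -> Dict[str, Dict[str, str]]:
    """Map each adapter name (and 'global' for the host-level block) to its fields."""
    sections: Dict[str, Dict[str, str]] = {}
    current = "global"
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        m = FIELD_RE.match(line)
        if m:
            sections.setdefault(current, {})[m.group(1).strip()] = m.group(2).strip()
    return sections


def reservation_macs(text: str) -> Dict[str, str]:
    """Adapters that obtain their address from DHCP, with the MAC ready to
    paste into a reservation; dial-up or statically configured adapters are skipped."""
    result: Dict[str, str] = {}
    for name, fields in parse_ipconfig(text).items():
        if fields.get("DHCP Enabled", "").lower() == "yes" and "Physical Address" in fields:
            result[name] = normalize_mac(fields["Physical Address"])
    return result


if __name__ == "__main__":
    for adapter, mac in reservation_macs(SAMPLE_IPCONFIG).items():
        print(f"{adapter}: reserve with MAC {mac}")
```

Only adapters whose DHCP Enabled line reads Yes are reported, so the dial-up adapter in the sample is ignored; the validation in normalize_mac rejects anything that does not reduce to twelve hex digits, which catches a copied value that lost a byte.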
Microsoft Windows XP and Windows 2000 clients automatically update their forward lookup records with the DNS server after obtaining a new IP address from a DHCP server. No DHCP-DNS interaction is required for this behavior. However, Windows XP and Windows 2000 clients explicitly request that the DHCP server update their reverse lookup (PTR) records on the DNS server, which requires communication between the DHCP and DNS servers.
Earlier clients such as Windows Me, Windows 98, and Windows NT clients can't update their resource records themselves, so the DHCP server does it for them—if you turn on this feature (which is recommended). When this feature is enabled, the DHCP server updates an earlier client's forward and reverse lookup records when the client obtains a new IP address.
To enable earlier clients to function properly with DHCP and dynamic DNS, use the following procedure:
Figure 14-6. The DNS tab of the Properties dialog box for a DHCP scope.
This enables the DHCP server to update DNS records for clients, based on the following settings (select the Enable Updates For DNS Clients That Do Not Support Dynamic Update check box, which isn't selected by default):
The Windows 2000 DHCP server might not be able to properly update DNS records for legacy clients if the DNS server isn't a Windows 2000 DNS server. However, the specifications are published in the RFC draft document "Interaction Between DHCP and DNS," so it's inevitable that other DNS servers will eventually work this way. Until then, use the all-Microsoft solution if dynamic DNS updates for earlier clients are important on your network.
It's vital that computers are able to obtain and keep IP addresses: without an IP address a computer can't communicate on a network or connect to the Internet. Most computers won't lose network connectivity immediately if the DHCP server goes down, but new computers, returning laptops, or little-used systems that haven't recently logged on might not be able to obtain network access until the DHCP server is working properly.
To help prevent these unhappy events, you should use redundant DHCP servers. The following sections show how to set up redundant servers using the traditional method of splitting the addresses between two servers, as well as the more complex, high-performance method of setting up a DHCP server cluster.
To employ two DHCP servers for load balancing and redundancy, use the following procedure:
Figure 14-7. Creating a new superscope.
You can delete a superscope without affecting the member scopes by selecting the superscope and pressing Delete. However, deactivating a superscope deactivates all member scopes as well.
If you have a routed network with DHCP relay agents or routers that forward DHCP broadcasts between the physical subnets, you can use DHCP servers on other subnets as secondary servers. However, unless the DHCP server has at least one scope with available addresses from the client's own subnet, the client isn't able to obtain or renew an IP address lease. To make sure this doesn't happen, create two superscopes on each server, one for each logical subnet. Thus, each server owns 80 percent of the address pool for its local subnet, and 20 percent of the address pool for the other DHCP server's local subnet.
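As an added worked example (not from the book), the Python planner below computes the 80/20 split described earlier in the chapter for a single subnet and, generalizing it, the routed layout just described, where each server takes 80 percent of its local subnet's pool and 20 percent of the other server's. It assumes the usual Windows layout in which both servers define a scope over the same full range and each excludes the other server's share; the server names, pool boundaries and sample subnets are constructed. verify_split is the check worth running on any such plan: no address may be offered by both servers, and none may be offered by neither.

```python
import ipaddress
from typing import Dict, List, Tuple

Range = Tuple[str, str]


def _addr(s: str) -> ipaddress.IPv4Address:
    return ipaddress.IPv4Address(s)


def split_pool(pool_start: str, pool_end: str, primary: str, secondary: str,
               primary_share: float = 0.8) -> Dict[str, dict]:
    """Split one subnet's lease pool between two servers (default 80/20).

    Both servers define a scope over the whole pool; each then excludes the
    other server's share so no address can be leased twice.  Returns, per
    server name, the scope range, the exclusion range and the lease count.
    """
    start, end = _addr(pool_start), _addr(pool_end)
    if end < start:
        raise ValueError("pool_end precedes pool_start")
    total = int(end) - int(start) + 1
    primary_count = round(total * primary_share)
    if not 0 < primary_count < total:
        raise ValueError("share leaves one server with no addresses")
    boundary = start + primary_count          # first address of the secondary share
    return {
        primary: {"scope": (str(start), str(end)),
                  "exclude": (str(boundary), str(end)),
                  "leases": primary_count},
        secondary: {"scope": (str(start), str(end)),
                    "exclude": (str(start), str(boundary - 1)),
                    "leases": total - primary_count},
    }


def offered(scope: Range, exclude: Range) -> set:
    """Addresses a server will actually hand out: the scope minus its exclusion."""
    s, e = int(_addr(scope[0])), int(_addr(scope[1]))
    xs, xe = int(_addr(exclude[0])), int(_addr(exclude[1]))
    return {a for a in range(s, e + 1) if not xs <= a <= xe}


def verify_split(plan: Dict[str, dict]) -> bool:
    """True when the two servers' offered sets neither overlap nor leave a gap."""
    names = list(plan)
    a = offered(plan[names[0]]["scope"], plan[names[0]]["exclude"])
    b = offered(plan[names[1]]["scope"], plan[names[1]]["exclude"])
    s, e = plan[names[0]]["scope"]
    full = set(range(int(_addr(s)), int(_addr(e)) + 1))
    return a.isdisjoint(b) and (a | b) == full


def plan_routed(subnets: List[Tuple[str, str, str]],
                servers: Tuple[str, str]) -> Dict[str, List[dict]]:
    """Routed variant: each subnet names its local server, which takes the
    80 percent share; the other server takes 20 percent of that subnet.
    Returns, per server, one scope definition per subnet."""
    per_server: Dict[str, List[dict]] = {servers[0]: [], servers[1]: []}
    for pool_start, pool_end, local in subnets:
        remote = servers[1] if local == servers[0] else servers[0]
        for name, entry in split_pool(pool_start, pool_end, local, remote).items():
            per_server[name].append({"pool": (pool_start, pool_end), **entry})
    return per_server


if __name__ == "__main__":
    # Constructed sample: DHCP1 is local to 192.168.1.0/24, DHCP2 to 192.168.2.0/24.
    layout = plan_routed([("192.168.1.20", "192.168.1.219", "DHCP1"),
                          ("192.168.2.20", "192.168.2.219", "DHCP2")],
                         ("DHCP1", "DHCP2"))
    for server, scopes in layout.items():
        for sc in scopes:
            print(server, "scope", sc["pool"], "exclude", sc["exclude"],
                  sc["leases"], "leases")
```

Each entry in the output is one scope to define on that server: type the pool as the scope's address range and the listed exclusion as its exclusion range, then group the server's scopes into the superscopes the procedure calls for. Because the exclusion, not the scope boundary, carries the split, a later rebalance (say 70/30 after one server proves busier) is a change to two exclusion ranges rather than a rebuild of the scopes.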
Although splitting the address space between two DHCP servers is an adequate way to provide redundancy and load balancing, an even more powerful solution is to set up the DHCP service to run on a Windows 2000 Server cluster. The members of the cluster equally share the DHCP service workload, and if one of the servers fails, the other servers continue to provide addresses to clients as if nothing had happened. Instead of an address space split between servers, each server in the cluster has access to the complete address space.
Using the Windows 2000 Cluster service is discussed in detail in Chapter 16, but the basic steps to get a DHCP server up and running in a cluster are as follows:
Microsoft recommends that you postpone creating DHCP scopes until the DHCP service is set up with the cluster, as described in the following steps.
Right-click the group to which the DHCP resource belongs and choose Move Group from the shortcut menu to verify that the resource has been properly created on the cluster. If the group moves properly, the resource setup is fine.
The DHCP snap-in, shown in Figure 14-8, provides a single point from which to administer all the properties and functionality of the DHCP servers.
To add a DHCP server to the list of managed servers, right-click DHCP in the console tree and then choose Add Server from the shortcut menu. Select the server you want to add to the console and click OK.
Figure 14-8. The DHCP snap-in.
Modify a scope's properties by right-clicking the scope in the console tree and choosing Properties from the shortcut menu. This displays the Scope Properties dialog box shown in Figure 14-9.
Figure 14-9. The General tab of the Properties dialog box for a DHCP scope.
Deactivate a scope by right-clicking the scope and choosing Deactivate from the shortcut menu. To return the scope to use, right-click the scope again and choose Activate.
To temporarily stop distribution of leases from a scope, adjust the exclusion range so that no new addresses are available rather than deactivating the scope. This avoids forcing clients currently using addresses in the scope to prematurely obtain a new IP address from a different DHCP server or a different scope.
Exclude a range of IP addresses from a scope by right-clicking the Address Pool folder under the appropriate scope and choosing New Exclusion Range from the shortcut menu. Type the range of addresses you want to exclude and then click Add.
To enable server-based conflict detection so that the DHCP server checks an IP address before leasing it, verifying that the address isn't already in use, right-click the DHCP server in the console tree and choose Properties from the shortcut menu. Click the Advanced tab, and then set the Conflict Detection Attempts number to 1. Don't increase this number beyond 2; doing so results in additional searches and needlessly increases the time it takes a client to obtain an IP address.
Windows XP and Windows 2000 clients automatically verify that the IP address offered by the DHCP server is available before accepting it, so conflict detection is useful only for earlier clients. In the interest of conserving network bandwidth and reducing client startup times, leave this option disabled unless you're having problems with duplicate IP addresses, as might be the case if you have undocumented static IP addresses on the network.
If you have a routed network, deploy DHCP servers on both sides of routers to maximize reliability and minimize bandwidth usage. However, there are instances in which you want to allow DHCP to work across a router; for example, you might want to place a secondary DHCP server on the other side of a router. Or, if the connection is very reliable and fast, as might be the case with a partitioned local network or municipal area network (MAN), you might want to simply allow clients to cross the router to reach a DHCP server.
You can configure most routers manufactured in the last several years to pass DHCP broadcasts (they're BOOTP-compliant), but if the router doesn't support forwarding DHCP broadcasts, you can set up a server running Windows 2000 Server as a DHCP relay agent using the following procedure:
Figure 14-10. Setting up a DHCP relay agent.
To make a Windows NT 4 system into a DHCP relay agent, open the Network tool in Control Panel, click the Protocols tab, double-click the TCP/IP protocol item, click the DHCP Relay tab, click Add, and then type the IP address for the DHCP server on another subnet. The Windows NT system must be a member of the subnet containing the clients you want to forward to a DHCP server on another subnet and can't actually be a router itself.
It occasionally happens that you need to move the DHCP service from one computer to another, perhaps because of a hardware upgrade (or failure) on the existing server. To prevent an interruption in the issuing of leases, be sure there is a secondary DHCP server available during the transition.
To move a DHCP server database from one computer to another, use the following procedure:
Figure 14-11. Stopping the DHCP Server service.
On any Windows computer without a static IP address, you can run a command-line utility to release, renew, or verify the client's address lease. At a command prompt (or in the Run window), use one of the following commands:
The Ipconfig program is useful when troubleshooting problems because it displays every detail of the current TCP/IP configuration. You can find more troubleshooting information in Chapter 38.