Configuring and Managing DHCP
The first question many managers ask when presented with a request to install Windows Server 2003 DHCP is this: "Can't we just use our existing DHCP?" The answer to this question is both yes and no. If you are maintaining a legacy domain and WINS network, Windows Server 2003 can receive DHCP information from any DHCP server with which Windows NT 4.0 or Windows 2000 works. However, if you want to take advantage of the features of Active Directory and migrate away from the legacy WINS architecture, you need the Windows Server 2003 DHCP service.
The following sections discuss how to install and configure DHCP for a network.
Installing the DHCP Server Service
When you install Windows Server 2003, you have the ability to install DHCP as one of the optional services. To prepare for Exam 70-291, you need to know how to install DHCP on an existing server that does not already have DHCP installed.
Before you install DHCP, you must configure the server with a static IP address, as discussed in Chapter 1, "Configuring and Troubleshooting TCP/IP Addressing." After the DHCP server's network adapter is configured with a static IP address, you can go about the process of installing the DHCP service onto the server. To install the DHCP service on your server, perform the steps described in Step by Step 2.1.
Step By Step 2.1 Installing the DHCP Service
- Select Start, Settings, Control Panel, Add or Remove Programs.
- On the Add or Remove Programs page, click Add/Remove Windows Components to open the Windows Components Wizard.
- Select Networking Services, as shown in Figure 2.1.
Figure 2.1 DHCP is located in the Networking Services group in the Windows Component Wizard.
- Click the Details button to open the Networking Services window, shown in Figure 2.2.
- Select Dynamic Host Configuration Protocol (DHCP) and click OK.
Figure 2.2 You select the Dynamic Host Configuration Protocol (DHCP) option to install the DHCP server.
- Back in the Windows Components Wizard page, click Next to begin the installation.
- If you are prompted to supply the location of your Windows Server 2003 CD-ROM or installation files, provide the correct location. Windows installs the DHCP service files on your computer.
- When prompted that installation is complete, click Finish to close the Windows Components Wizard.
After you've installed the DHCP service, you next need to begin configuring the DHCP server so that it can service network clients. Before you can begin the configuration process, you first need to get an understanding of the types of DHCP scopes in Windows Server 2003.
Understanding DHCP Scopes
A scope is a range of IP addresses that are available for dynamic assignment to hosts on a given subnet. The scope for a particular subnet is determined by the network address of the broadcast DHCP request. In addition to address information, a scope can include a set of configuration parameters to be assigned to client computers when the address is assigned. This list of configuration parameters can include DNS servers, WINS servers, default gateways, the subnet mask, a NetBIOS scope ID, IP routing information, and WINS proxy information.
You should make the scope as large as you can. Later in the scope-creation process, you have the ability to exclude addresses, and you can also define reservations for particular addresses that exist within the scope.
Understanding DHCP Superscopes
The superscope type of scope was introduced to the Windows NT product family with Service Pack 2 for Windows NT 4.0. A superscope allows you to support a supernetted or multinetted network with a Windows Server 2003 DHCP server.
A supernetted network is a network that has multiple network addresses or subnets running on the same segment. This configuration is common in a network environment with more than 254 hosts on a subnet and in an environment in which certain hosts need to be isolated from the rest of the logical network for security or routing reasons. Superscopes support a local multinet or a multinet that is located across a router and configured to use the BOOTP forwarder service.
When to Use Supernetting
Visualize a large company that has been assigned the IP address block 18.104.22.168-22.214.171.124 by its ISP. The company occupies five floors in a building. On each of these floors are approximately 300 users, all on the same physical network. Traditional network design would have a routed backbone running between the floors, and each floor would be its own IP network. But there's one problem: There are too many users on these floors to be handled by a single Class C subnet. What are the alternatives?
You could place a router somewhere on each of the floors to further segment the network. This is an expensive and support-intensive solution and is generally considered to be impractical.
You could purchase a block of Class B addresses, but this could get costly and is generally very wasteful.
The last thing you could do is place multiple IP networks on the single-routed segment. In other words, you could create a supernet. This capability is supported by any of the routers on the market today, including the operating system-based routing services in Windows Server 2003, Novell NetWare, and any of the Unix flavors. So when you think about a supernet, think about a floor in a building with too many users for 254 IP addresses.
Understanding Multicasting and Multicast Scopes
Multicasting is the act of transmitting a message to a select group of recipients. This is in contrast to the concept of a broadcast, in which traffic is sent to every host on the network, or a unicast, in which the connection is a one-to-one relationship and there is only one recipient of the data.
Let's look at an example using an email message. If you send an email message to your manager, that email is a unicast message. If you send an email message to every user on the system, you have sent a broadcast. If you send an email message to a mailing list, you have sent a multicast message, which falls between a unicast message and a broadcast message. Teleconferencing and videoconferencing use the concept of multicasting, as does broadcast audio, in which the connection is from one source computer to a selected group of destination computers. At this time, only a few applications take advantage of multicasting, but with the growing popularity of multicast applications, we might see more multicast applications in the future.
The following are a few terms you need to understand before we discuss the Windows Server 2003 multicast capabilities:
- Multicast DHCP (MDHCP)—An extension to the DHCP standard that supports dynamic assignment and configuration of IP multicast addresses on TCP/IP-based networks.
- Multicast forwarding table—The table used by an IP router to forward IP multicast traffic. An entry in the IP multicast forwarding table consists of the multicast group address, the source IP address, a list of interfaces to which the traffic is forwarded (that is, the next-hop interfaces), and the single interface on which the traffic must be received to be forwarded (that is, the previous-hop interface).
- Multicast group—A group of member TCP/IP hosts configured to listen for and receive datagrams sent to a specified destination IP address. The destination address for the group is a shared IP address in the Class D address range (126.96.36.199-2188.8.131.52).
- Multicast scope—A scope of IP multicast addresses in the range 184.108.40.206-220.127.116.11. Multicast addresses in this range can be prevented from propagating in either direction (send or receive) through the use of scope-based multicast boundaries.
Windows Server 2003 makes use of the concept of a multicast scope. The DHCP service has been extended to allow the assignment of multicast addresses in addition to unicast (single-computer) addresses. A proposed IETF standard (RFC 2730), Multicast Address Dynamic Client Allocation Protocol (MADCAP), defines multicast address allocation. MADCAP (also known as MDHCP in Microsoft lingo) would allow administrators to dynamically allocate multicast addresses to be assigned in the same fashion as unicast addresses. The Windows Server 2003 DHCP multicasting capability also supports dynamic membership, which allows individual computers to join or leave a multicast group at any time. This is similar to registering to receive an Internet broadcast or joining and leaving an email mailing list. Group membership is not limited by size, and computers are not restricted to membership in any single group.
How do client computers join and leave a multicast group? The answer is via MDHCP and the MDHCP application programming interface (API). Client computers using MDHCP must be configured to use the MDHCP API. MDHCP assists in simplifying and automating configuration of multicast groups on a network, but it is not required for the operation of multicast groups or for the DHCP service. Multicast scopes provide only address configuration and do not support or use other DHCP-assignable options. MDHCP address configuration for client computers should be done independently of how the client computers are configured to receive their primary IP addresses. Computers using either static or dynamic configuration through a DHCP server can also be MDHCP clients.
Now that you have knowledge of the different types of scopes supported in Windows Server 2003, you can move forward to creating scopes on a DHCP server.
Creating a DHCP Scope
- Manage DHCP clients and leases.
- Manage DHCP scope options.
Now that you are familiar with the different types of scopes, you can create one. To create a standard DHCP scope, you perform the steps described in Step by Step 2.2.
Step By Step 2.2 Creating a DHCP Scope
- Open the DHCP console by selecting Start, Programs, Administrative Tools, DHCP.
- Right-click the DHCP server and select New Scope from the context menu.
- Click Next to dismiss the opening page of the New Scope Wizard.
- On the first page of the wizard, the Scope Name page, enter a name and description for the new scope, as shown in Figure 2.3. You should make this name something that will allow you to easily identify this scope in the event that you have multiple scopes on the DHCP server. When you're done entering the information, click Next to continue.
Figure 2.3 You should enter an intuitive name and description for the new scope.
- On the next page of the wizard, the IP Address Range page, enter the IP address range and subnet mask that you need for the network, as shown in Figure 2.4. You can define the subnet mask by using the standard octet method (for example, 255.255.255.0) or by using the more router-centric mask length field (for example, 24 bits). When you're done entering the information, click Next to continue. If you need a refresher on subnet masks, refer to Chapter 1.
Figure 2.4 Configuring the IP address range and subnet mask information defines the scope boundaries.
- On the next page of the wizard, the Add Exclusions page (see Figure 2.5), you can configure a range of IP addresses that will not be leased to client computers. These are typically addresses assigned to application servers, routers, printers, or other infrastructure equipment that requires static addresses. You can have multiple excluded IP addresses or ranges for each scope. When you're done entering the information, click Next to continue.
Figure 2.5 Configuring IP address exclusions allows you to prevent addresses within the scope from being leased out.
- On the next page of the wizard, the Lease Duration page, you can configure the amount of time for which a DHCP lease is valid, as shown in Figure 2.6. The default setting is 8 days and can be changed to any value between 1 minute and almost 1,000 days (999 days, 23 hours, 59 seconds, to be exact). For the average network, the default setting of 8 days is sufficient. In a network that has a large number of computers connecting at various locations, such as portable computers on wireless connections, you might want to reduce the lease duration. Conversely, in a network with clients that do not change location, you might consider increasing the lease duration to cut down on DHCP traffic on the network. When you're done entering the information, click Next to continue.
Figure 2.6 You should configure the lease duration that seems appropriate for the network.
- On the next page of the wizard, the Configure DHCP Options page, you are given the choice to configure additional options for your scope now or later. It is usually best to configure these options at the time of scope configuration, and thus you should do that now. Table 2.1, later in this chapter, presents the entire list of DHCP scope options that can be configured, although you will only be able to configure three of them at this time. Select Yes, I want to Configure These Options Now and click Next to continue.
Table 2.1. Common DHCP Scope Options
Specifies the offset of the client's subnet in seconds from UTC.
Specifies a list of IP addresses for routers on the client's subnet.
Specifies a list of RFC 868 time servers available to the client.
Specifies a list of name servers available to the client.
Specifies a list of DNS servers available to the client.
Specifies a list of RFC 1179 line printer servers available to the client.
DNS Domain Name
Specifies the domain name that the client should use when resolving hostnames via DNS.
All Subnets Are Local
Specifies whether the client can assume that all subnets of the IP network to which the client is connected use the same MTU as the subnet of the network to which the client is directly connected.
Specifies the broadcast address in use on the client's subnet.
Specifies a list of RFC 1001/1002 NBNS servers, listed in order of preference.
WINS/NBT Node Type
Allows NetBT clients, which can be configured as described in RFC 1001/1002.
NetBIOS Scope ID
Specifies the NetBT scope parameter for the client, as specified in RFC 1001/1002.
- On the next page of the wizard, the Router (Default Gateway) page, enter the default gateway for the network or the subnet that the scope serves, as shown in Figure 2.7. When you're done entering the information, click Next to continue.
Figure 2.7 If you configure multiple gateways, you need to ensure that you place them in preferred order from top to bottom.
- On the next page of the wizard, the Domain Name and DNS Servers page, configure the parent domain of which all DHCP clients should be made part as well as any number of DNS servers you require, as shown in Figure 2.8. It is recommended that you enter at least two DNS servers for your clients to use. If you need to resolve a server name to an IP address, you can enter the server's name and then click the Resolve button. Configuring the DNS service is discussed in Chapter 3, "Implementing and Managing DNS." When you're done entering the information, click Next to continue.
Figure 2.8 If you configure multiple DNS servers, you should ensure that you place them in preferred order from top to bottom.
- On the next page of the wizard, the WINS Servers page, enter the IP addresses of the network's WINS servers, as shown in Figure 2.9. WINS servers are used to convert NetBIOS names to IP addresses for legacy clients on the network. As in the Domain Name and DNS Servers page, you can use the Resolve button to resolve a hostname to an address. If a network is purely Windows 2000 or better, you do not need to have a WINS server on the network because Windows 2000, Windows XP, and Windows Server 2003 use DNS by default for all name resolutions. If you do have the need for WINS servers on a network, it is recommended that you enter at least two of them here. When you're done entering the information, click Next to complete the scope creation process.
Figure 2.9 WINS servers are not required for networks that use only Windows 2000, Windows XP, or Windows Server 2003 computers.
- On the next page of the wizard, the Activate Scope page (see Figure 2.10), you are given the option to active the configured scope now or later. In most cases you want to activate the scope right away. Select Yes, I Want to Activate This Scope Now and click Next to activate the configured scope.
Figure 2.10 You typically want to activate the scope immediately after configuring it.
- Click Finish to close the New Scope Wizard. Note that the DHCP won't issue any IP address from your new scope unless it has already been authorized in Active Directory, which we discuss a little bit later in this chapter.
Configuring Scope Properties
- Manage DHCP clients and leases.
- Manage DHCP scope options.
- Manage reservations and reserved clients.
After you've created a scope, you might want to modify its properties. To modify a scope's properties, you perform the steps described in Step by Step 2.3.
Step By Step 2.3 Configuring a DHCP Scope's Properties
- Right-click the scope and select Properties from the context menu.
- The Properties dialog box opens, as shown in Figure 2.11.
Figure 2.11 You can use the Scope Properties dialog box to change scope properties after you create a scope.
- On the General tab, change the scope name, IP address range, lease duration, and scope description if you want to.
- If you want to change the options on the DNS tab, do so now. The options on the DNS tab are discussed later in this chapter, in the section "Configuring DHCP for DNS Integration."
- On the Advanced tab, select options related to BOOTP clients, as shown in Figure 2.12. If you have BOOTP clients on your network, select either the BOOTP Only option or the Both option, depending on your network configuration. The default setting is DHCP Only. Click OK to close the Scope Properties dialog box after you make your changes.
Figure 2.12 You can configure the scope to service BOOTP clients on the Advanced tab of the Scope Properties dialog box.
- To view the address pool and configured exclusion ranges, click the Address Pool node of the DHCP console, as shown in Figure 2.13.
Figure 2.13 You can quickly view all configured scope ranges and exclusion ranges from the Address Pool node.
- To add a new exclusion range, right-click Address Pool and select New Exclusion Range from the context menu. The Add Exclusion window appears (see Figure 2.14). Click Add after you enter your new exclusion range.
Figure 2.14 You can add a new exclusion range to a configured DHCP scope by using the Add Exclusion dialog box.
- To view the addresses that have been leased, click the Address Leases node, as shown in Figure 2.15. (Of course there won't be any leases shown here until you authorize the DHCP server, as discussed later in this chapter, in the section "Authorizing a DHCP Server in Active Directory.")
Figure 2.15 You can view all active scope leases from the Address Leases node.
- If you want to manually revoke an active client lease, right-click it in the right pane of the Address Leases node and select Delete from the context menu.
- To view the configured reservations, click the Reservations node of the DHCP console.
- You can configure a new address reservation by right-clicking Reservations and selecting New Reservation from the context menu. You can configure a reservation for any device that you want to have a DHCP-assigned IP address that never expires. Configure the reservation as shown in Figure 2.16 and click Add to add it. Click Close to close the New Reservation input box after you're done configuring reservations for this scope. After you've configured a reservation, you can see it in the Reservations node of the DHCP console, as shown in Figure 2.17.
- You can view existing scope options by clicking the Scope Options node, as shown in Figure 2.18.
Figure 2.16 You can configure a new DHCP reservation, which is typically done for printers and other static infrastructure devices.
Figure 2.17 You can view all scope reservations from the Reservations node.
Figure 2.18 The Scope Options node lists all currently configured scope options.
- To configure a new scope option, right-click the Scope Options node and select Configure Options from the context menu. Configure the options in the Scope Options window (see Figure 2.19). Table 2.1 lists the common DHCP options available for configuration. Table 2.2 explains the Microsoft-specific DHCP options that are available for configuration.
Figure 2.19 You can configure extra scope options from the Scope Options dialog box.
Some of the more common DHCP scope options are presented in Table 2.1.
There is a provision in DHCP for manufacturer-specific DHCP options to be configured. You can select these options by opening the DHCP management console and selecting the scope for which to configure options, as described in Step by Step 2.3. Selecting the Advanced tab allows you to select Microsoft Options from the drop-down list in the Vendor Class window. Table 2.2 shows the manufacturer options that are defined by Microsoft.
Table 2.2. Microsoft-Specific DHCP Options
Microsoft Disable NetBIOS
This option can be used to selectively enable or disable NetBT for DHCP-enabled computers running Windows.
Microsoft Release DHCP Lease on Shutdown
This option can be used to control whether DHCP-enabled computers running Windows send a release for their current DHCP lease to the DHCP server when shutdown occurs.
Microsoft Default Router Metric Base
This value is a specified router metric base to be used for all default gateway routes.
Authorizing a DHCP Server in Active Directory
For security reasons, a new DHCP server must be authorized in Active Directory before it can assign IP addresses by an administrator with Enterprise Admin credentials. This prevents unauthorized DHCP servers from running on the network. One of the nastiest things a troublemaker can do is to put up a rogue DHCP server and have it issue addresses that conflict with infrastructure devices' addresses. The nice thing about this feature is that if you are running Windows 2000 or better client computers and they are using Active Directory, the computers will not accept DHCP addresses from an unauthorized server. To authorize a DHCP server in Active Directory, you perform the steps described in Step by Step 2.4.
Step By Step 2.4 Authorizing a DHCP Server in Active Directory
- Open the DHCP console by selecting Start, Programs, Administrative Tools, DHCP.
- Right-click the DHCP server and select Authorize from the context menu.
- The authorization process might take some time, depending on network conditions. Refresh the DHCP console by pressing F5, and you should see the window shown in Figure 2.20. When authorization is complete, the status is shown as Active and the server is ready to issue addresses when it receives DHCP requests. Note also that the status arrow on the server itself is now pointing up instead of down as before.
Figure 2.20 When a DHCP server is authorized, DHCP server scope information shows up in the right pane of the DHCP console window.
Windows Server 2003 and Windows 2000 Server DHCP servers that are not authorized do not provide DHCP services to network clients. These unauthorized servers also check every five minutes to see if their authorization status has changed, thus allowing them to begin servicing clients.
You have now installed, configured, and authorized a Windows Server 2003 DHCP server. We next examine configuring DHCP for DNS integration.
Configuring DHCP for DNS Integration
One of the keys to effectively implementing an Active Directory environment is the capability for Windows 2000 and Windows XP workstations using DHCP to be automatically registered in DNS. You can set the following settings for DNS integration (see Step by Step 2.5):
- Dynamically Update DNS A and PTR Records Only If Requested by the DHCP Clients—This is the default behavior of the Windows Server 2003 DHCP server, and it causes the DHCP server to register and update client information with the authoritative DNS server of the zone in which the DHCP server is located, according to the DHCP client's request. The DHCP client can request the way in which the DHCP server performs updates of its host (A) and pointer (PTR) resource records. If possible, the DHCP server will accommodate the client's request for handling updates to its name and IP address information in DNS. This selection requires the Enable Dynamic DNS Updates According to the Settings Below option to be selected.
- Always Dynamically Update DNS A and PTR Records—When this option is selected, the DHCP server will always update the client's fully qualified domain name (FQDN), IP address, and both the A and PTR resource records, regardless of whether the client has requested to perform its own updates. This selection requires the Enable Dynamic DNS Updates According to the Settings Below option to be selected.
- Discard A and PTR Records When Lease Is Deleted—This option, which is selected by default, instructs the DHCP server to cause the DNS server to delete the client's A and PTR records when the lease has expired or otherwise has been deleted. This selection requires the Enable Dynamic DNS Updates According to the Settings Below option to be selected.
- Dynamically Update DNS A and PTR Records for DHCP Clients That Do Not Request Automatic Updates—This option allows legacy clients, such as Windows NT 4.0 and Windows 9x clients, to participate in DNS dynamic updates. This selection requires the Enable Dynamic DNS Updates According to the Settings Below option to be selected.
Because DNS dynamic updating is controlled by the DHCP server, you will need to perform all of the applicable DNS configuration from the DHCP console. The DHCP server automatically updates any DNS server configured as part of the server's TCP/IP network properties. It is important to be sure that the primary DNS server is configured as one of the DNS servers because any updates sent to it will be propagated to the rest of the DNS servers for that domain. However, the DNS server in question must support DDNS. DNS is discussed in more detail in Chapter 3. The Windows Server 2003 DNS server supports these updates, as do a number of other DNS servers.
To configure a DHCP server for DNS integration, you perform the steps described in Step by Step 2.5.
Step By Step 2.5 Configuring DHCP for DNS Integration
- Open the DHCP console by selecting Start, Programs, Administrative Tools, DHCP.
- Right-click the DHCP server and select Properties from the context menu. Select the DNS tab of the DHCP Server Properties dialog box, as shown in Figure 2.21.
Figure 2.21 You can configure DDNS options on the DNS tab.
- To enable DHCP integration with DNS, ensure that the Enable Dynamic DNS Updates According to the Settings Below check box is selected.
- Select to have the DHCP server update A and PTR records when requested or to always update A and PTR records.
- To help keep the DNS database clean and consistent, allow the DHCP server to cause expired leases to lead to A and PTR record deletion.
- If there are legacy clients on the network, ensure that dynamic updating is configured for them.
- If you are using secure dynamic updates, you should consider configuring a dedicated network user account for dynamic updating. You can enter the account credentials by switching to the Advanced tab of the DHCP Server Properties dialog box, as shown in Figure 2.22.
Figure 2.22 You need to click the Credentials button to enter the account username and password for DDNS.
- Click the Credentials button to open the DNS dynamic update credentials window, which is shown in Figure 2.23.
Figure 2.23 You need to enter the dynamic updates account credentials on the DNS dynamic update credentials dialog box.
- Enter the domain user account name, domain, and password in the DNS dynamic update credentials dialog box. Click OK to accept the credentials or Cancel to avoid entering credentials at this time.
- Click OK to close the DHCP Server Properties dialog box.
DHCP option code 81 is required in order to make dynamic update work. Let's look at two examples that explain the basic dynamic update process.
The first example looks at a Windows 2000 Professional client computer that has requested a DHCP lease from a Windows Server 2003 DHCP server configured with the default options:
- During the DHCP lease negotiation process, the Windows 2000 Professional client sends a DHCPREQUEST message. By default, the client includes DHCP option 81 in this message, informing the DHCP server that it is requesting that its PTR record be registered in DNS by the DHCP server. The client will be responsible for registering its A record on its own.
- The DHCP server replies with a DHCPACK message, granting the requested DHCP lease. This message includes DHCP option 81. With the default DHCP server settings, the DHCP server informs the client that it will register the PTR record and that the client will be responsible for registering the A record in DNS.
- The client registers its A record, and the DHCP server registers the client's PTR record in DNS.
The second example looks at a Windows NT 4.0 Workstation client computer that has requested a DHCP lease from a Windows Server 2003 DHCP server configured with the default options:
- During the DHCP lease negotiation process, the Windows NT 4.0 Workstation client sends a DHCPREQUEST message. DHCP option 81 is not included in this message.
- The server returns a DHCPACK message to the client, granting its DHCP lease request.
- The DHCP server updates the DNS server with the client's A and PTR records.
Configuring and Implementing a DHCP Relay Agent
- Manage DHCP Relay Agent.
Today, most networks that use DHCP are routed. As discussed previously, DHCP messages are broadcast messages. By default, nearly all routers do not pass broadcast traffic in the interest of reducing overall network traffic levels. Fortunately, you can get around this design limitation by configuring a DHCP relay agent to pass BOOTP messages across routers.
There are three basic configurations in which you can set up a DHCP relay agent. The first involves entering the IP address or addresses of the DHCP server(s) into the router itself, instructing it to pass DHCP messages to a specified IP address for action. The second method involves using the Windows Server 2003 Routing and Remote Access Service (RRAS) component as a router (in the place of a hardware-based router) and configuring the DHCP relay agent within it. The third solution, and the one that we examine in this section, is to use a Windows Server 2003 computer located on a subnet without a DHCP server to act as a DHCP relay agent. This option requires the use of the RRAS components, but it does not involve the creation or configuration of a router as the second solution would. What's important to understand is that the server providing the DHCP relay agent service does not have to be dedicated to that purpose; it could be a file server, print server, or any other type of Windows Server 2003 (or Windows 2000 Server) server on that subnet. Figure 2.24 shows how this arrangement would look on a network.
Figure 2.24 The DHCP relay agent allows clients on the other side of a router to communicate with the DHCP server.
In Step by Step 2.6, you enable the DHCP relay agent on a Windows Server 2003 computer. This exercise assumes that you have not previously configured and enabled RRAS on the computer.
Step By Step 2.6 Configuring a DHCP Relay Agent
- Select Start, Programs, Administrative Tools, Routing and Remote Access to open the Routing and Remote Access console, which is shown in Figure 2.25. (If you've previously configured and enabled RRAS, you can skip to Step 7.)
Figure 2.25 The Routing and Remote Access console is initially empty.
- Right-click the server name and select Configure and Enable Routing and Remote Access from the context menu. The Routing and Remote Access Server Setup Wizard appears. Click Next to dismiss the opening page.
- On the Configuration page of the wizard, shown in Figure 2.26, select the Custom Configuration option and click Next to continue.
- On the Custom Configuration page of the wizard, shown in Figure 2.27, select the LAN routing option and click Next to continue.
- When the summary page is displayed, review your selections and then click Finish to continue.
- You are prompted to start RRAS. Click Yes to start the service.
- Back at the Routing and Remote Access console, expand the following nodes: Routing and Remote Access, ServerName, IP Routing, and General, as shown in Figure 2.28.
Figure 2.26 You need to specify a custom configuration in order to perform a basic DHCP relay agent setup.
Figure 2.27 The LAN routing option is the bare minimum you need to support later installation of the DHCP relay agent.
Figure 2.28 You need to add the DHCP relay agent from the General node.
- Right-click the General node and select New Routing Protocol from the context menu. This opens the New Routing Protocol dialog box.
- From the New Routing Protocol dialog box, shown in Figure 2.29, select DHCP Relay Agent. Click OK to confirm your configuration.
Figure 2.29 You can add the DHCP relay agent in addition to standard IP routing protocols.
- To select a network interface for the DHCP relay agent to run on, right-click the DHCP Relay Agent node in the RRAS console and select New Interface from the context menu.
- On the New Interface for DHCP Relay Agent page, shown in Figure 2.30, select the network interface that you want to be available for the DHCP relay agent. Click OK to continue. The DHCP Relay Properties dialog box, shown in Figure 2.31, opens.
Figure 2.30 You need to select one or more installed network adapters for use by the DHCP relay agent.
Figure 2.31 You need to configure the maximum hop count and length of delay time for the DHCP relay agent.
- In the DHCP Relay Properties dialog box, configure the required values for hop-count threshold and boot threshold. The default value for each of them is 4. Click OK to confirm your settings.
- The last configuration you need to perform is to assign the DHCP server IP addresses to which the DHCP relay agent forwards DHCP messages. Right-click the DHCP Relay Agent node in the RRAS console and select Properties to open the DHCP Relay Agent Properties dialog box, which is shown in Figure 2.32. Enter one or more remote DHCP servers into the list and click OK to confirm your settings.
Figure 2.32 You need to provide one or more remote DHCP servers to which the DHCP relay agent can forward DHCP messages.
Configuring Security for DHCP
Although there are no administrative tasks that outwardly appear that they will help secure your DHCP infrastructure, there are some best practices and other actions that you can follow that will provide a more secure (and thus, more reliable) DHCP implementation in your environment. We briefly examine them here:
- Use the 80/20 address allocation rule—Use DHCP servers in pairs to provide leases to each of your network subnets. One server should be configured with 80 percent of the available addresses (in a scope) on it, and the other server should have a corresponding scope configured with the remaining 20 percent of the available addresses. The scopes should be balanced between the two servers such that each server has approximately the same number of 80-percent scopes (its own scopes) and 20-percent scopes (scopes that belong to the other server). By using this configuration, you can ensure that leases will still be made available to clients requesting them in the event a single server is under a DoS attack.
- Create and use DHCP server clusters—By enabling a DHCP server cluster, you remove a single server as a single point of failure (SPOF). By having two (or more) servers in a cluster acting a single DHCP entity, a failure of a single server (or multiple servers depending on your configuration) will not result in a failure to provide leases to clients. Clustering can be expanded on by creating two clusters and implementing the 80/20 address allocation rule for maximum redundancy.
- Examine the DHCP audit logs regularly—Ensure that audit logging is enabled, as shown in Figure 2.33. The audit logs are stored in the location defined on the Advanced tab, which was shown in Figure 2.22. The location is %systemroot%\system32\dhcp\ by default.
- Harden servers—You can get detailed information and assistance on hardening Windows Server 2003 servers from the Windows Server 2003 Security Guide.
Figure 2.33 DHCP audit logging is enabled from the General tab of the DHCP server Properties dialog box.