DHCP for Windows Server 2008


In this section I will look at Dynamic Host Configuration Protocol. Dynamic Host Configuration Protocol is a service that lets you automatically provide network configuration to clients on your network. In this video I will first look at what Dynamic Host Configuration Protocol, or DHCP, is. Once you understand what DHCP is, I will look at the new features that Windows Server 2008 and Windows Server 2008 R2 add to DHCP. Next I will provide an overview of how the features work in DHCP. After this I will look at how to install and configure DHCP on Windows Server 2008 R2 and also look at installing DHCP on Server Core. Finally I will look at the DORA process. The DORA process is the process DHCP uses in IP version 4 to obtain an IP address. It is an important process to understand.

So what is Dynamic Host Configuration Protocol, or DHCP? DHCP has been around since the early 90's. DHCP allows for dynamic allocation and management of network configuration. Picture this: a client computer starts up on a network. It has no IP address, does not know where any servers are and cannot communicate on the network. The client computer sends a message out on the network asking for the configuration for that network. The DHCP server responds with an IP address and other details the client will need to work on that network, for example DNS servers and a default gateway. DHCP is the protocol that allows you to use your computer on a foreign network or wireless hot spot. DHCP is very scalable, allowing you to configure 100's or even 1000's of computers automatically. Using DHCP allows you to centrally administer your network settings, saving you from having to manually configure each client individually.

DHCP server for Windows Server 2008 and Windows Server 2008 R2 comes with some new features. First there is support for IP version 6. When you launch the DHCP snap-in, you will see one section for DHCP version 4 and a separate section for DHCP version 6.
With DHCP for IP version 6 also comes support for stateless and stateful configuration. To understand stateless configuration, you first need to understand how IP version 6 can configure itself without a DHCP server. When an IP version 6 computer or device starts up on an IP version 6 network, a discovery message is sent out on the network. The discovery message is attempting to find the network prefix of that network. IP version 6 has a lot of improvements to automatic configuration. As shown here, IP version 6 has already configured the interface ID part of its address, shown in blue. This is taken from the MAC address of the network card or generated randomly. The green part of the IP address is the network ID, which the client does not know. An IP version 6 router on the network responds to the client with the network prefix for that network. The prefix is then combined with the client computer's interface ID to make a complete IP address. As you see, the client now has a complete routable IP version 6 address. This is all done without a DHCP server on the network. This is called stateless configuration.

Even if the client has a working IP address, it does need other configuration information like DNS servers. This is where DHCP stateless configuration in Windows Server 2008 comes into play. After the computer has got its valid IP address, it then contacts a DHCP server for other configuration data. The DHCP server then responds with network configuration for that network. This is what you call stateless configuration. The router provides the network prefix for that network while the DHCP server provides any other network configuration required for that network.

When the DHCP server is in stateful configuration mode, the client requests the network prefix. This time the DHCP server responds with the network prefix or complete IP address, DNS servers and any other configuration information that is required.
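The address formation described above, worked through as an added example that is not part of the original video: it builds the interface ID from a MAC address (the modified EUI-64 method), combines it with a router-supplied prefix, and recovers the MAC again from such an address. The MAC address is constructed sample input, the FD00:: prefix is the one used for the scope later on this page, and the function names are hypothetical.

```python
import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits of an IPv6 address hold the interface ID


def eui64_interface_id(mac: str) -> int:
    """Derive the 64-bit interface ID from a 48-bit MAC (modified EUI-64)."""
    octets = bytearray(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02  # flip the universal/local bit
    # Insert ff:fe between the vendor half and the device half of the MAC.
    return int.from_bytes(bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:]), "big")


def combine(prefix: str, interface_id: int) -> ipaddress.IPv6Address:
    """Combine the advertised /64 prefix with the client's interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration expects a /64 prefix")
    if not 0 <= interface_id <= IID_MASK:
        raise ValueError("interface ID must fit in 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | interface_id)


def mac_from_address(addr: ipaddress.IPv6Address):
    """Return the MAC embedded in an EUI-64 address, or None if there is none."""
    iid = (int(addr) & IID_MASK).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None  # randomly generated or manually set interface ID
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return mac.hex(":")


if __name__ == "__main__":
    sample_mac = "00-1A-2B-3C-4D-5E"  # constructed sample value
    address = combine("fd00::/64", eui64_interface_id(sample_mac))
    print(address, "->", mac_from_address(address))
```

Because an address built this way embeds the MAC, mac_from_address ties an address seen in a log back to a network card, while a randomly generated interface ID returns None.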
For stateless configuration to work on your network you need an IP version 6 compatible router. If your router does not support IP version 6 you will need to use stateful configuration on your network.

The next new feature is support for Network Access Protection, or NAP. NAP is part of a new toolset that controls access to the network. This means you can set up your own internal security policy. If a computer does not meet the internal security policy, for example it does not have Windows updates or is not up to date with antivirus, it will not be allowed on the network. This helps to stop a computer infected with malware from being used on the network.

Lastly, DHCP for Windows Server 2008 also supports Server Core. If you install DHCP on Server Core you will need to administer it from the command line or via a snap-in on another computer. Running DHCP on Server Core helps reduce the attack surface of that server.

To start using DHCP you need to create a scope. A scope defines a range of IP addresses that can be given out on a network. With the IP address you can also give out additional settings like DNS servers. If you create multiple scopes you can also set different configuration on your network. For example, you could assign half your network to use one gateway and the other half to use a different gateway. Using scopes you can also exclude IP addresses from being used. For example, if on your network you have IP addresses you don't want the DHCP server to allocate to a client computer, you can exclude those IP addresses. Using scopes you can also reserve an IP address so that the same computer always gets the same IP address. Doing this allows you to have central control over the allocation of your IP addresses.

In order to start using DHCP it needs to be activated in Active Directory. Activation stops unauthorized DHCP servers from starting up on your network. This also applies to scopes that you create. This allows you to configure your scope and only activate it once you feel it is ready.

Now that you have a basic understanding of DHCP, let's have a look at how to install and configure DHCP for Windows Server 2008. To install DHCP, go to the Start menu and run Server Manager from Administrative Tools. From here, select Roles on the left-hand side and then select the option Add Roles from the right-hand side. Once you skip the welcome screen, select DHCP Server from the list of roles. You will now be asked a few questions about the install. Firstly you need to set the IP version 4 address you wish to bind to the DHCP server. The DHCP server will listen and send responses on this interface.
On the next screen you need to enter a DNS server on your network. You can press the Validate option to check that this DNS setting is correct. Any settings that you set in the install wizard can be changed, and additional settings added, after the install. If you are not sure of a setting, leave it blank and configure it after the install.

On the next screen you can set a WINS server if you are using one. WINS was Microsoft's name resolution solution before Microsoft switched to DNS when Windows Server 2000 was introduced. Your network may or may not have a WINS server. If you are not sure, leave it blank; you can always add it later.

The next screen allows you to add DHCP scopes. A scope is simply a group of IP addresses which can be given out to your clients. I will leave this blank as I will add some scopes later on using the DHCP snap-in.

The next screen enables or disables IP version 6 stateless mode. If you do not have a router on your network that can advertise IP version 6 network IDs, you will need to disable stateless mode for this server. With stateless mode disabled, the DHCP server will advertise the network ID for your clients.

With IP version 6 you will need to enter the IP address for your DNS server. IP addresses in version 6 are difficult to remember and easy to mistype. To get around this I will open a command prompt and ping dc3, which is my domain controller and DNS server. I will pipe the output from the command to clip. Clip copies the output to the clipboard. If I now open Notepad I can paste the output into Notepad, find the IP address in the ping output and then copy it. From here I can paste it into the preferred DNS server address. Again, if I press the Validate button I can confirm that the DNS server is valid.

On the last screen of the wizard you can provide credentials to authorize the DHCP server in Active Directory. A DHCP server will need to be authorized in Active Directory before you can use it on your network.
I will activate it now using the current credentials. If you are not sure, you can skip this step and do it later. Once I press Install the DHCP server will start installing. The process usually takes about five minutes depending on the speed of your computer. I have accelerated time to the end so we don't have to wait.

Once finished I need to configure the DHCP server. To do this, run the DHCP snap-in under Administrative Tools in the Start menu. If I expand the DHCP server you will see it is divided into two parts, the IP version 4 part and the IP version 6 part. If I right click on DHCP right at the top, you see I have the option to manage authorized servers. In this screen I can authorize a server or unauthorize a server. Remember, if a DHCP server is not authorized in Active Directory it will not be able to allocate IP addresses to your clients.

If I right click the DHCP server I can select Add or Remove Bindings. This allows me to decide which IP addresses the server will allocate and respond to requests on. Notice that there is an IP version 4 tab and an IP version 6 tab. If I right click on the server again, you will notice I have the option to unauthorize the server, and I can back up and restore the DHCP database. Under All Tasks I can stop, start, pause and restart the DHCP service. At the bottom of the menu I can select the properties for the DHCP server. This properties section controls where the database is stored and where the backup databases will be stored.

If I select IP version 4 and then select Server Options you will notice there are two settings in here already. These are the settings I entered during the setup wizard. Since these are server options, these settings will be applied to all IP addresses allocated from this DHCP server. If I right click on IP version 4, you will notice the first option, Display Statistics. This gives us a quick rundown of how the server is doing. Notice the options down the bottom, In Use and Available. If you have clients that cannot access the network, it is a good idea to check this to make sure that you have not run out of IP addresses.

To make this DHCP server useful, I need to allocate a scope, which is basically a collection of IP addresses that can be allocated to clients. To do this, right click IP version 4 and select New Scope. After the welcome screen you will need to enter a name and, if you wish, a description for the new scope.
On the next screen you need to enter the start IP address and end IP address you wish to allocate in this scope. In this case I will allocate the first 100 IP addresses from the 10 network. You can also set a subnet mask at the bottom if you need to.

On the next screen you can enter exclusions. Any IP addresses in here will not be allocated to any clients. Think of the scope as a pool of IP addresses from which you are removing some. The rest of the pool will be dynamically allocated to the clients as needed. In this case I will reserve the first 10 IP addresses for my servers.

On the lease duration screen you can set how long the client will have the IP address before it loses it, in this case 8 days. The client will attempt to renew the lease of the IP address before this time ends. If it is successful, the client will be able to use the lease for another 8 days. As long as the client keeps renewing the lease before it expires, it can use the same IP address. If the lease expires, the DHCP server may allocate the IP address to someone else before the client asks for it back. In this case the client will simply get another IP address from the pool.

On the next screen you have the option to configure common DHCP options for your new scope. You can do this manually, but it is easier to do it using the wizard. The first common option is the default gateway for your network. On the next screen you can enter the default domain suffix for your network, in this case test dot local. On this screen you can also enter the IP address or computer name for your DNS servers. You may remember seeing some DNS settings in the server options section. These settings will replace the server settings. On the next screen you can enter the IP address for your WINS server if you have one. I don't have one on this network so I will skip this screen.

The last option gives you the choice to activate your scope now.
All scopes must be activated before they can start to issue IP addresses. If you have not finished setting up the DHCP scope, select No; you can always activate it later. Once I press Finish you will notice the new scope has been added. If I select it I can now select a few different folders.

The first folder, Address Pool, tells me which IP addresses are available for clients and which IP addresses have been excluded. The Address Leases section shows you which IP addresses are currently being used by clients. If you ever need to know the MAC address of a client you can find it in here.

The Reservations section allows you to reserve an IP address for a particular computer. In other words, that computer will always get the same IP address. If I right click Reservations you can select the option New Reservation. First I need to enter the name of the reservation and the IP address I wish to reserve. You are free to enter any IP address here. The IP address may be in a scope or exclusion range. In order to complete the reservation you need the MAC address of the network card for the client computer. If you do not have this, you can run the command getmac from the command prompt. Just enter getmac /s followed by the computer name. I will pipe the output to the clip command so I can paste it into Notepad. Once I have pasted the output into Notepad I can copy the MAC address and then paste it into the reservation screen. Press the Add button and the reservation has been added. This workstation will now always get the same IP address.

Under the Scope Options section you will notice the option new scope wizard. Notice below it the server options. All scopes will get the settings in server options. If the same setting exists in the scope options, it will override the server options. If I want to add additional options, right click Scope Options and select Configure Options. Here you can see there are a lot of options you can add. Just tick the one you want, for example WINS, enter the details and press OK.

If I select the IP version 6 section you will notice it has server options just like the IP version 4 section. You will notice the IP version 6 section is very similar to IP version 4. If I right click IP version 6 and select Properties, you will notice I can set options on how often to update statistics and enable DHCP logging if required. On the DNS tab you can have the DHCP server automatically update the DNS server when it allocates an IP address. You will learn more about DNS later in the course. The Advanced tab allows you to set the audit path and configure the bindings.
To allow the DHCP server to automatically update the DNS server you may need to configure some credentials. You can do this with the Credentials button at the bottom of the screen.

To start allocating IP addresses I need to create a new scope. Right click IP version 6 and select New Scope. The wizard starts off much the same as the IP version 4 wizard: enter the name and a description if you like. On the network screen you will need to enter the network prefix for your IP addresses. This will be used for all IP addresses allocated from this scope. I will enter a prefix starting with FD00 followed by a double colon, which is a valid private IP address. On the next screen you can again add exclusions if you want certain IP addresses not to be added to the pool of IP addresses. I will just press Next on this screen. On the next screen you can set how long the lease will last on the client computer. The defaults work well so I will just press Next here. On the last screen you have the option to activate the scope now or create it disabled. I leave it on Yes and press Finish.

Now that I have created an IP version 6 scope, if I select the option Display Statistics you can see that I now have a lot of free IP addresses. As you can see, each network ID in IP version 6 gives you an unbelievable amount of free IP addresses. If I select the IP version 6 scope you will notice you have the same options as IP version 4. The structure, layout and options are much the same for each section. The biggest difference between the sections is the format of the IP addresses. You will find that DHCP for Windows, once installed, is easy to use and manage.

If you are planning to install DHCP on Server Core, you will need to install it from the command line using the command ocsetup DHCPServerCore. As you can see, the only sign the operating system is doing something is the brief period where the command prompt pauses.
To confirm that DHCP for Server Core is installed, run the command oclist. Oclist will show all the components that are installed on that server. At the top you can see that server core is installed.

Once DHCP for Server Core is installed, you will need to configure it. You can do this either with the remote admin tool or from the command line using the tool netsh. For example, if you want to back up the configuration using the netsh command, you would run netsh dhcp server dump and redirect the output to a file. This file could then be backed up and restored later if you needed.

IP version 4 of DHCP uses what is called the DORA process to obtain IP configuration from the network. The first step in DORA is Discover. In this step the client sends a broadcast on the network that all clients on the network can receive. With IP version 6 broadcasts are a thing of the past, so make sure you understand the DORA process only applies to IP version 4. On this particular network there are 2 DHCP servers; both will receive the broadcast from the client and both servers may decide to respond to the client's request. The response will be an Offer packet. The client now sends a Request packet back to the DHCP server that it first received an Offer packet from. The DHCP server responds with an Ack packet telling the client it can use the IP address. For a client to receive and start using an IP version 4 address, it must complete all steps in the DORA process.

In summary, remember when you install a DHCP server you must authorize it in Active Directory. If your server is on a large enterprise network you may need to contact someone in the Enterprise Admins group to authorize the server for you. Being an administrator on a server will not give you enough access to authorize a DHCP server in Active Directory. Once you have installed and configured DHCP it pretty much runs itself. Just remember it is not a bad idea to back up your DHCP database. Starting with Windows Server 2000, DHCP will attempt to ping an IP address before it allocates it, which helps stop DHCP allocating an IP address that is already in use. When you lose the database you lose all your configuration, including any reservations that you may have created. Make sure you back up DHCP regularly.
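The DORA exchange and the point about unauthorized DHCP servers, as an added example that is not part of the original video: it decodes DHCP version 4 messages, lists the steps seen for each transaction, and flags any Offer or Ack whose server identifier is not on a list of authorized servers. All packets, addresses and the AUTHORIZED list are constructed sample values, and the function names are hypothetical.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte header
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}


def build(msg_type, xid, mac, yiaddr="0.0.0.0", server=None):
    """Build a minimal DHCPv4 message; used only to construct sample input."""
    op = 1 if msg_type in (1, 3) else 2  # 1 = sent by client, 2 = sent by server
    pkt = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0x8000,
                      bytes(4), ipaddress.IPv4Address(yiaddr).packed, bytes(4),
                      bytes(4), mac, b"", b"")
    pkt += MAGIC + bytes([53, 1, msg_type])  # option 53: message type
    if server:  # option 54: server identifier
        pkt += bytes([54, 4]) + ipaddress.IPv4Address(server).packed
    return pkt + b"\xff"  # option 255: end of options


def parse(pkt):
    """Decode the fields needed to follow a DORA exchange."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:  # pad option has no length byte
            i += 1
            continue
        value = pkt[i + 2:i + 2 + pkt[i + 1]] if i + 1 < len(pkt) else b""
        if i + 1 >= len(pkt) or len(value) != pkt[i + 1]:
            raise ValueError("truncated option")
        opts[pkt[i]] = value
        i += 2 + len(value)
    server = opts.get(54)
    return {"xid": struct.unpack_from("!I", pkt, 4)[0],
            "type": TYPES.get((opts.get(53) or b"\0")[0], "OTHER"),
            "yiaddr": str(ipaddress.IPv4Address(pkt[16:20])),  # address on offer
            "server": str(ipaddress.IPv4Address(server)) if server else None}


def audit(packets, authorized):
    """Return (steps seen per transaction ID, replies from unlisted servers)."""
    steps, alerts = {}, []
    for raw in packets:
        msg = parse(raw)
        steps.setdefault(msg["xid"], []).append(msg["type"])
        if msg["type"] in ("OFFER", "ACK") and msg["server"] not in authorized:
            alerts.append((msg["type"], msg["server"], msg["yiaddr"]))
    return steps, alerts


MAC = bytes.fromhex("001a2b3c4d5e")  # constructed client MAC
XID = 0x1234ABCD                     # constructed transaction ID
AUTHORIZED = {"10.0.0.1"}            # assumed list of authorized DHCP servers
SAMPLE = [build(1, XID, MAC),
          build(2, XID, MAC, "10.0.0.11", "10.0.0.1"),
          build(2, XID, MAC, "192.168.50.10", "10.0.0.200"),  # unlisted server
          build(3, XID, MAC, server="10.0.0.1"),
          build(5, XID, MAC, "10.0.0.11", "10.0.0.1")]

if __name__ == "__main__":
    print(audit(SAMPLE, AUTHORIZED))
```

Authorization in Active Directory only restrains Windows DHCP servers that check the directory before starting, so comparing the server identifier in observed Offers against a known list also catches other devices that answer a Discover.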