Authorizing a DHCP Server

Posted: March 27, 2010 in Active Directory, Server, System Information
Tags: ,


Problem

You want to permit (i.e., authorize) a DHCP server to process DHCP requests from clients. This is necessary only if the DHCP server is a member of an Active Directory domain.

Solution

Using a graphical user interface

Windows 2000 DHCP servers cannot be authorized with the Windows Server 2003 version of the DHCP snap-in unless the DHCP server has Service Pack 2 or higher installed.
  1. Open the DHCP snap-in.
  2. In the left pane, right-click on DHCP and select Add Server.
  3. Type in the name of the DHCP server you want to target and click OK.
  4. Click on the server entry in the left pane.
  5. Right-click on the server and select Authorize.
If the DHCP server is not a member of an Active Directory domain, you will not see the Authorize option.

Using a command-line interface

The following command authorizes a DHCP server in Active Directory:

> netsh dhcp add server <DHCPServerName> <DHCPServerIP>

This example shows how to authorize the DHCP server named dhcp01.rallencorp.com with IP 192.168.191.15:

> netsh dhcp add server dhcp01.rallencorp.com 192.168.191.15

Using VBScript

‘ The following script prints out the list of

‘ authorized DHCP Servers in Active Directory.

‘ —— SCRIPT CONFIGURATION ——

strForestRootDN = “<ForestRootDN>” ‘ e.g. dc=rallencorp,dc=com

‘ —— END CONFIGURATION ——–

set objCont = GetObject(“LDAP://CN=DhcpRoot,CN=NetServices,CN=Services,” & _

“CN=Configuration,” & strForestRootDN)

colDHCPServers = objCont.GetEx(“dhcpServers”)

for each strDHCPServer in colDHCPServers

Wscript.Echo strDHCPServer

next

Discussion

Windows 2000 and Windows Server 2003based DHCP servers that belong to an Active Directory domain must be authorized before they can give leases to clients. This feature helps reduce the danger of a rogue Windows 2000 or Windows Server 2003 DHCP server that an end user sets up, perhaps even unintentionally.

However, this still doesn’t prevent someone from plugging in a non-Windows DHCP server (e.g., a Linksys router with the DHCP server enabled) and causing clients to receive bad leases. A rogue DHCP server can provide incorrect lease information or deny lease requests altogether, ultimately causing a denial of service for clients on your network.

If the DHCP server service is enabled on a domain controller, it is automatically authorized. A DHCP server that is a member server of an Active Directory domain performs a query in Active Directory to determine whether it is authorized. If it is, it will respond to DHCP requests; if not, it will not respond to requests.

A standalone Windows DHCP server that is not a member of an Active Directory domain sends out a DHCPINFORM message when it first initializes. If an authorized DHCP server responds to the message, the standalone server will not respond to any further DHCP requests. If it does not receive a response from a DHCP server, it will respond to client requests and distribute leases.

DHCP servers are represented in Active Directory as objects of the dhcpClass class, in the cn=NetServices,cn=Services,cn=Configuratation,<ForestRootDN> container. The relative distinguished name of these objects is the IP address of the DHCP server. There is also an object in the same container named cn=dhcpRoot, which is created after the first DHCP server is authorized. It has an attribute named dhcpServers that contains all authorized servers. We enumerated this attribute in the VBScript solution to display all authorized servers.

By default, only members of the Enterprise Admins group can authorize DHCP servers. However, you can delegate the rights to authorize a DHCP server. Do the following to delegate the necessary permissions to a group called DHCP Admins:

  1. Open ADSI Edit from the Support Tools while logged on as a member of the Enterprise Admins group.
  2. In the left pane, expand the Configuration Container CN=Configuration CN=Services CN=NetServices.
  3. Right-click on CN=NetServices and select Properties.
  4. Select the Security tab.
  5. Click the Advanced button.
  6. Click the Add button.
  7. Use the object picker to select the DHCP Admins group.
  8. Check the boxes under “Allow for Create dHCPClass objects” and “Delete dHCPClass objects.”
  9. Click OK until all dialog boxes are closed.
  10. Back in ADSI Edit, right-click on CN=dhcpRoot (if you’ve previously authorized DHCP Servers) and select Properties.
  11. Select the Security tab.
  12. Click the Advanced button.
  13. Click the Add button.
  14. Use the object picker to select the DHCP Admins group.
  15. Check the boxes under Allow for “Write for all properties.”
  16. Click OK until all dialog boxes are closed.

Using a graphical user interface

You can quickly determine whether a DHCP server has been authorized by looking at its server node in the left pane of the DHCP snap-in. If the icon has a little red flag, it isn’t authorized; if the flag is green, it is authorized.

Using a command-line interface

To see the list of authorized servers using the command line, run the following command:

> netsh dhcp show server

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s