DHCP server authorization - how does it work?

Guest

In an AD environment, a DHCP server must be authorized before giving out
leases. But *how* is it enforced? I suspect there is some interaction between
the network stack and domain controllers, but I am not sure. Any information
is appreciated.
 
Brian Desmond [MVP]

David-

I'm going to make an educated guess here as I've never used Windows DHCP in
an AD environment.

I believe that all this authorization does is allow a member server (one
that is joined to the domain) to send DHCP packets. Fundamentally, there is
no way for a DC to prevent a server from being given an IP on the subnet and
answering DHCP requests...

--
--Brian Desmond
Windows Server MVP

www.briandesmond.com
 
Herb Martin

David said:
In an AD environment, a DHCP server must be authorized before giving out
leases. But *how* is it enforced? I suspect there is some interaction between
the network stack and domain controllers, but I am not sure. Any information
is appreciated.

Two ways: One, member servers check for the list at
the DC, and those (DHCP servers) that recognize that
authorization is invoked (by the domain having the list)
send out a DHCP_INFORM message, which non-domain
Win2000+ DHCP servers will respect IF they receive
it (which usually means if they are on the same subnet,
since it is a broadcast.)

[I had previously thought it might be a multicast.]

Google: [ dhcp authorization domain site:microsoft.com ]
< http://www.microsoft.com/resources/...ocs/en-us/sag_dhcp_imp_authorizingservers.asp >
 
Guest

Put it this way:

If I use the DHCP server that comes with Windows (from control panel ->
add/remove programs), *then* it needs authorization.

What if I install a third-party DHCP server software on a member server, or
even on a DC? What stops this server software from giving out leases?

Thanks.
 
Ryan Hanisco

Nothing at all if it is on the same subnet. The clients are actually
responsible for sending out broadcasts to locate a DHCP server and the first
to respond wins.

With VLANs and multiple subnets, your IP Helper lines in the routers/
switches will direct DHCP requests to specific servers.
 
ptwilliams

I think there's an RFC that supports the authorisation thing. So any
compliant DHCP servers will respect the DS authorisation required aspect.

However, I'm sure there are also servers that don't respect this aspect of
the service and therefore, as Ryan stated, simply respond regardless.

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net
 
Josh Davis

In an AD environment, a DHCP server must be authorized before giving out
leases. But *how* is it enforced? I suspect there is some interaction between
the network stack and domain controllers, but I am not sure. Any information
is appreciated.


That's not correct. A Windows DHCP server will hand out IPs to any
requesting client. AD has no control in checking to see if the client
is either valid or not.

When a client that is configured for DHCP comes up on the network it
does a broadcast. The traffic takes place on UDP ports 67 and 68. If
you have a network tool such as Ethereal you can see the traffic.

DHCP works on the principle of first come, first served. If, for example,
you had a Windows DHCP server configured to hand out IPs in the range
of 172.16.1.50 to 172.16.1.254 to your clients, and there just happened
to be another DHCP server on the same subnet, for example one of those
cheesy routers that have DHCP turned on by default, configured for the
192.168.x.x subnet,

there is a >90% chance that your clients will get assigned a valid IP,
but not from the DHCP server you thought was handing out IPs.... :)

Josh.
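The scenario Ryan and Josh describe (a client broadcasts DHCPDISCOVER on UDP 67/68, every server on the subnet may answer, and the client generally takes the first DHCPOFFER it sees, regardless of AD authorization) can be checked from a packet capture. The script below is an added example, not code from the thread or from Microsoft: it builds a small constructed DHCP exchange in the layout of RFC 2131 (fixed header plus RFC 2132 options), decodes each message, shows which OFFER a first-responder client would accept, and flags OFFERs whose server identifier (option 54) is not on an allow list. The allow list, the client MAC, the transaction ID and the 192.168.1.1 / 172.16.1.10 addresses are all assumptions made up for the example; in practice you would feed it the payloads of UDP 67/68 packets from a capture and an allow list taken from the domain's authorized-server list (for example the output of Get-DhcpServerInDC).

```python
import ipaddress
import struct

# RFC 2131 fixed header is 236 bytes, followed by the RFC 2132 magic cookie.
DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 8: "INFORM"}
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
CLIENT_MAC = bytes.fromhex("001122334455")  # constructed sample client MAC


def build_dhcp(op, xid, yiaddr, options):
    """Build a raw DHCP message (used here only to construct sample packets).

    op: 1 = BOOTREQUEST (client -> server), 2 = BOOTREPLY (server -> client).
    options: list of (code, bytes) pairs; the end option is appended.
    """
    header = struct.pack(
        "!BBBBIHH4s4s4s4s",
        op, 1, 6, 0,            # htype 1 = Ethernet, hlen 6, hops 0
        xid, 0, 0x8000,         # secs 0, flags: broadcast bit set
        b"\0" * 4,              # ciaddr
        ipaddress.IPv4Address(yiaddr).packed,  # yiaddr: address being offered
        b"\0" * 4, b"\0" * 4,   # siaddr, giaddr
    )
    chaddr = CLIENT_MAC.ljust(16, b"\0")
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + chaddr + b"\0" * 64 + b"\0" * 128 + DHCP_MAGIC + body + bytes([OPT_END])


def parse_dhcp(data):
    """Decode the fixed header and the TLV option area of a DHCP message."""
    if len(data) < 240 or data[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, _hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", data[:12])
    yiaddr = str(ipaddress.IPv4Address(data[16:20]))
    options = {}
    i = 240
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:          # single-byte pad, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        length = data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MSG_TYPES.get(options.get(OPT_MSG_TYPE, b"\0")[0], "UNKNOWN")
    server_id = options.get(OPT_SERVER_ID)
    return {
        "op": op,
        "xid": xid,
        "type": msg_type,
        "yiaddr": yiaddr,
        "server_id": str(ipaddress.IPv4Address(server_id)) if server_id else None,
    }


# Constructed sample exchange, in arrival order: the client's DISCOVER, then an
# OFFER from a consumer router that happens to answer first, then the OFFER
# from the intended corporate server. Not a real capture.
XID = 0x3903F326
SAMPLE_PACKETS = [
    build_dhcp(1, XID, "0.0.0.0", [(OPT_MSG_TYPE, b"\x01")]),
    build_dhcp(2, XID, "192.168.1.100",
               [(OPT_MSG_TYPE, b"\x02"),
                (OPT_SERVER_ID, ipaddress.IPv4Address("192.168.1.1").packed)]),
    build_dhcp(2, XID, "172.16.1.50",
               [(OPT_MSG_TYPE, b"\x02"),
                (OPT_SERVER_ID, ipaddress.IPv4Address("172.16.1.10").packed)]),
]
AUTHORIZED = {"172.16.1.10"}  # assumed allow list (e.g. from Get-DhcpServerInDC)


def first_offer(packets):
    """What a typical client does: accept the first OFFER that arrives."""
    for pkt in packets:
        msg = parse_dhcp(pkt)
        if msg["type"] == "OFFER":
            return msg["server_id"], msg["yiaddr"]
    return None


def classify_offers(packets, authorized):
    """Flag every OFFER whose server identifier is not on the allow list."""
    out = []
    for pkt in packets:
        msg = parse_dhcp(pkt)
        if msg["type"] != "OFFER":
            continue
        verdict = "authorized" if msg["server_id"] in authorized else "ROGUE"
        out.append((msg["server_id"], msg["yiaddr"], verdict))
    return out


if __name__ == "__main__":
    print("client would accept:", first_offer(SAMPLE_PACKETS))
    for row in classify_offers(SAMPLE_PACKETS, AUTHORIZED):
        print(row)
```

Nothing in the exchange carries any AD authorization state: the rogue router's OFFER is a perfectly valid DHCP message, and the only thing that distinguishes it is that its server identifier is not on a list the client never consults. That is why the practical controls are DHCP snooping on the switches, IP helper addresses that point only at the intended servers, and monitoring captures for OFFERs from unexpected server identifiers.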
 