Configuring Windows Server 2008 DHCP Servers
Dynamic Host Configuration Protocol (DHCP) is an extremely powerful and popular
mechanism by which IP addresses and other related network information are dynamically
assigned to network clients when they are attached to a network. This provides significant
reductions in terms of network management overheads, particularly on large networks, by
avoiding the necessity to manually assign settings to each client.
This chapter explains how to install, configure and manage a DHCP server on a Windows
Server 2008 system using the graphical DHCP console tool. For details on performing
similar tasks at the command prompt refer to the next chapter, entitled “Managing a
Windows Server 2008 DHCP Server from the Command Line”.
Installing the DHCP Server Role
The first step in setting up a DHCP server on a Windows Server 2008 system is to install
the DHCP Server feature on any servers which are required to provide the service.
Before performing even this initial task, it is highly recommended that any systems
designated to act as DHCP servers are assigned a static IP address. If the server is
currently obtaining a dynamic IP address from another DHCP server, begin the
installation process by assigning the system a static IP address. This can be achieved by
launching the Server Manager and clicking View Network Connections. Right click on the
network adapter on which the DHCP service is to be run and select Properties, where
either or both of the IPv4 and IPv6 addresses may be changed from automatically obtaining
an IP address to a static address. Once configured, exit from the properties dialog and
the network connections window, leaving the Server Manager running.
Installation of the DHCP Server Role is performed by selecting Roles from the tree in the
left hand pane of the Server Manager tool. On the Roles page, click on the Add Role link
to launch the Add Roles Wizard. Dismiss the welcome screen if it is displayed, and in the
Select Server Roles screen select the check box next to DHCP Server before clicking the
Next button, read the information provided and click Next again to proceed to the Network
Connection Binding screen. It is within this screen that the DHCP server is associated
with specific network adapters installed in the system. Select the network adapters for
which the DHCP service will be provided and click Next.
DHCP can be used not just to provide clients with an IP address, but also additional
information such as the name of the parent domain (for example techotopia.com) and the
IP addresses of both preferred and alternate DNS servers. If the DHCP server is required
to provide these details for IPv4 clients, enter them into the Specify IPv4 DNS Server
Settings page and click Next.
On the IPv4 WINS Server Settings page, enter the addresses of the Preferred and Alternate
WINS servers if required. Otherwise, leave the WINS is not required for applications on
this network option selected and proceed to the next configuration page.
The next page allows initial DHCP scopes to be configured. A DHCP scope defines one
or more ranges of IP addresses from which an IP address may be assigned to a client and
the duration of the IP address lease (6 days for wired clients and 8 hours for wireless
clients). This may either be configured now, or at a later point in the configuration
process. The topic of defining DHCP scopes is covered in the Defining DHCP Scopes
section of this chapter.
With the initial DHCP IPv4 configuration steps completed, the wizard subsequently moves
on to the IPv6 settings. This is where a little background information is useful. Windows
Server 2008 supports two modes of IPv6 DHCP operation, known as stateless and
stateful. In stateful mode, clients obtain both an IP address and other information (such
as DNS addresses) through the DHCPv6 server. In stateless mode, the clients receive
only the non-IP address information from the DHCPv6 server. In this case, the IP address
must be provided by some other mechanism, either by configuring static IP addresses or
through IPv6 auto-configuration.
On the Configure DHCPv6 Stateless Mode screen, select either stateful or stateless
mode in accordance with your specific enterprise requirements. If stateless mode is
selected the next screen will prompt for the IPv6 DNS information to be provided to
clients. Enter the information and click on Next. If the DHCP server is part of an Active
Directory domain, the Authorize DHCP Server page will appear. Enter the credentials (either your
own as shown, or alternate credentials via the Alternate Credentials button) necessary to
authorize the new DHCP server. Alternatively, the authorization may be performed later
by skipping this step by clicking on Next.
Upon completion of the DHCP server configuration the summary screen will be displayed,
similar to the one illustrated below:
Assuming that the summarized configuration is correct, click on Install to complete the
installation process. The wizard will display the progress of the DHCP Server Role
installation before displaying a results screen confirming the successful installation. Once
installation is complete, the DHCP Server may be managed locally or remotely using the
DHCP console (Start -> All Programs -> Administrative Tools -> DHCP).
Authorizing DHCP Servers in Active Directory
If a DHCP server is to operate within an Active Directory domain (and is not running on a
domain controller) it must first be authorized. This can be achieved either as part of the
DHCP Server role installation, or subsequently using either DHCP console or at the
command prompt using the netsh tool.
If the DHCP server was not authorized during installation, invoke the DHCP console
(Start -> All Programs -> Administrative Tools -> DHCP), right click on the DHCP server to be
authorized and select Authorize. To achieve the same result from the command prompt,
enter the following command:
netsh dhcp server serverID initiate auth
In the above command syntax, serverID is replaced by the IP address or full UNC name
of the system on which the DHCP server is installed.
Understanding DHCP Scope Types
DHCP scopes are used to define ranges of addresses from which a DHCP server can
assign IP addresses to clients. Scopes fall into Normal, Multicast and Super Scope
categories as follows:
Normal Scope - Allows A, B and C Class IP address ranges to be specified
including subnet masks, exclusions and reservations. Each normal scope defined
must exist within its own subnet.
Multicast Scope - Used to assign IP address ranges for Class D networks.
Multicast scopes do not have subnet masks, reservation or other TCP/IP options.
Multicast scope address ranges require that a Time To Live (TTL) value be specified
(essentially the number of routers a packet can pass through on the way to its
destination).
Super Scope - Essentially a collection of scopes grouped together such that they
can be enabled and disabled as a single entity.
Configuring IPv4 Scopes Using the DHCP Console
New scopes on Windows Server 2008 can either be configured from the graphical DHCP
console, or from the command prompt using the netsh utility. To create a new scope in
the DHCP console (launched from Start -> All Programs -> Administrative Tools ->
DHCP) click on the server name in the left hand panel so that the IPv4 and IPv6 categories are
listed in the main panel. Right click on the required IP version and select New Scope from
the menu to invoke the New Scope Wizard. Click on Next to skip the welcome screen so
that the Scope Name dialog is displayed:
Enter a suitable name and description for the scope and press Next to proceed to the IP
Address Range screen. In this screen, enter the start and end addresses of the IP
address scope followed by the subnet mask, either in terms of bit length or in IP format
(for example 255.255.255.0 or 24 bits). Note that when the start and end addresses are
entered the subnet mask fields are filled in automatically, but may be changed manually if
required:
If the address range specified encompasses multiple subnets (for example 192.168.2.1
through to 192.168.3.254) the wizard will warn that the designated range is too large for a
single scope and provide the option to create a super scope made up of a number of
different scopes depending on how many subnets are contained within the range.
Assuming that all addresses in the scope range are on the same subnet, the wizard will
provide the option to specify exclusions within the scope. Exclusions are essentially
ranges of one or more IP addresses within the defined scope which are not available for
assignment to clients. Multiple exclusion ranges may be defined within a single scope by
using the Add button to add new ranges:
The next screen of the New DHCP Scope wizard relates to the topic of Lease Duration for
the IP addresses in the current scope. Lease duration refers to the amount of time an IP
address is assigned to a particular client computer or device. If the subnet on which the
DHCP server operates has a high turnover of clients then a short lease is recommended
(since the server will end up holding IP addresses for clients which are no longer
connected, potentially exhausting the pool of IP addresses). For subnets where the
connected clients are fairly stable, longer leases might be more appropriate. To define a
lease duration use the spin boxes provided, specifying the duration in units of days, hours
and even minutes (the default is 8 days):
The next screen provides the option to configure DHCP options (such as default gateway,
DNS and WINS servers) which will be provided to clients along with the dynamic IP
address. If the yes option is selected, the wizard will present a series of screens where
these options may be specified if required. On each screen enter the appropriate
information, or leave the page blank if the option is not required (for example not all
configurations require a WINS server). If "no" is selected the wizard will skip to the
Activate Scope screen where, as the name suggests, the new scope may be activated.
Once activated the wizard may be closed. The new scope is now defined and active.
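As an added pre-flight check (example code written for this chapter, not part of the original text or of Windows), the following Python function applies the New Scope wizard's rules to a proposed scope before it is typed in: the range must fit a single subnet (otherwise the wizard would offer a superscope), every exclusion must fall inside the range, and the number of addresses left to lease is reported. The addresses, masks and exclusions used are constructed.

```python
import ipaddress

# Scope values as they would be typed into the New Scope wizard (constructed for
# this example). Nothing here talks to a DHCP server; it is a check run before
# the wizard, not code from the chapter. The mask may be given either as a bit
# length (24) or in dotted form (255.255.255.0), as the wizard accepts both.

def subnets_spanned(start, end, mask):
    """Number of subnets of the given mask that the start..end range touches."""
    first = ipaddress.IPv4Network(f"{start}/{mask}", strict=False)
    last = ipaddress.IPv4Network(f"{end}/{mask}", strict=False)
    return (int(last.network_address) - int(first.network_address)) // first.num_addresses + 1

def check_scope(start, end, mask, exclusions=()):
    """Validate a proposed scope.

    Returns (findings, pool): findings is a list of problems (empty when the scope
    is consistent) and pool is the number of addresses left to lease after the
    exclusions. Exclusions are (first, last) string pairs and are assumed not to
    overlap one another.
    """
    findings = []
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if hi < lo:
        return ["end address precedes start address"], 0
    # A normal scope must live in one subnet; a range that crosses a subnet
    # boundary is what makes the wizard offer a superscope instead.
    spanned = subnets_spanned(start, end, mask)
    if spanned > 1:
        findings.append(f"range spans {spanned} /{mask} subnets; "
                        "a superscope of that many scopes would be needed")
        return findings, 0
    net = ipaddress.IPv4Network(f"{start}/{mask}", strict=False)
    if lo == net.network_address or hi == net.broadcast_address:
        findings.append("range includes the subnet's network or broadcast address")
    pool = int(hi) - int(lo) + 1
    for ex_start, ex_end in exclusions:
        ex_lo, ex_hi = ipaddress.IPv4Address(ex_start), ipaddress.IPv4Address(ex_end)
        if ex_lo > ex_hi or ex_lo < lo or ex_hi > hi:
            findings.append(f"exclusion {ex_start}-{ex_end} is not inside the scope range")
            continue
        pool -= int(ex_hi) - int(ex_lo) + 1
    if pool <= 0:
        findings.append("exclusions leave no addresses to lease")
    return findings, pool

if __name__ == "__main__":
    # One-subnet scope with the first ten addresses excluded for servers.
    print(check_scope("192.168.2.1", "192.168.2.254", 24,
                      [("192.168.2.1", "192.168.2.10")]))
    # The range from the chapter that the wizard flags as too large.
    print(check_scope("192.168.2.1", "192.168.3.254", 24))
```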
Configuring DHCP Reservations
DHCP reservations provide a mechanism by which IP addresses may be permanently
assigned to a specific client based on the MAC address of that client.
The MAC address of a Windows client can be found by running the ipconfig /all command.
For Linux systems the corresponding command is ifconfig -a. Once the MAC address
has been identified, the reservation may be configured using either the DHCP console or
at the command prompt using the netsh tool. One important point to note is that ifconfig
displays the MAC address delimited by colons (:), for example 06:EC:E6:11:47:BD. When
entering the MAC address into the New Reservations dialog on Windows the colons will
need to be replaced with dashes (-), for example 06-EC-E6-11-47-BD. Failure to do this
will result in a warning dialog stating that the Unique identifier you have entered may not
be correct.
To configure a reservation using the DHCP console, select Start -> All Programs ->
Administrative Tools -> DHCP, select the DHCP server and unfold the appropriate
scope from the tree in the left panel. Within the scope sub-list, select Reservations as
illustrated below:
Right click on Reservations and choose New Reservation... from the menu to launch the
New Reservation dialog:
Begin by entering a name for the reservation followed by the IP address from the
currently selected scope which is to be reserved for the client together with the MAC
address of the client (or more specifically the network adapter of the client). Finally
specify whether the reservation is to be made for BOOTP or DHCP clients, or both. Once
the information has been entered click the Add button. When all reservations have been
entered click Cancel to close the dialog.
To add a reservation using netsh the following syntax is used:
netsh dhcp server \\servername scope subnetID add reservedip IPaddress MacAddress ReservationName Comment
For example the following command reserves an IP address for a specific MAC address
(note that the MAC address must be entered without any delimiters):
C:\Users\Administrator>netsh dhcp server \\winserver-2 scope 192.168.2.0 add reservedip 192.168.2.12 0013720B1457 "CEO Printer" "Printer in Exec Suite"
Changed the current scope context to 192.168.2.0 scope.
Command completed successfully.
To list the current reserved IP addresses for a particular scope the following netsh
command may be used:
C:\Users\Administrator>netsh dhcp server \\winserver-2 scope 192.168.2.0 show reservedip
Changed the current scope context to 192.168.2.0 scope.
===============================================================
  Reservation Address -    Unique ID
===============================================================
    192.168.2.10      -    00-0b-db-18-a0-db-
    192.168.2.11      -    06-ec-e6-11-47-bd-
    192.168.2.12      -    00-13-72-0b-14-57-
No of ReservedIPs : 3 in the Scope : 192.168.2.0.
Command completed successfully.
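An added Python helper, not from the chapter, that converts a MAC address copied from ipconfig /all or ifconfig -a output into the dash form the New Reservation dialog wants and the delimiter-free form netsh wants, and then builds the add reservedip line after confirming the reserved address lies in the scope's subnet. The server name, scope, addresses and the pasted ipconfig text are constructed; the netsh line is only built, not run.

```python
import ipaddress
import re

# Constructed fragment of 'ipconfig /all' output, as a client would paste it.
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:
   Physical Address. . . . . . . . . : 00-13-72-0B-14-57
   IPv4 Address. . . . . . . . . . . : 192.168.2.12(Preferred)
"""

# Six hex octets joined by ':' (ifconfig) or '-' (ipconfig).
MAC_RE = re.compile(r"(?i)\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b")

def normalize_mac(mac):
    """Strip ':' / '-' / '.' delimiters and return the 12 upper-case hex digits,
    which is the form netsh add reservedip expects."""
    digits = re.sub(r"[-:.]", "", mac.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def mac_for_console(mac):
    """Dash-delimited form the New Reservation dialog accepts (06-EC-E6-11-47-BD)."""
    d = normalize_mac(mac)
    return "-".join(d[i:i + 2] for i in range(0, 12, 2))

def macs_in_output(text):
    """MAC addresses found in pasted 'ipconfig /all' or 'ifconfig -a' output."""
    return [mac_for_console(m) for m in MAC_RE.findall(text)]

def reservation_command(server, scope_net, ip, mac, name, comment):
    """Build the netsh line from the chapter for one reservation.

    scope_net is the scope as a CIDR string such as '192.168.2.0/24'; netsh itself
    takes only the subnet ID, which is derived from it. The address must lie in
    that subnet. Note that a reservation binds an address to a client identifier
    the client reports; it is a convenience mapping, not authentication.
    """
    net = ipaddress.IPv4Network(scope_net)
    addr = ipaddress.IPv4Address(ip)
    if addr not in net:
        raise ValueError(f"{ip} is not in scope {net}")
    if '"' in name or '"' in comment:
        raise ValueError("name and comment must not contain double quotes")
    return (f"netsh dhcp server \\\\{server} scope {net.network_address} "
            f'add reservedip {ip} {normalize_mac(mac)} "{name}" "{comment}"')

if __name__ == "__main__":
    mac = macs_in_output(SAMPLE_IPCONFIG)[0]
    print(reservation_command("winserver-2", "192.168.2.0/24", "192.168.2.12",
                              mac, "CEO Printer", "Printer in Exec Suite"))
```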
Configuring Windows Server 2008 NAP DHCP Enforcement
Network Access Protection (NAP) is a system designed to protect networks from clients
which are not deemed to be secure or healthy (to use Microsoft's terminology). When
NAP is implemented, clients without the required level of "health" are directed to a
remediation server where the necessary updates may be obtained to bring the system
into compliance with the Network Access policy of the network. In addition, the user may
also be directed to a web page providing details of why access to the network has been
declined and outlining the steps necessary to remedy the problem.
One way to implement NAP is to integrate it with DHCP so that the NAP policies can be
enforced whenever a client attempts to lease or renew an IP address. One point to note
before implementing such a configuration is that NAP enforcement will only take place for
clients which obtain an IP address via DHCP. Clients with static IP addresses will not be
subject to NAP enforcement.
The subject of Network Access Protection is large, and as such, much of the detail is
beyond the scope of this chapter. In fact entire books could, and probably will, be written
on the subject. The objective of this chapter, therefore, is to focus solely on the
integration of NAP into DHCP. Once the steps outlined in this chapter are complete it will
be necessary to either configure the Windows Security Health Validator (WSHV), or to
install and configure other suitable system health agents (SHAs) and system health
validators (SHVs).
NAP Enforcement for DHCP involves a DHCP Network Access Protection (NAP)
enforcement server component, a DHCP enforcement client component, and Network
Policy Server (NPS).
Installing the Network Policy Server
The first step in integrating DHCP and NAP is to install the Network Policy Server role on
the system. This is achieved by starting the Server Manager, selecting Roles from the left
hand pane and clicking on Add Roles. In the Add Roles wizard select the check box next
to Network Policy and Access Services and then click Install to continue the installation
process.
Alternatively, the role may be installed from the command prompt using the
servermanagercmd tool as follows:
servermanagercmd -install npas
Configuring NAP in the NAP console
With the Network Policy Server role installed the next step is to configure NAP. Begin by
launching the Network Policy Server console (Start -> All Programs -> Administrative Tools ->
Network Policy Server). Once loaded, select Dynamic Host Configuration Protocol as the
Network connection method and either accept the default policy name of NAP DHCP, or
enter a new name for the policy:
With these settings configured, click Next to display the NAP Enforcement Servers
screen. If the DHCP Server is running on the local computer this screen can be skipped.
If, on the other hand, the DHCP servers are running on one or more remote servers, they
must each have the Network Policy Server role installed and be configured as a RADIUS
proxy to forward connection requests to the local NPS server. Click the Add... button and
enter the name and IP address of the remote DHCP Server and either manually enter or
generate a shared secret, which will need to be entered into the NAP DHCP policy of any
remote DHCP servers.
Repeat this process for each remote DHCP server before clicking on Next to proceed to
the DHCP Scopes screen:
If network client health is to be enforced for all IP addresses allocated by the DHCP
server then no scopes need to be defined here. If, on the other hand, NAP enforcement is
only required for certain IP address ranges, define the scopes here.
On the next screen enter specific machines and users which are to be granted or denied
access. The NAP Remediation Server settings page allows the addresses of Remediation
Servers to be specified, where clients may obtain the necessary updates to reach NAP
compliance. It is also possible to specify a web page URL which displays information to
the user about how to bring their computers into compliance with the defined policy.
When the appropriate information has been entered, click Finish to complete this phase
of the configuration.
Configuring DHCP Server NAP Settings
The NAP settings associated with a DHCP server can be configured either on a server-wide
(global) or per-scope basis. To configure global settings for a DHCP server, open
the DHCP console (Start -> All Programs -> Administrative Tools -> DHCP) and unfold
the tree in the left panel for the required DHCP server. Right click on IPv4, select
Properties and select the Network Access Protection tab as illustrated in the following
figure:
Within this screen, Network Access Protection settings on all scopes can be enabled or
disabled using the two buttons. Further, the default behavior of the DHCP server when
the Network Policy Server (NPS) is unreachable may also be configured. In Full Access
mode, all DHCP clients are given full and unrestricted access to the network (essentially
behaving as though NAP enforcement is not implemented). Restricted Access allows
clients to access resources only on the server to which they are connected. The rest of
the network is off limits until the NPS server comes back online. Finally, Drop Client
Packet prevents all client access to the network.
Configuring NAP Settings for Scopes
The NAP settings for specific scopes can also be accessed and modified using the DHCP
console. Once the DHCP console is running (as outlined in the preceding section), unfold
the required server from the left hand panel then unfold the IPv4 entry so that currently
configured scopes are listed. Right click on the required scope entry, select Properties
and click on the Network Access Protection tab:
Enable or disable NAP for the selected scope using the appropriate selections in the
property panel. If NAP is to be enabled for the scope, either elect to use the default NAP
profile, or specify the name of a pre-existing custom profile. Once the settings are
configured, click OK.