Configuring Windows Server 2008 DHCP Servers Dynamic Host Configuration Protocol (DHCP) is an extremely powerful and popular mechanism by which IP addresses and other related network information are dynamically assigned to network clients when they are attached to a network. This provides significant reductions in terms of network management overheads, particularly on large networks, by avoiding the necessity to manually assign settings to each client. This chapter is designed to provide details on how to: Install, configure and manage a DHCP server on a Windows Server 2008 system using the graphical DHCP console tool. For details on performing similar tasks at the command prompt refer to the next chapter, entitled “Managing a Windows Server 2008 DHCP Server from the Command Line”. Installing the DHCP Server Role The first step in setting up a DHCP server on a Windows Server 2008 system is to install the DHCP Server feature on any servers which are required to provide the service. Before performing even this initial task, it is highly recommended that any systems designated to act as DHCP servers are assigned a static IP address. If the server is currently obtaining a dynamic IP address from another DHCP server, begin the installation process by assigning the system a static IP address. This can be achieved by launching the Server Manager and clicking View Network Connections. Right click on the network adapter on which the DHCP service is to be run and select Properties where either, or both the IPv4 or IPv6 address may be changed from automatically obtaining an IP address to specifying a static address. Once configured, exit from the properties dialog and network connections window leaving the Server Manager running. Installation of the DHCP Server Role is performed by selecting Roles from the tree in the left hand pane of the Server Manager tool. On the Roles page, click on the Add Role link to launch the Add Roles Wizard. Dismiss the welcome screen if it is displayed, and in the Select Server Roles screen select the check box next to DHCP Server before clicking the Next button, read the information provided and click Next again to proceed to the Network Connection Binding screen. It is within this screen that the DHCP server is associated with specific network adapters installed in the system. Select the network adapters for which the DHCP service will be provided and click Next. DHCP can be used not just to provide clients with an IP address, but also additional information such as the name of the parent domain (for example techotopia.com) and the IP addresses of both preferred and alternate DNS servers. If the DHCP server is required to provide these details for IPv4 clients, enter them into the Specify IPv4 DNS Server Settings page and click Next. On the IPv4 WIN Server Settings page, enter addresses of the Preferred and Alternate WINS servers if required. Otherwise, leave the WINS is not required for applications on this network option selected and proceed to the next configuration page. The next page allows initial DHCP scopes to be configured. A DHCP scope defines one or more ranges of IP addresses from which an IP address may assigned to a client and the duration of the IP address lease (6 days for wired clients and 8 hours for wireless clients). This may either be configured now, or at a later point in the configuration process. The topic of defining DHCP scopes is covered in the Defining DHCP Scopes section of this chapter. With the initial DHCP IPv4 configuration steps completed, the wizard subsequently moves on to the IPv6 settings. This is where a little background information is useful. Windows Server 2008 supports two modes of IPv6 DHCP operation, known as stateless and stateful. In stateful mode, clients obtain both an IP address and other information (such as DNS addresses) through the DHCPv6 server. In stateless mode, the clients receive only the non-IP address information from the DHCPv6 server. In this case, the IP address must be provided using some other mechanism, either by configuring of static IP addresses or through the implementation of IPv6 auto-configuration. On the Configure DHCPv6 Stateless Mode screen, select either stateful or stateless mode in accordance with your specific enterprise requirements. If stateless mode is selected the next screen will prompt for the IPv6 DNS information to be provided to clients. Enter the information and click on Next. If the DHCP is part of an Active Directory domain, the Authorize DHCP Server page will appear. Enter the credentials (either your own as shown, or alternate credentials via the Alternate Credentials button) necessary to authorize the new DHCP server. Alternatively, the authorization may be performed later by skipping this step by clicking on Next. Upon completion of the DHCP server configuration the summary screen will displayed similar to the one illustrated below: Assuming that the summarized configuration is correct, click on Install to complete the installation process. The wizard will display the progress of the DHCP Server Role installation before displaying a results screen confirming the successful installation. Once installation is complete, the DHCP Server may be managed locally or remotely using the DHCP console (Start All Programs Administrative Tools DHCP). Authorizing DHCP Servers in Active Directory If a DHCP server is to operate within an Active Directory domain (and is not running on a domain controller) it must first be authorized. This can be achieved either as part of the DHCP Server role installation, or subsequently using either DHCP console or at the command prompt using the netsh tool. If the DHCP server was not authorized during installation, invoke the DHCP console (Start All Programs Administrative Tools DHCP), right click on the DHCP to be authorized and select Authorize. To achieve the same result from the command prompt, enter the following command: netsh dhcp server serverID initiate auth In the above command syntax, serverID is replaced by the IP address or full UNC name of system on which the DHCP server is installed. Understanding DHCP Scope Types DHCP scopes are used to define ranges of addresses from which a DHCP server can assign IP addresses to clients. Scopes fall into Normal, Multicast and Super Scope categories as follows: Normal Scope - Allows A, B and C Class IP address ranges to be specified including subnet masks, exclusions and reservations. Each normal scope defined must exist within its own subnet. Multicast Scope - Used to assign IP address ranges for Class D networks. Multicast scopes do not have subnet masks, reservation or other TCP/IP options. Multicast scope address ranges require that a Time To Live (TTL) value be specified (essentially the number of routers a packet can pass through on the way to its destination). Super Scope - Essentially a collection of scopes grouped together such that they can be enabled and disabled as a single entity. Configuring IPv4 Scopes Using the DHCP Console New scopes on Windows Server 2008 can either be configured from the graphical DHCP console, or from the command prompt using the netsh utility. To create a new scope in the DHCP console (launched from Start All Programs Administrative Tools DHCP) click on the server name in left hand panel so that IPv4 and IPv6 categories are listed in the main panel. Right click on the required IP version and select New scope from the menu top invoke the New Scope Wizard. Click on Next to skip the welcome screen so that the Scope Name dialog is displayed: Enter a suitable name and description for the scope and press Next to proceed to the IP Address Range screen. In this screen, enter the start and end addresses of the IP address scope followed by the subnet mask, either in terms of bit length or in IP format (for example 255.255.255.0 or 24 bits). Note that when the start and end addresses are entered the subnet mask fields are filled in automatically, but may be changed manually if required: If the address range specified encompasses multiple subnets (for example 192.168.2.1 through to 192.168.3.254) the wizard will warn that the designated range is too large for a single scope and provide the option to create a super scope made up of a number of different scopes depending on how many subnets are contained within the range. Assuming that all addresses in the scope range are on the same subnet, the wizard will provide the option to specify exclusions within the scope. Exclusions are essentially ranges of one or more IP addresses within the defined scope which are not available for assignment to clients. Multiple exclusion ranges may be defined within a single scope by using the Add button to add new ranges: The next screen of the New DHCP Scope wizard relates to the topic of Lease Duration for the IP addresses in the current scope. Lease duration refers to the amount of time an IP address is assigned to a particular client computer or device. If the subnet on which the DHCP server operates has a high turnover of clients then a short lease is recommended (since the server will end up holding IP addresses for clients which are no longer connected, potentially exhausting the pool of IP addresses). For subnets where the connected clients are fairly stable, longer leases might be more appropriate. To define a lease duration use the spin boxes provided, specifying the duration in units of days, hours and even minutes (the default is 8 days): The next screen provides the option to configure DHCP options (such as default gateway, DNS and WINS servers) which will be provided to clients along with the dynamic IP address. If the yes option is selected, the wizard will present a series of screens where these options may be specified if required. On each screen enter the appropriate information, or leave the page blank if the option is required (for example not all configurations require a WINS server). If "no" is selected the wizard will skip to the Activate Scope screen where, as the name suggests, the new scope may be activated. Once activated the wizard may be closed. The new scope is now defined and active. Configuring DHCP Reservations DHCP reservations provide a mechanism by which IP addresses may be permanently assigned to a specific client based on the MAC address of that client. The MAC address of a Windows client can be found running the ipconfig /all command. For Linux systems the corresponding command is ifconfig -a. Once the MAC address has been identified, the reservation may be configured using either the DHCP console or at the command prompt using the netsh tool. One important point to note is that ifconfig displays the MAC address delimited by colons (:), for example 06:EC:E6:11:47:BD. When entering the MAC address into the New Reservations dialog on Windows the colons will need to be replaced with dashes (-), for example 06-EC-E6-11-47-BD. Failure to do this will result in a warning dialog stating that the Unique identifier you have entered may not be correct. To configure reservation using the DHCP console, select Start -> All Programs -> Administration Tools -> DHCP and select the DHCP server and unfold the appropriate scope from the tree in the left panel. Within the scope sub-list, select Reservations as illustrated below: Right click on Reservations and choose New Reservation... from the menu to launch the New Reservation dialog: Begin by entering a name for the reservation followed by the IP address from the currently selected scope which is to be reserved for the client together with the MAC address of the client (or more specifically the network adapter of the client). Finally specify whether the reservation is to be made for BOOTP or DHCP clients, or both. Once the information has been entered click the Add button. When all reservations have been entered click Cancel to close the dialog. To add a reservation using netsh the following syntax is used: netsh dhcp server \\servername scope subnetID add reservedip IPaddress MacAddress ReservationName Comment For example the following command reserves an IP address for a specific MAC address (note that the MAC address must be entered without any delimiters): C:\Users\Administrator>netsh dhcp server \\winserver-2 scope 192.168.2.0 add reservedip 192.168.2.12 0013720B1457 "CEO Printer" "Printer in Exec Suite" Changed the current scope context to 192.168.2.0 scope. Command completed successfully. To list the current reserved IP addresses for a particular scope the following netsh command may be used: C:\Users\Administrator>netsh dhcp server \\winserver-2 scope 192.168.2.0 show reservedip Changed the current scope context to 192.168.2.0 scope. =============================================================== Reservation Address Unique ID =============================================================== 192.168.2.10 192.168.2.11 192.168.2.12 - 00-0b-db-18-a0-db06-ec-e6-11-47-bd00-13-72-0b-14-57- No of ReservedIPs : 3 in the Scope : 192.168.2.0. Command completed successfully. Configuring Windows Server 2008 NAP DHCP Enforcement Network Access Protection (NAP) is a system designed to protect networks from clients which are not deemed to be secure or healthy (to use Microsoft's terminology). When NAP is implemented, clients without the required level of "health" are directed to a remediation server where the necessary updates may be obtained to bring the system into compliance with the Network Access policy of the network. In addition, the user may also be directed to a web page providing details of why access to the network has been declined and outlining the steps necessary to remedy the problem. One way to implement NAP is to integrate it with DHCP so that the NAP policies can be enforced whenever a client attempts to lease or renew an IP address. One point to note before implementing such a configuration is that NAP enforcement will only take place for clients which obtain an IP address via DHCP. Clients with static IP addresses will not be subject to NAP enforcement. The subject of Network Access Protection is large, and as such, much of the detail is beyond the scope of this chapter. In fact entire books could, and probably will, be written on the subject. The objective of this chapter, therefore, is to focus solely on the integration of NAP into DHCP. Once the steps outlined in this chapter are complete it will be necessary to either configure the Windows Security Health Validator (WSHV), or to install and configure other suitable system health agents (SHAs) and system health validators (SHVs). NAP Enforcement for DHCP involves a DHCP Network Access Protection (NAP) enforcement server component, a DHCP enforcement client component, and Network Policy Server (NPS). Installing the Network Policy Server The first step in integrating DHCP and NAP is to install the Network Policy Server role on the system. This is achieved by starting the Server Manager, selecting Roles from the left hand pane and clicking on Add Roles. In the Add Roles wizard select the check box next to Network Policy and Access Services and then click Install to continue the installation process. Alternatively, the role may be installed from the command prompt using the servermanagercmd tool as follows: servermanagercmd -install npas Configuring NAP in the NAP console With the Network Policy Server role installed the next step is to configure NAP. Begin by launching the Network Policy console (Start All Programs Administration Tools Network Policy Server). Once loaded, select Dynamic Host Configuration Protocol as the Network connection method and either accept the default policy name of NAP DHCP, or enter a new name for the policy: With these settings configured, click Next to display the NAP Enforcement Servers screen. If the DHCP Server is running on the local computer this screen can be skipped. On the other hand, the DHCP servers are running on one or more remote servers, they must each have the Network Policy Server role installed and be configured as a RADIUS proxy to forward connection requests to the local NPS server. Click the Add... button and enter the name and IP address of the remote DHCP Server and either manually enter or generate a shared secret, which will need to be entered into the NAP DHCP policy of any remote DHCP servers. Repeat this process for each remote DHCP server before clicking on Next to proceed to the DHCP Scopes screen: If network client health is to be enforced for all IP addresses allocated by the DHCP server then no scopes need to be defined here. If, on the other hand, NAP enforcement is only required for certain IP address ranges, define the scopes here. On the next screen enter specific machines and users which are to be granted or denied access. The NAP Remediation Server settings page allows the addresses of Remediation Servers to be specified, where clients may obtain the necessary updates to reach NAP compliance. It is also possible to specify a web page URL which displays information to the user about how to bring their computers into compliance with the defined policy. When the appropriate information has been entered, click Finish to complete this phase of the configuration. Configuring DHCP Server NAP Settings The NAP settings associated with a DHCP sever can be configured either on a serverwide (global) or per-scope basis. To configure global settings for a DHCP server, open the DHCP console (Start -> All Programs -> Administration Tools -> DHCP) and unfold the tree in the left panel for the required DHCP server. Right click on IPv4, select Properties and select the Network Access Protection tab as illustrated in the following figure: Within this screen, Network Access Protection settings on all scopes can be enabled or disabled using the two buttons. Further, the default behavior of the DHCP server when the Network Policy Server (NPS) is unreachable may also be configured. In Full Access mode, all DHCP clients are given full and unrestricted access to the network (essentially behaving as though NAP enforcement is not implemented). Restricted Access allows clients to access resources only on the server to which they are connected. The rest of the network is off limits until the NPS server comes back online. Finally, Drop Client Packet prevents all client access to the network. Configuring NAP Settings for Scopes The NAP settings for specific scopes can also be accessed and modified using the DHCP console. Once the DHCP console is running (as outlined in the preceding section), unfold the required server from the left hand panel then unfold the IPv4 entry so that currently configured scopes are listed. Right click on the required scope entry, select Properties and click on the Network Access Protection tab: Enable or disable NAP for the select scope using the appropriate selections in the property panel. If NAP is to be enabled for the scope, either elect to use the default NAP profile, or specify the name of a pre-existing custom profile. Once the settings are configured, click OK.