CHAPTER 11
348
DHCP/WINS/Domain Controllers
NOTE
Reservations can be assigned to IP addresses within either the included or excluded
IP address ranges defined within a scope’s address pool. This is especially handy
when split scopes are used on redundant DHCP servers to ensure that a system will
get the same IP address regardless of which DHCP server handles the request for an
IP address.
Configuring Reservation-Specific DHCP Scope Options
In some networking situations, there might be a requirement to provide specific DHCP
options to a subset of devices—for example, Voice over IP phones or mobile devices.
These devices might need to be segmented for security or functionality requirements. As
an example, a network administrator might not want these devices to receive a default
router or gateway scope option setting, to block these devices from accessing the Internet
or other networks. Windows Server 2008 R2 DHCP enables administrators to configure
specific DHCP options for specific systems, but they must be configured on a DHCP
scope reservation. So, essentially, the DHCP administrator will either need to know the
MAC address of the device, or take the lease and create a reservation before specific
options can be set. Setting reservation-specific DHCP options can be created by performing the following steps:
1. Open the DHCP console on the server to which you want to define reservationspecific DHCP options by clicking Start, All Programs, Administrative Tools, DHCP. If
prompted, click Continue to confirm the action.
2. When the DHCP console loads, expand the server to reveal the IPv4 node.
3. Expand an existing scope to reveal the Reservations node and select it to show any
existing reservations in the center or right pane.
4. Right-click an existing reservation in the center or right pane and select Configure
Options.
5. Select the desired DHCP options and configure the desired settings by checking on
the option and either entering the values or leaving the value blank. Click OK when
completed. If no options are checked, the reservation will maintain the options
defined in the scope or global DHCP server options settings.
DHCP Name Protection
Another new feature of the Windows Server 2008 R2 DHCP service is DHCP Name
Protection. DHCP Name Protection is a feature that ties in directly with DNS service to
prevent a system from registering or overwriting an existing name in the DNS zone for a
particular DNS domain. DHCP Name Protection is based on a new DNS resource record
type name DHCID. For more information on DHCID, review the RFC on DHCID. To enable
DHCP Name Protection on a Windows Server 2008 R2 system, perform the following steps:
1. Open the DHCP console on the server to which you want to enable DHCP Name
Protection by clicking Start, All Programs, Administrative Tools, DHCP. If prompted,
click Continue to confirm the action.
Enhancing DHCP Reliability
349
2. When the DHCP console loads, expand the server to reveal the IPv4 node.
tree pane and select Properties.
4. Select the DNS tab, and near the bottom of the window, click the Configure button
in the Name Protection section.
5. In the Name Protection window, check Enable Name Protection check box and click
OK.
6. Click OK again to save the settings to the IPv4 node. This will only enable Name
Protection on new scopes.
7. To enable Name Protection on existing scopes, expand the IPv4 node in the tree
pane to reveal all the IPv4 DHCP scopes.
8. Right-click the desired scope and select Properties.
9. Select the DNS tab, and near the bottom of the window, click the Configure button
in the Name Protection section.
10. In the Name Protection window, check the Enable Name Protection check box and
click OK.
11. Click OK again to save the settings to the IPv4 scope.
DHCP Network Access Protection Integration
Windows Server 2008 R2 DHCP includes support for Network Access Protection (NAP).
NAP is a service that can be implemented on a network that will define a policy that
clients must adhere to before they can be fully connected to the network. Network Access
Protection is configured within a Windows Network Policy Server, which is detailed in
Chapter 15, “Security Policies, Network Policy Server, and Network Access Protection.” To
enable DHCP Network Access Protection Integration on a Windows Server 2008 R2 DHCP
server, perform the following steps:
1. Open the DHCP console on the server to which you want to enable DHCP Network
Access Protection by clicking Start, All Programs, Administrative Tools, DHCP. If
prompted, click Continue to confirm the action.
2. When the DHCP console loads, expand the server to reveal the IPv4 node.
3. Right-click the IPv4 node and select Properties.
4. Select the Network Access Protection tab and click the Enable on All Scopes button.
5. Click Yes to confirm that the Network Access Protection settings will be overwritten
on all existing scopes.
6. In the lower section of the IPv4 Network Access Protection page, select the option
button that is appropriate to determine the action the DHCP server will perform
when a Network Policy Server is unreachable, such as Restricted Access, and click OK
to save the settings.
7. If Network Access Protection will only be enabled on a single IPv4 scope, right-click
the desired scope and select Properties.
11
3. To enable DHCP Name Protection on all IPv4 scopes, right-click the IPv4 node in the
350
CHAPTER 11
DHCP/WINS/Domain Controllers
8. In the Scope Properties window, select the Network Access Protection tab and click
the Enable for This Scope option button. If necessary, specify the NAP profile that
will be used, if the default profile will not be used. Click OK to complete this task.
Access DHCP Activity Logs
Windows Server 2008 R2 DHCP service includes much more logging than in previous
versions. All configuration changes to a DHCP server will be logged on the system’s event
logs, under the DHCP logs. Also, there is a new DHCP activity log that is stored in the
%systemroot%\system32\DHCP folder by default. This location can be changed on a
scope-by-scope basis by configuring the audit log file path location from the protocol
Properties Advanced page of the desired protocol (IPv4 or IPv6). One log will be created
for each day of the week and will be named DhcpSrvLog-Mon.log for Monday for IPv4
activity and DhcpV6SrvLog-Mon.log for IPv6 activity. This log can be accessed on the
local DHCP server by opening the desired file with Notepad, although the Microsoft
DHCP Server team has created a DHCP Server Events Tool MMC snap-in, which can be
downloaded and installed, that will allow for simple and quick review of the DHCP activity logs. For more information on this tool and to locate the download, review the information located on the DHCP Server team site at http://blogs.technet.com/teamdhcp. To
access the DHCP event logs, open the Event Viewer from the Administrative Tools menu,
expand Applications and Services Logs, expand Microsoft, expand Windows, and select
the DHCP-Server node. Within this folder is the FilterNotifications log, which logs entries
for any action that was taken, based on an enabled link layer filter. The other log in the
DHCP-Server node is the operational log, which logs any and all changes to the DHCP
configuration of the server.
Implementing Redundant DHCP Services
The previous sections of this chapter detailed features that provide Windows Server 2008
R2 DHCP administrators with the ability to gain tighter control over DHCP address
resources and DHCP client configurations, as well as tighter monitoring through increased
logging. The next few sections of this chapter present some important information for
DHCP administrators to consider when deploying DHCP services when a redundant
configuration is required.
DHCP administrators who recognize the need to provide redundancy for DHCP have been
challenged for many years and have had to implement manual configurations to provide
any level of redundancy. Many of these implementations lacked certain functionality and
required network resources that were not always readily available, such as a suitable
second server to deploy DHCP services on. DHCP services redundancy can be achieved by
either deploying multiple DHCP servers running overlapping or split scopes or by deploying clustered DHCP services. Many organizations do not have the administrative support
Implementing Redundant DHCP Services
DHCP Split Scope
A DHCP scope is primarily defined by an address pool that contains the IP addresses that
will be made available to DHCP clients. Within a scope, there is usually an included and
excluded IP address list as well as DHCP scope options, such as default gateway and DNS
server options, which will be delivered to clients receiving a DHCP IP address lease. A
scope also contains IP address reservations and other general scope properties that enable
administrators to define how the DHCP server will deal with Dynamic DNS registration
for DHCP leases, audit log path settings, Name Protection settings, and much more. When
redundancy is required for DHCP services, and deploying DHCP services on a cluster is
not a viable option, DHCP administrators will deploy multiple DHCP servers set up in a
split-scope configuration.
A DHCP split scope is a range of IP addresses available for DHCP IP address leases that are
logically split between two or more DHCP servers. The IP address pool is the same on both
servers, and the defining configuration for a split scope is the excluded IP range. For
example, suppose a DHCP administrator was given an address pool of 192.168.1.1 to
192.168.1.254. On a split-scope configuration, both DHCP servers would have this range
defined in the scope, but on the first DHCP server, there would be an excluded address
range of 192.168.1.1 to 192.168.1.100; this means that the first DHCP server would lease
addresses 192.168.1.101 to 192.168.1.254. The second DHCP server would also have
192.168.1.1 to 192.168.1.254 defined in the included address pool, but the excluded
address range would be 192.168.1.101 to 192.168.1.254. With this configuration, the
second DHCP server would lease addresses from 192.168.1.1 to 192.168.1.100. With a splitscope configuration, if a single DHCP server becomes unavailable, the secondary DHCP
server can still provide DHCP leases on the network to which the split scope applies.
Historically, a split-scope configuration needed to be manually created by DHCP administrators, but starting with Windows Server 2008 R2, Microsoft now includes a DHCP SplitScope Configuration Wizard. This wizard allows a DHCP administrator to take an existing
scope on the primary DHCP server and run the wizard to duplicate the scope on a designated secondary DHCP server and define how the addresses will be split among the two
servers. This wizard will make the necessary changes to both of the DHCP servers, leaving
less room for user error. But before the DHCP Split-Scope Configuration Wizard can be
run, a DHCP administrator must consider how the scope will be split, and the following
section describes three common split-scope configurations that should be considered. The
process of splitting an existing DHCP scope is detailed later in this chapter.
Examining the 50/50 Split-Scope Configuration
The 50/50 split-scope configuration includes two DHCP servers, in which each DHCP
server is configured with the same address range for the address pool, but each must have
a different excluded IP address and the total number of addresses is split in half or 50/50.
11
or budget to deploy clustered DHCP services, so the more common approach to providing
DHCP redundancy is to deploy multiple DHCP servers running split scopes.
351
352
CHAPTER 11
DHCP/WINS/Domain Controllers
Figure 11.8 illustrates the 50/50 split-scope configuration. As indicated in the diagram, the
network has 200 clients defined by 192.168.1.0/24. Each DHCP server contains a scope to
cover the entire specific client subnet. Server1’s scope is configured with exclusions for all
IP addresses except for the range of 192.168.1.1–192.168.1.125. Server2’s scope is configured with exclusions for the first half and a client lease range of
192.168.1.126–192.168.1.254.
192.168.1.0/24 Subnet
200 Clients
50%
Scope Name:
First Scope
Scope Range:
Exclusions:
192.168.1.1-192.168.1.254
192.168.1.126-192.168.1.254
Scope Name:
Scope Range:
Exclusions:
Second Scope
192.168.1.1-192.168.1.254
192.168.1.1-192.168.1.126
Server1
50%
Server2
FIGURE 11.8 Examining the 50/50 failover approach.
Upon requesting a client IP address, the first server to respond to a request will be
accepted, thus roughly balancing the load between the two servers, except for one thing:
There is no way to determine which DHCP server will respond first and serve the client
requests, so there is a chance that one DHCP server will run out of IP addresses before all
IP addresses are used. Also, another issue with this configuration is that both DHCP
servers would respond to lease requests and a DHCP administrator would need to review
both servers to troubleshoot and determine what the true number of available IP addresses
are, when clients are having issues getting an IP address lease.
Exploring the 80/20 Failover Approach to DHCP Fault Tolerance
The 80/20 failover approach is similar to the 50/50 approach, except that the effective
scope range on the server designated as the backup DHCP server contains only 20% of the
available client IP range. The server with 80% of the range would be considered the
primary DHCP server, and the 20% server would be considered the secondary. In the event
of primary server failure, the secondary server would have enough IP addresses to provide
leases until the primary server could be fixed and returned to operation. This is the bestpractice split-scope configuration, but until Windows Server 2008 R2, this configuration
frequently resulted in the secondary server running out of IP addresses during regular
operation because it can respond to client requests as fast as the primary server—and the
first server to respond wins!
Understanding the 100/100 Failover Approach to DHCP Fault Tolerance
The 100/100 split-scope configuration in Windows Server 2008 R2 DHCP can be the most
effective means of achieving high availability out of a DHCP environment. The 100/100