
AD LAYER 3: DHCP

Dynamic Host Configuration Protocol - DHCP:

Prefer static configuration for the infrastructure everything else depends on: routers, DHCP servers, DNS servers, and DCs.

If a host is not statically configured, use DHCP to hand it its IP configuration. DHCP is a clean way to automate addressing and remove the administrative overhead of addressing hosts by hand: with static addresses you must touch the host to set it up, touch it again to change it, and keep track of which addresses you have handed out. DHCP does all of that automatically. It also centralizes change: add, say, a tertiary DNS server as a scope option in one place and every DHCP client picks it up as its lease renews.

DHCP can allocate a new address, renew an existing one, or re-bind it. When each happens, as a percentage of the lease time used:

new                                  |         <----renewing--->           |re-binding|
 |-----------------------------------|-------------------------------------|----------|
 0%                                 50%                                   87.5%     100%

(Percents above are percent of DHCP lease time used. The 50% point is T1, the renewal time; the 87.5% point is T2, the rebinding time.)

GETTING NEW ADDRESS INFO FROM DHCP: (four steps)
The client broadcasts DHCPDISCOVER; every server that hears it replies with a DHCPOFFER; the client broadcasts a DHCPREQUEST naming the server whose offer it accepts (server identifier, option 54); that server replies with DHCPACK (or DHCPNAK if the address is no longer available).

RENEWING AN EXISTING ADDRESS FROM DHCP: (two steps)
At 50% of the lease (T1) the client unicasts a DHCPREQUEST straight to the server that issued the lease; the server replies with a DHCPACK carrying a fresh lease. No reply means the client keeps its address and keeps retrying until T2.

RE-BINDING AN EXISTING ADDRESS FROM DHCP: (two steps)
At 87.5% of the lease (T2) the client gives up on the original server and broadcasts the DHCPREQUEST so that any DHCP server holding the scope can answer with a DHCPACK. If nothing has answered by 100% the lease is gone: the client must stop using the address and start over with DHCPDISCOVER.
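The three phases in the diagram above, written out as the client-side state machine. This is an added example and not part of the original notes; the server address and lease length it uses are made up, and T1/T2 default to 50% and 87.5% of the lease unless the server overrides them (DHCP options 58 and 59):

```python
"""Lease-time state machine a DHCP client runs (RFC 2131 section 4.4.5).

Added example, not from the original notes. Given the lease length and the
time elapsed, it returns the phase the client is in, the message it sends and
where it sends it. Server address and lease length below are made up."""

SERVER_PORT = 67


def renewal_times(lease, t1=None, t2=None):
    """T1 (start renewing) and T2 (start rebinding), in seconds. The server may
    override the defaults with options 58 and 59; otherwise 50% and 87.5%."""
    t1 = lease * 0.5 if t1 is None else t1
    t2 = lease * 0.875 if t2 is None else t2
    if not 0 < t1 < t2 < lease:
        raise ValueError("need 0 < T1 < T2 < lease")
    return t1, t2


def lease_phase(elapsed, lease, server_ip, t1=None, t2=None):
    """(state, message, (dst_ip, dst_port)) for a client that got its lease from
    server_ip `elapsed` seconds ago."""
    t1, t2 = renewal_times(lease, t1, t2)
    if elapsed < t1:
        return "BOUND", None, None                      # nothing to do yet
    if elapsed < t2:                                    # renewing: only the issuing server
        return "RENEWING", "DHCPREQUEST", (server_ip, SERVER_PORT)
    if elapsed < lease:                                 # rebinding: any server may answer
        return "REBINDING", "DHCPREQUEST", ("255.255.255.255", SERVER_PORT)
    # lease is gone: stop using the address and start over from scratch
    return "INIT", "DHCPDISCOVER", ("255.255.255.255", SERVER_PORT)


def walk_lease(lease=8 * 24 * 3600, server_ip="10.0.0.5"):
    """Sample the state machine at the boundaries of a default 8-day lease."""
    checkpoints = (0, lease * 0.5, lease * 0.75, lease * 0.875, lease)
    return [(int(t), lease_phase(t, lease, server_ip)[0]) for t in checkpoints]
```

The point worth noticing is the destination: while renewing the client talks only to the server that gave it the lease, so a second DHCP server cannot help until T2, when the request goes out as a broadcast again.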

 

DEFINITIONS:

Mnemonic acronym: DORA
Discover
Offer
Request
Acknowledgement

DHCP runs over UDP: servers (and relay agents) listen on UDP 67, clients on UDP 68. Until the client has an address the exchange is broadcast (source 0.0.0.0, destination 255.255.255.255), which is why it stays inside one broadcast domain.

The DHCP service backs itself up automatically once an hour (the default backup interval) to: %systemroot%\system32\dhcp\backup\

A manual backup from the DHCP console goes into a subdirectory named "new" under that path, so those backups are here: %systemroot%\system32\dhcp\backup\new

DHCP reconciliation checks the DB against the registry.

Use Action | Display Statistics in the DHCP console to view server or scope statistics.

If the DHCP server is on an AD member (or a DC), the DHCP service must be authorized in Active Directory before it will hand out leases; by default Enterprise Admin credentials are required to authorize it. The idea is that only the IT folks can stand up a DHCP server on the network. Of course *nix, Cisco, and various appliances are not bound by this: authorization is an administrative control over Windows DHCP servers, not protection against a rogue server on the segment answering Discovers first. Blocking that takes a port-level control such as DHCP snooping on the switches.

To delegate the authorizing of DHCP servers to an additional security group, use the Services node of Active Directory Sites and Services: select Show Services Node from the View menu, expand Services, right-click NetServices, and choose Delegate Control from the context menu. The Delegation of Control Wizard then lets you pick the security group to which control is delegated.

In the DHCP server's audit log, events with IDs 50 through 64 relate to Active Directory authorization (rogue server detection) of the DHCP server.

Two local groups are added when DHCP is installed:
1) DHCP Users - read-only view of the DHCP server's configuration and lease data
2) DHCP Administrators - rights to configure the DHCP server, and only that (it is not membership in the local Administrators group)

The boot threshold is the amount of time (in seconds) a DHCP relay agent waits for a DHCP server on the client's own subnet to answer before it forwards the DHCPDISCOVER to the remote DHCP server. Four seconds is the default.

If a client starts with no lease, or its lease runs out while no DHCP server answers, Windows falls back to an APIPA address (169.254.0.0/16, no default gateway), so the host can talk only to other hosts on its own segment. An existing lease is kept until it actually expires; the fallback happens only then.

To disable APIPA via the registry, add this DWORD and set it to 0 (1 is the default and leaves APIPA enabled):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPAutoconfigurationEnabled
The same value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<adapter GUID> disables it for one adapter only.

Tip: If planning a change to the network, like new DNS or router addresses, remember that clients only see new option values when they renew, so stage the lease time down first. Assuming the default 8-day lease: 8 days before the change set the lease to 7 days, the next day to 6, and so on, so that all leases come up for renewal at about the same time. Finally set the lease time to something short like 30 minutes, make the changes to the DHCP options, test, wait for the clients to renew, and then set the lease back to 8 days. (A 30-minute lease has every client back at the server every 15 minutes, so do not leave it there.)

Putting the DHCP servers' computer accounts in the DnsUpdateProxy group avoids ownership problems when one DHCP server needs to update an "A" record that another one registered. This is a somewhat obscure problem, but it is worth knowing. Say DHCPS1 grants a host an address and registers the DNS "A" record on the host's behalf; with secure dynamic updates, DHCPS1's account becomes the owner of that record. Later DHCPS1 goes down, or the DHCP service is moved to another box, or the client moves to another network, and DHCPS2 leases the same host an address. When DHCPS2 tries to update the now-stale "A" record it is refused, because DHCPS1 owns it. Records registered by members of DnsUpdateProxy are created without an owner (unsecured), so any DHCP server can update them later. The caveat is the same fact read the other way: those records are unsecured and any client on the network can overwrite them, so use the group only for DHCP servers that are not also DCs; a DC's own records must never be registered unsecured.

The DHCP relay agent. DORA traffic is broadcast, not unicast, and so does not cross routers. How do clients on the far side of a router from the DHCP server get addresses? Either a router that implements RFC 1542 (BOOTP/DHCP relay; on Cisco this is the "ip helper-address" interface command) or a DHCP relay agent on the same network as the client. The relay listens for the client's DHCP broadcasts on UDP 67, writes its own address on the client subnet into the giaddr field, unicasts the packet through the router to the DHCP server, receives the server's unicast reply (addressed to giaddr), and broadcasts it to the client on the local segment. The server uses giaddr to decide which scope to offer from.

So, to get DHCP broadcasts past routers, either:
1) Use RFC 1542 compliant routers with the relay feature turned on, or
2) Run a DHCP relay agent in the same broadcast domain as the DHCP client(s)
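The DORA exchange, the UDP 67/68 split and the relay's giaddr/hops rewrite from the notes above, done in working code; this is also roughly what a sniffer shows field by field. This is an added example, not part of the original notes: it builds and parses raw DHCP packets in the RFC 2131 layout in memory and never touches the wire, and the MAC address, transaction id, addresses and pool are made up.

```python
"""DORA over UDP 67/68 with an RFC 1542 relay between client and server.

Added example, not from the original notes: builds and parses raw DHCP packets
(RFC 2131 layout) in memory and walks Discover/Offer/Request/Ack through a
relay; nothing is sent. MAC, xid, addresses and the pool are made up."""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
SERVER_PORT, CLIENT_PORT = 67, 68           # servers and relays listen on 67, clients on 68
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5  # DHCP message type (option 53) values
OPT_REQ_IP, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 51, 53, 54, 255
HDR = "!BBBBIHH4s4s4s4s16s64s128s"          # the fixed 236-byte BOOTP header
BROADCAST = 0x8000                          # flags bit: "no IP yet, reply by broadcast"


def ip2b(ip):
    return IPv4Address(ip).packed


def b2ip(b):
    return str(IPv4Address(b))


def build(op, msg_type, xid, mac, *, yiaddr="0.0.0.0", siaddr="0.0.0.0",
          giaddr="0.0.0.0", hops=0, flags=BROADCAST, extra=()):
    """Fixed header + magic cookie + option 53 + extra (code, bytes) options + END."""
    hdr = struct.pack(HDR, op, 1, 6, hops, xid, 0, flags, ip2b("0.0.0.0"),
                      ip2b(yiaddr), ip2b(siaddr), ip2b(giaddr),
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, data in extra:
        opts += bytes([code, len(data)]) + data
    return hdr + MAGIC_COOKIE + opts + bytes([OPT_END])


def parse(pkt):
    """Header fields as a dict, plus 'options': {code: raw bytes}."""
    names = ("op", "htype", "hlen", "hops", "xid", "secs", "flags",
             "ciaddr", "yiaddr", "siaddr", "giaddr", "chaddr", "sname", "file")
    msg = dict(zip(names, struct.unpack(HDR, pkt[:236])))
    for k in ("ciaddr", "yiaddr", "siaddr", "giaddr"):
        msg[k] = b2ip(msg[k])
    msg["chaddr"] = msg["chaddr"][:msg["hlen"]]
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                         # pad byte, carries no length
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    msg["options"] = opts
    return msg


def relay_to_server(pkt, relay_ip, server_ip):
    """What the relay changes before unicasting a client broadcast to the server:
    giaddr = its own interface on the client subnet (if still 0.0.0.0), hops + 1."""
    msg = parse(pkt)
    giaddr = relay_ip if msg["giaddr"] == "0.0.0.0" else msg["giaddr"]
    pkt = pkt[:3] + bytes([msg["hops"] + 1]) + pkt[4:24] + ip2b(giaddr) + pkt[28:]
    return pkt, (server_ip, SERVER_PORT)


def relay_to_client(pkt):
    """The server unicasts its reply to giaddr:67; the relay puts it back on the
    client subnet, broadcast to port 68 while the client still has no address."""
    msg = parse(pkt)
    dst = "255.255.255.255" if msg["flags"] & BROADCAST else msg["yiaddr"]
    return pkt, (dst, CLIENT_PORT)


class Server:
    """Minimal DHCP server: offers the next free pool address, acks only its own offers."""
    def __init__(self, ip, pool, lease=8 * 24 * 3600):
        self.ip, self.pool, self.lease, self.offers = ip, list(pool), lease, {}

    def handle(self, pkt):
        req = parse(pkt)
        kind, mac = req["options"][OPT_MSG_TYPE][0], req["chaddr"]
        if kind == DISCOVER:
            self.offers[mac] = self.pool.pop(0)
            reply = OFFER
        elif kind == REQUEST and req["options"].get(OPT_SERVER_ID) == ip2b(self.ip):
            reply = ACK                         # the client picked us (option 54)
        else:
            return None                         # REQUEST for another server's offer: stay silent
        return build(BOOTREPLY, reply, req["xid"], mac, yiaddr=self.offers[mac],
                     siaddr=self.ip, giaddr=req["giaddr"], hops=req["hops"],
                     flags=req["flags"],
                     extra=[(OPT_SERVER_ID, ip2b(self.ip)),
                            (OPT_LEASE, struct.pack("!I", self.lease))])


def dora_through_relay(mac=b"\x00\x11\x22\x33\x44\x55", xid=0x3903F326,
                       relay_ip="10.1.1.1", server_ip="10.0.0.5",
                       pool=("10.1.1.100", "10.1.1.101")):
    """Run the four steps; return the parsed ACK and where the relay delivered it."""
    server = Server(server_ip, pool)
    discover = build(BOOTREQUEST, DISCOVER, xid, mac)        # client -> 255.255.255.255:67
    fwd, _ = relay_to_server(discover, relay_ip, server_ip)  # relay  -> server:67
    offer = parse(relay_to_client(server.handle(fwd))[0])    # server -> relay -> client:68
    request = build(BOOTREQUEST, REQUEST, xid, mac,
                    extra=[(OPT_REQ_IP, ip2b(offer["yiaddr"])),
                           (OPT_SERVER_ID, offer["options"][OPT_SERVER_ID])])
    fwd, _ = relay_to_server(request, relay_ip, server_ip)
    ack, dst = relay_to_client(server.handle(fwd))
    return parse(ack), dst
```

Two details matter for troubleshooting with a sniffer: the client's Discover and Request carry the same xid and the broadcast flag, and the ACK that comes back through the relay still has giaddr set to the relay's address and hops incremented, which is how you tell a relayed lease from a local one in a capture. A server that sees a Request naming some other server's identifier says nothing at all, which is the behaviour the Server class reproduces.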

DHCP superscopes ?

Question: Why is conflict detection off by default?

Question: How does a DHCP server with multiple scopes pick which one to assign from?

IPCONFIG /RENEW vs. IPCONFIG /RELEASE and then IPCONFIG /RENEW:

The 80/20 (or 75/25) rule is a way of deploying a service (here DHCP) to achieve redundancy and fault tolerance. Two servers must never hand out the same address, so create the same scope on both servers and then exclude one 20% of the range on one server and the other 80% on the other. The 20% server may not be able to serve every client if the 80% server stays down for long, so size that share against the client count and the lease time. This is often used when multiple DHCP servers are already needed or already in production, as a way for them to cover each other.
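The split described above, worked out as the two complementary exclusion ranges and checked for the failover shortfall the note warns about. This is an added example, not part of the original notes; the scope boundaries and client count it uses are made up:

```python
"""80/20 split of one scope across two DHCP servers.

Added example, not from the original notes. Both servers define the same
scope; each excludes the other's share so no address can be leased twice.
Scope boundaries and client counts used here are made up."""
from ipaddress import IPv4Address


def split_scope(first, last, primary_share=80):
    """Return {'primary': ..., 'secondary': ...}; each has the inclusive 'pool'
    it may lease from and the 'exclude' range to configure on that server."""
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    if lo > hi or not 0 < primary_share < 100:
        raise ValueError("bad range or share")
    cut = lo + (hi - lo + 1) * primary_share // 100   # first address of the secondary's pool
    if not lo < cut <= hi:
        raise ValueError("share leaves one server with no addresses")
    a, b = str(IPv4Address(cut - 1)), str(IPv4Address(cut))
    return {"primary": {"pool": (first, a), "exclude": (b, last)},
            "secondary": {"pool": (b, last), "exclude": (first, a)}}


def pool_size(pool):
    return int(IPv4Address(pool[1])) - int(IPv4Address(pool[0])) + 1


def disjoint(plan):
    """True if no address is leasable by both servers (the real meaning of
    'scopes must not overlap': the scope is the same, the pools are not)."""
    p, s = plan["primary"]["pool"], plan["secondary"]["pool"]
    p_lo, p_hi = (int(IPv4Address(x)) for x in p)
    s_lo, s_hi = (int(IPv4Address(x)) for x in s)
    return p_hi < s_lo or s_hi < p_lo


def failover_shortfall(plan, clients):
    """Clients the secondary cannot serve on its own once every lease has to
    come from its share (0 means the 20% side fully covers the subnet)."""
    return max(0, clients - pool_size(plan["secondary"]["pool"]))
```

Configure the "exclude" range of each entry as an exclusion on that server; the two exclusions are each other's pools, which is exactly what makes the split safe.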

DHCP redundancy and fault tolerance can also be achieved by clustering two machines together so they function as a single DHCP service.

The MCSE candidate (or an admin who needs to automate things) should know about, and know some basic top-level syntax for, the netsh dhcp commands used to configure DHCP from the command line.

DHCP traffic seen by a sniffer:

 
