Windows Server 2008 R2 Unleashed
Authors: Noel Morimoto
Enhancing DHCP Reliability
FIGURE 11.7 Enabled link layer filtering.
DHCP Reservations
A DHCP reservation is a configuration on a DHCP server that will match a MAC address to
a specific IP address in the DHCP Scope Address pool. This enables DHCP administrators
to leave systems enabled for DHCP but to predefine which IP address the system will
obtain when requesting an IP address from the particular DHCP scope on that server. This
is especially handy for network printers and network workstations that need to be
accessed remotely by mobile users. In many cases, setting static IP configuration on
printers or end-user computers can cause problems when these devices are moved to other
networks, so a DHCP reservation is desirable when this device needs to be reliably
contacted when on the organization's network. DHCP reservations can be created
manually or they can be created from existing leases on the DHCP server. To create a DHCP
reservation, perform the following steps:
1. Open the DHCP console on the server on which you want to create DHCP
reservations by clicking Start, All Programs, Administrative Tools, DHCP. If prompted,
click Continue to confirm the action.
2. When the DHCP console loads, expand the server to reveal the IPv4 node.
3. Expand an existing scope to reveal the Reservations node and select it to show any
existing reservations in the center or right pane.
4. Right-click the Reservations node and select New Reservation.
5. Enter a friendly name for the reservation, the specific MAC address of the network
adapter, and the desired IP address that is within the DHCP address pool range. Also
enter a description as desired and click the Add button to create the reservation.
Alternately, a reservation can be created from an existing lease by right-clicking on the
lease and selecting Add to Reservation.
CHAPTER 11 DHCP/WINS/Domain Controllers
NOTE
Reservations can be assigned to IP addresses within either the included or excluded
IP address ranges defined within a scope’s address pool. This is especially handy
when split scopes are used on redundant DHCP servers to ensure that a system will
get the same IP address regardless of which DHCP server handles the request for an
IP address.
Configuring Reservation-Specific DHCP Scope Options
In some networking situations, there might be a requirement to provide specific DHCP
options to a subset of devices—for example, Voice over IP phones or mobile devices.
These devices might need to be segmented for security or functionality requirements. As
an example, a network administrator might not want these devices to receive a default
router or gateway scope option setting, to block these devices from accessing the Internet
or other networks. Windows Server 2008 R2 DHCP enables administrators to configure
specific DHCP options for specific systems, but they must be configured on a DHCP
scope reservation. So, essentially, the DHCP administrator will either need to know the
MAC address of the device, or take the lease and create a reservation before specific
options can be set. Reservation-specific DHCP options can be set by performing the
following steps:
1. Open the DHCP console on the server to which you want to define reservation-
specific DHCP options by clicking Start, All Programs, Administrative Tools, DHCP. If
prompted, click Continue to confirm the action.
2. When the DHCP console loads, expand the server to reveal the IPv4 node.
3. Expand an existing scope to reveal the Reservations node and select it to show any
existing reservations in the center or right pane.
4. Right-click an existing reservation in the center or right pane and select Configure
Options.
5. Select the desired DHCP options and configure the desired settings by checking each
option and either entering a value or leaving the value blank. Click OK when
completed. If no options are checked, the reservation will keep the options
defined in the scope or in the global DHCP server options.
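The precedence just described (reservation options override scope options, which override server-level options, and a reservation with nothing checked inherits from the layers below it) can be modelled in a few lines. The following Python script is an added example, not code from the book or from Microsoft; it treats an option that is checked on a reservation but left blank as a value of None that is withheld from the client, which is an assumption of this model, and all names, MAC addresses, IP addresses and option values are constructed sample data.

```python
"""Added example (not from the book): how a DHCP server resolves the
effective options for a client, following the precedence the text
describes: reservation -> scope -> server-level options. A reservation
option stored as None stands for "configured but left blank" and is
withheld from the client (an assumption of this model). All data below
is constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Standard DHCP option codes (RFC 2132) used in the sample.
OPT_ROUTER = 3
OPT_DNS_SERVERS = 6
OPT_DNS_DOMAIN = 15
OPT_TFTP_SERVER = 66   # commonly used to point VoIP phones at a config server


@dataclass
class Reservation:
    name: str
    mac: str                                   # 12 upper-case hex digits
    ip: str
    options: Dict[int, Optional[object]] = field(default_factory=dict)


@dataclass
class Scope:
    network: str
    options: Dict[int, object] = field(default_factory=dict)
    reservations: Dict[str, Reservation] = field(default_factory=dict)  # mac -> Reservation


def normalise_mac(mac: str) -> str:
    """Strip separators and upper-case, so 00-11-22-AA-BB-CC, 00:11:22:aa:bb:cc
    and 001122AABBCC all identify the same adapter."""
    digits = "".join(ch for ch in mac if ch.isalnum()).upper()
    if len(digits) != 12 or any(ch not in "0123456789ABCDEF" for ch in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def effective_options(server_options: Dict[int, object], scope: Scope, mac: str) -> Dict[int, object]:
    """Options a client with this MAC would receive from this scope.

    Layers are merged lowest precedence first so later layers win:
    server -> scope -> reservation. A None on the reservation means the
    option was configured but left blank, so it is dropped at the end
    instead of being inherited from a lower layer."""
    merged: Dict[int, object] = dict(server_options)
    merged.update(scope.options)
    res = scope.reservations.get(normalise_mac(mac))
    if res is not None:
        merged.update(res.options)
    return {code: value for code, value in merged.items() if value is not None}


def build_sample():
    """Constructed sample: a VoIP phone that must not receive a default
    gateway (so it cannot reach other networks) and a printer whose
    reservation sets no options at all and therefore inherits everything."""
    server_options = {OPT_DNS_SERVERS: ["10.0.0.10"], OPT_DNS_DOMAIN: "corp.example"}
    scope = Scope("192.168.1.0", options={OPT_ROUTER: "192.168.1.1",
                                          OPT_DNS_SERVERS: ["192.168.1.10"]})
    phone = Reservation("voip-phone-01", normalise_mac("00:11:22:aa:bb:01"), "192.168.1.50",
                        options={OPT_ROUTER: None, OPT_TFTP_SERVER: "192.168.1.20"})
    printer = Reservation("printer-01", normalise_mac("00-11-22-AA-BB-02"), "192.168.1.51")
    for r in (phone, printer):
        scope.reservations[r.mac] = r
    return server_options, scope


if __name__ == "__main__":
    srv, sc = build_sample()
    for client in ("00:11:22:aa:bb:01", "00:11:22:aa:bb:02", "00:11:22:aa:bb:99"):
        print(client, effective_options(srv, sc, client))
```

The phone ends up with the scope's DNS servers and the server-level domain name but no router option, while the printer and an unreserved client both receive the scope's default gateway.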
DHCP Name Protection
Another new feature of the Windows Server 2008 R2 DHCP service is DHCP Name
Protection. DHCP Name Protection is a feature that ties in directly with DNS service to
prevent a system from registering or overwriting an existing name in the DNS zone for a
particular DNS domain. DHCP Name Protection is based on a new DNS resource record
type named DHCID. For more information on DHCID, review the RFC on DHCID (RFC 4701). To enable
DHCP Name Protection on a Windows Server 2008 R2 system, perform the following steps:
1. Open the DHCP console on the server to which you want to enable DHCP Name
Protection by clicking Start, All Programs, Administrative Tools, DHCP. If prompted,
click Continue to confirm the action.
2. When the DHCP console loads, expand the server to reveal the IPv4 node.
3. To enable DHCP Name Protection on all IPv4 scopes, right-click the IPv4 node in the
tree pane and select Properties.
4. Select the DNS tab, and near the bottom of the window, click the Configure button
in the Name Protection section.
5. In the Name Protection window, check the Enable Name Protection check box and click
OK.
6. Click OK again to save the settings to the IPv4 node. This will only enable Name
Protection on new scopes.
7. To enable Name Protection on existing scopes, expand the IPv4 node in the tree
pane to reveal all the IPv4 DHCP scopes.
8. Right-click the desired scope and select Properties.
9. Select the DNS tab, and near the bottom of the window, click the Configure button
in the Name Protection section.
10. In the Name Protection window, check the Enable Name Protection check box and
click OK.
11. Click OK again to save the settings to the IPv4 scope.
DHCP Network Access Protection Integration
Windows Server 2008 R2 DHCP includes support for Network Access Protection (NAP).
NAP is a service that can be implemented on a network that will define a policy that
clients must adhere to before they can be fully connected to the network. Network Access
Protection is configured within a Windows Network Policy Server, which is detailed in
Chapter 15, “Security Policies, Network Policy Server, and Network Access Protection.” To
enable DHCP Network Access Protection Integration on a Windows Server 2008 R2 DHCP
server, perform the following steps:
1. Open the DHCP console on the server to which you want to enable DHCP Network
Access Protection by clicking Start, All Programs, Administrative Tools, DHCP. If
prompted, click Continue to confirm the action.
2. When the DHCP console loads, expand the server to reveal the IPv4 node.
3. Right-click the IPv4 node and select Properties.
4. Select the Network Access Protection tab and click the Enable on All Scopes button.
5. Click Yes to confirm that the Network Access Protection settings will be overwritten
on all existing scopes.
6. In the lower section of the IPv4 Network Access Protection page, select the option
button that is appropriate to determine the action the DHCP server will perform
when a Network Policy Server is unreachable, such as Restricted Access, and click OK
to save the settings.
7. If Network Access Protection will only be enabled on a single IPv4 scope, right-click
the desired scope and select Properties.
8. In the Scope Properties window, select the Network Access Protection tab and click
the Enable for This Scope option button. If the default NAP profile will not be used,
specify the profile that should be used instead. Click OK to complete this task.
Access DHCP Activity Logs
Windows Server 2008 R2 DHCP service includes much more logging than in previous
versions. All configuration changes to a DHCP server will be logged on the system’s event
logs, under the DHCP logs. Also, there is a new DHCP activity log that is stored in the
%systemroot%\system32\DHCP folder by default. This location can be changed on a
scope-by-scope basis by configuring the audit log file path location from the protocol
Properties Advanced page of the desired protocol (IPv4 or IPv6). One log will be created
for each day of the week and will be named DhcpSrvLog-Mon.log for Monday for IPv4
activity and DhcpV6SrvLog-Mon.log for IPv6 activity. This log can be accessed on the
local DHCP server by opening the desired file with Notepad, although the Microsoft
DHCP Server team has created a DHCP Server Events Tool MMC snap-in, which can be
downloaded and installed, that will allow for simple and quick review of the DHCP
activity logs. For more information on this tool and to locate the download, review the
information located on the DHCP Server team site at http://blogs.technet.com/teamdhcp. To
access the DHCP event logs, open the Event Viewer from the Administrative Tools menu,
expand Applications and Services Logs, expand Microsoft, expand Windows, and select
the DHCP-Server node. Within this folder is the FilterNotifications log, which logs entries
for any action that was taken, based on an enabled link layer filter. The other log in the
DHCP-Server node is the operational log, which logs any and all changes to the DHCP
configuration of the server.
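Opening DhcpSrvLog-Mon.log in Notepad works for a quick look, but the entries worth acting on (address conflicts, denied leases, an exhausted pool, NAP drops) are easier to find with a small parser. The following Python script is an added example, not code from the book or from the Microsoft DHCP team. It assumes the comma-separated layout the DHCP service writes after its explanatory header (ID, Date, Time, Description, IP Address, Host Name, MAC Address, ...) and uses the event IDs the service documents in that header; the log lines themselves are constructed sample data, not output from a real server.

```python
"""Added example (not from the book): reader for the per-day DHCP audit log
(DhcpSrvLog-<Day>.log) that extracts the records a defender cares about.
Assumed layout: a free-text header, then CSV records whose first field is a
numeric event ID. The sample log below is constructed, not real output."""
import csv
import io
from collections import Counter
from typing import Dict, List

# Event IDs written by the DHCP service (subset of those listed in the log header).
EVENT_MEANING = {
    0: "service started",
    10: "new IP address leased",
    11: "lease renewed",
    12: "lease released",
    13: "IP address found in use on the network (conflict)",
    14: "lease request not satisfied: address pool exhausted",
    15: "lease denied",
    16: "lease deleted",
    17: "lease expired",
    31: "DNS update failed",
    33: "packet dropped because of NAP policy",
}
# IDs that signal a problem rather than routine lease traffic.
ALERT_IDS = {13, 14, 15, 31, 33}

FIELDS = ("id", "date", "time", "description", "ip", "host", "mac")

# Constructed sample log: a short header followed by records in the assumed layout.
SAMPLE_LOG = """\
Microsoft DHCP Service Activity Log (constructed sample)

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid.
00,06/07/10,08:00:00,Started,,,,,0,6,,,
10,06/07/10,08:15:03,Assign,192.168.1.101,pc01.corp.example,0011223344AA,,1001,0,,,
11,06/07/10,08:16:10,Renew,192.168.1.102,printer01.corp.example,0011223344BB,,1002,0,,,
13,06/07/10,08:20:44,Conflict,192.168.1.103,,0011223344CC,,1003,0,,,
15,06/07/10,08:21:02,NACK,192.168.1.104,,DEADBEEF0001,,1004,0,,,
10,06/07/10,09:01:00,Assign,192.168.1.105,,DEADBEEF0002,,1005,0,,,
10,06/07/10,09:01:01,Assign,192.168.1.106,,DEADBEEF0003,,1006,0,,,
10,06/07/10,09:01:02,Assign,192.168.1.107,,DEADBEEF0004,,1007,0,,,
14,06/07/10,09:01:03,Scope Full,192.168.1.0,,,,1008,0,,,
"""


def parse_audit_log(text: str) -> List[Dict[str, object]]:
    """Return one dict per data record, skipping the header and blank lines.

    A data line is recognised by its first field being an integer event ID;
    anything else (the explanatory header the service writes) is ignored."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].strip().isdigit():
            continue
        cells = [c.strip() for c in row] + [""] * (len(FIELDS) - len(row))
        rec: Dict[str, object] = dict(zip(FIELDS, cells[:len(FIELDS)]))
        rec["id"] = int(rec["id"])            # type: ignore[arg-type]
        rec["mac"] = str(rec["mac"]).upper()  # MACs are logged without separators
        records.append(rec)
    return records


def alerts(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Records whose event ID signals a conflict, denial, exhaustion, DNS
    failure or NAP drop, with the documented meaning attached."""
    return [dict(r, meaning=EVENT_MEANING.get(r["id"], "unknown"))  # type: ignore[arg-type]
            for r in records if r["id"] in ALERT_IDS]


def new_leases_per_hour(records: List[Dict[str, object]]) -> Dict[str, int]:
    """Number of new leases (event 10) per hour of the day, keyed 'HH'."""
    return dict(Counter(str(r["time"])[:2] for r in records if r["id"] == 10))


def busy_hours(records: List[Dict[str, object]], threshold: int) -> Dict[str, int]:
    """Hours in which more new leases were handed out than `threshold`; a burst
    of new leases to many different MACs right before an event 14 is the
    pattern to look for when a scope is being exhausted."""
    return {h: n for h, n in new_leases_per_hour(records).items() if n > threshold}


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_LOG)
    for a in alerts(recs):
        print(f'{a["date"]} {a["time"]} id={a["id"]} {a["meaning"]}: ip={a["ip"]} mac={a["mac"]}')
    print("new leases per hour:", new_leases_per_hour(recs))
    print("busy hours (>2):", busy_hours(recs, 2))
```

To run it against a real file, replace SAMPLE_LOG with the contents of %systemroot%\system32\DHCP\DhcpSrvLog-Mon.log (or the scope-specific audit path if one was configured); the parser ignores the header the service writes at the top of each file.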
Implementing Redundant DHCP Services
The previous sections of this chapter detailed features that provide Windows Server 2008
R2 DHCP administrators with the ability to gain tighter control over DHCP address
resources and DHCP client configurations, as well as tighter monitoring through increased
logging. The next few sections of this chapter present some important information for
DHCP administrators to consider when deploying DHCP services when a redundant
configuration is required.
DHCP administrators who recognize the need to provide redundancy for DHCP have been
challenged for many years and have had to implement manual configurations to provide
any level of redundancy. Many of these implementations lacked certain functionality and
required network resources that were not always readily available, such as a suitable
second server to deploy DHCP services on. DHCP services redundancy can be achieved by
either deploying multiple DHCP servers running overlapping or split scopes or by
deploying clustered DHCP services. Many organizations do not have the administrative support
or budget to deploy clustered DHCP services, so the more common approach to providing
DHCP redundancy is to deploy multiple DHCP servers running split scopes.
DHCP Split Scope
A DHCP scope is primarily defined by an address pool that contains the IP addresses that
will be made available to DHCP clients. Within a scope, there is usually an included and
excluded IP address list as well as DHCP scope options, such as default gateway and DNS
server options, which will be delivered to clients receiving a DHCP IP address lease. A
scope also contains IP address reservations and other general scope properties that enable
administrators to define how the DHCP server will deal with Dynamic DNS registration
for DHCP leases, audit log path settings, Name Protection settings, and much more. When
redundancy is required for DHCP services, and deploying DHCP services on a cluster is
not a viable option, DHCP administrators will deploy multiple DHCP servers set up in a
split-scope configuration.
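A split scope is only correct when the two servers' exclusion ranges partition the shared pool: any address left leasable on both servers can be handed to two different clients, and any address excluded on both is wasted. The following Python script is an added example, not code from the book; it models a pool and each server's exclusion ranges, derives what each server can actually lease, and also checks that the reservations are identical on both servers, which is what the earlier NOTE on reservations in split scopes requires. The pool, exclusion ranges, MAC addresses and reservations are constructed sample values (roughly an 80/20 split).

```python
"""Added example (not from the book): consistency checks for a split-scope
DHCP deployment. Each server holds the same address pool but a different
excluded range; the checks below find addresses leasable from more than
one server, addresses leasable from none, and reservations that differ
between servers. All addresses and MACs are constructed sample values."""
import ipaddress
from typing import Dict, List, Set, Tuple

Range = Tuple[str, str]  # inclusive (first, last) IPv4 address


def _expand(first: str, last: str) -> Set[int]:
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError(f"range {first}-{last} is reversed")
    return set(range(lo, hi + 1))


def _fmt(addrs: Set[int]) -> List[str]:
    return [str(ipaddress.IPv4Address(a)) for a in sorted(addrs)]


def leasable_addresses(pool: Range, exclusions: List[Range]) -> Set[int]:
    """Pool addresses not covered by any exclusion range."""
    addrs = _expand(*pool)
    for excl in exclusions:
        addrs -= _expand(*excl)
    return addrs


def check_split_scope(pool: Range, servers: Dict[str, List[Range]]) -> dict:
    """`servers` maps a server name to its exclusion ranges for this scope.
    Returns per-server leasable counts plus the overlapping and uncovered
    addresses; both lists are empty for a correct split."""
    leasable = {name: leasable_addresses(pool, excl) for name, excl in servers.items()}
    names = list(leasable)
    overlap: Set[int] = set()
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            overlap |= leasable[a] & leasable[b]
    covered: Set[int] = set().union(*leasable.values())
    return {
        "leasable": {n: len(s) for n, s in leasable.items()},
        "overlap": _fmt(overlap),
        "uncovered": _fmt(_expand(*pool) - covered),
    }


def check_reservations(pool: Range, per_server: Dict[str, Dict[str, str]]) -> List[str]:
    """`per_server` maps server name -> {mac: ip}. A reservation may sit in an
    excluded range (the NOTE allows that) but must be inside the pool and be
    identical on every server. Returns a list of human-readable problems."""
    problems = []
    pool_addrs = _expand(*pool)
    all_macs: Set[str] = set().union(*(d.keys() for d in per_server.values()))
    for mac in sorted(all_macs):
        ips = {name: d.get(mac) for name, d in per_server.items()}
        if len(set(ips.values())) != 1:
            problems.append(f"{mac}: differs between servers {ips}")
            continue
        ip = next(iter(ips.values()))
        if int(ipaddress.IPv4Address(ip)) not in pool_addrs:
            problems.append(f"{mac}: {ip} is outside the pool")
    return problems


# Constructed sample data.
POOL = ("10.10.20.1", "10.10.20.254")
SERVERS_OK = {"DHCP1": [("10.10.20.201", "10.10.20.254")],   # leases .1-.200
              "DHCP2": [("10.10.20.1", "10.10.20.200")]}     # leases .201-.254
SERVERS_BAD = {"DHCP1": [("10.10.20.201", "10.10.20.254")],
               "DHCP2": [("10.10.20.1", "10.10.20.190")]}    # .191-.200 leasable on both
RESERVATIONS_OK = {"DHCP1": {"001122AABB01": "10.10.20.50"},
                   "DHCP2": {"001122AABB01": "10.10.20.50"}}
RESERVATIONS_BAD = {"DHCP1": {"001122AABB01": "10.10.20.50", "001122AABB03": "10.10.21.5"},
                    "DHCP2": {"001122AABB01": "10.10.20.51", "001122AABB02": "10.10.20.60",
                              "001122AABB03": "10.10.21.5"}}

if __name__ == "__main__":
    print("good split:", check_split_scope(POOL, SERVERS_OK))
    print("bad split: ", check_split_scope(POOL, SERVERS_BAD))
    print("reservations ok:", check_reservations(POOL, RESERVATIONS_OK))
    print("reservations bad:", check_reservations(POOL, RESERVATIONS_BAD))
```

The checker runs over any number of servers, not just two, so it also covers a pool split three ways; the same idea applies to the page's 192.168.1.0 example by substituting that pool and its exclusion ranges.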
A DHCP split scope is a range of IP addresses available for DHCP IP address leases that are
logically split between two or more DHCP servers. The IP address pool is the same on both
servers, and the defining configuration for a split scope is the excluded IP range. For
example, suppose a DHCP administrator was given an address pool of 192.168.1.1 to
192.168.1.254. On a split-scope configuration, both DHCP servers would have this range
defined in the scope, but on the first DHCP server, there would be an excluded address
range of 192.168.1.1 to 192.168.1.100; this means that the first DHCP server would lease
addresses 192.168.1.101 to 192.168.1.254. The second DHCP server would also have