Setting Up DHCP Servers

The approach you use to set up DHCP servers depends on many factors, including the number of clients on the network, the network configuration, and the Windows domain implementation you are using. From a physical server perspective, the DHCP Server service doesn't use a lot of system resources and can run on just about any system configured with Windows Server 2003. The DHCP Server service is in fact often installed as an additional service on an existing infrastructure server or on an older server that isn't robust enough to offer other types of services. Either approach is fine as long as you remember the security precaution discussed previously about not installing DHCP on a domain controller if possible. Personally, however, I prefer to install the DHCP Server service on hardware that I know and trust. Rather than installing it on an older system that might fail, I install it on either a workstation-class system running Windows Server 2003 or an existing infrastructure server that can handle the additional load.

Speaking of server load, a single DHCP server can handle about 10,000 clients and about 1,000 scopes. This is, of course, if the system is a dedicated DHCP server with adequate processing power and memory. Because DHCP is so important for client startup and network access, I don't trust the service to a single server, and you shouldn't either. In most cases, you'll want to have at least two DHCP servers on the network. If you have multiple subnets, you might want two DHCP servers per subnet. However, configuring routers to forward DHCP broadcasts or having DHCP relay agents reduces the need for additional servers.

Many organizations have standby DHCP servers available as well. A standby DHCP server is a server that has the DHCP Server service fully configured but has its scopes deactivated. Then, if a primary DHCP server fails and can't be recovered immediately, the scopes can be activated to service clients on the network as necessary.

After you select the server hardware, you should plan out the IP address ranges and exclusions you want to use. The section entitled "Planning DHCP Implementations" earlier in this chapter should have given you some good ideas on how to configure IP address ranges and exclusions for availability and fault tolerance. At the implementation stage, don't forget about IP addresses that might have been or will be assigned to computers using static IP addresses. You should either specifically exclude these IP address ranges or simply not include them in the scopes you configure.

The way you set up DHCP services depends on whether the network in which the DHCP server will be placed is using Active Directory domains or workgroups. With Active Directory domains, you set up DHCP services by completing the following steps:

  1. Installing the DHCP Server service

  2. Authorizing the DHCP server in Active Directory

  3. Configuring the DHCP server with the appropriate scopes, exclusions, reservations, and options

  4. Activating the DHCP server's scopes

With workgroups, you don't need to authorize the DHCP server in Active Directory. This means the steps for setting up DHCP services look like this:

  1. Installing the DHCP Server service

  2. Configuring the DHCP server with the appropriate scopes, exclusions, reservations, and options

  3. Activating the DHCP server's scopes

The sections that follow examine the related procedures in detail.

Installing the DHCP Server Service

You can install the DHCP Server service using the Add Or Remove Programs utility or using the Configure Your Server Wizard. Follow these steps for using the Add Or Remove Programs utility to do this:

  1. In Control Panel, double-click Add Or Remove Programs.

  2. In the Add Or Remove Programs dialog box, click Add Windows Components to start the Windows Components Wizard.

  3. On the Windows Components page, select Networking Services, and then click Details.

  4. In the Networking Services dialog box, shown in the following screen, ensure the correct components are selected, but don't clear selections if a service has already been installed.

  5. Click OK. Click Next to begin the installation, and then click Finish.

Follow these steps for using the Configure Your Server Wizard to do this:

  1. Select Configure Your Server Wizard on the Administrative Tools menu. When the wizard starts, click Next twice.

  2. The server's current roles are shown, as in the screen at the top of the following page. Select DHCP Server, and then click Next.

  3. The wizard will then install DHCP and begin configuring the server. When it finishes, the wizard launches the New Scope Wizard.

  4. If you want to create the initial scope for the DHCP server, click Next and follow the steps outlined in the section entitled "Creating and Configuring Scopes" later in this chapter. Otherwise, click Cancel, and create the scope later. Click Finish.

After you install the DHCP Server service, the DHCP console is available on the Administrative Tools menu. Start the console by clicking Start, Programs or All Programs as appropriate, Administrative Tools, DHCP. Then select the DHCP server you are working with to see its status. If you haven't yet created a scope, the details pane will appear, as shown in Figure 25-3. This tells you to create a scope so that the clients can get IP addresses dynamically assigned by this server.

Figure 25-3. The DHCP console.

You don't have to complete the rest of the configuration at the server. If you've installed the Administrative Tools (Adminpak.msi) as discussed in the section entitled "Installing Windows Server 2003 Administration Tools on Windows XP", you can remotely manage and configure DHCP. Simply start the DHCP console on your workstation, right-click the DHCP node in the left pane, and select Add Server. In the Add Server dialog box, select This Server, type the name or IP address of the DHCP server, and then click OK.

The command-line counterpart to the DHCP console is the netsh dhcp command. From the command prompt on a computer running Windows Server 2003 you can use Netsh DHCP to perform all the tasks available in the DHCP console as well as to perform some additional tasks that can't be performed in the DHCP console. To start Netsh DHCP and access a particular DHCP server, follow these steps:

  1. Start a command prompt, and then type netsh to start Netsh. The command prompt changes to netsh>.

  2. Access the DHCP context within Netsh by typing dhcp. The command prompt changes to netsh dhcp>.

  3. Type server followed by the Universal Naming Convention (UNC) name or IP address of the DHCP server, such as \\corpsvr02 or \\192.168.1.50. If the DHCP server is in a different domain from your logon domain, you should type the fully qualified domain name (FQDN) of the server, such as \\corpsvr02.cpandl.com.

  4. The command prompt changes to netsh dhcp server>. You can now work with the selected server. If you later want to work with a different server, you can do this without having to start over. Simply type server followed by the UNC name or IP address of that server.

Note

Technically, you don't need to type \\ when you specify an IP address. You must, however, type \\ when you specify a server's name or FQDN. Because of this discrepancy, you might want to use \\ all the time so that you remember that it is needed.

Authorizing DHCP Servers in Active Directory

Before you can use a DHCP server on an Active Directory domain, you must authorize the server in Active Directory. In the DHCP console, any unauthorized DHCP server to which you connect will have an icon showing a red down arrow. Authorized DHCP servers have an icon showing a green up arrow.

In the DHCP console, you can authorize a DHCP server by right-clicking the server entry in the console tree and selecting Authorize. To remove the authorization later, right-click the server entry in the console tree and select Unauthorize.

In Netsh, you can authorize a server by typing the following command:

netsh dhcp server ServerID initiate auth

where ServerID is the UNC name or IP address of the DHCP server that you want to authorize, such as \\CORPSVR03 or \\192.168.1.1. Keep in mind that if you are already at the netsh dhcp server prompt, you only need to type initiate auth.

Note

If you install DHCP on a server acting as a domain controller, the DHCP server is automatically authorized and you cannot remove the authorization. Also note that if you install DHCP in a workgroup, you don't need to authorize the server for it to work. However, if you later install Active Directory, DHCP servers will detect this automatically and will stop running until they are authorized.

Creating and Configuring Scopes

After you install the DHCP Server service, the next thing you must do is create the scopes that will provide the range of IP addresses and TCP/IP options for clients. The DHCP Server service supports three types of scopes:

  • Normal scope: A normal scope is a scope with Class A, B, or C network addresses. Normal scopes have an IP address range assignment that includes the subnet mask and can also have exclusions and reservations as well as TCP/IP options that are specific to the scope. When you create normal scopes, each scope must be in its own subnet. This means if you add a normal scope, it must be on a different subnet than any of the existing scopes configured on the server.

  • Multicast scope: A multicast scope is a scope with Class D network addresses. Multicast scopes are created in the same way as normal scopes except that they do not have an associated subnet mask, reservations, or related TCP/IP options. This means there is no specific subnet association for multicast scopes. Instead of a subnet mask, you assign the scope a Time to Live (TTL) value that specifies the maximum number of routers the messages sent to computers over multicast can go through. The default TTL is 32. Additionally, because multicast IP addresses are used for destination addresses only, they have a longer lease duration than unicast IP addresses, typically from 30 to 60 days.

  • Superscope: A superscope is a container for scopes. If you configure multiple scopes on a server and want to be able to activate or deactivate them as a unit or view the usage statistics for all the scopes at once, you can use a superscope to do this. Create the superscope and then add to it the scopes you want to manage as a group.

Before you create a normal scope, you should plan out the IP address range you want to use as well as any necessary exclusions and reservations. You also must know the IP address of the default gateway and any DNS or WINS servers that should be used.

Creating Normal Scopes Using the DHCP Console

In the DHCP console, you can create a normal scope by right-clicking the server on which you want to create the scope and choosing New Scope. If the server isn't listed, right-click DHCP in the console tree, and select Add Server so that you can specify the server you want to work with.

In the New Scope Wizard, click Next to display the Scope Name page, as shown in Figure 25-4. Type a descriptive name for the scope and a description that will be used as a comment.

Figure 25-4. Set the scope name and description.

Click Next to display the IP Address Range page, as shown in Figure 25-5. Enter the start and end IP address to use for the scope in the Start IP Address and End IP Address boxes. Be sure to specify the first and last usable IP address only, which means you shouldn't include the x.x.x.0 and x.x.x.255 addresses. When you enter an IP address range, the bit length and subnet mask are filled in automatically for you. Change the default values if you use subnets.

Figure 25-5. Set the IP address range and subnet information.

Click Next. If the IP address range you entered is on multiple subnets, you'll see a Create Superscope page as shown in Figure 25-6 instead of the Exclusion Range page. This page gives you the opportunity to create a superscope that contains separate scopes for each subnet. Click Yes to continue to the Lease Duration page.

Figure 25-6. The New Scope Wizard knows when you cross subnet boundaries and will let you create a superscope with multiple scopes automatically.

If all the IP addresses you entered are on the same subnet, you'll have the opportunity to specify an exclusion range, as shown in Figure 25-7. Use the Exclusion Range boxes to define IP address ranges that are to be excluded from the scope, such as servers that have static IP addresses assigned to them. After you enter the Start IP Address and End IP Address for the exclusion range, click Add. You can then add additional exclusion ranges as necessary.

Figure 25-7. Set exclusion ranges.

Click Next to display the Lease Duration page, as shown in Figure 25-8. Specify the duration of leases for the scope. The default lease duration is 8 days, but don't accept the default without first giving some thought to how leases will be used. A lease duration that's too long or too short can reduce the effectiveness of DHCP. If a lease is too long, you could run out of IP addresses because the DHCP server is holding IP addresses for computers that are no longer on the network, such as when there are a lot of mobile users who connect and disconnect their portable computers. If a lease is too short, this could generate a lot of unnecessary broadcast traffic on the network as clients attempt to renew leases.

Figure 25-8. Set the lease duration.

By default, clients try to renew their lease when 50 percent of the lease time has passed and then again when 87.5 percent of the lease time has passed if the first attempt fails. With this in mind, you generally want to find a balance in the lease time that serves the type of clients on the subnet. If there are only fixed desktops and servers, you could use a longer lease duration of 14 to 21 days. If there are only mobile users with portable computers, you could shorten the lease duration to 2 to 3 days. If there's a mix of fixed systems and mobile systems, a lease duration of 5 to 7 days might be more appropriate.

Click Next to display the Configure DHCP Options page. If you want to set TCP/IP options now, click Yes, and then click Next to continue to the Router (Default Gateway) page, as shown in Figure 25-9. If you don't want to set TCP/IP options now, click No, click Next, and then click Finish to create the scope and exit the wizard.

Figure 25-9. Set the default gateways.

In the IP Address box enter the IP address of the primary default gateway, and then click Add. You can repeat this process to specify other default gateways. Keep in mind clients try to use gateways in the order they are listed, and you can use the Up and Down buttons to change the order of the gateways, as necessary.

Click Next to display the Domain Name And DNS Servers page, as shown in Figure 25-10. In the Parent Domain box, type the name of the parent domain to use for DNS resolution of computer names that aren't fully qualified. In the IP Address box, type the IP address of the primary DNS server, and then click Add. You can repeat this process to specify additional DNS servers. As with gateways, the order of the entries determines which DNS server is used first, and you can change the order as necessary using the Up and Down buttons.

Figure 25-10. Set the DNS servers to use.

Click Next to display the WINS Servers page, as shown in Figure 25-11. In the IP Address box, type the IP address of the primary WINS server, and then click Add. You can repeat this process to specify additional WINS servers. As with gateways, the order of the entries determines which WINS server is used first, and you can change the order as necessary using the Up and Down buttons.

Figure 25-11. Set the WINS servers to use.

Click Next to display the Activate Scope page. If you want to activate the scope, click Yes, I Will Activate This Scope Now. Otherwise, click No, I Will Activate This Scope Later. Click Next, and then click Finish to create the scope and exit the wizard.

Creating Normal Scopes Using Netsh

Using Netsh, you can create a scope by typing the following command:

netsh dhcp server ServerID add scope NetworkID SubnetMask ScopeName

where the following is true:

  • ServerID is the UNC name or IP address of the DHCP server on which you want to create the scope, such as \\CORPSVR03 or \\192.168.1.1.

  • NetworkID is the network ID of the scope, such as 192.168.1.0.

  • SubnetMask is the subnet mask of the scope, such as 255.255.255.0.

  • ScopeName is the name of the scope, such as Primary.

After you create the scope, you must use separate commands to set the scope's IP address, exclusions, reservations, and options. You can add an IP range to the scope using the ADD IPRANGE command for the NETSH DHCP SERVER SCOPE context. Type the following:

netsh dhcp server ServerID scope NetworkID add iprange StartIP EndIP

where

  • ServerID is the UNC name or IP address of the DHCP server on which you want to create the scope, such as \\CORPSVR03 or \\192.168.1.1.

  • NetworkID is the network ID of the scope, such as 192.168.1.0.

  • StartIP is the first IP address in the range, such as 192.168.1.1.

  • EndIP is the last IP address in the range, such as 192.168.1.254.

Other commands available when you are working with the NETSH DHCP SERVER SCOPE context include the following:

  • ADD EXCLUDERANGE StartIP EndIP—adds a range of excluded IP addresses to the scope.

  • DELETE IPRANGE StartIP EndIP—deletes an IP address range from the scope.

  • DELETE EXCLUDERANGE StartIP EndIP—deletes an exclusion range from the scope.

  • SHOW IPRANGE—shows currently configured IP address ranges for the scope.

  • SHOW EXCLUDERANGE—shows currently configured exclusion ranges for the scope.

  • SHOW CLIENTS—lists clients using the scope.

  • SHOW STATE—shows the state of the scope as active or inactive.

Using Exclusions

To exclude IP addresses from a scope, you can define an exclusion range. In the DHCP console, any existing exclusions for a scope can be displayed by expanding the scope and selecting Address Pool, as shown in Figure 25-12. To list exclusions at the command line, type the following:

netsh dhcp server ServerID scope NetworkID show excluderange

where ServerID is the UNC name or IP address of the DHCP server on which you want to create the scope, such as \\CORPSVR03 or \\192.168.1.1, and NetworkID is the network ID of the scope, such as 192.168.1.0.

Figure 25-12. Exclusions are listed under the Address Pool node.

In the DHCP console, you can define an exclusion range by right-clicking Address Pool within the scope you want to work with and choosing New Exclusion Range. In the Add Exclusion dialog box, enter a start address and an end address for the exclusion range, as shown in Figure 25-13, and then click Add. Keep in mind the range excluded must be a subset of the scope's range and must not currently be in use by DHCP clients.

Figure 25-13. Set the exclusion range.

Using Netsh, you can add an exclusion range in much the same way. Type the following:

netsh dhcp server ServerID scope NetworkID add excluderange StartIP EndIP

where the following is true:

  • ServerID is the UNC name or IP address of the DHCP server on which you want to create the scope, such as \\CORPSVR03 or \\192.168.1.1.

  • NetworkID is the network ID of the scope, such as 192.168.1.0.

  • StartIP is the first IP address in the exclusion range, such as 192.168.1.200.

  • EndIP is the last IP address in the exclusion range, such as 192.168.1.219.

Using Reservations

Reservations provide a way to assign a permanent lease on an IP address to a client. In this way, the client has a fixed IP address, but you retain flexibility in that you could change the IP address at any time if necessary through DHCP rather than having to do so on the client. In the DHCP console, any existing reservations for a scope can be displayed by expanding the scope and selecting Reservations. As shown in Figure 25-14, existing reservations are shown according to the reservation name and IP address reserved. You can right-click a reservation and select Properties to see the associated MAC address. To list reservations by IP address and MAC address at the command line, type the following:

netsh dhcp server ServerID scope NetworkID show reservedip

where ServerID is the UNC name or IP address of the DHCP server on which you want to create the scope, such as \\CORPSVR03 or \\192.168.1.1, and NetworkID is the network ID of the scope, such as 192.168.1.0.

Figure 25-14. Current reservations are listed by reservation name and IP address.

To create a reservation, you need to know the MAC address of the computer that will hold the IP address. The MAC address is specific to an individual network interface configured on the client and can be viewed by typing ipconfig /all at the command prompt. The output lists the MAC address as the Physical Address of the network interface, as in the following example:

Windows IP Configuration

     Host Name. . . . . . . . . . . . . : corpsvr06
     Primary Dns Suffix . . . . . . . . :  cpandl.com
     Node Type. . . . . . . . . . . . . :  Hybrid
     IP Routing Enabled . . . . . . . . :  No
     WINS Proxy Enabled . . . . . . . . :  No
     DNS Suffix Search List . . . . . . :  cpandl.com

Ethernet adapter Local Area Connection:

     Connection-specific DNS Suffix . . :
     Description. . . . . . . . . . . . :  Intel(R) PRO/100
     Physical Address . . . . . . . . . :  23-24-AE-67-B4-E8
     Dhcp Enabled . . . . . . . . . . . :  Yes
     Autoconfiguration Enabled. . . . . :  Yes
     IP Address . . . . . . . . . . . . :  192.168.1.20
     Subnet Mask. . . . . . . . . . . . :  255.255.255.0
     Default Gateway. . . . . . . . . . :  192.168.1.1
     DHCP Server. . . . . . . . . . . . :  192.168.1.50
     Lease Obtained . . . . . . . . . . :  Thursday, August 12, 2004 12:03:40 PM
     Lease Expires. . . . . . . . . . . :  Friday, August 20, 2004 12:03:40 PM

In the DHCP console, you can reserve a DHCP address for a client as follows:

  1. After you expand the scope you want to work with, right-click the Reservations folder, and choose New Reservation. This opens the New Reservation dialog box, as shown in Figure 25-15.

    Figure 25-15. Create a reservation for an IP address using the MAC address of the client.

  2. In the Reservation Name box, type a descriptive name for the reservation. This doesn't have to be the name of the computer to which the reservation belongs, but that does help simplify administration.

  3. In the IP Address box, enter the IP address you want to reserve for the client. This IP address must be valid for the currently selected scope.

  4. In the MAC Address box, type the MAC address as previously obtained using the IPCONFIG /ALL command.

  5. If desired, enter an optional comment in the Description box.

  6. By default, the reservation is configured to accept both DHCP and BOOTP clients. Only change the default if you want to exclude a particular type of client. DHCP clients include computers running the standard version of the DHCP client as with most Windows operating systems. BOOTP clients are clients running other operating systems and could also include devices such as printers that can use dynamic IP addressing.

  7. Click Add to create the address reservation.

In Netsh, you can create a reservation by typing the following command:

netsh dhcp server ServerID scope NetworkID add reservedip ReservedIP MacAddress Name Comment

where the following is true:

  • ServerID is the UNC name or IP address of the DHCP server on which you want to create the scope, such as \\CORPSVR03 or \\192.168.1.1.

  • NetworkID is the network ID of the scope, such as 192.168.1.0.

  • ReservedIP is the IP address you are reserving, such as 192.168.1.20.

  • MacAddress is the MAC address of the client (excluding the dashes), such as 2324AE67B4E8.

  • Name is the descriptive name of the reservation.

  • Comment is the optional comment describing the reservation.

When you assign reservations, keep in mind that a client with an existing lease won't automatically use the reservation. If a client has a current lease, you must force the client to release that lease and then request a new one. If a client has an existing address and you want to force it to start using DHCP, you must force the client to stop using its current IP address and request a new IP address from DHCP.

To force a client to release an existing lease or drop its current IP address, log on to the client, and type ipconfig /release at the command prompt. Next, if the client isn't already configured to use DHCP, you must configure the client to use DHCP as discussed in the section entitled "Configuring Dynamic IP Addressing".

To get a client to request a new IP address from DHCP, log on to the client, and type ipconfig /renew at the command prompt.

Activating Scopes

Scopes are available only when they are activated. If you want to make a scope available to clients, you must right-click it in the DHCP console and then select Activate. Activating a scope won't make clients switch to that scope. If you want to force clients to switch to a different scope or to use a different DHCP server, you can terminate the client leases in the DHCP console and then deactivate the scope the clients are currently using.

To terminate a lease, you expand the scope you want to work with in the DHCP console and then select Address Leases. You will then see a list of current leases and can terminate a lease by right-clicking it and selecting Delete. The next time the client goes to renew its lease, the DHCP server will tell the client the lease is no longer valid and that a new one must be obtained.

To prevent clients from reusing the original scope, you can deactivate that scope by right-clicking it in the DHCP console and then selecting Deactivate.

You can perform these same actions using Netsh. To terminate a lease, type the following command:

netsh dhcp server ServerID scope NetworkID delete lease IPAddress

where the following is true:

  • ServerID is the UNC name or IP address of the DHCP server on which you want to create the scope, such as \\CORPSVR03 or \\192.168.1.1.

  • NetworkID is the network ID of the scope, such as 192.168.1.0.

  • IPAddress is the IP address for the lease you want to remove, such as 192.168.1.8.

To activate or deactivate a scope, type the following:

netsh dhcp server ServerID scope NetworkID set state StateVal

where the following is true:

  • ServerID is the UNC name or IP address of the DHCP server on which you want to create the scope, such as \\CORPSVR03 or \\192.168.1.1.

  • NetworkID is the network ID of the scope, such as 192.168.1.0.

  • StateVal is set to 0 to deactivate the scope and 1 to activate it. If you are using a switched network where multiple logical networks are hosted on a single physical network, use 2 to deactivate the scope and 3 to activate the scope.
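
The Netsh sequence described in the sections above (create the scope, add the IP range, exclusions and reservations, then activate), as an added example that is not from the original text: a Python helper that checks a scope plan against the rules this chapter states and returns the netsh lines to run. The function names, the quoting of names and comments, and the sample ipconfig text are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample: trimmed ipconfig /all output in the format shown in this section.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

     Description. . . . . . . . . . . . :  Intel(R) PRO/100
     Physical Address . . . . . . . . . :  23-24-AE-67-B4-E8
     Dhcp Enabled . . . . . . . . . . . :  Yes
"""

MAC_LINE = re.compile(
    r"Physical Address[ .]*:\s*((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\s*$", re.M)


def mac_from_ipconfig(text):
    """Return the first Physical Address in the form netsh expects (no dashes)."""
    match = MAC_LINE.search(text)
    if match is None:
        raise ValueError("no Physical Address line found")
    return match.group(1).replace("-", "").upper()


def quote(value):
    """Quote a name or comment; refuse characters cmd.exe would interpret."""
    if re.search(r'["&|<>^%\r\n]', value):
        raise ValueError(f"unsafe character in {value!r}")
    return f'"{value}"'


def build_scope_commands(server, network, mask, name, start, end,
                         exclusions=(), reservations=(), activate=True):
    """Validate a scope plan and return the netsh command lines in order.

    exclusions:   iterable of (start_ip, end_ip)
    reservations: iterable of (ip, mac_without_dashes, name, comment)
    """
    net = ipaddress.ip_network(f"{network}/{mask}")  # raises on a bad ID/mask pair

    def usable(ip):
        addr = ipaddress.ip_address(ip)
        # Usable means inside the subnet and not its network or broadcast address.
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            raise ValueError(f"{ip} is not a usable address in {net}")
        return addr

    low, high = usable(start), usable(end)
    if low > high:
        raise ValueError("range start is after range end")

    base = f"netsh dhcp server {server}"
    scope = f"{base} scope {network}"
    cmds = [f"{base} add scope {network} {mask} {quote(name)}",
            f"{scope} add iprange {start} {end}"]

    for ex_start, ex_end in exclusions:
        first, last = ipaddress.ip_address(ex_start), ipaddress.ip_address(ex_end)
        # The excluded range must be a subset of the scope's range.
        if not low <= first <= last <= high:
            raise ValueError(f"exclusion {ex_start}-{ex_end} is outside the scope range")
        cmds.append(f"{scope} add excluderange {ex_start} {ex_end}")

    reserved = set()
    for ip, mac, res_name, comment in reservations:
        addr = usable(ip)  # assumption: "valid for the scope" means usable in its subnet
        if addr in reserved:
            raise ValueError(f"{ip} is reserved twice")
        if not re.fullmatch(r"[0-9A-Fa-f]{12}", mac):
            raise ValueError(f"MAC address {mac!r} must be 12 hex digits, no dashes")
        reserved.add(addr)
        cmds.append(f"{scope} add reservedip {ip} {mac.upper()} "
                    f"{quote(res_name)} {quote(comment)}")

    # netsh scope context: set state 1 activates, 0 deactivates.
    cmds.append(f"{scope} set state {1 if activate else 0}")
    return cmds


if __name__ == "__main__":
    plan = build_scope_commands(
        r"\\CORPSVR03", "192.168.1.0", "255.255.255.0", "Primary",
        "192.168.1.1", "192.168.1.254",
        exclusions=[("192.168.1.200", "192.168.1.219")],
        reservations=[("192.168.1.20", mac_from_ipconfig(SAMPLE_IPCONFIG),
                       "corpsvr06", "Reserved for corpsvr06")])
    print("\n".join(plan))
```

Pass activate=False to stage a standby server's scopes in the deactivated state.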
