DHCP Server Authorization
Applies To: Windows Server 2008
Starting with the release of Windows 2000, there is an Active Directory feature that prevents rogue Windows 2000-based DHCP servers from running. When a DHCP server running Windows 2000 or later starts, it first checks Active Directory to confirm its authorization to run. If the server has explicitly been authorized as a DHCP server, it is allowed to run. By default, the DHCP server checks its authorization every sixty minutes.
The Windows Server 2008 support tools (located in the \Support\Tools folder of the operating system CD) include a tool called dhcploc.exe that displays active DHCP servers on the subnet. Upon detection of any unauthorized DHCP servers, the tool beeps and sends out alert messages. Packets from DHCP servers are also displayed; the administrator can specify whether to display packets from all DHCP servers or only from unauthorized servers.
How DHCP servers are authorized
The process for authorizing DHCP servers depends on the AD DS role of the server on your network. In Windows Server 2008, there are three AD DS roles that can be installed for each server:
Domain controller: The computer keeps and maintains a copy of the Active Directory database and provides secure account management for domain member users and computers.
Member server: The computer does not operate as a domain controller, but has joined a domain and has a membership account in the domain’s Active Directory database.
Stand-alone server: The computer operates neither as a domain controller nor as a member server of a domain. Instead, the server is made known to the network through a specified workgroup name, which can be shared by other computers but is used only for browsing purposes and not to provide secured logon access to shared domain resources.
If you deploy AD DS, all computers operating as DHCP servers must be either domain controllers or domain member servers before they can be authorized to provide DHCP service to clients.
Although it is not recommended, you can use a stand-alone server as a DHCP server as long as it is not on a subnet with any authorized DHCP servers. When a stand-alone DHCP server detects an authorized server on the same subnet, it automatically stops leasing IP addresses to DHCP clients.
DHCP servers running Windows Server 2008 provide detection of both authorized and unauthorized servers using the following specific enhancements of the DHCP standard:
Information messaging between DHCP servers using the DHCP information message (DHCPINFORM).
Addition of several new vendor-specific option types for communicating information about the root domain.
Most commonly, there is one enterprise root and therefore only a single point for directory authorization of the DHCP servers. However, there is no restriction on authorizing DHCP servers for more than one enterprise root.
For the directory authorization process to work properly, the first DHCP server introduced on your network must participate in AD DS. This means the server must be installed as either a domain controller or a member server. When planning or deploying AD DS with DHCP in Windows Server 2008, do not install your first DHCP server as a stand-alone server.