DHCP Interoperability with AD DS

Applies To: Windows Server 2008

The integration of DHCP with AD DS allows for the detection of unauthorized DHCP servers. When a DHCP server is unintentionally started on a network, it can cause a variety of network problems such as configuring clients with incorrect IP addresses or rejecting client renewal requests. Clients that obtain a lease from unauthorized servers might then fail to locate valid domain controllers, preventing the clients from successfully logging on to the network. To prevent this scenario from occurring, Windows 2000, Windows Server 2003, and Windows Server 2008 provide a method for authorizing a DHCP server as well as a means for detecting and shutting down unauthorized servers.

When a domain member DHCP server attempts to start on the network, AD DS is queried and the IP address of the server is compared to the list of authorized DHCP servers. If a match is found, the server computer is authorized as a DHCP server. If a match is not found, the following occurs:

  • The server is set to “not authorized” in AD DS.

  • The server is identified as an unauthorized server.

  • The server stops leasing IP addresses to DHCP clients.
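The comparison described above can also be run by an administrator as a rogue-server audit. The following PowerShell script is an added example, not part of the original article: it reads the authorized-server list from AD DS with `netsh dhcp show server`, parses the `Server [name] Address [ip]` lines, and reports any address from a constructed list of DHCP responders seen on the network that is not in the authorized set. The observed addresses and host names are constructed sample values, and the regex assumes the netsh output format quoted in the comment (adjust it if your build prints differently).

```powershell
# Added example: audit the AD DS DHCP authorization list against servers
# observed handing out leases. Requires the DHCP Server tools (netsh dhcp context).

function Get-AuthorizedDhcpServer {
    # netsh prints one line per authorized server, for example (assumed format):
    #   Server [dhcp1.corp.example.com] Address [10.0.0.10] Ds location: cn=dhcp1.corp.example.com
    $lines = & netsh.exe dhcp show server 2>&1
    foreach ($line in $lines) {
        if ($line -match 'Server \[(?<Name>[^\]]+)\] Address \[(?<Ip>[^\]]+)\]') {
            [pscustomobject]@{ Name = $Matches.Name; Ip = $Matches.Ip }
        }
    }
}

function Find-UnauthorizedDhcpServer {
    param(
        [Parameter(Mandatory)] [string[]] $ObservedIp,   # source IPs of DHCPOFFER/DHCPACK seen on the wire
        [Parameter(Mandatory)] [object[]] $Authorized    # output of Get-AuthorizedDhcpServer
    )
    # Build a lookup of authorized IP -> registered name, mirroring the AD DS check.
    $allowed = @{}
    foreach ($a in $Authorized) { $allowed[$a.Ip] = $a.Name }

    foreach ($ip in ($ObservedIp | Sort-Object -Unique)) {
        $isAuthorized = $allowed.ContainsKey($ip)
        $name = '<not in AD DS>'
        if ($isAuthorized) { $name = $allowed[$ip] }
        [pscustomobject]@{ Ip = $ip; Authorized = $isAuthorized; Name = $name }
    }
}

# Constructed sample: DHCP server addresses captured on a client VLAN.
# In practice, collect these from a packet capture or DHCP client event logs.
$observed = @('10.0.0.10', '10.0.0.10', '10.0.0.77')

$authorized = Get-AuthorizedDhcpServer
Find-UnauthorizedDhcpServer -ObservedIp $observed -Authorized $authorized |
    Where-Object { -not $_.Authorized } |
    Format-Table -AutoSize
```

Any row printed is a server answering clients without an AD DS authorization record; note that only domain-member servers running the Windows DHCP service perform the self-check described above, so a non-Windows or standalone server will only show up through an audit like this one.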

To use DHCP server authorization, you must deploy AD DS and the DHCP service on a server running Windows 2000, Windows Server 2003, or Windows Server 2008. Other DHCP servers do not support this feature. For more information about the authorization process, see DHCP Server Authorization.