Module 4: Configuring and Troubleshooting DHCP (Course 6421A)
Presentation: 60 minutes. Lab: 30 minutes.
This module helps students to configure, manage, and troubleshoot a Dynamic Host Configuration Protocol (DHCP) environment supporting an IPv4 infrastructure. After completing this module, students will be able to: Describe the DHCP Server role. Configure DHCP scopes and options. Manage a DHCP database. Monitor and troubleshoot DHCP. Secure DHCP.
Required materials: To teach this module, you need the Microsoft Office PowerPoint® file 6421A_04.ppt.
Important: It is recommended that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not be displayed correctly.
Preparation tasks: To prepare for this module: Read all of the materials for this module. Practice performing the demonstrations and the lab exercises. Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance. Make sure that students are aware that the Course Companion CD has additional information and resources for the module.
Module outline: Overview of the DHCP Server Role. Configuring DHCP Scopes and Options. Managing a DHCP Database. Monitoring and Troubleshooting DHCP. Securing DHCP.
Lesson 1: Overview of the DHCP Server Role Course 6421A Lesson 1: Overview of the DHCP Server Role Module 4: Configuring and Troubleshooting DHCP Benefits of Using DHCP New DHCP Features in Windows Server 2008 How DHCP Allocates IP Addresses How DHCP Lease Generation Works How DHCP Lease Renewal Works DHCP Server Authorization Demonstration: Adding the DHCP Server Role
Module 4: Configuring and Troubleshooting DHCP Course 6421A Benefits of Using DHCP Module 4: Configuring and Troubleshooting DHCP DHCP reduces the complexity and amount of administrative work by using automatic TCP/IP configuration Define DHCP. Explain how DHCP reduces the complexity and amount of administrative work by using automatic Transmission Control Protocol/Internet Protocol (TCP/IP) configuration. Explain the difference between manual and automatic TCP/IP configuration. Provide examples of how DHCP reduces the complexity and amount of administrative work. Manual TCP/IP Configuration Automatic TCP/IP Configuration IP addresses are entered manually IP address could be entered incorrectly Communication and network issues can result Frequent computer moves increase administrative effort IP addresses are supplied automatically Correct configuration information is ensured Client configuration is updated automatically A common source of network problems is eliminated
New DHCP Features in Windows Server 2008 Course 6421A New DHCP Features in Windows Server 2008 Module 4: Configuring and Troubleshooting DHCP New DHCP features include: The DHCP role on Microsoft Windows® Server 2008 supports several new features: Supports DHCPv6 stateful and stateless configuration for configuring clients in an IPv6 environment. Helps isolate potentially malware-infected computers from the corporate network via Network Access Protection (NAP) with DHCP. Enables DHCP installation as a role on a Windows Server® 2008 Server Core installation. References DHCP Server http://go.microsoft.com/fwlink/?LinkId=99877&clcid=0x409 The DHCPv6 Protocol http://go.microsoft.com/fwlink/?LinkId=99878&clcid=0x409 Windows Server 2008 Support for DHCPv6 Support for advanced network security configuration using NAP DHCP on Server Core
How DHCP Allocates IP Addresses
Slide diagram: DHCP Server with DHCP Database. DHCP Client1: IP configuration from DHCP server. DHCP Client2: IP configuration from DHCP server. Non-DHCP Client: Static IP configuration. Lease Generation. Lease Renewal. IP Address1: Leased to DHCP Client1. IP Address2: Leased to DHCP Client2. IP Address3: Available to be leased.
DHCP allocates IP addresses on a dynamic basis, called a lease. You can set the lease value to unlimited. However, the value typically is not more than a few hours or days. Ensure that students understand that the two methods for obtaining a lease are to request a new lease or to renew an existing lease.
DHCP uses IP broadcasts to initiate communications. Therefore, DHCP servers are limited to communication within their IP subnet. This means that in many networks, there is a DHCP server for each IP subnet. When this is not feasible, either for cost or management reasons, you can use a DHCP relay agent. The DHCP relay agent allows DHCP broadcast packets to be relayed into another IP subnet across a router. This makes it possible to maintain a single DHCP server that services multiple IP subnets. DHCP packets also may be relayed into other subnets using a router that is compatible with RFC 1531.
References: Request for Comments 1531: http://go.microsoft.com/fwlink/?LinkId=99880&clcid=0x409 Microsoft TechNet: DHCP Resources: http://go.microsoft.com/fwlink/?LinkId=99882&clcid=0x409
How DHCP Lease Generation Works
Slide diagram (DHCP Client, DHCP Server1, DHCP Server2):
1. DHCP client broadcasts a DHCPDISCOVER packet
2. DHCP servers broadcast a DHCPOFFER packet
3. DHCP client broadcasts a DHCPREQUEST packet
4. DHCP Server1 broadcasts a DHCPACK packet
The text for this topic page does not represent the full process. This topic should be taught using the slide. Inform the students that the text in their workbook does not represent the entire process. Describe the process using the additional detail included on the student's Companion CD (and listed here):
1. The DHCP client broadcasts a DHCPDISCOVER packet. This is a message that is broadcast to every computer in the subnet. The only computer that will respond is one that has the DHCP server role or one that is running the DHCP server agent. In the latter case, the agent will forward the message to the DHCP server with which it is configured.
2. Any DHCP server in the subnet will respond by broadcasting a DHCPOFFER packet. This packet will provide the client with a potential address.
3. The client receives the DHCPOFFER packet. It may receive packets from multiple servers. If the client receives offers from more than one server, it usually will choose the server that made the fastest response to its DHCPDISCOVER. This typically is the DHCP server closest to the client. The client then will broadcast a DHCPREQUEST. The DHCPREQUEST contains a server identifier. This informs the DHCP servers that receive the broadcast which server's DHCPOFFER the client has chosen to accept.
4. The DHCP servers receive the DHCPREQUEST. Servers whose offer the DHCPREQUEST message does not accept use the message as notification that the client has declined their offer. The chosen server stores the client's IP address information in the DHCP database and responds with a DHCPACK message. If for some reason the DHCP server cannot provide the address that was offered in the initial DHCPOFFER, the DHCP server will send a DHCPNAK message.
Explain that DHCP uses a four-step process to lease IP addressing information to DHCP clients. Describe the DHCP lease-generation process by referring to the slide’s illustration. It is important that students understand this process. Run through the demonstration as many times as necessary.
References: MOC 2277C: Module 1 Microsoft TechNet: How DHCP Technology Works: http://go.microsoft.com/fwlink/?LinkID=112075&clcid=0x409
How DHCP Lease Renewal Works
Slide diagram (DHCP Client, DHCP Server1, DHCP Server2), with timeline markers at 50%, 87.5% and 100% of lease duration expired:
1. DHCP client sends a DHCPREQUEST packet
2. DHCP Server1 sends a DHCPACK packet
DHCP renewal occurs when 50% of lease duration has expired. Describe the DHCP lease-renewal process by referring to the slide’s illustration.
If the client fails to renew its lease after 50% of the lease duration has expired, then the DHCP lease renewal process will begin again after 87.5% of the lease duration has expired.
If the client fails to renew its lease after 87.5% of the lease has expired, then the DHCP lease generation process starts over again with a DHCP client broadcasting a DHCPDISCOVER.
References: MOC 2277C: Module 1 Microsoft TechNet: How DHCP Technology Works: http://go.microsoft.com/fwlink/?LinkID=112075&clcid=0x409
DHCP Server Authorization
DHCP authorization is the process of registering the DHCP Server service in the Active Directory domain to support DHCP clients.
Slide diagram (Domain Controller with Active Directory; DHCP Client; DHCP Server1: Authorized, services DHCP requests; DHCP Server2: Unauthorized, does not service DHCP requests):
DHCP Server1 checks with the domain controller to obtain a list of authorized DHCP servers. If DHCP Server1 finds its IP address on the list, the service starts and supports DHCP clients.
DHCP Server2 checks with the domain controller to obtain a list of authorized DHCP servers. If DHCP Server2 does not find its IP address on the list, the service does not start and support DHCP clients.
DHCP client receives IP address from authorized DHCP Server1.
Students should know and understand the importance of DHCP authorization. A rogue DHCP server can cause problems in a network. Incorrectly configured clients can cause numerous issues. When you install a DHCP role in a domain, an Enterprise Administrator must authorize it because several domains can exist in the same IP subnet.
Although it is not recommended, you can use a stand-alone server as a DHCP server, provided that it is not on a subnet with any authorized DHCP servers. When a stand-alone DHCP server detects an authorized server on the same subnet, it automatically stops leasing IP addresses to DHCP clients.
It also is important to note that other network devices may run DHCP servers. These devices do not comply with the notion of being authorized, and therefore they may cause issues in a networked environment.
References: Microsoft TechNet: DHCP Resources: http://go.microsoft.com/fwlink/?LinkId=99882&clcid=0x409 Microsoft TechNet: Networking Collection: http://go.microsoft.com/fwlink/?LinkId=99883&clcid=0x409
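Because devices that ignore authorization can still answer clients, a monitoring host can compare the server identifier in each DHCP reply with the authorized list. The following is an added example, not part of the course material: it parses the option field defined in RFC 2131/2132 and flags replies from unlisted servers. The function names, the hard-coded authorized list and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"       # starts the options field (RFC 2131)
OPT_PAD, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
                 4: "DHCPDECLINE", 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE"}
SERVER_REPLIES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}

# Assumption: a real deployment would export this list from Active Directory.
# The two addresses are the ones the module uses for DHCP Server1 and Server2.
AUTHORIZED_SERVERS = {ipaddress.IPv4Address("192.168.1.2"),
                      ipaddress.IPv4Address("192.168.1.1")}


def parse_options(payload):
    """Return {option code: raw value} from a BOOTP/DHCP message payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: too short or magic cookie missing")
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:              # pad is a single byte with no length
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def inspect_message(payload, authorized=AUTHORIZED_SERVERS):
    """Summarise one DHCP message and flag replies from unlisted servers."""
    opts = parse_options(payload)
    type_raw = opts.get(OPT_MESSAGE_TYPE, b"")
    msg_type = MESSAGE_TYPES.get(type_raw[0], "UNKNOWN") if len(type_raw) == 1 else "UNKNOWN"
    sid_raw = opts.get(OPT_SERVER_ID, b"")
    server_id = ipaddress.IPv4Address(sid_raw) if len(sid_raw) == 4 else None
    offered = ipaddress.IPv4Address(payload[16:20])      # yiaddr field
    # A server reply with no identifier, or one not on the list, is suspect.
    rogue = msg_type in SERVER_REPLIES and server_id not in authorized
    return {"type": msg_type, "server_id": server_id,
            "offered": offered, "rogue": rogue}


def build_reply(msg_type, offered_ip, server_ip, xid=0x1A2B3C4D):
    """Build a constructed server reply (sample data for this example only)."""
    server = ipaddress.IPv4Address(server_ip).packed
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                      # op=BOOTREPLY, htype=Ethernet, hlen, hops
        xid, 0, 0x8000,                  # transaction ID, secs, broadcast flag
        bytes(4),                        # ciaddr
        ipaddress.IPv4Address(offered_ip).packed,        # yiaddr
        server,                          # siaddr
        bytes(4),                        # giaddr
        bytes.fromhex("020000000001"),   # chaddr: constructed client MAC
        b"", b"")                        # sname, file (zero padded)
    options = (bytes([OPT_MESSAGE_TYPE, 1, msg_type]) +
               bytes([OPT_SERVER_ID, 4]) + server + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    samples = (build_reply(2, "192.168.1.50", "192.168.1.2"),   # listed server
               build_reply(2, "10.66.0.23", "192.168.1.77"))    # unlisted server
    for pkt in samples:
        print(inspect_message(pkt))
```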
Demonstration: Adding the DHCP Server Role Course 6421A Demonstration: Adding the DHCP Server Role Module 4: Configuring and Troubleshooting DHCP In this demonstration, you will see how to add and authorize the DHCP Server role Demonstrate how to: Add the DHCP server role. Authorize the DHCP Server role. Demonstration steps: Open Server Manager, click Roles, click Add Role, click DHCP, and then go through the Installation wizard. After the DHCP service is installed, open the Firewall applet in Control Panel, click Advanced, and show the class that Server Manager created the necessary exception in the firewall. Remove the DHCP service, and reboot the server. Install the DHCP role from the command prompt: Click Start, and then click Command Prompt. Type: servermanagercmd -install DHCP -resultPath installResult.xml The role will install. Open the installResult.xml file using Notepad. Information about installing the role is displayed.
Lesson 2: Configuring DHCP Scopes and Options Course 6421A Lesson 2: Configuring DHCP Scopes and Options Module 4: Configuring and Troubleshooting DHCP What Are DHCP Scopes? What Are Superscopes and Multicast Scopes? Demonstration: Configuring DHCP Scopes What Are DHCP Options? What Are DHCP Class-Level Options? What Is a DHCP Reservation? DHCP Sizing and Availability How DHCP Options Are Applied Demonstration: Configuring DHCP Options
Module 4: Configuring and Troubleshooting DHCP Course 6421A What Are DHCP Scopes? Module 4: Configuring and Troubleshooting DHCP A scope is a range of IP addresses that are available to be leased DHCP Server Describe the purpose of a DHCP scope. Explain that administrators must create a DHCP scope before leasing IP addresses to a client. A DHCP scope is a range of IP addresses that are available for lease. Scope properties contain data about the scope, such as the scope range, the lease duration, Domain Name System (DNS) update settings, NAP Configuration, and DHCP/BOOTP configuration options. Describe IPv4 or IPv6 scope capabilities. However, do not go into depth with IPv6, because the next module covers this. Explain that you can create scopes by using the New Scope wizard or the netsh command. References Microsoft TechNet: Setting Up Scopes: http://go.microsoft.com/fwlink/?LinkID=112076&clcid=0x409 LAN A LAN B Scope A Scope B Scope Properties Network ID Subnet mask Scope name Exclusion range Lease duration Network IP address range
What Are Superscopes and Multicast Scopes? Course 6421A What Are Superscopes and Multicast Scopes? Module 4: Configuring and Troubleshooting DHCP DHCP Server Define superscopes and multicast scopes. Emphasize that these scopes are used for special purposes and are not part of every DHCP deployment. Provide examples of when you would use superscopes. What is a superscope? A superscope is a collection of scopes grouped together into an administrative whole. This allows clients to receive an IP address from multiple logical subnets even when they are on the same physical subnet. Reasons to use superscopes One Scope is running out of IP addresses: A common reason for using a superscope is when a scope has exhausted its address pool. This can occur when the network has grown beyond the original subnet’s maximum amount of hosts. In this case, a superscope can allow the network administrator to add additional addresses for clients to lease from another subnet. It is important to remember that you need to configure the routing infrastructure to recognize the new subnet to support local routing. You need to renumber an IP Network. You want to use two DHCP servers on the network for redundancy. What is a multicast scope? A collection of multicast addresses (Class D IP addresses) that a multicast group shares. This is an IP address in the Class D range (224-239). Applications can request these addresses to send data to multiple hosts without needing to send data to each host individually. These scopes are referred to as Multicast Address Client Allocation Protocol (MADCAP) scopes. Applications that request these addresses must support the MADCAP application programming interface (API). References Microsoft TechNet: Setting Up Scopes: http://go.microsoft.com/fwlink/?LinkID=112076&clcid=0x409 LAN A LAN B Scope A and Scope B DHCP Server LAN A LAN B Scope A Scope B
Demonstration: Configuring DHCP Scopes Course 6421A Demonstration: Configuring DHCP Scopes Module 4: Configuring and Troubleshooting DHCP In this demonstration, you will see how to: Create and authorize a DHCP scope Configure a DHCP superscope Demonstrate how to configure DHCP scopes to allocate IP addresses to network clients by: Creating and authorizing a DHCP scope. Configuring a DHCP superscope. Demonstration steps: In the DHCP Microsoft Management Consoles (MMC) console, create and authorize a DHCP scope. Use a private IPv4 network address. (Class C example: 192.168.0.0 Mask: 255.255.255.0) Add a second scope in a neighboring subnet: 192.168.1.0 Mask: 255.255.255.0 Use the Superscope wizard to create a superscope with the two ranges.
What Are DHCP Options?
DHCP options are values for common configuration data that applies to the server, scopes, reservations, and class options.
Explain the purpose of DHCP options. DHCP options allow you to apply common settings to computers that you define in scopes.
Common scope options are: DNS Servers, DNS Name, Default Gateway, WINS Servers.
References: Request for Comments 2132: http://go.microsoft.com/fwlink/?LinkId=99885&clcid=0x409 Microsoft TechNet: DHCP Resources: http://go.microsoft.com/fwlink/?LinkId=99882&clcid=0x409
What Are DHCP Class-Level Options? Course 6421A What Are DHCP Class-Level Options? Module 4: Configuring and Troubleshooting DHCP DHCP class-level options are scope options that apply to a specific type of device Explain that you specify class-level options when you require that a device that belongs to a particular class be configured in a specific way. A class is a logically defined group based on attributes of an IP-based device. Vendor-class Ensure that students understand that vendors specify vendor classes internally You cannot change the vendor class. Microsoft’s DHCP server role offers special options based on the vendor class. An example is disabling NetBIOS over TCP/IP for clients with a vendor class matching Windows 2000 or Windows XP. User-class You can specify user class as needed when you want to set options for a certain class of users (for example, users from a particular physical location). References Microsoft TechNet: DHCP Resources: http://go.microsoft.com/fwlink/?LinkId=99882&clcid=0x409 Microsoft TechNet: Using option classes: http://go.microsoft.com/fwlink/?LinkId=99886&clcid=0x409 DHCP class-level option Description Vendor-class Configured by vendors such as Microsoft, HP, and Sun User-class Set and viewed by the user
What Is a DHCP Reservation? Course 6421A What Is a DHCP Reservation? Module 4: Configuring and Troubleshooting DHCP A reservation is a specific IP address, within a scope, that is reserved permanently for lease to a specific DHCP client Explain what a DHCP reservation is. A DHCP reservation is when an IP address within a scope is set aside for use with a specific DHCP client. Explain why to use a DHCP reservation. If you intend to have servers or printers, it often is desirable to provide them with a fixed address. This ensures that IP addresses in a predefined scope will not be assigned inadvertently to another device. This also will ensure that should a scope be depleted of addresses, the devices with reservations will be guaranteed to have an IP address. Describe the process for configuring a DHCP reservation: Open the DHCP Server role. Expand the DHCP scope, and then click Reservations. Click More Actions, and then click New Reservation. To configure a reservation, you must know the media access control (MAC) or physical address of the device. This is how the DHCP server knows that the device should have a reservation. References Microsoft TechNet: DHCP Resources: http://go.microsoft.com/fwlink/?LinkId=99882&clcid=0x409 Workstation 1 File and Print Server Subnet A Subnet B DHCP Server Workstation 2 IP Address1: Leased to Workstation 1 IP Address2: Leased to Workstation 2 IP Address3: Reserved for File and Print Server
DHCP Sizing and Availability
Slide diagram: DHCP Clients. DHCP Server1 192.168.1.2. DHCP Server2 192.168.1.1.
Explain the purpose of sizing the environment’s scopes. For balancing DHCP server usage, a best practice is to use the “80/20” rule to divide the scope addresses between the two DHCP servers. If you configure Server 1 to make available most (approximately 80%) of the addresses, then you can configure Server 2 to make the other addresses (approximately 20%) available to clients. This also adds a degree of fault tolerance to the DHCP servers by increasing their availability. If one server fails, the second server can continue to renew and provide leases for the clients.
Slide text:
DHCP Server1 has 20% of addresses as follows: Scope range: 192.168.1.10-192.168.1.254 Excluded addresses: 192.168.1.10-192.168.1.205
DHCP Server2 has 80% of addresses as follows: Excluded addresses: 192.168.1.26-192.168.1.254
References: TechNet: Configuring Scopes: http://go.microsoft.com/fwlink/?LinkId=99887&clcid=0x409 TechNet: DHCP Best Practices: http://go.microsoft.com/fwlink/?LinkId=99888&clcid=0x409
How DHCP Options Are Applied Course 6421A How DHCP Options Are Applied Module 4: Configuring and Troubleshooting DHCP DHCP options can be applied at various levels: Explain how DHCP applies options to clients’ computers when multiple options are configured at the server, scope, class, and reserved-client level. DHCP applies options to client computers in a specific order: Server level Scope level Class level Reserved-client level It is important that students understand that scope options will override server options. Class options will override both scope and server options. Reserved-client options apply to devices that have a DHCP reservation. References Microsoft TechNet: DHCP Resources: http://go.microsoft.com/fwlink/?LinkId=99882&clcid=0x409 Server Scope Class Reserved client
Demonstration: Configuring DHCP Options Course 6421A Demonstration: Configuring DHCP Options Module 4: Configuring and Troubleshooting DHCP In this demonstration, you will see how to configure DHCP server, scope, and class options Explain how to configure DHCP options by demonstrating how to: Configure DHCP server and scope options. Configure a DHCP user class option. Configure a DHCP reservation. Demonstration steps: Configure DHCP server and scope options: Using the DHCP MMC console, configure scope options under the scope options node: (Router, DNS server) Configure a DHCP user class option: Using the DHCP MMC console, configure class options. Right-click Server Options, and click the Advanced tab. Configure a DHCP reservation: Using the DHCP MMC console, configure a DHCP reservation in the scope that you configured previously.
Lesson 3: Managing a DHCP Database Course 6421A Lesson 3: Managing a DHCP Database Module 4: Configuring and Troubleshooting DHCP Overview of DHCP Management Scenarios What Is a DHCP Database? How a DHCP Database Is Backed Up and Restored How a DHCP Database Is Reconciled Moving a DHCP Database DHCP Server Configuration Options Demonstration: Managing a DHCP Database
Overview of DHCP Management Scenarios Course 6421A Overview of DHCP Management Scenarios Module 4: Configuring and Troubleshooting DHCP The DHCP service needs to be managed to respond to network changes Scenarios for managing DHCP: Describe management tasks related to DHCP. DHCP management scenarios include: Managing DHCP database growth. The DHCP database is based on a Microsoft Jet database. You need to compact Jet databases on a regular basis. Backup and restore. Information in the DHCP database is important to maintain. If the DHCP server database becomes corrupt or gets lost, it could lead to significant IP configuration issues. DHCP database consistency. The database needs to be accurate. If lease data in the DHCP database does not match the lease information on the client, issues such as duplicate IP addresses can occur on the network. Moving the DHCP database. If the database is very large, it may need to be moved to a larger partition or a better performing volume. Adding clients. Adding new network service servers. Adding new subnets. Adding clients, servers, and subnets can lead to changes in the way the DHCP database is used. These changes require database monitoring and may require new maintenance actions. Managing DHCP database growth Protecting the DHCP database Ensuring DHCP database consistency Adding clients Adding new network service servers Adding new subnets
Module 4: Configuring and Troubleshooting DHCP Course 6421A What Is a DHCP Database? Module 4: Configuring and Troubleshooting DHCP The DHCP database is a dynamic database that contains configuration information The DHCP database contains DHCP configuration data such as: Scopes Address leases Reservations Describe the DHCP database Emphasize that the J50.log file, J50#####.log file, Dhcp.mdb file, and Dhcp.tmp file should not be removed or altered. Describe compacting the DHCP database. Ensure that students understand that Jet databases do not recover space automatically when records are erased. Thus, the database is compacted periodically. If the database has an increased amount of usage, it may be necessary to compact the database manually. Starting with Windows NT Server 4.0, dynamic database compaction occurs on DHCP servers as an automatic background process during idle time or after a database update. References Microsoft TechNet: DHCP Resources: http://go.microsoft.com/fwlink/?LinkId=99882&clcid=0x409 Windows Server 2003 stores the DHCP database in the %Systemroot%\System32\Dhcp folder The DHCP database files include: Dhcp.mdb Tmp.edb J50.log and J50*.log Res*.log J50.chk
How a DHCP Database Is Backed Up and Restored Course 6421A How a DHCP Database Is Backed Up and Restored Module 4: Configuring and Troubleshooting DHCP DHCP Server DHCP Offline Storage Restore Describe how you back up and restore the DHCP database. Automatic backup (synchronous backup) Occurs every 60 minutes. Best practice: Ensure that an offsite backup of the database is kept. Best practice: Make sure that your automatic backup is to a different volume than that on which your DHCP server is running. Manual backup (asynchronous backup) Requires administrative-level permissions. Can also be a member of the DHCP administrators group. What is backed up: All scopes, including superscopes and multicast scopes. Reservations. Leases. All options, including server options, scope options, reservation options, and class options. All registry keys and other configuration settings (for example, audit log settings and folder location settings) set in DHCP server properties. These settings are stored in the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters To back up this subkey, open Registry Editor, and save the specified key to a text file Backup Security: Best Practice: Backups stored on another volume should grant permissions only to the administrative and DHCP administrator groups. Restore process References Microsoft TechNet: Backing up the DHCP database: http://go.microsoft.com/fwlink/?LinkId=99889&clcid=0x409 Back up Restore Back up The DHCP service automatically backs up the DHCP database to the backup directory on the local drive If the original database is unable to load, the DHCP service automatically restores from the backup directory on the local drive In the event that the server hardware fails, the administrator can restore only from the offline storage location The administrator moves a copy of the backed up DHCP database to an offline storage location
How a DHCP Database Is Reconciled Course 6421A How a DHCP Database Is Reconciled Module 4: Configuring and Troubleshooting DHCP DHCP Database Detailed IP address lease information Compares and reconciles inconsistencies in the DHCP Database Explain how you reconcile a DHCP database. Reconciling scopes can fix inconsistencies, such as incorrect or missing information for client IP addresses that are stored in scope-lease information. The DHCP Server service stores the Scope IP address-lease information: Detailed IP address-lease information, stored in the DHCP database. Summary IP address-lease information, stored in the DHCP database. When reconciling scopes, the detail and summary entries are compared to find inconsistencies. To correct and repair these inconsistencies, you need to reconcile any scope inconsistencies found when performing this operation. Once you select and reconcile scope inconsistencies, the DHCP service either restores those IP addresses to the original owner or creates a temporary reservation for them. These reservations are valid for the lease time assigned to the scope. When the lease time expires, the addresses are recovered for future use. Registry Summary IP address lease information DHCP Server Example Registry DHCP Database After Reconciliation Client has IP address 192.168.1.34 IP address 192.168.1.34 is available Lease entry is created in DHCP Database
Module 4: Configuring and Troubleshooting DHCP Course 6421A Moving a DHCP Database Module 4: Configuring and Troubleshooting DHCP DHCP Database You can move a DHCP database from one server to another by using the normal backup and restore procedure. Steps for moving a DHCP database: Back up database on old server. Stop the old DHCP server. Copy database to the new server and, if necessary, install the DHCP server role. Restore the database. Start the DHCP server role. Backup Media DHCP Database Old DHCP Server New DHCP Server
DHCP Server Configuration Options
Describe DHCP server configuration options. DHCP server configuration options are the global settings that you define at the server level.
General options: Allow the administrator to set DHCP statistics for debugging and troubleshooting.
DNS options: This is an important panel to configure if there are devices or operating systems that do not update their DNS information automatically. You can configure the DHCP server to update the DNS server if the client is unable to do so.
Network Access Protection options: This panel enables you to enforce NAP for one or more scopes. NAP allows administrators to validate that machines requesting an IP address have been patched to their operating system’s latest version, and that they are running an updated anti-virus program.
Advanced options: Allow the administrator to force the DHCP server to check for IP conflicts when a DHCP client requests a particular IP address. Older clients that do not perform their own check benefit from this. However, this also can cause some overhead. The recommended configuration is to turn this setting off. The IP binding allows the administrator to specify on which IP address the DHCP server should listen for requests.
Demonstration: Managing a DHCP Database
In this demonstration, you will see how to manage a DHCP database. Use the DNS MMC to demonstrate the following operations: Back up a DHCP database. Restore a DHCP database. Reconcile the DHCP database.
Lesson 4: Monitoring and Troubleshooting DHCP Course 6421A Lesson 4: Monitoring and Troubleshooting DHCP Module 4: Configuring and Troubleshooting DHCP Overview of Monitoring DHCP Common DHCP Issues What Are DHCP Statistics? What Is a DHCP Audit Log File? Monitoring DHCP Server Performance Demonstration: Monitoring DHCP
Overview of Monitoring DHCP Course 6421A Overview of Monitoring DHCP Module 4: Configuring and Troubleshooting DHCP Why monitor DHCP? To observe the dynamic DHCP environment To determine DHCP server performance To facilitate planning for current and future needs Describe methods of, and the reasons for, monitoring DHCP: To ensure the DHCP service is performing at an acceptable level. To ensure the DHCP service has sufficient IP addresses to provide to all clients. To anticipate future growth and proactively address possible issues. Monitoring tasks include: DHCP statistics DHCP events DHCP performance data DHCP data includes: DHCP statistics DHCP events DHCP performance data
Module 4: Configuring and Troubleshooting DHCP Course 6421A Common DHCP Issues Module 4: Configuring and Troubleshooting DHCP Address conflicts Discuss common issues that can occur when you do not configure DHCP properly. Failure to obtain a DHCP address Address obtained from incorrect scope DHCP database suffered data corruption or loss DHCP server has exhausted its IP address pool
What Are DHCP Statistics?
DHCP statistics are collected at either the server level or scope level.
Explain that DHCP statistics provide a general view of DHCP activity and usage. You can configure the refresh rate for the statistics in the server properties General tab.
How to monitor DHCP statistics: Show students the statistics panel in the DHCP Server.
DHCP server statistics: Provide an overview of DHCP server usage. You can use this data to understand the DHCP server’s state quickly.
DHCP scope statistics: Provide basic data about the leases in the DHCP scope.

What Is a DHCP Audit Log File?
A DHCP audit log is a log of service-related events.
Describe the purpose of the DHCP audit log. The audit log provides a traceable log of DHCP server activity that you can use to track lease requests, grants, and denials, and to troubleshoot DHCP server issues. The audit file is stored in systemroot\system32\dhcp. The name of the audit file is based on the weekday it was created. For example, if the day of the week is Monday, then the file name is DhcpSrvLog-Mon.log.
Fields that make up a DHCP audit log:
ID: A DHCP server event ID code
Date: The date on which this entry was logged on the DHCP server
Time: The time at which this entry was logged on the DHCP server
Description: A description of this DHCP server event
IP Address: The IP address of the DHCP client
Host Name: The host name of the DHCP client
MAC Address: The MAC address that the network adapter hardware of the client uses
Common Event ID codes:
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,06/08/03,22:35:10,Started,,,,
56,06/08/03,22:35:10,Authorization failure, stopped servicing,,domain1.local,,
55,06/08/03,22:45:38,Authorized(servicing),,domain1.local
References: Microsoft TechNet: Audit logging: http://go.microsoft.com/fwlink/?LinkId=99893&clcid=0x409

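The following added example (not part of the course material) parses audit log lines in the field layout above and flags the events an operator should review. The lease lines, addresses and host names in the sample are constructed; event IDs 13, 14 and 15 are the standard audit log codes for an address conflict, an exhausted pool and a denied lease, and the rule for descriptions that contain a comma is an assumption.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "event_id date time description ip host mac")

# Event IDs worth an operator's attention. 56 comes from the sample on this
# page; 13, 14 and 15 are the standard audit-log codes for address conflict,
# exhausted pool and denied lease.
ATTENTION = {"13": "address conflict", "14": "address pool exhausted",
             "15": "lease denied", "56": "authorization failure"}

# Constructed sample: the first four lines mirror the page's excerpt, the
# lease lines (10, 13, 14) use made-up addresses and host names.
SAMPLE = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,06/08/03,22:35:10,Started,,,,
56,06/08/03,22:35:10,Authorization failure, stopped servicing,,domain1.local,,
55,06/08/03,22:45:38,Authorized(servicing),,domain1.local
10,06/08/03,22:50:01,Assign,192.0.2.21,client1.domain1.local,000D60FB1234,
13,06/08/03,22:51:40,Conflict,192.0.2.30,BAD_ADDRESS,,
14,06/08/03,23:10:05,Scope Full,192.0.2.0,,,
"""

def parse_line(line):
    """Return an Entry, or None for the header, blank or non-event lines."""
    parts = line.rstrip("\r\n").split(",")
    if len(parts) < 4 or not parts[0].strip().isdigit():
        return None
    event_id, date, time = (p.strip() for p in parts[:3])
    description, rest = parts[3], parts[4:]
    # Assumption: a description that itself contains a comma continues in a
    # field starting with a space (", stopped servicing"); IP, host and MAC
    # values never start with one.
    while rest and rest[0].startswith(" "):
        description += "," + rest.pop(0)
    ip, host, mac = (rest + ["", "", ""])[:3]   # tolerate short or long rows
    return Entry(event_id, date, time, description.strip(), ip, host, mac)

def parse_log(text):
    """Parse every event line of an audit log, skipping anything else."""
    return [e for e in map(parse_line, text.splitlines()) if e]

def needs_attention(entries):
    """Return (reason, entry) pairs for events listed in ATTENTION."""
    return [(ATTENTION[e.event_id], e) for e in entries if e.event_id in ATTENTION]

if __name__ == "__main__":
    for reason, e in needs_attention(parse_log(SAMPLE)):
        print(f"{e.date} {e.time} [{e.event_id}] {reason}: {e.description} {e.ip or e.host}")
```

A plain split on commas would break the event 56 line, because its description contains a comma.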
Monitoring DHCP Server Performance
Create a DHCP performance baseline
Check the standard counters for server performance
Review DHCP server counters for significant changes in DHCP traffic
Performance counters, and what to look for after a baseline is established:
Packets received/second: Monitor for sudden increases or decreases, which could reflect network problems
Requests/second
Active queue length: Monitor for both sudden and gradual increases, which could reflect increased load or decreased server capacity
Duplicates dropped/second: Monitor for any activity that could indicate that more than one request is being transmitted on behalf of clients
Explain how to monitor DHCP server performance. The DHCP performance counters become available after you install the DHCP Server role. Once available, you can load the performance counters using the performance monitor.
Describe the guidelines for monitoring the performance of a DHCP server. A DHCP server typically should not come under a heavy network load. However, if you notice the queue lengths are logging consistently high values, you should check the server for bottlenecks that could be slowing DHCP performance.
Common performance counters include:
Packets received/second
Packets expired/second
Requests/second
Milliseconds per packet
Active queue length
Duplicates dropped/second
References: Microsoft TechNet: DHCP performance monitoring reference: http://go.microsoft.com/fwlink/?LinkId=99894&clcid=0x409

Demonstration: Monitoring DHCP
In this demonstration, you will see how to monitor DHCP statistics and performance.
Explain how to monitor DHCP statistics and performance by demonstrating how to:
View DHCP statistics.
Configure DHCP audit logging.
Configure DHCP performance counters.

Lesson 5: Securing DHCP
Securing DHCP
Preventing an Unauthorized User from Obtaining a Lease
Restricting Unauthorized, Non-Microsoft DHCP Servers from Leasing IP Addresses
Restricting DHCP Administration

Securing DHCP
List the reasons for securing DHCP:
Preventing an unauthorized user from obtaining a lease
Restricting unauthorized, non-Microsoft DHCP servers from leasing IP addresses
Restricting DHCP administration
Note: This topic is for overview purposes only. Each of the reasons for securing DHCP is discussed in more detail in this lesson’s remaining topics.

Preventing an Unauthorized User from Obtaining a Lease
To prevent an unauthorized user from obtaining a lease:
Ensure that unauthorized persons do not have physical or wireless access to your network
Enable audit logging for every DHCP server on your network
Regularly check and monitor audit log files
Use 802.1X-enabled LAN switches or wireless access points to access the network
Configure NAP to validate users and security policy compliance
Discuss the guidelines for preventing an unauthorized user from obtaining a lease. Emphasize that the only way to completely prevent unauthorized access using only DHCP is to disallow network access. However, this is not feasible. The next best action is to limit the possibility of somebody plugging into an empty network jack or to implement security on a wireless network.
Use NAP to validate a client computer’s health. NAP can determine if the computer is running an up-to-date antivirus program and the latest Windows updates. If the computer is not compliant with the NAP policy, it can be denied network access or it can be relegated to a remediation network where it may obtain the necessary updates to become compliant. You also can use NAP to restrict access to a network based on whether the user is authorized for network access.

Restricting Unauthorized, Non-Microsoft DHCP Servers from Leasing IP Addresses
DHCP authorization:
Available on Windows 2000 and Windows Server 2003
Authorization not required on other DHCP implementations
To restrict an unauthorized, non-Microsoft DHCP server from leasing IP addresses, ensure that unauthorized persons do not have physical or wireless access to your network.
Mention to students that users must disable DHCP services from other devices, such as routers or third-party tools. If users complain of network access problems, check the IP settings that the DHCP server is providing by using the following command:
ipconfig.exe /all
If the DHCP server result is not correct, investigating the IP address in question should identify the problem. The only way to restrict these servers is to find their source IP and to remove them from the network. Dhcploc.exe is a utility that you can use to locate rogue DHCP servers on a network.

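The ipconfig check described above, as an added example that is not part of the course material: it reads ipconfig.exe /all output and reports adapters whose lease came from a DHCP server that is not on an approved list. The sample output, the addresses and the approved-server list are constructed for illustration.

```python
import re

# Hypothetical list of the DHCP servers this network is supposed to use.
AUTHORIZED_DHCP_SERVERS = {"192.0.2.10"}

# Constructed `ipconfig.exe /all` output (abridged, made-up addresses).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : NYC-CL1

Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.0.2.21(Preferred)
   Default Gateway . . . . . . . . . : 192.0.2.1
   DHCP Server . . . . . . . . . . . : 192.0.2.10

Wireless LAN adapter Wireless Network Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.57(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
"""

# Indented "Name . . . . : value" lines; the dot leader is not part of the name.
FIELD = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")

def dhcp_servers_by_adapter(text):
    """Map each adapter section to the DHCP server that issued its lease."""
    servers, adapter = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter = line.rstrip()[:-1]          # unindented section header
            continue
        m = FIELD.match(line)
        if m and adapter and m.group(1) == "DHCP Server":
            servers[adapter] = m.group(2).strip()
    return servers

def unexpected_servers(text, authorized=AUTHORIZED_DHCP_SERVERS):
    """Return {adapter: server} for leases issued by a server not on the list."""
    return {a: s for a, s in dhcp_servers_by_adapter(text).items()
            if s not in authorized}

if __name__ == "__main__":
    for adapter, server in unexpected_servers(SAMPLE_IPCONFIG).items():
        print(f"{adapter}: lease issued by unapproved DHCP server {server}")
```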
Restricting DHCP Administration
To restrict who can administer the DHCP service:
Limit the members of the DHCP Administrators group
Add users needing read-only access to the DHCP Users group
Account permissions:
DHCP Administrators group: Can view and modify any data about the DHCP server
DHCP Users group: Has read-only DHCP console access to the server
Restrict who can administer the DHCP server role: The DHCP Administrators group is located in the built-in groups on domain controllers or on local servers because the DHCP Administrators local group is used to restrict and grant access to administer DHCP servers.
Permissions required to authorize and administer DHCP: Authorization of a DHCP service is available only to Enterprise administrators. If the need exists for a down-level administrator to authorize the domain, it can be done using Active Directory® directory service delegation.
DHCP Administrators: Any user in the DHCP Administrators group can manage the DHCP service on the server.
DHCP Users: Any user in the DHCP Users group can have read-only access to the console.

Lab: Configuring and Troubleshooting the DHCP Server Role
Lab objectives:
Install and authorize the DHCP server role
Configure a DHCP Scope and scope options
Troubleshoot common DHCP issues
Scenario: You need to implement a new Windows Server 2008 DHCP server role within the Woodgrove Bank networking environment.
Exercise 1: Installing and Authorizing the DHCP Server Role. The students will install the DHCP server role and ensure that it is authorized in Active Directory.
Exercise 2: Configuring a DHCP Scope. Students will perform the following tasks: Configure DHCP scope and scope options. Validate that DHCP works as expected.
Exercise 3: Troubleshooting Common DHCP Issues. Students will run a script that will configure the DHCP server so that it will not work properly. Using the available information, they will then fix the configuration problems that the script caused.
Inputs: Provided scenario, Virtual machines
Output: DHCP server role installed and configured.
Logon information:
Virtual machine: NYC-DC1, NYC-CL1
User name: Administrator
Password: Pa$$w0rd
Estimated time: 30 minutes

Lab Review
Question: What kind of account is necessary to authorize a DHCP server?
Answer: An Enterprise administrative account is necessary to authorize a DHCP server in a domain.
Question: Why is it important to define an exclusion range when configuring the DHCP scope?
Answer: So that DHCP does not lease the IP addresses of devices that are assigned static IP addresses in the exclusion range, which could cause a possible IP conflict.
Question: What is the consequence of not providing a default gateway when configuring DHCP scope options?
Answer: The computers that you configure with that scope may not be able to communicate outside their own network. If you require Internet connectivity, then you must configure computers with a default gateway.

Module Review and Takeaways
Review Questions
Common Issues and Troubleshooting Tips
Best Practices
Tools
Review Questions
Question: What is the main benefit of using DHCP?
Answer: The main benefit is automatic configuration of IP addresses for client computers.
Question: With what new security feature does DHCP integrate to force client computers to be compliant with company security policies?
Answer: Network Access Protection (NAP)
Question: What are the four DHCP message broadcasts that are used when a successful address lease occurs?
Answer: DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK
Question: At what point in a DHCP lease does the client usually renew the lease automatically?
Answer: When 50 percent of the lease duration has expired.
Question: Why would you use a superscope?
Answer: You are running out of IP addresses in a subnet and need additional IPs for an expanding base of users and devices. You need to transition clients from one IP subnet to another over a period of time, and you want the transition to occur transparently.
Question: What are the three data sources for monitoring DHCP?
Answer: DHCP Statistics, DHCP Events, DHCP Event data