
Microsoft Windows DHCP Team Blog

Welcome! This forum is hosted by the DHCP team in the Windows Enterprise Networking group. Here we would like to share information on tools, tips and insights related to the Windows DHCP client and server. Do write to us if you have any questions or feedback on the product.
Team DHCP wants your feedback!
  1. Is there a particular feature in DHCP (e.g. reservations, callout DLL, failover, netsh, ...) that interests you?
  2. Have you customized the DHCP server, using scripts or external utilities, to suit your environment?
  3. Are there features that you would like to see in the next version of your favorite DHCP server?

If you have answered "Yes" to any of the above, we would love to hear from you. Please contact us at msnetworkteam_AT_live_dot_com.

thanks,

Ajay

Team DHCP

 

(Keywords : DHCP, reservation, failover, mac filter, callout dll, split scope, 80-20 setup)

 

Posted Friday, July 11, 2008 12:23 PM by teamdhcp | 3 Comments

NAP Enforcement Exemption for Printers and other Network Appliances

Network administrators deploying DHCP NAP often need to create a NAP enforcement exemption for devices such as printers, NAS devices and VoIP phones, which don't support NAP. Today we will look at the steps to create such an NPS policy based on the MAC address of each device's NIC.

Limitations: Because of the restriction on the length of the NAP condition attribute field, the MAC list can be at most 256 characters long. To accommodate more MACs, use a regular expression instead of exact MAC strings.

 

1. Launch the NPS MMC -> Network Access Policy -> Right Click -> New

2. Set the name of the policy and select DHCP Server as the Type of Network Access Server. Click Next.

3. On the Specify Conditions page, click 'Add'.

4. Scroll down the condition list and select 'Calling Station ID'. Click Add.

5. Here we enter the list of all the MAC addresses we want to exempt. To specify the list, we take advantage of the pattern matching capability of NPS so that we don't end up creating one policy for each appliance. Please note that this field has a limit of 256 characters, so if you need to exempt a large number of interfaces, use pattern matching instead of exact MAC strings.

Remove any hyphens (dashes) from the MAC address, so 02-00-54-55-4E-01 becomes 020054554E01. Enclose the MAC between a caret and a dollar sign: ^020054554E01$. This ensures that an exact match is done. To add another MAC, put a pipe/logical OR (|) and then the next MAC, again enclosed between ^ and $. Please note that there should not be any spaces in the list. Add all the MACs you want to exempt to this list.

Click OK to add the list. You can later add or remove MACs by opening the properties of the policy.

 

6. You can see the condition added. Click next

 

7. In the Specify Access Permission page, set  "Access Granted"   and click Next.

 

 8. In the Configure Authentication Method page, ensure only "Perform machine health check only" is checked. Click Next.  

 

9. Click Finish to complete the Wizard

 

 

10. Now the policy is in place, but due to policy processing order of NPS, this policy would never get a chance to be evaluated if there are other policies in place. Go to the NPS and select the policy  -> Right Click -> Move Up.

 

11. Repeat the above till the policy is at the top of the list. You are done!!
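The list format from step 5, as an added example in portable C that is not part of the original post: it builds the anchored pattern from hyphenated MACs, enforces the 256-character limit, and checks which station IDs a finished pattern would exempt. The function names are made up for the illustration, and upper-casing the hex digits follows the post's example rather than any documented NPS rule.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NPS_FIELD_MAX  256   /* condition field limit stated in the post */
#define MAC_HEX_DIGITS 12

/* Strip hyphens and validate one MAC; writes 12 upper-case hex digits.
 * Returns 0 on success, -1 if the input is not a 48-bit MAC. */
static int normalize_mac(const char *in, char out[MAC_HEX_DIGITS + 1])
{
    size_t n = 0;
    for (; *in != '\0'; in++) {
        if (*in == '-')
            continue;
        if (!isxdigit((unsigned char)*in) || n == MAC_HEX_DIGITS)
            return -1;
        out[n++] = (char)toupper((unsigned char)*in);
    }
    out[n] = '\0';
    return n == MAC_HEX_DIGITS ? 0 : -1;
}

/* Build "^MAC1$|^MAC2$|..." with no spaces. Returns the pattern length,
 * -1 for a malformed MAC (its index is stored in *bad), or -2 when the
 * result would not fit in the 256-character field or in the buffer. */
int build_exemption_pattern(const char *const macs[], size_t count,
                            char *out, size_t out_size, size_t *bad)
{
    size_t len = 0;
    if (out_size > 0)
        out[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        char mac[MAC_HEX_DIGITS + 1];
        size_t need = MAC_HEX_DIGITS + 2 + (i > 0 ? 1 : 0);
        if (normalize_mac(macs[i], mac) != 0) {
            if (bad != NULL)
                *bad = i;
            return -1;
        }
        if (len + need > NPS_FIELD_MAX || len + need >= out_size)
            return -2;
        len += (size_t)snprintf(out + len, out_size - len, "%s^%s$",
                                i > 0 ? "|" : "", mac);
    }
    return (int)len;
}

/* Each entry costs 14 characters plus one '|' between entries,
 * so n exact MACs need 15n - 1 characters. */
size_t max_exact_macs(void)
{
    return (NPS_FIELD_MAX + 1) / (MAC_HEX_DIGITS + 3);
}

/* Does a pattern made only of anchored literal alternatives exempt this
 * station ID? Unanchored or partial alternatives never match here. */
int pattern_exempts(const char *pattern, const char *station_id)
{
    size_t idlen = strlen(station_id);
    const char *p = pattern;
    while (*p != '\0') {
        const char *bar = strchr(p, '|');
        size_t alt = bar ? (size_t)(bar - p) : strlen(p);
        if (alt == idlen + 2 && p[0] == '^' && p[alt - 1] == '$' &&
            strncmp(p + 1, station_id, idlen) == 0)
            return 1;
        p += alt + (bar ? 1 : 0);
    }
    return 0;
}

int main(void)
{
    /* Constructed sample MACs, not taken from a real network. */
    const char *const macs[] = { "02-00-54-55-4E-01", "02-00-54-55-4e-02" };
    char pattern[NPS_FIELD_MAX + 1];
    size_t bad = 0;
    int len = build_exemption_pattern(macs, 2, pattern, sizeof pattern, &bad);

    if (len < 0) {
        fprintf(stderr, "cannot build pattern (code %d, entry %zu)\n", len, bad);
        return 1;
    }
    printf("%s (%d of %d characters)\n", pattern, len, NPS_FIELD_MAX);
    printf("exact MACs that fit in one policy: %zu\n", max_exact_macs());
    return 0;
}
```

Exact anchored entries keep the exemption as narrow as the field allows; a broader regular expression exempts every address it matches, so review what else falls inside it.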

Let's check whether all such devices are indeed exempted by this policy.

Open Windows Event Viewer (eventvwr.mmc) and turn on each such device, or renew its address. In the left pane of the MMC, click Custom View -> Server Role -> Network Access Server. Scroll down the logged events until you find either the MAC address or the exemption policy being matched.

 

Hope this helps in your DHCP NAP deployment. Looking forward to your comments, suggestions and queries.

Regards, 

Ujjwal John

[Windows Enterprise Networking Group, Microsoft]

Posted Sunday, June 15, 2008 6:11 PM by teamdhcp | 0 Comments

Configuring Custom NPS Policies Per DHCP scope

DHCP server administrators deploying DHCP NAP have often asked about provisioning clients on different subnets with separate network policies. Here is a step-by-step walkthrough for configuring such policies from the NPS management console, along with the required settings in the DHCP management console.

Scenario Description

Kevin is the network administrator of an organization with two subnets managed by a Windows Server 2008 machine running the DHCP Server and NPS roles:

192.168.1.xxx - for permanent employees sitting inside the secured facility

10.10.10.xxx - for temporary vendors placed in the unsecured facilities who carry their laptops to customer sites.

The admin would like to assign addresses to clients on these two subnets through two different Network Access Policies, enforcing different levels of restriction on unhealthy clients. To do this, we make each scope pass a specific "MS-Service Class" value to NPS, so that NPS can match the corresponding policy to grant network access. We will call these scopes Scope192 and Scope10 respectively and create the DHCP scopes and NPS policies. We start by creating the DHCP scopes:

1. Launch the DHCP server management console, either from Computer Management or directly with the command dhcpmgmt.msc. In the DHCP MMC -> Server -> IPv4 -> Right Click -> New Scope


2. Now set the name of the scope and add some description

3. Create the Address pool for the subnet and the subnet mask

4. Set the other scope option and activate the scope

5. To complete, finish the wizard

6. Now open the properties page of the scope by right-clicking the scope.

7. Open the 'Network Access Protection' tab in the properties page and set the custom profile name to the scope name itself. We will use the name of the scope both here and while creating the NPS profile, for consistency.

 

 8. Click Ok to finish.

Repeat steps 1 through 8 to create another scope for 10.10.10.xxx and name it 'Scope10'.

Now that we have the required scopes created, let's create the NPS profiles for the corresponding scopes. Open the NPS MMC snap-in from the Computer Management console or type 'nps' directly at the command prompt. Follow these steps to create and configure the Network Access Policies for DHCP:

1. Click the NPS icon on the left pane of the NPS MMC and click "Configure NAP" from the "Getting Started" pane.

 

2. In the ensuing wizard page, select DHCP for 'Network Connection Method' and set the policy name to the name of the scope for which you are creating the policy, 'Scope192' in our case.

 

3. Add any remote RADIUS servers, if you have them. Click Next.

4. Now specify the DHCP scope this profile will be used for. Note that this name must be exactly the same as the one we specified in steps 2 and 7 while creating the DHCP scope. For us, it is "Scope192". Click Next and set the other properties.

 

5. Finish the wizard to complete creating the policy.

 

Repeat the steps 1 thru 5 to create policy for Scope10.

 

Verifying the NPS Profiles

Now that we have created the scopes and the policies, we need to verify that the appropriate NPS policies are indeed governing network access on each subnet. Open Windows Event Viewer and clear or save the events logged in the Security channel under Windows Logs. Release the IP address of a client on the subnet 192.168.1.xxx and renew it. You should see the appropriate policy being matched for any request on that subnet in the logs for the NPS server role.

You can verify the same for Scope10 by generating a DHCP request on that subnet and looking at the event logs. If you find that a request from a subnet is being matched against the wrong policy, look carefully at the event logs. Most such issues can be attributed to even slight errors in creating the policy.

I hope  this article helps those deploying DHCP NAP in a typical enterprise network. Any comments, suggestions and queries are welcome.

 Regards,

Ujjwal John

[Windows Enterprise Networking Group, Microsoft]

 

 

 

 

Posted Wednesday, May 28, 2008 3:03 PM by teamdhcp | 0 Comments

Script to display ALL the reserved addresses configured on the DHCP server.

The Microsoft DHCP server provides a show command to display the reserved addresses configured at a particular scope level. But displaying ALL the reserved addresses configured in ALL the scopes on the server is not possible with a single command.

You can use the script (batch file) below to display the reservations for all the scopes configured on the server. An intermediate file named "display.nsh" is created in the current folder, but it is deleted once the script finishes.

 

Note: The script contents below are meant to be run as a batch file. If you are running them directly on the console (i.e. not as a batch file), replace all occurrences of %%i in the script with %i.

 

 

Script for DHCPV4 (Display_DHCPV4_Reservations.bat)

*********************************************************************************************************
@echo off
del display.nsh > nul 2> nul
for /F "skip=4 tokens=1 delims== " %%i in ('netsh dhcp server show scope') do if NOT %%i == Total if NOT %%i == Command echo dhcp server scope %%i show reservedip >> display.nsh
netsh -f display.nsh
del display.nsh > nul 2> nul
*********************************************************************************************************

 

 

Script for DHCPV6 (Display_DHCPV6_Reservations.bat)

 

*********************************************************************************************************
@echo off
del display.nsh > nul 2> nul
for /F "skip=4 tokens=1 delims== " %%i in ('netsh dhcp server v6 show scope') do if NOT %%i == Total if NOT %%i == Command echo dhcp server v6 scope %%i show reservedip >> display.nsh
netsh -f display.nsh
del display.nsh > nul 2> nul
*********************************************************************************************************

 

Thanks,

Gnana Pandian.C

Team DHCP.

Posted Friday, April 18, 2008 4:58 PM by teamdhcp | 1 Comments

DHCP Server Callout DLL for MAC Address based filtering - MAC Address List File Format

Looking at the problems people have had configuring the MAC Address List File for the MAC address filtering callout DLL, here are some detailed tips to help you verify your configuration against the one below...

· The file should contain the action followed by the MAC address list, in the format shown below. The format is checked strictly, so it must be followed exactly, including the braces.

 

MAC_ACTION = {ALLOW / DENY}

000a0c0d1254

000d0c4a6723

· The first line in the file should specify the action. The action can be either ALLOW or DENY. Please note the braces around the action.

o   When the action is ALLOW, all requests from MAC addresses present in this list will be served by the DHCP server. All requests originating from MAC addresses not present in this list will be ignored.

o   When the action is DENY, all requests from MAC addresses present in the list will be ignored by the DHCP server. All requests from MAC addresses not present in this list will be served by the DHCP server.

o   Only one action, either ALLOW or DENY, can be specified in the MAC Address List File.

· Each MAC address should be specified in the format XXXXXXXXXXXX (where X is a hex digit 0 - F). There should not be any delimiter such as - or : in the MAC address. Each MAC address should be on a separate line.

· If there is any error in the MAC Address List File, it will be logged to the CalloutErrorLogFile or the default error log file. The expected behavior of the DLL in case of errors is as follows:

o   If the action is not specified correctly, the DHCP server will function as if there is no callout DLL, i.e. none of the requests will be ignored. The error will be logged in the error log file.

o   If one or more MAC addresses are not specified correctly, those MAC address entries will be ignored. The error will be logged in the error log file.
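A checker for the file format described above, as an added example in portable C; it is not the callout DLL's code. It assumes the action line reads exactly `MAC_ACTION = {ALLOW}` or `MAC_ACTION = {DENY}`, that blank lines are skipped and that hex digits compare case-insensitively; all names are made up for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_MACS 64

enum mac_action { ACTION_INVALID = 0, ACTION_ALLOW, ACTION_DENY };

struct mac_list {
    enum mac_action action;
    char macs[MAX_MACS][13];  /* 12 lower-case hex digits + NUL */
    size_t count;
    size_t rejected;          /* entries that would be ignored and logged */
};

/* Exactly 12 hex digits, no '-' or ':' delimiters. */
static int is_mac12(const char *s)
{
    size_t n = 0;
    for (; s[n] != '\0'; n++)
        if (!isxdigit((unsigned char)s[n]))
            return 0;
    return n == 12;
}

static void lower12(char dst[13], const char *src)
{
    for (size_t i = 0; i < 12; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[12] = '\0';
}

/* Parse the file contents held in memory. The first non-blank line is
 * the action; every later line must be one MAC address. */
void parse_mac_list(const char *text, struct mac_list *out)
{
    int first = 1;
    memset(out, 0, sizeof *out);
    while (*text != '\0') {
        char line[64];
        size_t len = strcspn(text, "\n");
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;
        memcpy(line, text, n);
        line[n] = '\0';
        text += len + (text[len] == '\n');
        while (n > 0 && isspace((unsigned char)line[n - 1]))
            line[--n] = '\0';             /* drops '\r' from CRLF files */
        if (n == 0)
            continue;
        if (first) {
            first = 0;
            if (strcmp(line, "MAC_ACTION = {ALLOW}") == 0)
                out->action = ACTION_ALLOW;
            else if (strcmp(line, "MAC_ACTION = {DENY}") == 0)
                out->action = ACTION_DENY;
            continue;
        }
        if (!is_mac12(line) || out->count == MAX_MACS) {
            out->rejected++;
            continue;
        }
        lower12(out->macs[out->count++], line);
    }
}

/* 1 if the server would answer this client under the rules in the post.
 * An invalid action line disables filtering, so every client is served. */
int would_serve(const struct mac_list *list, const char *mac)
{
    int present = 0;
    if (list->action == ACTION_INVALID)
        return 1;
    if (is_mac12(mac)) {
        char norm[13];
        lower12(norm, mac);
        for (size_t i = 0; i < list->count; i++)
            if (memcmp(list->macs[i], norm, 12) == 0)
                present = 1;
    }
    return list->action == ACTION_ALLOW ? present : !present;
}

int main(void)
{
    /* Constructed sample file: the second entry still has delimiters. */
    const char *sample =
        "MAC_ACTION = {ALLOW}\r\n000a0c0d1254\r\n00-0d-0c-4a-67-23\r\n";
    struct mac_list list;

    parse_mac_list(sample, &list);
    printf("action=%d accepted=%zu rejected=%zu\n",
           (int)list.action, list.count, list.rejected);
    printf("000d0c4a6723 served: %d\n", would_serve(&list, "000d0c4a6723"));
    return 0;
}
```

Running the checker before deploying a list shows the two failure modes from the post: a mistyped entry silently drops out of an ALLOW list, and a mistyped action line turns filtering off entirely.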

Thanks

Govind [MSFT]

 

Posted Friday, March 14, 2008 11:53 AM by teamdhcp | 8 Comments

Export - Import of DHCPv6 Server Configurations

The export and import commands in netsh let you export the configuration of a local server to a file, which can then be imported on another server.

 

Exporting and importing of  DHCPv6 Server configuration can be done using the following steps:

 

Let’s say there are three scopes configured under DHCPv6 Server with prefix 3ffe:: , 4ffe:: and 5ffe:: .

 

The v6 configurations of this local server can be exported to a file using the following steps:

 

a. Open a command prompt or PowerShell and type netsh

b. Go to the v6 context by typing dhcp server v6

c. If all the v6 configurations need to be exported, use the following command:

export c:\dhcp\tempdb all

If the configurations of only a few particular v6 scopes need to be exported, use the following command:

export c:\dhcp\tempdb 3ffe:: 4ffe::

 

To import these configurations on another server, copy the exported configuration file to that server and follow the steps below on it:

a. Open a command prompt or PowerShell and type netsh

b. Go to the v6 context by typing dhcp server v6

c. If all the v6 configurations need to be imported, use the following command:

import <filename> all

If the configuration of a particular v6 scope needs to be imported, use the following command:

import <filename> 3ffe::

 

Raunak Pandya

DHCP Server Team

Posted Thursday, February 07, 2008 3:56 PM by teamdhcp | 1 Comments

Heroes Happen {Here}

Unleash the power of Windows Server 2008, Visual Studio 2008 & SQL Server 2008 and be a {HERO}

Windows Server 2008, SQL Server 2008, and Visual Studio 2008 provide a secure and trusted platform for creating and running your most demanding applications. Combined, the products provide a solid foundation for next-generation web applications, broad support for virtualization technology, and access to relevant information. Advanced security technology, developer support for the latest platforms, improved management and web tools, flexible virtualization solutions, and access to relevant information from throughout your organization enable you to drive your business forward. 

With Heroes Happen Here launch, you can write a story based on how you have used Microsoft Windows Server, SQL Server, Visual Studio innovatively. For instance, if you are a Developer, Architect, Tester or a Designer, you can tell us how you have used these to ensure bug-free coding or created solutions that changed business. In case you are an IT Pro, then you could for example, tell the world how you saved money for your company or bettered business performance or anything else you are proud of.

Contribute your hero stories on Heroes Happen Here and you can win some real cool prizes.

Submit your story now. All the best!


Get Inspired! Read stories from other IT Heroes & Vote Now for them !!

Posted Monday, January 14, 2008 2:35 PM by teamdhcp | 2 Comments

DHCP Web-Chat Session on Dec 6' 2007!

DHCP enhancements in Windows Vista & Windows Server 2008: NAP enforcement & DHCPv6

Join us to discover all the new and improved features in the Windows Server 2008 and Windows Vista DHCP Client.
We will discuss IPv6 support, NAP enforcements, Deployment tricks, techniques and best practices for Microsoft DHCP product in a live web-chat session on December 6, 2007. This is your chance to talk about your experiences and give us feedback on what you want us to improve.

 

Thursday, December 6, 2007

 

10:00 - 11:00 A.M. Pacific Time

 

11:00 - 12:00 P.M. Mountain Time

 

18:00 - 19:00 GMT

 

Join chat room on the day of the chat.

 

Add the session to your Calendar: http://www.microsoft.com/communities/chats/vcs/07_1206_tn_DHCP.ics

Posted Tuesday, December 04, 2007 11:27 AM by teamdhcp | 0 Comments

Callout API usage
The Microsoft DHCP Server provides a way for administrators to access the critical phases of DHCP protocol processing in the Windows Server 2003 family and later. With this, an admin can do the following:
  • Create customized extensions to the Microsoft DHCP Server
  • Monitor statistics
  • Create parallel lease databases
  • Provide other customized solutions

I am attaching the simplest code for the callout API, which you can modify to suit your needs. For example, to use DhcpPktSendHook to modify the DHCP packet before it is sent, do the following:

1)- Allocate a buffer to hold a copy of the DHCP packet.

2)- Copy the packet into it.

3)- Modify the packet.

4)- Free the memory pointed to by the LPBYTE* Packet parameter of DhcpPktSendHook and assign the pointer you allocated in its place.

To allocate the buffer, use

HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, Size);

To free the packet, use

HeapFree(GetProcessHeap(), 0, *Packet);

/******************************************************************************************/

//Mind you this is a very simple implementation of the callout DLL.

//Our callout function just logs the various states into a file (and that too incompletely..)

#include <windows.h>
#include <stdio.h>
#include <string.h>
#include "dhcpssdk.h"

FILE * CalloutFile;

DWORD CALLBACK DhcpAddressDelHook
 (LPBYTE Packet,DWORD PacketSize,DWORD ControlCode,DWORD IpAddress,DWORD AltAddress,LPVOID Reserved,LPVOID PktContext)
{
 return ERROR_SUCCESS;
}

DWORD CALLBACK DhcpAddressOfferHook
 (LPBYTE Packet,DWORD PacketSize,DWORD ControlCode, DWORD IpAddress,DWORD AltAddress,DWORD AddrType,DWORD LeaseTime,LPVOID Reserved,LPVOID PktContext)
{
 char PacketBuff[4096];
 // The log file is opened in DhcpControlHook; skip logging if that failed.
 if(CalloutFile==NULL)
 {
  return ERROR_SUCCESS;
 }
 if(ControlCode==DHCP_GIVE_ADDRESS_NEW)
 {
  fprintf(CalloutFile,"Offering new address %lx %lu on interface %lx for %lu seconds\n",AltAddress,AltAddress,IpAddress,LeaseTime);
 }
 else if(ControlCode==DHCP_GIVE_ADDRESS_OLD)
 {
  fprintf(CalloutFile,"Offering old address %lx %lu on interface %lx for %lu seconds\n",AltAddress,AltAddress,IpAddress,LeaseTime);
 }
 // Copy only when the packet plus the terminating NUL fits in the buffer.
 // The packet is binary, so %s prints it only up to its first zero byte.
 if(PacketSize<4096)
 {
  memcpy(PacketBuff,Packet,PacketSize);
  PacketBuff[PacketSize]='\0';
  fprintf(CalloutFile,"Packet: %s\n",PacketBuff);
 }
 return ERROR_SUCCESS;
}

DWORD CALLBACK DhcpControlHook(DWORD dwControlCode,LPVOID lpReserved)
{
 // Open the log on start; every other control code needs an open log.
 if(dwControlCode==DHCP_CONTROL_START)
 {
  CalloutFile=fopen("callout.txt","w");
 }
 if(CalloutFile==NULL)
 {
  return ERROR_SUCCESS;
 }
 switch (dwControlCode)
 {
 case DHCP_CONTROL_START:
  {
   fprintf(CalloutFile,"The DHCP server has successfully started.\n");
   break;
  }
 case DHCP_CONTROL_STOP:
  {
   fprintf(CalloutFile,"The DHCP server has successfully stopped.\n");
   fclose(CalloutFile);
   CalloutFile=NULL;
   break;
  }
 case DHCP_CONTROL_PAUSE:
  {
   fprintf(CalloutFile,"The DHCP server has been paused.\n");
   break;
  }
 case DHCP_CONTROL_CONTINUE:
  {
   fprintf(CalloutFile,"The DHCP server has been continued.\n");
   break;
  }
 }
 return ERROR_SUCCESS;
}


DWORD CALLBACK DhcpDeleteClientHook(DWORD IpAddress, LPBYTE HwAddress,ULONG HwAddressLength, DWORD Reserved,DWORD ClientType)
{
 return ERROR_SUCCESS;
}

DWORD CALLBACK DhcpNewPktHook(LPBYTE* Packet,DWORD* PacketSize,DWORD IpAddress,LPVOID Reserved,LPVOID* PktContext,LPBOOL ProcessIt)
{
 return ERROR_SUCCESS;
}

DWORD CALLBACK DhcpPktDropHook(LPBYTE* Packet,DWORD* PacketSize,DWORD ControlCode, DWORD IpAddress,LPVOID Reserved,LPVOID PktContext)
{
 return ERROR_SUCCESS;
}

DWORD CALLBACK DhcpPktSendHook(LPBYTE* Packet,DWORD* PacketSize,DWORD ControlCode,DWORD IpAddress,LPVOID Reserved,LPVOID PktContext)
{
 return ERROR_SUCCESS;
}

DWORD CALLBACK DhcpServerCalloutEntry(LPWSTR ChainDlls,DWORD CalloutVersion,LPDHCP_CALLOUT_TABLE CalloutTbl)
{
 // Register every hook defined above, including the offer hook that does the logging.
 CalloutTbl->DhcpAddressDelHook=DhcpAddressDelHook;
 CalloutTbl->DhcpControlHook=DhcpControlHook;
 CalloutTbl->DhcpDeleteClientHook=DhcpDeleteClientHook;
 CalloutTbl->DhcpPktDropHook=DhcpPktDropHook;
 CalloutTbl->DhcpAddressOfferHook=DhcpAddressOfferHook;
 CalloutTbl->DhcpNewPktHook=DhcpNewPktHook;
 CalloutTbl->DhcpPktSendHook=DhcpPktSendHook;
 return ERROR_SUCCESS;
}

/******************************************************************************************/

Manu Jeewani

Windows Enterprise Networking

Posted Tuesday, November 27, 2007 5:15 PM by teamdhcp | 3 Comments

Reservations in Split Scopes

Split scopes are generally used to provide high availability in a DHCP Server deployment, so that if one server goes down, another server is available from which clients continue to obtain an IP address lease.

Let's take an example of how split scopes are created. We have the range from 10.0.0.1 to 10.0.0.200 and we want to configure the split scope in a 50-50 manner:

1)- Create the scope 10.0.0.1 to 10.0.0.200 on the first server (say A) and configure an exclusion on server A from 10.0.0.101 to 10.0.0.200, so that it serves the addresses from 10.0.0.1 to 10.0.0.100.

2)- Create the scope 10.0.0.1 to 10.0.0.200 on the second server (say B) and configure an exclusion on server B from 10.0.0.1 to 10.0.0.100, so that it serves the addresses from 10.0.0.101 to 10.0.0.200.

Sometimes we want a few network devices, such as printers and fax machines, to always get a constant IP address. This can be solved in two ways:

1)- Configure the same reservation on both servers. This ensures that these machines get only the reserved IP address, but it can be assigned by either server (A or B).

2)- If only server A should give IP X to client C, and server B should not assign any address to that client, create the reservation for client C on Server A and implement a callout DLL on Server B so that whenever it receives a packet from client C, it drops the packet. For more information on callout DLLs, refer to http://blogs.msdn.com/anto_rocks/archive/2005/02/25/380510.aspx

 

Manu Jeewani

Windows Enterprise Networking

Posted Friday, October 26, 2007 11:31 PM by teamdhcp | 5 Comments

Unable to obtain IP address on Vista machine - Here are steps to debug

1. Verify that the output of the ipconfig command shows at least one interface, wired or wireless, connected to your machine.

2. Verify that the output of ipconfig /all shows DHCP is enabled on that interface.

DHCP Enabled. . . . . . . . . . . : Yes

3. Verify that the DHCP client service is running on your machine. Run the command 'sc queryex dhcp' at the command prompt.

SERVICE_NAME: dhcp
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 980
        FLAGS              :

4. Check the output of ipconfig /renew. Does it say "Unable to connect to DHCP Server"? If a duplicate address is detected, the DHCP client will automatically try to get a new IP address.

5. Make sure the DHCP server is running on the network and reachable. If you know the IP address of the DHCP server, ping it from some other machine on the network. Check that other machines on the same network are getting IP addresses from the DHCP server.

6. Disable and re-enable your network adapter. Go to ncpa.cpl and disable, then enable, the adapter.

7. Remove the cable from this machine and connect it to another, working machine that already gets an IP address from the DHCP server, to ensure that this is not a cable or driver issue.

8. Stop the firewall on your machine and try ipconfig /renew. Does it solve your problem? The firewall might be blocking your communication with the DHCP server. Contact your firewall software provider.

9. Is it an issue with your router? Try resetting your router and see if it solves your issue.

10. Assign a static IP address and gateway to the interface and check whether you are able to ping other machines on the network. If NOT, this might be a cable or driver issue with the interface. Try using another cable or NIC. Refer to the instructions at http://support.microsoft.com/kb/555992 for static IP address assignment.

11. Verify that you are not facing this issue: http://support.microsoft.com/kb/928233 (Windows Vista cannot obtain an IP address from certain routers or from certain non-Microsoft DHCP servers)

12. Verify that you are not facing this issue: http://support.microsoft.com/kb/933340 (You cannot use a remote access server to apply Dynamic Host Configuration Protocol (DHCP) options to a Windows Vista-based computer. Therefore, the Windows Vista-based computer loses some TCP/IP configurations.)

13. Install netmon and verify that DHCP communication with the server is happening. You can send us the NETMON capture of the DHCP transactions and the DHCP server configuration for analysis. NETMON 3 is available at http://www.microsoft.com/downloads

14. You can also capture DHCP client tracing for further analysis:

1. Output of ipconfig /all

2. Enable DHCP tracing (netsh dhcpclient trace enable)

3. ipconfig /release and ipconfig /renew

4. Output of ipconfig /all (when in quarantine and the firewall is disabled)

5. Please send the route information (route print -4)

6. Please provide the %windir%\system32\logfiles\WMI\dhcpcsvc.etl, dhcpcsvc6.etl and dhcpqec.etl files.

7. Share the build information (you can find the full build string in the registry at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion in the BuildLabEx value, or in the output of the winver command).

8. Please also provide the system event logs (run "eventvwr" on the command line and go to Windows Logs -> System)

Share above information at http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=716&SiteID=17 

Hope this helps in solving your problem,

Govind [MSFT]

Posted Friday, October 26, 2007 3:24 PM by teamdhcp | 0 Comments

Finding Client Info based on MAC address.

There is a DHCP Server management API, DhcpGetClientInfo(), with which a DHCP user can get information about DHCP clients.

There are three ways to look up a client with this API.

The first is by specifying ClientIpAddress in the DHCP_SEARCH_INFO structure.

The second is by specifying ClientName in the DHCP_SEARCH_INFO structure.

The third and trickiest is by specifying the MAC address. A particular MAC address can have more than one address assigned to it in different subnets, so the API caller has to specify in which subnet to perform the search. To do this, the caller needs to create the client UID.

The client UID is created in this way:

[Subnet address in which to search for the client, in host byte order]+[01]+[MAC]

The following sample code does this.

 

#include <stdio.h>
#include <windows.h>
#include <dhcpsapi.h>

int main(void)
{
            DWORD error;
            DHCP_SEARCH_INFO dhcpSInfo;
            DHCP_CLIENT_INFO *clientInfo = NULL;
            WCHAR *server = L"127.0.0.1";
            BYTE Mac[11];

            Mac[0] = 0x00;  /* Subnet address in host order. */
            Mac[1] = 0x00;
            Mac[2] = 0x00;
            Mac[3] = 0x6e;

            Mac[4] = 0x01;  /* Hardware address type, this is the default value. */

            Mac[5] = 0x00;  /* My MAC bytes start from here (00 14 38 c1 c6 b3) */
            Mac[6] = 0x14;
            Mac[7] = 0x38;
            Mac[8] = 0xc1;
            Mac[9] = 0xc6;
            Mac[10] = 0xb3;

            dhcpSInfo.SearchType = DhcpClientHardwareAddress;
            dhcpSInfo.SearchInfo.ClientHardwareAddress.DataLength = sizeof(Mac);
            dhcpSInfo.SearchInfo.ClientHardwareAddress.Data = Mac;

            error = DhcpGetClientInfo(server, &dhcpSInfo, &clientInfo);

            printf("Error, %lu\n", error);

            /* clientInfo is only valid when the call succeeded. */
            if (error == ERROR_SUCCESS && clientInfo != NULL)
            {
                        printf(" IP   %lx\n", clientInfo->ClientIpAddress);
                        /* Release the structure allocated by the API. */
                        DhcpRpcFreeMemory(clientInfo);
            }
            return (int)error;
}

/*
The output I got by executing this particular code was:
Error, 0
 IP   6e6e6e32
*/

 

Manu Jeewani,

Windows Enterprise Networking

Posted Friday, October 26, 2007 12:19 PM by teamdhcp | 3 Comments

DHCP Server Callout DLL for MAC Address based filtering

This DHCP Server Callout DLL helps administrators filter DHCP requests to the DHCP Server based on MAC address. When a device or computer tries to connect to the network, it first tries to obtain an IP address from the DHCP Server. The callout DLL checks whether the device's MAC address is present in the list of known MAC addresses configured by the administrator. Depending on the action the administrator configured, a device on the list is either allowed to obtain an IP address or has its requests ignored.

MAC address based filtering allows network administrators to ensure that only a known set of devices are able to get an IP address from the DHCP Server. This DLL helps administrators enforce additional security in the network.

This callout DLL helps solve either of the following problems:

1. Allow only machines belonging to a set of MAC addresses to get an IP address from the DHCP Server.

2. Deny machines belonging to a set of MAC addresses from getting an IP address from this server.

This callout DLL shall work on W2K3 Server and Windows Longhorn Server.

The usage is pretty simple and explained in the setup document along with the tool.

Both the dll (MacFilterCallout.dll) and the Setup document (SetupDHCPMacFilter.rtf) are copied on to %SystemRoot%\system32 folder after installation.

 

Raunak Pandya

DHCP Server Team

 

We thank our users for your patronage of the Server Callout DLL. The DHCP team is interested in obtaining your feedback on this utility. Please contact us at msnetworkteam_AT_live_DOT_com if you are willing to share your experiences and help us improve our products.

Team DHCP

Posted Wednesday, October 03, 2007 12:11 PM by teamdhcp | 140 Comments


Attachment(s): MacFilterCallout.zip

Thumb-rule for determining the Ratio in a DHCP Split-Scope Deployment

In a previous post, I had discussed How to use Split-Scopes in DHCP for a Robust Deployment. Some of you wrote back asking why is a 80:20 split better than a 60:40 or 50:50 split. Let me try to answer how the ratio of the split should be determined.

 

An 80:20 split of the available address range between the primary and the secondary DHCP servers is most commonly used, but of course you can use any ratio appropriate to your deployment.

 

A good rule of thumb for determining the ratio is (0.5*Lease Time for the Subnet) : (Amount of time it will take you to restore a server). For instance, if the address lease time on your DHCP server is 8 days, then the clients will renew their lease every (0.5 * 8 = 4) days. Say, it will take you max 1 day to restore a server in case it is down. Then the appropriate ratio would be 4:1 or 80:20. You can vary this based on your requirements/deployment.

 

Ideally, of course, if you have a lot of free address space available (especially if you are using one of the private address ranges specified by RFC 1918) then you can forget about the above rule and use a 50:50 split. Note that in this case the max number of clients on the network should correspond to around 50% of the available address range. So if you are expecting around 250 clients, you should use a /23 address range for the subnet.

 

Hope this helps you fine-tune your DHCP split-scope deployment.

 

Santosh Chandwani

Windows Enterprise Networking

 

[This posting is provided "AS IS" with no warranties, and confers no rights.]

Posted Saturday, June 23, 2007 3:06 PM by teamdhcp | 2 Comments


How to use Split-Scopes in DHCP for a Robust Deployment

When should you configure Split Scopes in your DHCP deployment?

Split-scopes are intended for scenarios where you need some backup capability for DHCP when servicing a given subnet, but you don't want to deploy a DHCP server cluster. In this case, you can use 2 stand-alone DHCP servers to back each other up using split-scopes.

 

How do you setup Split Scopes?

Consider a DHCP scope with subnet-mask of 255.255.254.0 , which can support a range of 512 addresses. Say, you have around 300 clients on this subnet. The recommended way to setup a split-scope for this subnet is to have the majority of the available addresses configured on the primary DHCP Server A for that subnet. The remaining addresses are configured on the secondary DHCP Server B. The addresses used on A are then setup as an exclusion on Server B, and vice versa. Usually, the available addresses are split between the primary and the secondary servers through an 80-20 split.

 

Let's take an example: for a subnet 10.0.20.0/23, you would configure the same scope 10.0.20.0 to 10.0.21.255 on both the servers, A and B. However, on server A, you would configure 10.0.21.151 to 10.0.21.255 as an exclusion range on that scope. On server B, you would configure the other part of the address range (10.0.20.0 to 10.0.21.150) as the exclusion range. Thus there would be 407 address available for assignment on Server A, and 105 addresses available for assignment on Server B.

 

Note that you should ensure that the maximum number of clients you expect to have on that subnet doesn't exceed the number of addresses available for assignment on the primary server. If the /23 address range in this case is almost fully utilized, then you wouldn't have any spare capacity on Server B to service clients which need to renew when Server A is down.

 

How do Split Scopes work?

In the above example, a client would normally get its address lease from Server A. However, if server A were to be unavailable, the exclusion on server B would ensure that server B does not NAK the client's request to renew its address in the REBINDING state. If the client's lease expires before Server A has been restored, then it would start the DISCOVER process again. This time, it would get an address lease from Server B. This gives the administrator some time to respond and restore Server A to the normal state.
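The rule of thumb from the split-ratio post applied to the /23 scope above, as an added example in portable C that is not from the original posts; it goes slightly beyond the text by deriving both exclusion ranges and checking the primary's capacity against the expected client count. Times are taken in hours, and the struct and function names are made up for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define IPV4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                          ((uint32_t)(c) << 8) | (uint32_t)(d))

struct split_plan {
    uint32_t primary_count;      /* addresses Server A can lease */
    uint32_t secondary_count;    /* addresses Server B can lease */
    uint32_t a_excl_first, a_excl_last;  /* exclusion range on Server A */
    uint32_t b_excl_first, b_excl_last;  /* exclusion range on Server B */
    int primary_covers_clients;  /* 1 if A alone can serve every client */
};

/* Number of addresses in an inclusive range. */
uint32_t range_size(uint32_t first, uint32_t last)
{
    return last - first + 1;
}

/* Split [first, last] in the ratio (0.5 * lease) : restore.
 * Returns 0 on success, -1 if the inputs give no usable split. */
int plan_split(uint32_t first, uint32_t last, uint32_t lease_hours,
               uint32_t restore_hours, uint32_t expected_clients,
               struct split_plan *plan)
{
    uint64_t total, primary;

    if (last <= first || lease_hours == 0 || restore_hours == 0)
        return -1;
    total = (uint64_t)last - first + 1;
    /* (0.5 * lease) : restore is the same ratio as lease : (2 * restore),
     * which keeps the arithmetic in integers. The share is rounded down. */
    primary = total * lease_hours /
              ((uint64_t)lease_hours + 2ull * restore_hours);
    if (primary == 0 || primary == total)
        return -1;

    plan->primary_count = (uint32_t)primary;
    plan->secondary_count = (uint32_t)(total - primary);
    /* Each server excludes the part of the scope the other one serves. */
    plan->a_excl_first = first + (uint32_t)primary;
    plan->a_excl_last = last;
    plan->b_excl_first = first;
    plan->b_excl_last = first + (uint32_t)primary - 1;
    plan->primary_covers_clients = expected_clients <= plan->primary_count;
    return 0;
}

static void print_ip(const char *label, uint32_t ip)
{
    printf("%s%u.%u.%u.%u\n", label, (unsigned)(ip >> 24),
           (unsigned)((ip >> 16) & 0xff), (unsigned)((ip >> 8) & 0xff),
           (unsigned)(ip & 0xff));
}

int main(void)
{
    struct split_plan p;

    /* Scope 10.0.20.0 to 10.0.21.255, 8-day lease, 1 day to restore a
     * server, about 300 clients: the figures used in the two posts. */
    if (plan_split(IPV4(10, 0, 20, 0), IPV4(10, 0, 21, 255),
                   8 * 24, 24, 300, &p) != 0)
        return 1;
    printf("Server A leases %u addresses, Server B leases %u\n",
           (unsigned)p.primary_count, (unsigned)p.secondary_count);
    print_ip("Server A exclusion starts at ", p.a_excl_first);
    print_ip("Server B exclusion ends at   ", p.b_excl_last);
    printf("Primary covers expected clients: %s\n",
           p.primary_covers_clients ? "yes" : "no");
    return 0;
}
```

For the 8-day lease and 1-day restore time, the exact 4:1 split gives 409 and 103 addresses, close to the 407/105 boundary used in the post.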

 

Santosh Chandwani

Windows Enterprise Networking

 

[This posting is provided "AS IS" with no warranties, and confers no rights.]

Posted Friday, June 15, 2007 2:32 AM by teamdhcp | 5 Comments
