Configuring DHCP to Support DNS
If you have downlevel clients that you want to register in DNS, you can take advantage of the DHCP proxy features for Dynamic DNS registration. This proxy makes it possible to move large numbers of desktops and servers over to DNS-enabled name resolution very quickly.
The DHCP proxy feature was structured using the provisions of Internet Draft draft-ietf-dhc-dhcp-dns-10.txt, "Interaction Between DHCP and DNS." This draft outlines the use of a new DHCP option called Client FQDN, option 81. This option includes a new message format that a client can use to inform the DHCP server of its FQDN. The DHCP server uses this information to send a DNS Update message to the DNS server on behalf of the client.
If you plan on using DHCP to proxy DNS updates, be sure to use Active Directory Integrated zones with Secure Dynamic Updates enabled. This protects the zone records from accidental or deliberate overwrites. Do not install DHCP on a domain controller. The DHCP service runs in the LocalSystem security context and therefore has full privileges on the machine; on a domain controller, that means any DHCP client could, through the proxy, update any record in DNS, with potentially disastrous results.
Before installing DHCP, you should inventory your current IP address assignments and ensure that you know the hosts that have static addresses. Windows Server 2003 DHCP, along with NT4 SP4, will use ICMP to verify that an address is free before leasing it, but that verification is not comprehensive. When you are ready to install DHCP and set aside addresses to lease, follow Procedure 5.25.
Procedure 5.25 Installing DHCP Service Drivers
From Control Panel, open the Add/Remove Programs applet.
Click Add/Remove Windows Components. The Windows Components Wizard starts with the focus set to the Windows Components window.
Highlight Networking Services and click Details. The Networking Services window opens.
Select Dynamic Host Configuration Protocol (DHCP) and click OK to save the change and return to the Windows Components window.
Click Next. The Configuring Components window opens and the drivers begin loading. When the drivers have loaded and the configuration is complete, the wizard displays a successful completion window.
Click Finish to close the window and return to the Add/Remove Programs window.
Close the Add/Remove Programs window.
At this point, you can begin configuring the service. There is no need to restart.
Authorizing a DHCP Server
After the service drivers have been loaded, open the DHCP console. The server icon shows a red down arrow, meaning that the service has not started. If you are installing the service on a domain controller or domain member server, the status in the right pane will show Not Authorized. If you are installing in a workgroup, press F5 to refresh the console. The server status should change to Running.
Windows Server 2003 DHCP has a feature that attempts to prevent rogue DHCP servers from coming on the wire and leasing improper IP addresses. This feature requires a DHCP server to be authorized. An authorized DHCP server has a DHCPClass object in Active Directory. This object can be viewed using the AD Sites and Services console. It is stored under Services | NetServices. Figure 5.19 shows an example.
Figure 5.19. AD Sites and Services console showing authorized DHCP server.
Authorize a DHCP server by right-clicking the server icon in the right pane and selecting AUTHORIZE from the flyout menu. The DHCP object is added to the directory automatically. Then, refresh the console by pressing F5. The server status changes to Running. Figure 5.20 shows an operational DHCP scope with leased addresses.
Figure 5.20. DHCP console showing authorized DHCP server that has leased addresses.
Verify that the server is issuing addresses by renewing an existing DHCP client. If you are in a routed network that uses DHCP helpers, you need to configure the BOOTP relay agents at your routers to point at the new DHCP server. After you have verified basic operability, take the server out of production by deactivating the scope while you configure the scope options.
Configuring Scope Options
While the scope is deactivated, select the scope options that you want to include in the DHCP ACK packet that is returned to the clients along with their leased address. The list of scope options does not include the new Client FQDN option (option 81). That option is configured separately as part of the scope properties and is covered in the next section. At this point, you need to configure options for DNS server(s), a DNS domain name, and a default gateway. You may have other options you want to include, but these are the basics. To configure scope options, follow the steps in Procedure 5.26.
Procedure 5.26 Configuring Scope Options
Right-click the server icon and select NEW SCOPE from the flyout menu. The New Scope Wizard starts.
Click Next. The Scope Name window opens. Give the scope a name and description that can help you identify it when it displays in the console.
Click Next. The IP Address Range window opens (see Figure 5.21). Enter an address range and subnet mask for the scope. The example shows the private network of 10.1.0.0 with a 24-bit subnet mask.
Figure 5.21. New Scope Wizard—IP Address Range window.
Click Next. The Add Exclusions window opens. If you have addresses within the scope that are already assigned to hosts or need to be set aside for static assignment, exclude them here.
Click Next. The Lease Duration window opens. The new default lease duration is eight days, up from three days in NT4. This gives enough time for a user to go on a week's vacation and still get the old address back. If you have a shortage of addresses, you can cut the lease duration back to eight hours.
Click Next. The Configure Your DHCP Options window opens. Let's skip the rest of the wizard and configure the options from the DHCP console. It's faster. Select No, I Will Configure These Options Later.
Click Next. The wizard displays a completion window.
Click Finish to close the wizard and return to the DHCP console. The console now shows the new scope with its address pool and exclusions.
Right-click the Scope Options window and select NEW SCOPE OPTIONS from the flyout menu. The Scope Options window opens.
Select Option 006 DNS Servers. Enter the FQDN of the DNS server that you want to use for this scope and click Resolve to get its IP address. (I prefer this method because it quickly validates that the DNS configuration is correct.)
Select Option 015 DNS Domain Name. Enter the DNS domain name (same as DNS Suffix) you want to distribute to clients in this scope. This name must exist as a DNS zone on the server selected in option 006.
Select other options you want to include in the configuration packet. Typical entries are Option 003 Router, Option 044 WINS/NBNS Servers, and Option 046 WINS/NBT Node Type.
Click OK to set the options and close the window.
Right-click the Scope icon and select Active. This permits the DHCP service to respond to DHCP requests and makes the address pool in the scope available. The status of the scope changes to Active in the right pane of the console.
When a DHCP client leases an address, it gets a configuration packet containing the IP address of one or more DNS servers. The client registers its newly leased address, both the A and PTR records, with the DNS server. You can verify this by checking the DNS console to see whether new addresses appear as Windows Server 2003 DHCP clients get their DHCP configuration packets.
DNS Update Proxy Configuration
If a DHCP client is not running Windows Server 2003 or another operating system that supports Dynamic DNS updates, it will not register its leased DHCP address in DNS. This limits the effectiveness of DNS as a name repository in a peer networking environment, at least if you want to get away from running WINS.
You can configure the DHCP server to act as a DNS update proxy for downlevel clients. Open the server Properties window and select the DNS tab. Figure 5.22 shows an example.
Figure 5.22. DHCP server Properties window showing the DNS tab.
If you highlight the Address Leases icon and look at the list of active DHCP clients, you will notice that the icons for dynamically registered clients have fountain pen emblems.
The Automatically Update DHCP Client Information in DNS selection enables option 81, Client FQDN, for all addresses in the scope. The remaining options are dimmed if this is deselected. Here is a list of the functions for the various configuration options:
Update DNS Only if DHCP Client Requests.
This is the preferred option. If the client has selected the Register This Connection's Addresses in DNS option under TCP/IP Properties, the client takes responsibility for updating DNS and the DHCP server bows out.
Always Update DNS.
This option overrides the Register This Connection's Addresses in DNS setting at the client and uses the FQDN message from the client to register. If this option is selected, a flag is toggled in the option 81 message to the client telling it not to update DNS.
Discard Forward (Name-to-Address) Lookups When Lease Expires.
This option is selected by default. It removes the A record when the lease expires. The DNS scavenger does this, too, but it's better to keep the zone tidy day-by-day.
Enable Updates for DNS Clients That Do Not Support Dynamic Updates.
This option is not set by default. It provides a way for downlevel clients to dynamically register their resource records. If you are prepared to have a couple of thousand resource records appear in your zone file during tomorrow morning's logon, select this option.
If you select the last option that registers downlevel clients by proxy, you'll see the icons appear as dynamic registration icons (fountain pen emblems) as the clients renew their leases. As clients renew their leases, they renew their Dynamic DNS registrations, as well.
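To make the option 81 exchange concrete, here is an added example (not from the book or from Microsoft) that encodes and parses the Client FQDN option and models what the server puts in its DHCP ACK under the "Update DNS Only if DHCP Client Requests" and "Always Update DNS" settings described above. The flag bit layout (S, O, E, N) is assumed to follow RFC 4702, the published successor of the draft cited earlier; the host name and the message bytes are constructed for the example.

```python
"""Constructed example: DHCP option 81 (Client FQDN) encode/decode plus a
model of the server's reply under the two console policies on this page.
Flag bit positions are assumed from RFC 4702 (successor of the cited draft)."""

S, O, E, N = 0x01, 0x02, 0x04, 0x08   # S: server does A update, O: server
OPTION_CLIENT_FQDN = 81               # overrode client, E: wire-format name,
                                      # N: server does no updates at all

def encode_name_wire(fqdn: str) -> bytes:
    """DNS wire format: length-prefixed labels ending with a zero byte."""
    out = bytearray()
    for label in fqdn.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)

def decode_name_wire(data: bytes) -> str:
    labels, pos = [], 0
    while data[pos] != 0:                       # walk labels until the root
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

def build_option81(flags: int, fqdn: str, rcode1: int = 255, rcode2: int = 255) -> bytes:
    """Return the whole TLV: code 81, length, flags, RCODE1, RCODE2, name."""
    name = encode_name_wire(fqdn) if flags & E else fqdn.encode("ascii")
    body = bytes([flags, rcode1, rcode2]) + name
    return bytes([OPTION_CLIENT_FQDN, len(body)]) + body

def parse_option81(tlv: bytes) -> dict:
    """Validate the TLV framing before trusting any byte of the payload."""
    if len(tlv) < 5 or tlv[0] != OPTION_CLIENT_FQDN or tlv[1] != len(tlv) - 2:
        raise ValueError("not a well-formed option 81")
    flags, raw = tlv[2], tlv[5:]
    fqdn = decode_name_wire(raw) if flags & E else raw.decode("ascii")
    return {"flags": flags, "fqdn": fqdn}

def server_reply(client_flags: int, fqdn: str, always_update: bool) -> bytes:
    """Option 81 the DHCP server returns in the ACK. 'Only if client requests'
    honours the client's S bit; 'Always Update DNS' sets S and O, which tells
    the client not to register its own A record (the toggled flag above)."""
    flags = client_flags & E                    # keep the client's encoding
    if always_update:
        flags |= S | O
    elif client_flags & S:
        flags |= S
    return build_option81(flags, fqdn)
```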