This chapter is from the book
This chapter is from the book
This chapter is from the book
Installing and Implementing DHCP
The first question many managers ask when presented with a request to install Windows Server 2003 DHCP is this: "Can't we just use our existing DHCP?" The answer to this question is both yes and no. If you are maintaining a legacy domain and WINS network, Windows Server 2003 can receive DHCP information from any DHCP server with which Windows NT 4.0 or Windows 2000 Server works. However, if you want to take advantage of the features of Active Directory and possibly migrate away from the legacy WINS architecture, you need the Windows Server 2003 DHCP service.
The following sections discuss how to install and configure DHCP for a network.
Installing the DHCP Server Service
When you install Windows Server 2003, you can install DHCP as one of the optional services. To prepare for Exam 70-293, you need to know how to install DHCP on an existing server that does not already have DHCP installed.
Before you install DHCP, you must configure the server with a static IP address. When the DHCP server's network adapter is configured with a static IP address, you can install the DHCP service on the server. To install the DHCP service on your server, perform the steps described in Step by Step 3.1.
Step By Step 3.1: Installing the DHCP Service
- Select Start, Settings, Control Panel, Add or Remove Programs.
- On the Add or Remove Programs page, click Add/Remove Windows Components to open the Windows Components Wizard.
- Select Networking Services, as shown in Figure 3.1.
Figure 3.1 DHCP is located in the Networking Services group in the Windows Components Wizard.
- Click the Details button to open the Networking Services window, shown in Figure 3.2.
Figure 3.2 You select the Dynamic Host Configuration Protocol (DHCP) option to install the DHCP server.
- Select Dynamic Host Configuration Protocol (DHCP) and click OK.
- Back in the Windows Components Wizard page, click Next to begin the installation.
- If you are prompted to supply the location of your Windows Server 2003 CD-ROM or installation files, provide the correct location. Windows installs the DHCP service files on your computer.
- When prompted that installation is complete, click Finish to close the Windows Components Wizard.
)
)
After you've installed the DHCP service, you need to begin configuring the DHCP server so that it can service network clients. Before you can begin the configuration process, you need to understand the types of DHCP scopes in Windows Server 2003.
Understanding DHCP Scopes
A scope is a range of IP addresses that are available for dynamic assignment to hosts on a given subnet. The scope for a particular subnet is determined by the network address of the broadcast DHCP request. In addition to address information, a scope can include a set of configuration parameters to be assigned to client computers when the address is assigned. This list of configuration parameters can include DNS servers, WINS servers, default gateways, the subnet mask, a NetBIOS scope ID, IP routing information, and WINS proxy information.
You should make the scope as large as you can. Later in the scope-creation process, you can exclude addresses and define reservations for particular addresses that exist within the scope.
Understanding DHCP Superscopes
The superscope type of scope was introduced to the Windows NT product family with Service Pack 2 for Windows NT 4.0. A superscope enables you to support a supernetted or multinetted network with a Windows Server 2003 DHCP server.
A supernetted network is a network that has multiple network addresses or subnets running on the same segment. This configuration is common in a network environment with more than 254 hosts on a subnet and in an environment in which certain hosts need to be isolated from the rest of the logical network for security or routing reasons. Superscopes support a local multinet or a multinet that is located across a router and configured to use the BOOTP forwarder service.
Understanding Multicasting and Multicast Scopes
Multicasting is the act of transmitting a message to a select group of recipients. This is in contrast to the concept of a broadcast, in which traffic is sent to every host on the network, or a unicast, in which the connection is a one-to-one relationship and there is only one recipient of the data.
Let's look at an example using an email message. If you send an email message to your manager, that email is a unicast message. If you send an email message to every user on the system, you have sent a broadcast. If you send an email message to a mailing list, you have sent a multicast message, which falls between a unicast message and a broadcast message. Teleconferencing and videoconferencing use the concept of multicasting, as does broadcast audio, in which the connection is from one source computer to a selected group of destination computers. At this time, only a few applications take advantage of multicasting, but with the growing popularity of multicast applications, we might see more multicast applications in the future.
The following are a few terms you need to understand before we discuss the Windows Server 2003 multicast capabilities:
- Multicast DHCP (MDHCP)—An extension to the DHCP standard that supports dynamic assignment and configuration of IP multicast addresses on TCP/IP–based networks.
- Multicast forwarding table—The table used by an IP router to forward IP multicast traffic. An entry in the IP multicast forwarding table consists of the multicast group address, the source IP address, a list of interfaces to which the traffic is forwarded (that is, the next-hop interfaces), and the single interface on which the traffic must be received to be forwarded (that is, the previous-hop interface).
- Multicast group—A group of member TCP/IP hosts configured to listen for and receive datagrams sent to a specified destination IP address. The destination address for the group is a shared IP address in the Class D address range (224.0.0.0 to 2239.255.255.255).
- Multicast scope—A scope of IP multicast addresses in the range 239.0.0.0 to 239.254.255.255. Multicast addresses in this range can be prevented from propagating in either direction (send or receive) through the scope-based multicast boundaries.
Windows Server 2003 makes use of the concept of a multicast scope. The DHCP service has been extended to allow the assignment of multicast addresses in addition to unicast (single-computer) addresses. A proposed IETF standard (RFC 2730, "Multicast Address Dynamic Client Allocation Protocol [MADCAP]") defines multicast address allocation. MADCAP (also known as MDHCP in Microsoft lingo) would enable administrators to dynamically allocate multicast addresses to be assigned in the same fashion as unicast addresses. The Windows Server 2003 DHCP multicasting capability also supports dynamic membership, which allows individual computers to join or leave a multicast group at any time. This is similar to registering to receive an Internet broadcast or joining and leaving an email mailing list. Group membership is not limited by size, and computers are not restricted to membership in any single group.
How do client computers join and leave a multicast group? The answer is via MDHCP and the MDHCP application programming interface (API). Client computers using MDHCP must be configured to use the MDHCP API. MDHCP assists in simplifying and automating configuration of multicast groups on a network, but it is not required for the operation of multicast groups or for the DHCP service. Multicast scopes provide only address configuration and do not support or use other DHCP-assignable options. MDHCP address configuration for client computers should be done independently of how the client computers are configured to receive their primary IP addresses. Computers using either static or dynamic configuration through a DHCP server can also be MDHCP clients.
Now that you know the different types of scopes supported in Windows Server 2003, you can move forward to creating scopes on a DHCP server.
Creating a DHCP Scope
Now that you are familiar with the different types of scopes, you can create one. To create a standard DHCP scope, you perform the steps described in Step by Step 3.2.
Step By Step 3.2: Creating a DHCP Scope
- Open the DHCP console by selecting Start, Programs, Administrative Tools, DHCP.
- Right-click the DHCP server and select New Scope from the context menu.
- Click Next to dismiss the opening page of the New Scope Wizard.
- On the first page of the wizard, the Scope Name page, enter a name and description for the new scope, as shown in Figure 3.3. You should make this name something that will enable you to easily identify this scope if you have multiple scopes on the DHCP server. When you're done entering the information, click Next to continue.
Figure 3.3 You should enter an intuitive name and description for the new scope.
- On the next page of the wizard, the IP Address Range page, enter the IP address range and subnet mask that you need for the network, as shown in Figure 3.4. You can define the subnet mask by using the standard octet method (for example, 255.255.255.0) or by using the more router-centric mask length field (for example, 24 bits). When you're done entering the information, click Next to continue.
Figure 3.4 Configuring the IP address range and subnet mask information defines the scope boundaries.
- On the next page of the wizard, the Add Exclusions page (see Figure 3.5), you can configure a range of IP addresses that will not be leased to client computers. These are typically addresses assigned to application servers, routers, printers, or other infrastructure equipment that requires static addresses. You can have multiple excluded IP addresses or ranges for each scope. When you're done entering the information, click Next to continue.
Figure 3.5 Configuring IP address exclusions enables you to prevent addresses within the scope from being leased.
- On the next page of the wizard, the Lease Duration page, you can configure the amount of time for which a DHCP lease is valid, as shown in Figure 3.6. The default setting is 8 days and can be changed to any value between 1 minute and almost 1,000 days (999 days, 23 hours, 59 seconds, to be exact). For the average network, the default setting of 8 days is sufficient. In a network that has a large number of computers connecting at various locations, such as portable computers on wireless connections, you might want to reduce the lease duration. Conversely, in a network with clients that do not change location, you might consider increasing the lease duration to cut down on DHCP traffic on the network. When you're done entering the information, click Next to continue.
Figure 3.6 You should configure the lease duration that seems appropriate for the network.
- On the next page of the wizard, the Configure DHCP Options page, you have the choice to configure additional options for your scope now or later. It is usually best to configure these options at the time of scope configuration, so you should do that now. Select Yes, I Want to Configure These Options Now and click Next to continue.
- On the next page of the wizard, the Router (Default Gateway) page, enter the default gateway for the network or the subnet that the scope serves, as shown in Figure 3.7. When you're done entering the information, click Next to continue.
Figure 3.7 If you configure multiple gateways, you need to ensure that you place them in preferred order from top to bottom.
- On the next page of the wizard, the Domain Name and DNS Servers page, configure the parent domain that all DHCP clients should be made part of, as well as any number of DNS servers you require, as shown in Figure 3.8. It is recommended that you enter at least two DNS servers for your clients to use. If you need to resolve a server name to an IP address, you can enter the server's name and then click the Resolve button. When you're done entering the information, click Next to continue.
Figure 3.8 If you configure multiple DNS servers, you should ensure that you place them in preferred order from top to bottom.
- On the next page of the wizard, the WINS Servers page, enter the IP addresses of the network's WINS servers, as shown in Figure 3.9. WINS servers are used to convert NetBIOS names to IP addresses for legacy clients on the network. As on the Domain Name and DNS Servers page, you can use the Resolve button to resolve a host name to an address. If a network is purely Windows 2000 or better, you do not need to have a WINS server on the network because Windows 2000, Windows XP, and Windows Server 2003 use DNS by default for all name resolutions. If you need WINS servers on a network, it is recommended that you enter at least two of them here. When you're done entering the information, click Next to complete the scope-creation process.
Figure 3.9 WINS servers are not required for networks that use only Windows 2000, Windows XP, or Windows Server 2003 computers.
- On the next page of the wizard, the Activate Scope page (see Figure 3.10), you have the option to active the configured scope now or later. In most cases, you want to activate the scope right away. Select Yes, I Want to Activate This Scope Now and click Next to activate the configured scope.
Figure 3.10 You typically want to activate the scope immediately after configuring it.
- Click Finish to close the New Scope Wizard. Note that the DHCP won't issue any IP address from your new scope unless it has already been authorized in Active Directory. We discuss this a bit later in this chapter.
)
)
)
)
)
)
)
)
Configuring Scope Properties
After you've created a scope, you might want to modify its properties. To modify a scope's properties, you perform the steps described in Step by Step 3.3.
Step By Step 3.3: Configuring a DHCP Scope's Properties
- Right-click the scope and select Properties from the context menu.
- The Properties dialog box opens, as shown in Figure 3.11.
Figure 3.11 You can use the Scope Properties dialog box to change scope properties after you create a scope.
- On the General tab, change the scope name, IP address range, lease duration, and scope description, if you want to.
- If you want to change the options on the DNS tab, do so now. The options on the DNS tab are discussed later in this chapter, in the section "Configuring DHCP for DNS Integration."
- On the Advanced tab, select options related to BOOTP clients, as shown in Figure 3.12. If you have BOOTP clients on your network, select either the BOOTP Only option or the Both option, depending on your network configuration. The default setting is DHCP Only. Click OK to close the Scope Properties dialog box after you make your changes.
Figure 3.12 You can configure the scope to service BOOTP clients on the Advanced tab of the Scope Properties dialog box.
- To view the address pool and configured exclusion ranges, click the Address Pool node of the DHCP console, as shown in Figure 3.13.
Figure 3.13 You can quickly view all configured scope ranges and exclusion ranges from the Address Pool node.
- To add a new exclusion range, right-click Address Pool and select New Exclusion Range from the context menu. The Add Exclusion window appears (see Figure 3.14). Click Add after you enter your new exclusion range.
Figure 3.14 You can add a new exclusion range to a configured DHCP scope by using the Add Exclusion dialog box.
- To view the addresses that have been leased, click the Address Leases node, as shown in Figure 3.15. (Of course, no leases are shown here until you authorize the DHCP server, as discussed later in this chapter, in the section "Authorizing a DHCP Server in Active Directory.")
Figure 3.15 You can view all active scope leases from the Address Leases node.
- If you want to manually revoke an active client lease, right-click it in the right pane of the Address Leases node and select Delete from the context menu.
- To view the configured reservations, click the Reservations node of the DHCP console.
- You can configure a new address reservation by right-clicking Reservations and selecting New Reservation from the context menu. You can configure a reservation for any device for which you want to have a DHCP-assigned IP address that never expires. Configure the reservation as shown in Figure 3.16 and click Add to add it. Click Close to close the New Reservation input box when you're done configuring reservations for this scope. After you've configured a reservation, you can see it in the Reservations node of the DHCP console, as shown in Figure 3.17.
Figure 3.16 You can configure a new DHCP reservation, which is typically done for printers and other static infrastructure devices.
Figure 3.17 You can view all scope reservations from the Reservations node.
- You can view existing scope options by clicking the Scope Options node, as shown in Figure 3.18.
Figure 3.18 The Scope Options node lists all currently configured scope options.
- To configure a new scope option, right-click the Scope Options node and select Configure Options from the context menu. Configure the options in the Scope Options window (see Figure 3.19). Table 3.1 listed the common DHCP options available for configuration. Table 3.2 listed the Microsoft-specific DHCP options that are available for configuration.
Figure 3.19 You can configure extra scope options from the Scope Options dialog box.
)
)
)
)
)
)
)
)
)
Authorizing a DHCP Server in Active Directory
For security reasons, a new DHCP server must be authorized in Active Directory before it can assign IP addresses by an administrator with Enterprise Admin credentials. This prevents unauthorized DHCP servers from running on the network. One of the nastiest things a troublemaker can do is put up a rogue DHCP server and have it issue addresses that conflict with infrastructure devices' addresses. The nice thing about this feature is that if you are running Windows 2000 or better client computers and they are using Active Directory, the computers will not accept DHCP addresses from an unauthorized server. To authorize a DHCP server in Active Directory, you perform the steps described in Step by Step 3.4.
Step By Step 3.4: Authorizing a DHCP Server in Active Directory
- Open the DHCP console by selecting Start, Programs, Administrative Tools, DHCP.
- Right-click the DHCP server and select Authorize from the context menu.
- The authorization process might take some time, depending on network conditions. Refresh the DHCP console by pressing F5. You should see the window shown in Figure 3.20. When authorization is complete, the status is shown as Active and the server is ready to issue addresses when it receives DHCP requests. Note also that the status arrow on the server itself is now pointing up instead of down, as before.
Figure 3.20 When a DHCP server is authorized, DHCP server scope information appears in the right pane of the DHCP console window.
)
Windows Server 2003 and Windows 2000 Server DHCP servers that are not authorized do not provide DHCP services to network clients. These unauthorized servers also check every 5 minutes to see if their authorization status has changed, thus allowing them to begin servicing clients.
You have now installed, configured, and authorized a Windows Server 2003 DHCP server. We next examine configuring DHCP for DNS integration.
Configuring DHCP for DNS Integration
One of the keys to effectively implementing an Active Directory environment is the capability for Windows 2000 and Windows XP workstations using DHCP to be automatically registered in DNS. You can set the following settings for DNS integration (see Step by Step 3.5):
- Dynamically Update DNS A and PTR Records Only If Requested by the DHCP Clients—This is the default behavior of the Windows Server 2003 DHCP server. It causes the DHCP server to register and update client information with the authoritative DNS server of the zone in which the DHCP server is located, according to the DHCP client's request. The DHCP client can request the way in which the DHCP server performs updates of its host (A) and pointer (PTR) resource records. If possible, the DHCP server accommodates the client's request for handling updates to its name and IP address information in DNS. This selection requires you to select the Enable Dynamic DNS Updates According to the Settings Below option.
- Always Dynamically Update DNS A and PTR Records—When this option is selected, the DHCP server always updates the client's fully qualified domain name (FQDN), IP address, and both A and PTR resource records, regardless of whether the client has requested to perform its own updates. This selection requires you to select the Enable Dynamic DNS Updates According to the Settings Below.
- Discard A and PTR Records When Lease Is Deleted—This option, which is selected by default, instructs the DHCP server to cause the DNS server to delete the client's A and PTR records when the lease has expired or otherwise has been deleted. This selection requires you to select the Enable Dynamic DNS Updates According to the Settings Below option.
- Dynamically Update DNS A and PTR Records for DHCP Clients That Do Not Request Automatic Updates—This option allows legacy clients, such as Windows NT 4.0 and Windows 9x clients, to participate in DNS dynamic updates. This selection requires you to select the Enable Dynamic DNS Updates According to the Settings Below option.
Because the DHCP server controls DNS dynamic updating, you need to perform all the applicable DNS configuration from the DHCP console. The DHCP server automatically updates any DNS server configured as part of the server's TCP/IP network properties. It is important to be sure that the primary DNS server is configured as one of the DNS servers because any updates sent to it are propagated to the rest of the DNS servers for that domain. However, the DNS server in question must support DDNS. The Windows Server 2003 DNS server supports these updates, as do a number of other DNS servers.
To configure a DHCP server for DNS integration, you perform the steps described in Step by Step 3.5.
Step By Step 3.5: Configuring DHCP for DNS Integration
- Open the DHCP console by selecting Start, Programs, Administrative Tools, DHCP.
- Right-click the DHCP server and select Properties from the context menu. Select the DNS tab of the DHCP Server Properties dialog box, shown in Figure 3.21.
Figure 3.21 You can configure DDNS options on the DNS tab.
- To enable DHCP integration with DNS, ensure that the Enable Dynamic DNS Updates According to the Settings Below check box is selected.
- Select to have the DHCP server update A and PTR records when requested or to always update A and PTR records.
- To help keep the DNS database clean and consistent, allow the DHCP server to cause expired leases to lead to A and PTR record deletion.
- If there are legacy clients on the network, ensure that dynamic updating is configured for them.
- If you are using secure dynamic updates, consider configuring a dedicated network user account for dynamic updating. You can enter the account credentials by switching to the Advanced tab of the DHCP Server Properties dialog box, as shown in Figure 3.22.
Figure 3.22 Click the Credentials button to enter the account username and password for DDNS.
- Click the Credentials button to open the DNS Dynamic Update Credentials window, as shown in Figure 3.23.
Figure 3.23 Enter the dynamic updates account credentials in the DNS Dynamic Update Credentials dialog box.
- Enter the domain user account name, domain, and password in the DNS Dynamic Update Credentials dialog box. Click OK to accept the credentials or Cancel to avoid entering credentials at this time.
- Click OK to close the DHCP Server Properties dialog box.
)
)
)
DHCP option code 81 is required to make dynamic updates work. Let's look at two examples that explain the basic dynamic update process.
The first example looks at a Windows 2000 Professional client computer that has requested a DHCP lease from a Windows Server 2003 DHCP server configured with the default options:
- During the DHCP lease-negotiation process, the Windows 2000 Professional client sends a DHCPREQUEST message. By default, the client includes DHCP option 81 in this message, informing the DHCP server that it is requesting that the DHCP server register its PTR record in DNS. The client is responsible for registering its A record on its own.
- The DHCP server replies with a DHCPACK message, granting the requested DHCP lease. This message includes DHCP option 81. With the default DHCP server settings, the DHCP server informs the client that it will register the PTR record and that the client is responsible for registering the A record in DNS.
- The client registers its A record, and the DHCP server registers the client's PTR record in DNS.
The second example looks at a Windows NT 4.0 Workstation client computer that has requested a DHCP lease from a Windows Server 2003 DHCP server configured with the default options:
- During the DHCP lease-negotiation process, the Windows NT 4.0 Workstation client sends a DHCPREQUEST message. DHCP option 81 is not included in this message.
- The server returns a DHCPACK message to the client, granting its DHCP lease request.
- The DHCP server updates the DNS server with the client's A and PTR records.
Configuring and Implementing a DHCP Relay Agent
Today most networks that use DHCP are routed. As discussed previously, DHCP messages are broadcast messages. By default, nearly all routers do not pass broadcast traffic, in the interest of reducing overall network traffic levels. Fortunately, you can get around this design limitation by configuring a DHCP relay agent to pass BOOTP messages across routers.
You can set up a DHCP relay agent in three basic configurations. The first involves entering the IP address or addresses of the DHCP server(s) into the router itself, instructing it to pass DHCP messages to a specified IP address for action. The second method involves using the Windows Server 2003 Routing and Remote Access Service (RRAS) component as a router (in place of a hardware-based router) and configuring the DHCP relay agent within it. The third solution, and the one that we examine in this section, uses a Windows Server 2003 computer located on a subnet without a DHCP server to act as a DHCP relay agent. This option requires RRAS components, but it does not involve creating or configuring a router, as the second solution would. What's important to understand is that the server providing the DHCP relay agent service does not have to be dedicated to that purpose; it could be a file server, a print server, or any other type of Windows Server 2003 (or Windows 2000 Server) server on that subnet. Figure 3.24 shows how this arrangement would look on a network.
)
Figure 3.24 The DHCP relay agent allows clients on the other side of a router to communicate with the DHCP server.
In Step by Step 3.6, you enable the DHCP relay agent on a Windows Server 2003 computer. This exercise assumes that you have not previously configured and enabled RRAS on the computer.
Step By Step 3.6: Configuring a DHCP Relay Agent
- Select Start, Programs, Administrative Tools, Routing and Remote Access to open the Routing and Remote Access console, shown in Figure 3.25. (If you've previously configured and enabled RRAS, you can skip to Step 7.)
Figure 3.25 The Routing and Remote Access console is initially empty.
- Right-click the server name and select Configure and Enable Routing and Remote Access from the context menu. The Routing and Remote Access Server Setup Wizard appears. Click Next to dismiss the opening page.
- On the Configuration page of the wizard, shown in Figure 3.26, select the Custom Configuration option and click Next to continue.
Figure 3.26 You need to specify a custom configuration to perform basic DHCP relay agent setup.
- On the Custom Configuration page of the wizard, shown in Figure 3.27, select the LAN Routing option and click Next to continue.
Figure 3.27 The LAN Routing option is the bare minimum you need to support later installation of the DHCP relay agent.
- When the summary page is displayed, review your selections and click Finish to continue.
- You are prompted to start RRAS. Click Yes to start the service.
- Back at the Routing and Remote Access console, expand the following nodes: Routing and Remote Access, ServerName, IP Routing, and General, as shown in Figure 3.28.
Figure 3.28 You need to add the DHCP relay agent from the General node.
- Right-click the General node and select New Routing Protocol from the context menu. This opens the New Routing Protocol dialog box.
- From the New Routing Protocol dialog box, shown in Figure 3.29, select DHCP Relay Agent. Click OK to confirm your configuration.
Figure 3.29 You can add the DHCP relay agent in addition to standard IP routing protocols.
- To select a network interface for the DHCP relay agent to run on, right-click the DHCP Relay Agent node in the RRAS console and select New Interface from the context menu.
- On the New Interface for DHCP Relay Agent page, shown in Figure 3.30, select the network interface that you want to be available for the DHCP relay agent. Click OK to continue. The DHCP Relay Properties dialog box, shown in Figure 3.31, opens.
Figure 3.30 Select one or more installed network adapters for use by the DHCP relay agent.
Figure 3.31 You need to configure the maximum hop count and length of delay time for the DHCP relay agent.
- In the DHCP Relay Properties dialog box, configure the required values for hop-count threshold and boot threshold. The default value for each of them is 4. Click OK to confirm your settings.
- The last configuration you need to perform is to assign the DHCP server IP addresses to which the DHCP relay agent forwards DHCP messages. Right-click the DHCP Relay Agent node in the RRAS console and select Properties to open the DHCP Relay Agent Properties dialog box, shown in Figure 3.32. Enter one or more remote DHCP servers in the list and click OK to confirm your settings.
Figure 3.32 Provide one or more remote DHCP servers to which the DHCP relay agent can forward DHCP messages.
)
)
)
)
)
)
)
)
Configuring Security for DHCP
Although no administrative tasks outwardly appear to help secure your DHCP infrastructure, you can follow some best practices and take other actions to provide a more secure (and, thus, more reliable) DHCP implementation in your environment. We briefly examine them here:
- Use the 80/20, 70/30, or 50/50 address-allocation rule—By using one of these configurations, you can ensure that leases will still be made available to clients requesting them if a single server is under a DoS attack or otherwise becomes unavailable.
- Create and use DHCP server clusters—By enabling a DHCP server cluster, you remove a single server as a single point of failure (SPOF). By having two (or more) servers in a cluster acting as a single DHCP entity, a failure of a single server (or multiple servers, depending on your configuration) will not result in a failure to provide leases to clients.
-
Examine the DHCP audit logs regularly—Ensure that audit logging is enabled, as shown in Figure 3.33. The audit logs are stored in the location defined on the Advanced tab, which was shown in Figure 3.22. The location is %systemroot%\system32\dhcp\ by default.
Figure 3.33 DHCP audit logging is enabled from the General tab of the DHCP server Properties dialog box.
- Harden servers—You can get detailed information and assistance on hardening Windows Server 2003 servers from the "Windows Server 2003 Security Guide."
)