DHCP Step-by-Step Guide

Software requirements

---

The following are required components of the test lab:

• The product disc for Windows Server 2008 R2.
  
• The product disc for Windows Server 2003 with Service Pack 2 (SP2).
  
• The product disc for Windows 7.
  
  This lab demonstrates link layer-based filtering with a DHCP server in a domain with Active Directory® directory services and Windows Server 2003 installed. You can also make the domain controller in this lab run Windows Server 2008 R2.
  

Steps for configuring the test lab

---

The following are the installation, configuration, and post-installation configuration stages required to set up this test lab:

• Configure DC1.
  
  DC1 is a server running the Windows Server 2003 Standard Edition operating system. DC1 is configured as a domain controller with Active Directory. It is also configured as the primary DNS server for the intranet subnet.
  
• Configure DHCP Server 1.
  
  DHCP Server 1 is a server running Windows Server 2008 R2. DHCP Server 1 is configured with the DHCP Server service, and functions as a DHCP server in the domain.
  
• Configure Windows-based DHCP clients
  
  DHCP Client 1, DHCP Client 2, and DHCP Client 3 are client computers running Windows 7. DHCP Client 1, DHCP Client 2, and DHCP Client 3 are configured to request IP addresses from DHCP Server 1.
  

After all the components are configured, this guide will provide steps to demonstrate how link layer-based filtering gives you the control to allow or deny network access to the three clients based on MAC address.

Configure DC1

---

DC1 is a computer running Windows Server 2003 Standard Edition with SP2 that provides the following services:

• A domain controller for the Contoso.com Active Directory domain.
  
• A DNS server for the Contoso.com DNS domain.
  

To configure DC1 complete the following tasks:

• Install the operating system.
  
• Configure Transmission Control Protocol/Internet Protocol (TCP/IP)
  
• Install Active Directory and DNS.
  
• Create a user account and group in Active Directory.
  

The following sections explain these tasks in detail.

Install the operating system on DC1

---

Install Windows Server 2003 SP2 as a stand-alone server.

To install the operating system on DC1

---

1. Start your computer using the Windows Server 2003 product disc.
   
2. When prompted for a computer name, type DC1.
   

Configure TCP/IP on DC1

---

Configure TCP/IP with a static IP address of 172.16.1.1 and the subnet mask of 255.255.255.0.

To configure TCP/IP on DC1

---

1. Click Start, click Control Panel, and then double-click Network Connections.
   
2. Right-click Local Area Connection, and then click Properties.
   
3. Click Internet Protocol (TCP/IP), and then click Properties.
   
4. Select Use the following IP address. Type 172.16.1.1 next to IP address and 255.255.255.0 next to Subnet mask.
   
5. Verify that Preferred DNS server is blank.
   
6. Click OK, click Close, and then close the Network Connections window.
   

Configure DC1 as a domain controller and DNS server

---

DC1 will serve as the only domain controller and DNS server for the Contoso.com domain.

To configure DC1 as a domain controller and DNS server

---

1. To start the Active Directory Installation Wizard, click Start, click Run, type dcpromo, and then press ENTER.
   
2. In the Active Directory Installation Wizard dialog box, click Next.
   
3. Operating system compatibility information is displayed. Click Next again.
   
4. Verify that Domain controller for a new domain is selected, and then click Next.
   
5. Verify that Domain in a new forest is selected, and then click Next two times.
   
6. On the Install or Configure DNS page, select No, just install and configure DNS on this computer, and then click Next.
   
7. Type Contoso.com next to Full DNS name for new domain, and then click Next.
   
8. Confirm that the Domain NetBIOS name shown is CONTOSO, and then click Next.
   
9. Accept the default Database Folder and Log Folder directories, and then click Next.
   
10. Accept the default folder location for Shared System Volume, and then click Next.
    
11. Verify that Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems is selected, and then click Next.
    
12. Leave the Restore Mode Password and Confirm Password text boxes blank, and then click Next.
    
13. View the summary information provided, and then click Next.
    
14. Wait while the wizard completes configuration of Active Directory and DNS services, and then click Finish.
    
15. When prompted to restart the computer, click Restart Now.
    
16. After the computer is restarted, log on to the CONTOSO domain using the Administrator account.
    

Create a user account in Active Directory

---

Next, create a user account in Active Directory. This account will be used when logging in to DHCP Server 1 and DHCP Server 2.

To create a user account in Active Directory

---

1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
   
2. In the console tree, double-click Contoso.com, right-click Users, point to New, and then click User.
   
3. In the New Object - User dialog box, next to Full name, type User1, and in User logon name, type User1.
   
4. Click Next.
   
5. In Password, type the password that you want to use for this account, and in Confirm password, type the password again.
   
6. Clear the User must change password at next logon check box, and select the Password never expires check box.
   
7. Click Next, and then click Finish.
   
8. Leave the Active Directory Users and Computers console open for the following procedure.
   

Add user1 to the DHCP Administrators group

---

Next, add the newly created user to the DHCP Administrators group and use it for all of the configuration activities.

To add a user to the DHCP Administrators group

---

1. In the Active Directory Users and Computers console tree, click Users.
   
2. In the details pane, double-click DHCP Administrators.
   
3. In the DHCP Administrators Properties dialog box, click the Members tab, and then click Add.
   
4. Under Enter the object names to select (examples), type User1, the user name that you created in the previous procedure, click OK, and then click OK again.
   
5. Leave the Active Directory Users and Computers console open for the following procedure.
   

Configure DHCP Server 1

---

For the test lab, DHCP Server 1 will be running Windows Server 2008 R2, with the DHCP Server service, which provides IP addresses and leases for the requesting DHCP clients. To configure DHCP Server 1, complete the following tasks:

• Install the operating system.
  
• Configure TCP/IP.
  
• Join the computer to the domain.
  
• Install DHCP server roles.
  
• Configure DHCP.
  

Install Windows Server 2008 R2

---

To install Windows Server 2008 R2

---

1. Start your computer using the Windows Server 2008 R2 product CD.
   
2. When prompted for the installation type, select Custom.
   
3. Follow the instructions that appear on your screen to finish the installation.
   

Install the DHCP server role

---

1. Click Start, and then click Server Manager.
   
2. Under Roles Summary, click Add roles, and then click Next.
   
3. On the Select Server Roles page, select the DHCP server, and then click Next two times.
   
4. On the Select Network Connection Bindings page, verify that 172.16.1.2 is selected, and then click Next on DHCP Server 1. Similarly, on the Select Network Connection Bindings page, verify that 172.16.1.3 is selected, and then click Next on DHCP Server 2.
   
5. On the Specify IPv4 DNS Server Settings page, verify that contoso.com is listed under Parent domain.
   
6. Type 172.16.1.1 under Preferred DNS server IP address, and then click Validate. Verify that the result returned is valid, and then click Next.
   
7. On the Specify WINS Server Settings page, accept the default setting of WINS is not required on this network, and then click Next.
   
8. On the Add or Edit DHCP Scopes page, click Add.
   
9. In the Add Scope dialog box, type SS Scope next to Scope Name. Next to Starting IP Address, type 172.16.1.4, next to Ending IP Address, type 172.16.1.204, and next to Subnet Mask, type 255.255.255.0.
   
10. Select the Activate this scope check box, click OK, and then click Next.
    
11. On the Configure DHCPv6 Stateless Mode page, select Disable DHCPv6 stateless mode for this server, and then click Next.
    
12. On the Authorize DHCP Server page, select Use current credentials. Verify that CONTOSO\user1 is displayed next to Username, and then click Next.
    
13. On the Confirm Installation Selections page, click Install.
    
14. Verify that the installation was successful, and then click Close.
    

Configure DHCP on DHCP Server 1

---

DHCP Server 1 is the member servers that will provide DHCP addressing. The DHCP service was partially configured during installation with Server Manager on both of these servers.
We will configure scope options further for DHCP Server 1.

Open the DHCP console

---

To open the DHCP console

---

1. Click Start, click Run, type dhcpmgmt.msc, and then press ENTER.
   
2. Leave this window open for all DHCP configuration tasks.
   

Configure the default user class on DHCP Server 1

---

Next, configure scope options for the default user class. These server options are used when a client computer attempts to access the network and obtain an IP address from the DHCP server.

To configure default user class scope options

---

1. In the DHCP console tree, under Scope [172.16.0.0] SS Scope, right-click Scope Options, and then click Configure Options.
   
2. On the Advanced tab, verify that Default User Class is selected next to User class.
   
3. Select the 006 DNS Servers check box, in IP Address, under Data entry, type 172.16.1.1, and then click Add.
   
4. Select the 015 DNS Domain Name check box, in String value, under Data entry, type contoso.com, and then click OK.
   

   Note
   The 003 Router option is configured in the default user class if a default gateway is required for client computers. Because all computers in the test lab are located on the same subnet, this option is not required.

   
   

Configure the DHCP Clients

---

DHCP Client 1, DHCP Client 2, and DHCP Client 3 are computers running Windows Server 2008 R2 that you will use to demonstrate DHCP clients requesting IP Addresses from the DHCP Server in the domain. To configure the DHCP clients, complete the following steps:

• Install the operating system.
  
• Configure TCP/IP.
  
• Verify network connectivity.
  
• Join the computer to the domain and restart the computer.
  

Install Windows 7 Client on DHCP Clients

---

To install the operating system on DHCP Client 1, DHCP Client 2, and DHCP Client 3

---

1. Start your computer using the product discs for Windows 7.
   
2. When prompted for the installation type, select Custom Installation.
   
3. When prompted for a computer name, type DHCP Client 1, DHCP Client 2, and DHCP Client 3.
   
4. On the Select your computer's current location page, click Work.
   
5. Follow the rest of the instructions that appear on your screen to finish the installation.
   

Configure TCP/IP on the 3 DHCP Clients

---

Complete all of the following steps on each of the three client computers.

To configure TCP/IP on DHCP Client 1, DHCP Client 2, and DHCP Client 3

---

1. Click Start, and then click Control Panel.
   
2. Click Network and Internet, click Network and Sharing Center, and then click Manage network connections.
   
3. Right-click Local Area Connection, and then click Properties.
   
4. In the Local Area Connection Properties dialog box, clear the Internet Protocol Version 6 (TCP/IPv6) check box. This will reduce the complexity of the lab, particularly for those who are not familiar with IPv6.
   
5. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
   
6. Verify that Obtain an IP address automatically and Obtain DNS server address automatically are selected.
   
7. Click OK, and then click Close to close the Local Area Connection Properties dialog box.
   
8. Close the Network Connections and Network and Sharing Center windows.
   

Join DHCP Clients to the Contoso.com domain

---

Because the DHCP clients now have access to domain services, they can be joined to the domain. Complete all of the following steps on each of the three client computers.

To join DHCP Client 1, DHCP Client 2, and DHCP Client 3 to the Contoso.com domain

---

1. Click Start, right-click Computer, and then click Properties.
   
2. Under Computer name, domain, and workgroup settings, click Change settings.
   
3. In the System Properties dialog box, click Change.
   
4. In the Computer Name/Domain Changes dialog box, select Domain, type Contoso.com, and then, in Computer Name, type enggmachine1.contoso.com.
   
5. Click More, and then, in Primary DNS suffix of this computer, type Contoso.com.
   
6. Click OK two times.
   
7. When prompted for a user name and password, type the user name and password for the User1 account, and then click OK.
   
8. When you see a dialog box that welcomes you to the Contoso.com domain, click OK.
   
9. When you see a dialog box that tells you that you must restart the computer to apply changes, click OK.
   
10. In the System Properties dialog box, click Close.
    
11. In the dialog box that prompts you to restart the compute, click Restart the computer now.
    

Release and Renew IP addresses on the DHCP Clients

---

Next, obtain a new IP address profile for the DHCP clients from DHCP. Complete all of the following steps on each of the three client computers

To renew IP addressing on the DHCP Clients

---

• On a DHCP client, in the Administrator: Command Prompt window, type ipconfig /renew, and then press ENTER.
  
• In the Command Prompt window, type ping 172.16.1.1, and then press ENTER.
  
• Verify that the response reads Reply from 172.16.1.1.
  
• In the Command Prompt window, type ipconfig, and then press ENTER.
  
• In the command output, verify that the value of Connection-specific DNS Suffix is contoso.com and that the value of Subnet Mask is 255.255.255.0.
  
• In the Command Prompt window, type route print -4, and then press ENTER.
  
• In the command output, below Active Routes, verify that a Network Destination of 172.16.1.1 is displayed.
  
• Close the Command Prompt window.
  

All three clients should have unrestricted access to the network at this point. In the next steps, we will add clients to the link layer-based filtering on the DHCP Server 1 allow and deny lists and demonstrate that one client retains access while the other two clients are denied access.

Configure DHCP on DHCP Server 1 to allow and deny DHCP clients

---

You may remember that our clients represent domain-joined DHCP clients configured to dynamically obtain IP addresses from the DHCP server in the domain

• DHCP Client 1 is a healthy network authorized client computer that is active and has an IP address from the DHCP server.
  
• DHCP Client 2 is a malicious unauthorized client computer that is active and has an IP address from the DHCP Server 1.
  
• DHCP Client 3 is a new client computer that is inactive and does not have network connectivity.
  

Open the DHCP console

---

Next, we will add DHCP Client 1 to the allow list and DHCP Client 2 to the deny list. DHCP Client 3 will not be added to any list and therefore will be denied network access as well.

To open the DHCP console

---

1. Click Start, click Run, type dhcpmgmt.msc, and then press ENTER.
   
2. Leave this window open for all DHCP configuration tasks.
   

Configure the Allow filter on DHCP Server 1

---

Next, configure the Allow filter under the IPv4 node by adding the MAC address of DHCP Client 1. A DHCP server offers its services to the DHCP clients based on the availability of MAC address filtering. Once the Allow filter is set, all DHCP operations are based on the access controls (allow/deny).

Note
You can add a valid MAC address to either the Allow or Deny filters, but not both.

To configure the Allow filter

---

1. In the DHCP console tree of DHCP Server 1, under IPv4, click Filters, under Filters right-click Allow, and then click New Filter.
   
2. In the New Allow Filter dialog box, in MAC Address, enter a six hexadecimal number representing the MAC or physical address of DHCP Client 1, and then click Add.
   
3. Under Filters right-click the Allow node, and then click the Enable pop-up menu item.
   

Configure the Deny filter on DHCP Server 1

---

Next, configure the Deny filter under the IPv4 node by adding the MAC address of DHCP Client 2.

To configure the Deny filter

---

1. In the DHCP console tree of DHCP Server 1, under IPv4, click Filters, right-click Deny under Filters, and then click New Filter.
   
2. In the New Deny Filter dialog box, in MAC Address, enter a six hexadecimal number representing the MAC or physical address of DHCP Client 2, click Add, and then click Close.
   
3. Under Filters right-click the Deny node, and then click the Enable pop-up menu item.
   

Release and Renew IP addresses on the DHCP clients

---

Now that the Allow and Deny filters are set, renew the IP addresses on the client computers and notice that DHCP Client 1 retains network connectivity while DHCP clients 2 and 3 are denied access. Repeat the following steps on each of the DHCP clients.

To renew IP addressing on the DHCP clients

---

• On DHCP Client 1, in the Administrator: Command Prompt window, type ipconfig /renew, and then press ENTER.
  
• In the Command Prompt window, type ping 172.16.1.1, and then press ENTER.
  
• Verify that the response reads Reply from 172.16.1.1 on DHCP Client 1 and Response timed out for DHCP clients 2 and 3.
  
• In the Command Prompt window, type ipconfig, and then press ENTER.
  
• In the command output, verify that the value of Connection-specific DNS Suffix is contoso.com and that the value of Subnet Mask is 255.255.255.0 for DHCP Client 1 and that these filed are blank for DHCP clients 2 and 3.
  
• In the Command Prompt window, type route print -4, and then press ENTER.
  
• In the command output, below Active Routes, verify that a Network Destination of 172.16.1.1 is displayed for DHCP Client 1, and that there is no route displayed for DHCP clients 2 and 3.
  
• Close the Command Prompt window.