DHCP Rogue Detection Problem

October 26th, 2005 - 01:53 pm ET by Verrice | Report spam
Hello,

Some time ago we implemented an Active Directory installation. Our NT4
DHCP server was not part of the upgrade, but now we want to move DHCP
into AD.

The NT4 DHCP server is not a member of the AD.

We installed the DHCP service onto the AD-BDC, setup the scope,
authorized the server, turned off the old DHCP server, activated the
scope on the new DHCP server, and got nothing. It does show that it
sees requests, and is on the same subnet as the scope it is trying to
provide. It just doesn't answer the call to duty.

We tried using the registry edit to turn off rogue detection, but that
has had no impact. All related servers and clients have been rebooted
numerous times. We also saw, much too late, the words from MS:

"For the directory authorization process to work properly, it is
assumed
and necessary that the first DHCP server introduced onto your network
participate in the Active Directory service. This requires that the
server
be installed as either a domain controller or a member server. When you

are either planning for or actively deploying Active Directory
services, it
is
important that you do not elect to install your first DHCP server
computer
as a stand-alone server."

My question is... how do you contend with the situation where you DID
have a DHCP server that was a stand-alone server before any other DHCP
servers were in AD? Reinstalling AD isn't a very good option.

Any help would be appreciated!

-Verrice
email Follow the discussionReplies 4 repliesReplies Make a reply

Similar topics

Replies

#1 Paul Hinsberg
October 26th, 2005 - 04:05 pm ET | Report spam
You can validate which DHCP Servers are on the network as authorized by
running the following from any server in the domain:

C:\>netsh dhcp show server

You can also use the NETSH command to delete a rogue authorized server if
need be:

C:>netsh dhcp delete server Badserver.mydomain.com 10.10.10.10

or NETSH DHCP DELETE SERVER [FQDN of server] [IP Address of server]

If you have smart switches and/or routers on your network, you will need to
make sure that these are configured to forward BOOTP/DHCP requests to the new
DHCP server. This is refered to as setting the IPHELPER parameter.

Make sure that the DHCP server service on the old server is STOPPED, even if
the scopes are disabled.

Paul Hinsberg


"Verrice" wrote:

Hello,

Some time ago we implemented an Active Directory installation. Our NT4
DHCP server was not part of the upgrade, but now we want to move DHCP
into AD.

The NT4 DHCP server is not a member of the AD.

We installed the DHCP service onto the AD-BDC, setup the scope,
authorized the server, turned off the old DHCP server, activated the
scope on the new DHCP server, and got nothing. It does show that it
sees requests, and is on the same subnet as the scope it is trying to
provide. It just doesn't answer the call to duty.

We tried using the registry edit to turn off rogue detection, but that
has had no impact. All related servers and clients have been rebooted
numerous times. We also saw, much too late, the words from MS:

"For the directory authorization process to work properly, it is
assumed
and necessary that the first DHCP server introduced onto your network
participate in the Active Directory service. This requires that the
server
be installed as either a domain controller or a member server. When you

are either planning for or actively deploying Active Directory
services, it
is
important that you do not elect to install your first DHCP server
computer
as a stand-alone server."

My question is... how do you contend with the situation where you DID
have a DHCP server that was a stand-alone server before any other DHCP
servers were in AD? Reinstalling AD isn't a very good option.

Any help would be appreciated!

-Verrice




Replies Reply to this message
#2 Verrice
October 26th, 2005 - 10:50 pm ET | Report spam
I tried netsh dhcp show server and only see the DHCP servers that I
want to use, not the old NT4 server I want to decomission... Is that
okay? Can I do the delete for the old server even if it's not in the
list?

I'll have to try that part another time since I cannot bring down the
old DHCP server from here.
Replies Reply to this message
#3 Verrice
October 26th, 2005 - 10:51 pm ET | Report spam
Oh, and thank you for the reply :)
Replies Reply to this message
#4 Blastoff
October 28th, 2005 - 12:37 am ET | Report spam
Rouge DHCP Detection.

By its virtue DHCP as no auth scheme, so the ms implementation
in AD is about as useless as a sack of rocks for rouge dhcp
detection.

When a pc comes up on the network that does not have a static ip
address it will do a broadcast in the hope of finding a dhcp server
if one exists on the subnet it will try assign the client a ip.
If 2 dhcp servers exist on the same subnet, which ever one responds
to the request first will typically asign a ip to the client.

Case and point. Assume your handing out ips on a 172.16.x.x subnet
from your dhcp server to client pc's and someone puts a netgear router
for example on the same subnet, but its configured to hand out ip's in
the 192.168.x.x address range, You will find that a fair number of
your clients over time will receive a lease from the "netgeAr type
router "

So this leaves you with pc's assigned off your desired subnet.

FYI: your dhcp server does not have to be a part of AD. your existing
nt box will do fine. As long as only one dhcp server exists at any
give time on a subnet you will not have problems.

Hope this sheds some insight on it for you.

JJ.
email Follow the discussion Replies Reply to this message
Help Create a new topicReplies Make a reply
Search Make your own search