DHCP Rogue Detection Problem

October 26th, 2005 - 01:53 pm ET by Verrice
Hello,

Some time ago we implemented an Active Directory installation. Our NT4
DHCP server was not part of the upgrade, but now we want to move DHCP
into AD.

The NT4 DHCP server is not a member of the AD.

We installed the DHCP service onto the AD-BDC, set up the scope,
authorized the server, turned off the old DHCP server, activated the
scope on the new DHCP server, and got nothing. It does show that it
sees requests, and is on the same subnet as the scope it is trying to
provide. It just doesn't answer the call to duty.

We tried using the registry edit to turn off rogue detection, but that
has had no impact. All related servers and clients have been rebooted
numerous times. We also saw, much too late, the words from MS:

"For the directory authorization process to work properly, it is
assumed and necessary that the first DHCP server introduced onto your
network participate in the Active Directory service. This requires that
the server be installed as either a domain controller or a member
server. When you are either planning for or actively deploying Active
Directory services, it is important that you do not elect to install
your first DHCP server computer as a stand-alone server."

My question is... how do you contend with the situation where you DID
have a DHCP server that was a stand-alone server before any other DHCP
servers were in AD? Reinstalling AD isn't a very good option.

Any help would be appreciated!

-Verrice

Replies

#1 Blastoff
October 28th, 2005 - 12:37 am ET
Rogue DHCP Detection.

By its virtue DHCP has no auth scheme, so the MS implementation
in AD is about as useless as a sack of rocks for rogue DHCP
detection.

When a PC comes up on the network that does not have a static IP
address it will do a broadcast in the hope of finding a DHCP server.
If one exists on the subnet it will try to assign the client an IP.
If 2 DHCP servers exist on the same subnet, whichever one responds
to the request first will typically assign an IP to the client.

Case in point. Assume you're handing out IPs on a 172.16.x.x subnet
from your DHCP server to client PCs and someone puts a Netgear router,
for example, on the same subnet, but it's configured to hand out IPs in
the 192.168.x.x address range. You will find that a fair number of
your clients over time will receive a lease from the "Netgear type
router".

So this leaves you with PCs assigned off your desired subnet.

FYI: your DHCP server does not have to be a part of AD. Your existing
NT box will do fine. As long as only one DHCP server exists at any
given time on a subnet you will not have problems.

Hope this sheds some insight on it for you.

JJ.
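
Since the reply above points out that AD authorization does nothing against a consumer router answering DHCPDISCOVER first, a monitoring host on the subnet can catch that case itself by inspecting the DHCPOFFERs it sees. The following is an added example (Python, not from the thread or from any Microsoft tool): it parses the BOOTP header and DHCP options of an OFFER and flags any offer whose server identifier (option 54) is not the authorized server, or whose offered address falls outside the expected scope, using the 172.16.x.x vs 192.168.x.x scenario from the reply. The authorized server address, scope and the packets are constructed for the demo.

```python
import ipaddress

# Constructed policy for the demo: the one authorized server and the scope it serves.
AUTHORIZED_SERVERS = {"172.16.0.1"}
EXPECTED_SCOPE = ipaddress.ip_network("172.16.0.0/16")
DHCP_OFFER = 2                       # value of option 53 for a DHCPOFFER
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options in a BOOTP frame

def parse_dhcp(packet: bytes) -> dict:
    """Return op, yiaddr and a {code: raw value} dict of the TLV options."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    yiaddr = str(ipaddress.IPv4Address(packet[16:20]))  # 'your' (offered) address
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                # pad option, single byte
            i += 1
            continue
        if code == 255:              # end option
            break
        length = packet[i + 1]
        opts[code] = packet[i + 2 : i + 2 + length]
        i += 2 + length
    return {"op": packet[0], "yiaddr": yiaddr, "options": opts}

def check_offer(packet: bytes) -> list:
    """Return reasons an OFFER looks rogue; an empty list means it looks legitimate."""
    msg = parse_dhcp(packet)
    opts = msg["options"]
    if opts.get(53, b"\x00")[0] != DHCP_OFFER:
        return []                    # only OFFERs are judged here
    findings = []
    server_id = str(ipaddress.IPv4Address(opts[54])) if 54 in opts else "unknown"
    if server_id not in AUTHORIZED_SERVERS:
        findings.append(f"unauthorized server identifier {server_id}")
    if ipaddress.ip_address(msg["yiaddr"]) not in EXPECTED_SCOPE:
        findings.append(f"offered address {msg['yiaddr']} outside {EXPECTED_SCOPE}")
    return findings

def build_offer(server_ip: str, offered_ip: str) -> bytes:
    """Build a minimal constructed DHCPOFFER for the demo (not a real capture)."""
    hdr = bytearray(236)
    hdr[0:4] = b"\x02\x01\x06\x00"   # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0
    hdr[16:20] = ipaddress.IPv4Address(offered_ip).packed
    opts = bytes([53, 1, DHCP_OFFER, 54, 4]) + ipaddress.IPv4Address(server_ip).packed + b"\xff"
    return bytes(hdr) + MAGIC_COOKIE + opts

if __name__ == "__main__":
    print(check_offer(build_offer("192.168.1.1", "192.168.1.50")))  # the "Netgear" case
```

In practice the UDP payloads handed to check_offer come from a sniffer bound to port 68 on a host in the affected subnet; anything it flags is a server answering clients that AD authorization never knew about.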
