• Unauthorized DHCP Server Detection
  • Protecting Against Unauthorized DHCP Servers
  • Protecting Against Improper Use of Workgroup DHCP Servers
  • Multicast Address Allocation




    Date: 26.03.2020
    Size: 353.5 Kb.

    Multicast Address Allocation


    DHCP in Windows Server 2003 allows the assignment of multicast addresses in addition to unicast addresses. This feature benefits network administrators by enabling assignment of multicast addresses in the same fashion as unicast addresses, allowing complete utilization of the existing infrastructure.

    Conferencing and audio applications typically use multicast address allocation, which requires users to specially configure multicast addresses. Unlike IP broadcasts, to which all computers on the network have access, multicast addresses are used to send traffic to a group of computers, using the concept of group membership to identify the message recipients.

    The multicast address allocation feature has two parts: the server implementation provides multicast addresses, and the client has APIs that applications can use to request, renew, and release multicast addresses. To use this feature, the administrator first configures the multicast scopes and the corresponding multicast IP ranges on the server using the DHCP snap-in, allowing multicast address management that is similar to the typical management of IP addresses. The client can use APIs to request a multicast address from a scope. The underlying implementation uses DHCP-compatible packets between the client and the server.

    Unauthorized DHCP Server Detection


    DHCP in Windows Server 2003 prevents unauthorized DHCP servers from creating address assignment conflicts. This feature solves problems that could otherwise occur if users accidentally created unauthorized DHCP servers that could unintentionally assign IP addresses to clients elsewhere on the network. For example, a user could create a local DHCP server by using nonunique Net 10 addresses from the private address space, unintentionally leasing the addresses to clients requesting addresses.

    DHCP in Windows Server 2003 includes management features that both prevent unauthorized deployments and detect existing unauthorized DHCP servers by requiring authentication by an authorized administrator to make a DHCP server active on the network.


    Protecting Against Unauthorized DHCP Servers


    When a DHCP server that is a member of a Microsoft Active Directory® domain comes up, it can query the list of authorized servers stored in Active Directory to determine whether it is authorized. If it is not, it does not respond to DHCP requests. Only a domain or enterprise administrator has write access to the folder location in Active Directory that contains the authorized list.

    Administrators create the list of authorized servers in Active Directory with the DHCP console. When a DHCP server first starts on a network, it tries to establish contact with Active Directory to determine its membership in the list of authorized servers. If it fails to connect, it cannot respond to client requests.



    Figure 1 below illustrates the sequence of checks by which a DHCP server gains authorization on a network.



    Figure 1. DHCP Server Authorization Sequence

    Protecting Against Improper Use of Workgroup DHCP Servers


    When DHCP servers that do not belong to a domain (such as a member of a workgroup) start, the following occurs:

    • The DHCP server broadcasts a DHCPINFORM message on the network. Any other DHCP server that receives this message responds with a DHCPACK message and provides the name of its domain.

    • If a workgroup DHCP server detects a DHCP server on the network that is a member of a domain, the workgroup DHCP server does not service requests.

    • If the workgroup DHCP server detects the presence of another workgroup server, it ignores it.

    Even when a workgroup server starts and is able to run—for example, because of the absence of a domain member server or workgroup server on the network—it continues to send DHCPINFORM messages every 60 minutes. If an authorized domain member DHCP server starts later, the workgroup server becomes unauthorized and stops servicing DHCP requests from clients.
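
The checks described above, written as a small model. This is an added example, not code from the original document or from Microsoft; every name in it is hypothetical and the peer data is constructed. It assumes the domain member server that appears later is authorized, and it shows how long a workgroup server can keep answering clients before its next 60-minute DHCPINFORM probe notices that server.

```python
# Added illustration: simplified model of the DHCP authorization checks.
# Hypothetical names throughout; not Microsoft's implementation.
from dataclasses import dataclass
from typing import List, Optional, Tuple

RECHECK_MINUTES = 60  # DHCPINFORM re-probe interval stated in the text

@dataclass
class Peer:
    """Another DHCP server on the segment."""
    name: str
    domain: Optional[str]  # None means a workgroup server
    starts_at: int         # minute at which it comes online

# Constructed sample data: a second workgroup server is present from the
# start, and an authorized domain member server appears at minute 90.
SAMPLE_PEERS = [Peer("wg-lab2", None, 0), Peer("dc-dhcp1", "corp.example", 90)]

def domain_member_may_serve(server: str, authorized: Optional[List[str]]) -> bool:
    """Domain member: serve only if listed in Active Directory.
    authorized=None models a failed connection to Active Directory."""
    return authorized is not None and server in authorized

def dhcpack_domains(peers: List[Peer], now: int) -> List[Optional[str]]:
    """Domain names carried in the DHCPACK replies to one DHCPINFORM."""
    return [p.domain for p in peers if p.starts_at <= now]

def workgroup_may_serve(acks: List[Optional[str]]) -> bool:
    """Workgroup server: stand down if any reply names a domain;
    replies from other workgroup servers are ignored."""
    return not any(domain is not None for domain in acks)

def workgroup_timeline(peers: List[Peer], total: int) -> List[Tuple[int, bool]]:
    """(minute, serving?) at startup and at each 60-minute re-probe."""
    return [(t, workgroup_may_serve(dhcpack_domains(peers, t)))
            for t in range(0, total + 1, RECHECK_MINUTES)]

def overlap_minutes(peers: List[Peer], total: int) -> int:
    """Minutes the workgroup server keeps answering clients although a
    domain member server is already online."""
    starts = [p.starts_at for p in peers if p.domain is not None]
    if not starts:
        return 0
    stop = next((t for t, ok in workgroup_timeline(peers, total) if not ok), total)
    return max(0, stop - min(starts))

if __name__ == "__main__":
    print(workgroup_timeline(SAMPLE_PEERS, 180))
    print(overlap_minutes(SAMPLE_PEERS, 180))
```

In this model the overlap is always shorter than one probe interval, so a monitoring check for two servers answering on the same segment should tolerate up to 60 minutes before alerting on a workgroup server.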

