DHCP Authorization

Why do you need to authorize a DHCP server when the server is a member of a
Domain? Where does it store the authorized server information and what does
it do special with the information? Is there a way around this with a
machine in the domain? What type of overhead is genterated by this?

Thanks

Mark

Hi Mark,

An unauthorized DHCP server on a network can cause a variety of problems,
such as the leasing of incorrect IP addresses and options. To protect
against this type of problem, when a Windows 2000 or Windows Server 2003
domain member DHCP server attempts to start on the network, it first queries
Active Directory. The DHCP server compares its IP address and server name to
the list of authorized DHCP servers. If either the server name or IP address
is found on the list of authorized DHCP servers, the server is authorized as
a DHCP server. If no match is found, the server is not authorized in Active
Directory and does not respond to DHCP traffic. The process of authorizing
DHCP servers is useful for only Windows 2000-based or Windows Server
2003-based DHCP servers. This process cannot be used for DHCP servers
running Windows NT Server, or servers running non-Windows-based DHCP
services. Only a member of the Enterprise Admins group can authorize or
unauthorize a DHCP server in Active Directory.

Authorizing DHCP Servers in Active Directory
http://www.microsoft.com/resources/d...c_dhc_srnz.asp

I hope this helps.

--
Mike
Microsoft MVP - Windows Security

"Mark" <(E-Mail Removed)> wrote in message
news:A2557CF8-DC57-42A8-8AE4-(E-Mail Removed)...
> Why do you need to authorize a DHCP server when the server is a member of
> a
> Domain? Where does it store the authorized server information and what
> does
> it do special with the information? Is there a way around this with a
> machine in the domain? What type of overhead is genterated by this?
>
> Thanks
>
> Mark

Miha,

I have seen this article and yes it helps thanks but I am really interested
in what the process is. Is this basically just a list stored in LDAP that is
checked every so often by a DHCP server to see if it is authorized? what
overhead does this generated?

Thanks

Mark

"Miha Pihler [MVP]" wrote:

> Hi Mark,
>
> An unauthorized DHCP server on a network can cause a variety of problems,
> such as the leasing of incorrect IP addresses and options. To protect
> against this type of problem, when a Windows 2000 or Windows Server 2003
> domain member DHCP server attempts to start on the network, it first queries
> Active Directory. The DHCP server compares its IP address and server name to
> the list of authorized DHCP servers. If either the server name or IP address
> is found on the list of authorized DHCP servers, the server is authorized as
> a DHCP server. If no match is found, the server is not authorized in Active
> Directory and does not respond to DHCP traffic. The process of authorizing
> DHCP servers is useful for only Windows 2000-based or Windows Server
> 2003-based DHCP servers. This process cannot be used for DHCP servers
> running Windows NT Server, or servers running non-Windows-based DHCP
> services. Only a member of the Enterprise Admins group can authorize or
> unauthorize a DHCP server in Active Directory.
>
> Authorizing DHCP Servers in Active Directory
> http://www.microsoft.com/resources/d...c_dhc_srnz.asp
>
> I hope this helps.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Mark" <(E-Mail Removed)> wrote in message
> news:A2557CF8-DC57-42A8-8AE4-(E-Mail Removed)...
> > Why do you need to authorize a DHCP server when the server is a member of
> > a
> > Domain? Where does it store the authorized server information and what
> > does
> > it do special with the information? Is there a way around this with a
> > machine in the domain? What type of overhead is genterated by this?
> >
> > Thanks
> >
> > Mark
>
>
>

AD is checked every time DHCP service starts. I am not sure about the
overhead. Can you be more specific what are your concerned about? Network
overhead? I believe this check would cause less traffic then client looking
for DHCP...

--
Mike
Microsoft MVP - Windows Security

"Mark" <(E-Mail Removed)> wrote in message
news:92D72F72-1006-450F-8AC0-(E-Mail Removed)...
> Miha,
>
> I have seen this article and yes it helps thanks but I am really
> interested
> in what the process is. Is this basically just a list stored in LDAP that
> is
> checked every so often by a DHCP server to see if it is authorized? what
> overhead does this generated?
>
> Thanks
>
> Mark
>
> "Miha Pihler [MVP]" wrote:
>
>> Hi Mark,
>>
>> An unauthorized DHCP server on a network can cause a variety of problems,
>> such as the leasing of incorrect IP addresses and options. To protect
>> against this type of problem, when a Windows 2000 or Windows Server 2003
>> domain member DHCP server attempts to start on the network, it first
>> queries
>> Active Directory. The DHCP server compares its IP address and server name
>> to
>> the list of authorized DHCP servers. If either the server name or IP
>> address
>> is found on the list of authorized DHCP servers, the server is authorized
>> as
>> a DHCP server. If no match is found, the server is not authorized in
>> Active
>> Directory and does not respond to DHCP traffic. The process of
>> authorizing
>> DHCP servers is useful for only Windows 2000-based or Windows Server
>> 2003-based DHCP servers. This process cannot be used for DHCP servers
>> running Windows NT Server, or servers running non-Windows-based DHCP
>> services. Only a member of the Enterprise Admins group can authorize or
>> unauthorize a DHCP server in Active Directory.
>>
>> Authorizing DHCP Servers in Active Directory
>> http://www.microsoft.com/resources/d...c_dhc_srnz.asp
>>
>> I hope this helps.
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
>>
>> "Mark" <(E-Mail Removed)> wrote in message
>> news:A2557CF8-DC57-42A8-8AE4-(E-Mail Removed)...
>> > Why do you need to authorize a DHCP server when the server is a member
>> > of
>> > a
>> > Domain? Where does it store the authorized server information and what
>> > does
>> > it do special with the information? Is there a way around this with a
>> > machine in the domain? What type of overhead is genterated by this?
>> >
>> > Thanks
>> >
>> > Mark
>>
>>
>>