exclude MACs from DHCP/Bootp on Windows 2003 Server

 
 
Sascha Kremers
      02-17-2006, 01:20 PM
Hi everyone,

this is not another question about "securing" the network via dhcp -
though related.

I have 3 Terminals (MAC-Addresses) on my Network that I just don't want
my DHCP-Server to handle.

The Story: We have 2 DHCP servers on the same physical net (it's WRONG,
but right now can't change it). One is hosted by an external
Corporation, it and its clients are SCO Unix, running mission-critical
applications and I'm officially not allowed to mess with them (I'm not
keen on it either). The terminals boot from network, so after upgrading
our DHCP-Server it fetches the diskless terminals, assigns an IP and
they won't boot.

I see 2 possible solutions:
1. Emulate the BOOTP/DHCP-Assignments from the Unix Server on my
server. Deprecated, since an unsuspecting Technician from the Company
will spend his time (and our money) figuring out why the
replacement-terminal won't boot.

2. Make our DHCP Server ignore those Terminals (MACs). Favoured. I'd
like to separate those Systems as much as possible.

BTW: Separating the nets physically won't work (Reporting and
Controlling occurs from normal Network-PCs)

Any suggestions?
Thanks in advance.

Best Regards
Sascha

 
Jan Hugo Prins
      02-17-2006, 03:26 PM
On Fri, 17 Feb 2006 06:20:42 -0800, Sascha Kremers wrote:

> Hi everyone,
>
> this is not another question about "securing" the network via dhcp -
> though related.
>
> I have 3 Terminals (MAC-Addresses) on my Network that I just don't want my
> DHCP-Server to handle.


What you could do is use DHCP Userclasses. This way you can configure it to
only respond to clients that arrive with a specific DHCP Userclass. When
you do this you have to make sure that all your clients on your network
have this userclass defined. You can do this with IPConfig and it is
maintained after reboot. So setting it once on all your clients will
be enough. Then you have to make sure that you don't respond to clients
that don't come with this DHCP Userclass. This also excludes strange
machines from your network.

Jan Hugo
 
Sascha Kremers
      02-20-2006, 02:59 PM
Thanks so far. Now I'll have to wait until the Clients are rebooted to
do a first test.

What I did (just in case anyone has the same problem):
add 2 Lines to the default login-script
ipconfig /setclassid "*" windows
ipconfig /renew

Create a new User Class (Rightclick on DHCP - <MyServer>)

Assign the standard options (already defined without class) to this
User Class (Scope Options - RightClick - Configure Scope - Advanced;
Select the created User Class from the upper pull-down-menu and tick
the options).

What I'll do:
delete the Classless-Options.
Hope this will keep the Clients without User Class (those
Unix-Terminals) from getting an IP-Address, even though there is no
explicit DHCP-Option for getting an IP.

Best Regards
Sascha


German Keywords:
Benutzerklasse, Bereich, Bereichsoptionen konfigurieren,

 
 
Abood
      02-21-2006, 05:16 AM
Hello Sascha Kremers,

I am seeking to put two DHCP servers on the same physical LAN. Could you
please help me with that?

 
 
Jan Hugo Prins
      02-25-2006, 05:48 PM
On Mon, 20 Feb 2006 07:59:27 -0800, Sascha Kremers wrote:

> Thanks so far. Now I'll have to wait until the Clients are rebooted to
> do a first test.
>
> What I did (just in case anyone has the same problem):
> add 2 Lines to the default login-script
> ipconfig /setclassid "*" windows
> ipconfig /renew
>
> Create a new User Class (Rightclick on DHCP - <MyServer>)
>
> Assign the standard options (already defined without class) to this
> User Class (Scope Options - RightClick - Configure Scope - Advanced;
> Select the created User Class from the upper pull-down-menu and tick
> the options).
>
> What I'll do:
> delete the Classless-Options.
> Hope this will keep the Clients without User Class (those
> Unix-Terminals) from getting an IP-Address, even though there is no
> explicit DHCP-Option for getting an IP.


I did some further reading on this and it is not possible to deny a
certain MAC address from getting an IP from your DHCP Server. The only way to do
this is to use a Linux/Unix DHCP Server. ISC DHCP Server has the possibility
to put a MAC in the config file and set it on deny always. But this means
you stop using the Windows DHCP Server.

You could also ask the people that are running this second DHCP Server in
your network to do the DHCP for the complete network. Your Windows clients
probably won't suffer that much from this because they only need some
basic options and a single IP.

Jan Hugo
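
Added example (not part of the thread and not any poster's configuration): a sketch of the per-MAC deny in ISC dhcpd.conf mentioned in the post above, using one host declaration per terminal. The subnet, address range, host names and MAC addresses are constructed placeholders from documentation ranges.

```conf
# dhcpd.conf fragment for ISC DHCP (added example).
# All addresses, MACs and host names below are constructed placeholders;
# replace them with the values for your own network.

default-lease-time 86400;
max-lease-time 172800;

# Ordinary clients on the shared segment get leases from this pool.
subnet 192.0.2.0 netmask 255.255.255.0 {
  range 192.0.2.100 192.0.2.200;
  option routers 192.0.2.1;
  option domain-name-servers 192.0.2.10;
}

# One host declaration per diskless terminal that the other server on the
# segment must handle. The booting flag only has meaning inside a host
# declaration; "deny booting" tells dhcpd not to serve that hardware
# address, so only the other server answers it.
host terminal-1 {
  hardware ethernet 00:00:5e:00:53:01;
  deny booting;
}

host terminal-2 {
  hardware ethernet 00:00:5e:00:53:02;
  deny booting;
}

host terminal-3 {
  hardware ethernet 00:00:5e:00:53:03;
  deny booting;
}
```

The file can be syntax-checked with `dhcpd -t -cf <path>` before the service is restarted. A replacement terminal arrives with a new MAC, so it needs its own host entry before it is plugged in.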
 
 
Sascha Kremers
      03-16-2006, 12:51 PM
Jan Hugo Prins wrote:

> On Mon, 20 Feb 2006 07:59:27 -0800, Sascha Kremers wrote:
>
> > Thanks so far. Now I'll have to wait until the Clients are rebooted to
> > do a first test.


It failed. The Unix-Terminals still don't boot from the Unix-Server.

> I did some further reading on this and it is not possible to deny a
> certain MAC address to get an IP from your DHCP Server.


You're almost likely right. The unix-guys from that company told me
another customer would have accomplished this with a windows DHCP
server. I guess they were just wrong.

> The only way to do
> this is to use a Linux/Unix DHCP Server. ISC DHCP Server has the possibility
> to put a MAC in the config file and set it on deny always. But this means
> you stop using the Windows DHCP Server.


That would be a minor problem. But for now, Windows doesn't seem to be
directly supported (at least I'll have to build it on my own). But I'll
be reading deeper into that. Thank you.

> You could also ask the people that are running this second DHCP Server in
> your network to do the DHCP for the complete network. Your Windows clients
> probably won't suffer that much from this because they only need some
> basic options and a single IP.


Those People seem rather incompetent to me and they've quite high
prices too.
We'll end all contracts within 3 months anyway.

Best Regards
Sascha

 