Networking Forums

Moved DHCP server to DC, now only works for domain users

robert.waters
08-11-2008, 03:03 PM
I have just moved the DHCP server role from a domain member server
(which is being decommissioned) to the domain controller. It will now
only provide IP addresses to machines which are logged in to the
domain (domain user accounts).
Previously, it was no problem for the old DHCP server to provide
addresses to any machine that appeared in the network. This was
good/required behavior, because many of our machines are journeyman
laptops or Linux workstations.

I have done a few hours of research on the subject, and most results
point to a problem for non-authenticated users not being able to
interact with DNS properly/securely. I have enabled insecure dynamic
updates on the DNS server, provided a dns domain name via DHCP option
015 (which was not present on the old server, btw), and made several
more changes (that I cannot remember right now) that might have
helped, but did not.

Please, can anyone help me with this problem? I currently have an old
Linksys NAT box providing IPs to everyone, and while that is a
solution, it's not an incredibly robust one.

Thank you in advance,
Robert Waters

Phillip Windell
08-11-2008, 03:39 PM
DHCP is anonymous,..it does not care about users.
Machines get an IP Config before the user can even log in in the first
place,...therefore it is impossible to wait until the user has logged in
before they get the config,...the IP Config must come first,..then the
login.

Machines always go to the same DHCP they got the last successful Config from.
Machines always ask for the same IP# they got last time.
If a machine got a Config from the Linksys box then it will keep trying the
Linksys box the next time. Since the Linksys box is still "alive" it will
try the Linksys box even if the Linksys DHCP Service is disabled.

You're screwing yourself by even allowing the Linksys box to have the DHCP
enabled at all in the first place.

Delete and re-create the Scope. *Keep it simple*. Configure only the
basics (IP, mask, DNS, DFG) at first until it works right. Don't get
"creative" until everything works dependably. Do not enable the Scope until
the Linksys DHCP is disabled. Make sure your scope is activated and the
DHCP is authorized. You may want the Scopes to be inactive and the DHCP
Server to be un-authorized until the Linksys box has the DHCP Disabled.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

robert.waters
08-11-2008, 10:44 PM

The Linksys box was not in the network until I had the problems; it
was a last-ditch solution implemented only when I could not get the
new DHCP server working for non-domain PCs.

The DHCP server worked perfectly on a domain member server, but when
moved to the domain controller (using the same configuration with
respect to DNS servers, gateway, WINS etc.) it would only grant IP
addresses to machines (users) authenticated to the domain. E.g. log
into a PC with a local (non-domain) user account, no IP assigned;
re-login using a domain account, the IP is provided.
It seems that since I moved the role to the DC, it will only allow
authenticated users to get IP addresses.

Thanks for your help.

Lanwench [MVP - Exchange]
08-11-2008, 11:12 PM
As Phil states, there is simply no way DHCP can work only for authenticated
users in the domain. DHCP doesn't know anything about AD, and DHCP lease
assignments happen long before any user has even been prompted to log in.
Now, dynamic DNS updates *can* be restricted to authenticated AD users only,
but that has nothing to do with DHCP & is unlikely to be the issue here. I
agree with Phil - I'd yank out the Linksys box & start over.

robert.waters
08-13-2008, 03:36 AM
Are you absolutely sure? The DHCP server is integrated with AD at
least insofar as it has been "Authorized" to provide IP addresses to
domain machines.
I have a great deal of trouble not associating this problem with AD,
since a clear relationship has been demonstrated, where domain
accounts work on the same machine upon which non-domain accounts do
not work.
I appreciate your help, and will take your advice and start from
whatever scratch I can (being that I can't wipe my DC without causing
myself a great bit of trouble. I might as well keep the Linksys box).

Thanks again

Meinolf Weber
08-13-2008, 06:25 AM
Hello robert.waters,

As all the others state, DHCP has nothing to do with user login. The authorization
in AD makes sure that no other Windows DHCP server is able to release addresses
in your domain. That's the reason for it. It will also hand out addresses
to computers that are NOT members of the domain.

If you have logon trouble with non-domain users, then check how they log on.
They can only choose the option for (this computer) behind the computer name.
You can NOT log on with non-domain accounts if they choose the field "log on
to" with the domain name.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

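The two checks the thread keeps coming back to, Phil's "scope activated, server authorized, Linksys DHCP off" list and Meinolf's point that AD authorization only restrains other Windows DHCP servers, can be verified from a console. This is an added example, not code from the thread; it assumes the DhcpServer PowerShell module (RSAT / Windows Server 2012 or later, not available on the 2008-era servers discussed here) and treats whatever Get-DhcpServerInDC returns as the authorized server list.

```powershell
# Added example, not from the thread. Assumes the DhcpServer module
# (Windows Server 2012+); the thread's 2008-era servers would use
# 'netsh dhcp' for the same information.

# --- On any client, domain-joined or not: which server handed out the lease? ---
# The lease is negotiated before logon, so the lease server tells you which
# DHCP service won the race, not which user is logged in. A lease from an
# address that is not an authorized Windows DHCP server means a non-Windows
# server (the Linksys box) answered first; AD authorization never silences
# those, only turning off their DHCP service does.
function Get-LeaseSourceReport {
    param(
        # Addresses of the authorized DHCP servers. On a box without the
        # DhcpServer module, pass the DC's address by hand.
        [string[]] $AuthorizedServers
    )
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
        Where-Object { $_.DHCPEnabled } |
        ForEach-Object {
            [pscustomobject]@{
                Adapter     = $_.Description
                IPAddress   = ($_.IPAddress | Select-Object -First 1)
                LeaseServer = $_.DHCPServer
                Authorized  = [bool]($AuthorizedServers -contains $_.DHCPServer)
            }
        }
}

$authorized = Get-DhcpServerInDC | ForEach-Object { $_.IPAddress.ToString() }
Get-LeaseSourceReport -AuthorizedServers $authorized | Format-Table -AutoSize

# --- On the DC that now runs DHCP: authorized, scope active, basics only? ---
# Phil's checklist: the scope exists and is Active, the server is authorized,
# and only basic options are set (3 = router/DFG, 6 = DNS servers,
# 15 = DNS domain name) until everything works dependably.
$selfAuthorized = Get-DhcpServerInDC | Where-Object { $_.DnsName -like "$env:COMPUTERNAME.*" }
if (-not $selfAuthorized) {
    Write-Warning "This server is not authorized in AD; it will not hand out leases."
}

Get-DhcpServerv4Scope | ForEach-Object {
    $scope = $_
    if ($scope.State -ne 'Active') {
        Write-Warning "Scope $($scope.ScopeId) is $($scope.State), not Active."
    }
    Get-DhcpServerv4OptionValue -ScopeId $scope.ScopeId |
        Select-Object @{ n = 'ScopeId'; e = { $scope.ScopeId } }, OptionId, Name, Value
}

# Leases are keyed by client hardware address (ClientId), never by a user
# account, so non-domain laptops and Linux boxes show up here exactly like
# domain members once the competing DHCP server is out of the way.
Get-DhcpServerv4Scope | ForEach-Object { Get-DhcpServerv4Lease -ScopeId $_.ScopeId } |
    Select-Object IPAddress, ClientId, HostName, AddressState, LeaseExpiryTime
```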



 
Phillip Windell
08-13-2008, 02:13 PM
"robert.waters" <(E-Mail Removed)> wrote in message
news:ef8606fd-3e3c-4efb-84ba-(E-Mail Removed)...

[Robert]
Are you absolutely sure? The DHCP server is integrated with AD at
least insofar as it has been "Authorized" to provide IP addresses to
domain machines.
I have a great deal of trouble not associating this problem with AD,
since a clear relationship has been demonstrated, where domain
accounts work on the same machine upon which non-domain accounts do
not work.

[Phil]
Meinolf Weber already covered that the same as I would have said.

[Robert]
I appreciate your help, and will take your advice and start from
whatever scratch I can (being that I can't wipe my DC without causing
myself a great bit of trouble. I might as well keep the Linksys box).

[Phil]
No one is telling you to wipe the DC. At minimum delete the Scope in DHCP
and recreate it,...at maximum uninstall the DHCP Service and then reinstall
it. The Linksys DHCP must *NOT* be functioning on the LAN when you do this.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 