#1
Hello,

I'm at the outer limits of my ability here, so if I've got the wrong idea please just say so. I'm taking a Webmaster class using (at this point) Win2003/XP.

We have to design a multi-region intranet. I've set it up to use DHCP/DNS. But then I got to thinking, since we have to apply ISA (which I don't yet know much about), it might be more secure if I make a given DHCP scope apply to a given OU (specifically another regional office). The idea being that I could build some kind of "extra protection/flexibility" into the network if I could apply firewall policy/rules to a given range of IP addresses, i.e. different firewall rules for in-region vs. out-of-region systems.

I don't really know what I'm talking about yet... At the moment everyone, no matter where they are in the network, just gets an IP from the single scope I have created. It doesn't "feel" right?

I gather I need to put resources into an OU, not users, otherwise a travelling user might end up using an out-of-region IP if he/she was in region? Then I figured I'd attach a DHCP scope to the OU to split the IPs out according to resource location, and then I could apply the firewall rules to given IP ranges?

O.k., so the problem I've got is that I can't find where to do that. I'm also beginning to wonder if I'm using the right container. I've looked at sites. What I've read says maybe I should be using those instead, i.e. logical vs. physical.

But I can't see where sites tie into DHCP. How do I associate a site to a DHCP scope? Am I making any sense?

Thanks

Richard
#2
DHCP is a broadcast protocol that happens prior to any other communication happening on the network. Without doing any special configuration of DHCP relay agents or broadcast forwarding on your router, DHCP is limited to working on a single network segment (since routers don't forward broadcasts). It works like this:

Client boots up, and a network adapter set to DHCP will send a layer 2 broadcast for DHCP servers.
DHCP server receives the broadcast and sends a layer 2 unicast response to the requester with a DHCP offer.
DHCP client accepts the first offer it gets and sends an acknowledgment to the server accepting the lease.
Thereafter the DHCP client will attempt to renew its lease on the address.

So as you can see, this all happens prior to the client even getting an IP address and establishing communications with AD, but a DHCP server will deal with any device on your network requesting an address. If you want protection from unknown devices getting DHCP leases on your network, then look into 802.1X.
#3
Hi Richard,

If your intention is to control access through IP, you can do so in ISA by configuring the right policies. Secondly, if you plan site-based IP scopes, think of the network traffic also.

Pankaj
#4
You'll typically assign scopes to broadcast networks, or subnets. The DHCP address is assigned to the client before Windows makes any communications with any other machines (other than the traffic used to negotiate the DHCP lease). At the time the IP address is leased to the client via DHCP, nothing has any idea which OU the computer and/or user resides in.

--
Jack Doyle, Systems Engineer
ScriptLogic Corporation
http://www.scriptlogic.com
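Worked example added by the editor (not code posted by anyone in this thread, and not a Microsoft DHCP implementation): a minimal RFC 2131 DISCOVER/OFFER exchange in Python that shows the two points made in #2 and #4 together. The DISCOVER carries only a MAC address and a zero client address, so the server has nothing to tie to an OU, site or user; it picks a scope from where the request came from, the relay agent's giaddr for a request forwarded across a router, otherwise the interface it arrived on. The two subnets, the server address and the pool ranges are made up for the demo; the same laptop booting in a second region gets an address from that region's scope, which is why subnet-based ISA rules follow physical location rather than directory membership.

```python
"""Minimal DHCP DISCOVER/OFFER exchange (RFC 2131). Constructed illustration:
the two scopes, the server address and the pool ranges below are made up."""
import ipaddress
import struct
from dataclasses import dataclass, field

HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed BOOTP part of every DHCP message
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_SUBNET, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 1, 51, 53, 54, 255
DISCOVER, OFFER = 1, 2


@dataclass
class DhcpMessage:
    op: int
    xid: int
    chaddr: bytes                 # client hardware (MAC) address; all the server learns about the host
    ciaddr: str = "0.0.0.0"       # the client has no address yet when it sends DISCOVER
    yiaddr: str = "0.0.0.0"       # "your" address, filled in by the server in the OFFER
    giaddr: str = "0.0.0.0"       # relay agent address, set only when a router forwards the request
    options: dict = field(default_factory=dict)   # option code -> raw value bytes

    def pack(self) -> bytes:
        fixed = struct.pack(
            HEADER, self.op, 1, 6, 0, self.xid, 0, 0x8000,   # htype=Ethernet, hlen=6, broadcast flag
            ipaddress.ip_address(self.ciaddr).packed,
            ipaddress.ip_address(self.yiaddr).packed,
            b"\0" * 4,                                         # siaddr, unused here
            ipaddress.ip_address(self.giaddr).packed,
            self.chaddr, b"", b"")                             # struct null-pads chaddr/sname/file
        opts = b"".join(bytes([code, len(val)]) + val for code, val in self.options.items())
        return fixed + MAGIC_COOKIE + opts + bytes([OPT_END])

    @classmethod
    def unpack(cls, raw: bytes) -> "DhcpMessage":
        size = struct.calcsize(HEADER)
        op, _, hlen, _, xid, _, _, ci, yi, _, gi, ch, _, _ = struct.unpack(HEADER, raw[:size])
        if raw[size:size + 4] != MAGIC_COOKIE:
            raise ValueError("missing DHCP magic cookie")
        options, i = {}, size + 4
        while i < len(raw) and raw[i] != OPT_END:
            if raw[i] == 0:                       # pad option
                i += 1
                continue
            code, length = raw[i], raw[i + 1]
            options[code] = raw[i + 2:i + 2 + length]
            i += 2 + length
        addr = lambda b: str(ipaddress.ip_address(b))
        return cls(op, xid, ch[:hlen], addr(ci), addr(yi), addr(gi), options)


class DhcpServer:
    """One scope per subnet; the scope is chosen from where the request came from."""

    def __init__(self, server_ip: str, subnets: list):
        self.server_ip = server_ip
        # Constructed pools: ten leasable hosts per subnet.
        self.pools = {ipaddress.ip_network(s): [str(h) for h in ipaddress.ip_network(s).hosts()][10:20]
                      for s in subnets}
        self.leases = {}   # chaddr -> leased address

    def select_scope(self, msg: DhcpMessage, iface_ip: str):
        # RFC 2131 4.3.1: a non-zero giaddr means a relay agent forwarded the request, so the
        # scope containing giaddr applies; otherwise use the interface the broadcast arrived on.
        locator = ipaddress.ip_address(msg.giaddr if msg.giaddr != "0.0.0.0" else iface_ip)
        for net in self.pools:
            if locator in net:
                return net
        raise LookupError(f"no scope covers {locator}")

    def handle_discover(self, raw: bytes, iface_ip: str):
        msg = DhcpMessage.unpack(raw)
        if msg.op != BOOTREQUEST or msg.options.get(OPT_MSG_TYPE) != bytes([DISCOVER]):
            return None
        net = self.select_scope(msg, iface_ip)
        ip = self.leases.get(msg.chaddr)
        if ip is None or ipaddress.ip_address(ip) not in net:   # host moved subnet: old lease is useless
            ip = self.pools[net].pop(0)
        self.leases[msg.chaddr] = ip
        offer = DhcpMessage(BOOTREPLY, msg.xid, msg.chaddr, yiaddr=ip, giaddr=msg.giaddr, options={
            OPT_MSG_TYPE: bytes([OFFER]),
            OPT_SUBNET: net.netmask.packed,
            OPT_LEASE: struct.pack("!I", 86400),
            OPT_SERVER_ID: ipaddress.ip_address(self.server_ip).packed,
        })
        return offer.pack()


def demo():
    """The same laptop booting in two regions; returns the address offered each time."""
    server = DhcpServer("10.1.0.2", ["10.1.0.0/24", "10.2.0.0/24"])
    mac = bytes.fromhex("00aabbccddee")
    discover = {OPT_MSG_TYPE: bytes([DISCOVER])}
    # Boot at head office: the broadcast arrives on the server's own interface, giaddr unset.
    req1 = DhcpMessage(BOOTREQUEST, 0x1234, mac, options=discover).pack()
    offer1 = DhcpMessage.unpack(server.handle_discover(req1, "10.1.0.2"))
    # Boot at a regional office: the router's relay agent fills in giaddr before forwarding.
    req2 = DhcpMessage(BOOTREQUEST, 0x5678, mac, giaddr="10.2.0.1", options=discover).pack()
    offer2 = DhcpMessage.unpack(server.handle_discover(req2, "10.1.0.2"))
    return offer1.yiaddr, offer2.yiaddr
```

`demo()` returns `("10.1.0.11", "10.2.0.11")`: nothing in either request identifies the user or computer object, only the subnet the request came from changes, and that is the only thing a per-range firewall rule can key on.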
Tags: dhcp, network, newbieapply, scope