
Delegating Administration

In document DHCP for Windows pdf (Page 148-154)


Chapter 7. Advanced DHCP

7.2 Delegating Administration

In Active Directory, you can delegate administrative duties to particular users or groups. Delegating administrative control occurs at the organizational unit level. Of course, determining and creating organizational units should follow the structure of your organization.

By delegating administration, you eliminate the need for separate administrative accounts that may have authority over the entire domain. This allows you to limit control to specific areas of the directory for a small number of administrators.

Some organizations have separate teams responsible for administering different services. For example, a company may have a Windows 2000 team that is responsible for administering Active Directory and a network team responsible for administering network services such as DNS and DHCP. Because of their limited responsibilities, you would not want to add the network team to the Enterprise Administrators group. By delegating administration of DHCP servers to the network team, you avoid giving unnecessary rights.

To delegate the ability to authorize DHCP servers to a non-Enterprise Administrator, follow these steps:

1. Open Active Directory Sites and Services. You must be an Enterprise Administrator to do this.

2. From the View menu, select Show Services Node.

3. In the Sites and Services console's tree pane, select NetServices.

4. Select the Action pull-down menu and select Delegate Control. This starts the Delegate Control Wizard.

5. Click Next, then click Add to display the users and groups.

6. Locate the group or user account that you want to permit access to the NetServices object.

7. Click Add, then OK.

8. On Tasks to Delegate, select "Create a custom task to delegate," and click Next.

9. Select "This folder, existing objects in this folder, and creation of new objects in this folder" and click Next.

10. Click Full Control for permissions, and click Next.

You have now delegated DHCP administration to the users or groups that you selected.

7.3 Using Netsh Commands for DHCP

Netsh is a utility that provides command-line and scripting abilities to Windows 2000. It can be used to manage many of the Windows 2000 networking components, such as routing, interfaces, RAS, DHCP, and WINS.

Netsh operates in three command modes:

Online

In online mode, Netsh processes commands immediately as they are entered at the Netsh command prompt.

Offline

In offline mode, commands are collected by Netsh. When the user issues the commit global command, Netsh executes the collected commands as a script. The user can also discard collected commands by issuing the flush command.

Script

A script file containing Netsh commands can be executed by issuing the exec command at the Netsh command prompt or by using netsh -f scriptfile.

Netsh can support multiple Windows 2000 networking components through the use of Netsh helper DLLs. These helper DLLs extend the functionality of Netsh by providing commands that are specific to a particular networking component. These commands allow Netsh to be used in monitoring or configuring the networking component.

To view the currently loaded helper DLLs, enter the following command at the Netsh command prompt:

netsh> show helper

Command    Helper GUID   DLL Filename
---------  ------------  --------------
routing    {65EC23C0}    IPMONTR.DLL
interface  {0705ECA1}    IFMON.DLL
ras        {0705ECA2}    RASMONTR.DLL
dhcp       {0F7412F0}    DHCPMON.DLL
wins       {BF563723}    WINSMON.DLL
aaaa       {1D0FA29B}    AAAAMON.DLL

The Netsh helper DLL that provides DHCP functionality is DHCPMON.DLL. This DLL provides an alternative to using the DHCP console to administer the DHCP environment in Windows 2000. More importantly, an administrator can create scripts that can be used repeatedly on many DHCP servers in an environment.

To use Netsh DHCP commands at the command prompt, follow these steps (see Figure 7.4):

1. Open a Command Prompt.

2. Type netsh. You enter Netsh in online mode. Notice that the prompt now reads netsh>.

Figure 7.4. Managing DHCP using Netsh

3. At the netsh> prompt, type dhcp. Netsh enters the DHCP subcontext, and the prompt is now dhcp>.

4. Type list to display all commands available at that context level. The list of commands changes depending on the current context level. For example, at the DHCP context level, the available commands are add server, delete server, show server, and server \\<servername> or server <ipaddress>.

5. Type server \\<servername> or server <ip_address> to switch to the server you

6. Type list to display the commands available at this context level.

As you can see, the list of commands changed dramatically. See Table 7.1 for the complete list of Netsh DHCP first-level commands and descriptions of what they do.

Table 7.1. Netsh DHCP First-Level Commands

Command                                    Description
add server                                 Adds a DHCP server to the DHCP console.
delete server                              Deletes a DHCP server from the DHCP console.
show server                                Displays all DHCP servers currently added under the DHCP console.
server \\<servername> or server <address>  Shifts the current DHCP command-line context to the server specified by either its name or IP address.

Let's walk through a quick example of using Netsh to create a DHCP scope.

First open a command prompt and type netsh to enter the Netsh command mode. If you have ever configured a Cisco router, you will quickly realize that Netsh is very similar to the Cisco IOS command language.

After you start Netsh, you are placed in the main Netsh context. To configure and administer the DHCP server, you need to switch to the dhcp subcontext. Type dhcp at the Netsh command prompt to enter it. At this point you are at the equivalent of the DHCP console, where you can configure and manage the local DHCP server or remote DHCP servers. To switch to the local DHCP server context, simply enter server and press Enter. If you want to configure a remote DHCP server, type server followed by either the DHCP server's name or IP address. For example, to switch to the remote DHCP server DHCP1, type server DHCP1.

Now at the DHCP server context, you can create a new scope. The command is the following:

add scope <scope ID> <subnet mask> <scope name> <scope description>

where <scope name> and <scope description> are optional.

For example, I want to create a scope for a production subnet that is located on the first floor of my building. Here is the command I must enter:

dhcp server>add scope 192.168.1.0 255.255.255.0 "Production Subnet 192.168.1.0" "Main Production Subnet for 1st Floor"

Command completed successfully.

As you can see, when Netsh completes the creation of the scope, it reports that the command completed successfully. If there were any problems, Netsh returns a message stating that the command failed, either because the command was incorrect or for another reason, such as the server not being available.

Now that the scope itself has been created, I still need to specify the IP address range as well as any exclusions and options I want to configure. To start this, I need to switch to the scope's context in Netsh:

dhcp server>scope 192.168.1.0

Changed the current scope context to 192.168.1.0 scope.

Once in the scope's context, I can begin to configure the scope. Notice how the Netsh command prompt now says dhcp server scope to let me know that my current context is within a scope:

dhcp server scope>add iprange 192.168.1.1 192.168.1.254

Command completed successfully.

This specifies that the IP address range will be 192.168.1.1 through 192.168.1.254. Since I have some network devices such as servers and network printers on this subnet, I want to exclude the first 50 IP addresses from the range:

dhcp server scope>add excluderange 192.168.1.1 192.168.1.50

Command completed successfully.

Also, there is one DHCP client on this subnet that requires a specific IP address at all times. The format of the add reservedip command is add reservedip <IP address> <MAC address>.

Using this command, I can enter the DHCP reservation:

dhcp server scope>add reservedip 192.168.1.125 0c001003451c

Command completed successfully.

Finally, what is a DHCP scope without some DHCP options? Using the set optionvalue command, you can enter DHCP options. The format of the command is set optionvalue <option ID> <option element type> <option element value>. For this subnet, I want to specify two DNS servers and a default gateway:

dhcp server scope>set optionvalue 006 ipaddress 192.168.1.10 192.168.1.11

Command completed successfully.

dhcp server scope>set optionvalue 003 ipaddress 192.168.1.1

Command completed successfully.
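The commands typed above are exactly the kind of sequence the chapter suggests saving as a script and replaying with netsh -f on many servers. As an added example (not code from the book), the Python below builds that command list for a scope and validates every address against the scope's subnet before emitting anything; the 12-hex-digit MAC check is an assumption taken from the chapter's own reservation example, and the output lines are written to a .scp file as-is.

```python
import ipaddress
import re

def build_scope_script(scope_id, mask, name, description, ip_range, exclusions=(),
                       reservations=(), options=(), server=""):
    """Return netsh lines reproducing the chapter's scope set-up, for replay with netsh -f.

    ip_range and each exclusion are (first, last); reservations are (ip, mac); options
    are (option_id, element_type, [values]). Every address is checked against the
    scope's subnet before any line is emitted, so a typo fails here rather than
    half-way through the script on the DHCP server.
    """
    net = ipaddress.IPv4Network(f"{scope_id}/{mask}", strict=True)  # host bits set -> error

    def in_scope(addr):
        if ipaddress.IPv4Address(addr) not in net:
            raise ValueError(f"{addr} is outside scope {net}")
        return addr

    def addr_range(first, last):
        if ipaddress.IPv4Address(first) > ipaddress.IPv4Address(last):
            raise ValueError(f"range {first}-{last} is reversed")
        return f"{in_scope(first)} {in_scope(last)}"

    lines = ["dhcp", f"server {server}".rstrip(),           # bare "server" = local server
             f'add scope {scope_id} {mask} "{name}" "{description}"',
             f"scope {scope_id}", f"add iprange {addr_range(*ip_range)}"]
    lines += [f"add excluderange {addr_range(first, last)}" for first, last in exclusions]
    for ip, mac in reservations:
        if not re.fullmatch(r"[0-9A-Fa-f]{12}", mac):      # assumes the chapter's MAC form
            raise ValueError(f"MAC {mac!r} must be 12 hex digits without separators")
        lines.append(f"add reservedip {in_scope(ip)} {mac.lower()}")
    for opt_id, elem_type, values in options:
        if elem_type == "ipaddress":
            values = [str(ipaddress.IPv4Address(v)) for v in values]  # must parse as IPv4
        if opt_id == 3:                                      # router must be on this subnet
            values = [in_scope(v) for v in values]
        lines.append(f"set optionvalue {opt_id:03d} {elem_type} {' '.join(values)}")
    return lines

def chapter_example():
    """The scope built step by step in the chapter, as one script for netsh -f."""
    return build_scope_script(
        "192.168.1.0", "255.255.255.0", "Production Subnet 192.168.1.0",
        "Main Production Subnet for 1st Floor", ("192.168.1.1", "192.168.1.254"),
        exclusions=[("192.168.1.1", "192.168.1.50")],
        reservations=[("192.168.1.125", "0c001003451c")],
        options=[(6, "ipaddress", ["192.168.1.10", "192.168.1.11"]),
                 (3, "ipaddress", ["192.168.1.1"])],
        server="DHCP1")
```

Joining the returned lines with newlines and saving them as, say, scope.scp gives a file that netsh -f scope.scp replays from the main Netsh context.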

By using the show optionvalue command, I can confirm that I entered the option values correctly:

dhcp server scope>show optionvalue

Options for Scope 192.168.1.0:
        DHCP Standard Option :
        General Option Values:
        OptionId : 51
        Option Value:
                Number of Option Elements = 1
                Option Element Type = DWORD
                Option Element Value = 691200
        OptionId : 3
        Option Value:
                Number of Option Elements = 1
                Option Element Type = IPADDRESS
                Option Element Value = 192.168.1.1
        OptionId : 6
        Option Value:
                Number of Option Elements = 2
                Option Element Type = IPADDRESS
                Option Element Value = 192.168.1.10
                Option Element Value = 192.168.1.11
Command completed successfully.
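Confirming a listing like this by eye is fine for one scope but not for a fleet of servers. As an added example (not the book's code), the Python below parses the show optionvalue output into a map of option ID to values and compares it with an expected baseline; the sample text is the chapter's own listing, embedded as constructed input so the code runs offline.

```python
import re
# Constructed sample: the chapter's own "show optionvalue" listing for scope 192.168.1.0.
SHOW_OPTIONVALUE_OUTPUT = """\
Options for Scope 192.168.1.0:
        DHCP Standard Option :
        General Option Values:
        OptionId : 51
        Option Value:
                Number of Option Elements = 1
                Option Element Type = DWORD
                Option Element Value = 691200
        OptionId : 3
        Option Value:
                Number of Option Elements = 1
                Option Element Type = IPADDRESS
                Option Element Value = 192.168.1.1
        OptionId : 6
        Option Value:
                Number of Option Elements = 2
                Option Element Type = IPADDRESS
                Option Element Value = 192.168.1.10
                Option Element Value = 192.168.1.11
Command completed successfully.
"""

def parse_optionvalues(text):
    """Map option ID -> (element type, [values]) from show optionvalue output."""
    options, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.fullmatch(r"OptionId\s*:\s*(\d+)", line)):
            current = int(m.group(1))
            options[current] = ["", []]      # element type is filled in below
        elif current is None:
            continue                          # header lines before the first option
        elif (m := re.fullmatch(r"Option Element Type\s*=\s*(\w+)", line)):
            options[current][0] = m.group(1)
        elif (m := re.fullmatch(r"Option Element Value\s*=\s*(\S+)", line)):
            options[current][1].append(m.group(1))
    return {oid: (etype, vals) for oid, (etype, vals) in options.items()}

def check_scope_options(text, expected):
    """Return mismatches between configured values and a baseline {option_id: [values]}."""
    found = parse_optionvalues(text)
    missing = ("", [])
    problems = [f"option {oid}: expected {vals}, got {found.get(oid, missing)[1]}"
                for oid, vals in expected.items() if found.get(oid, missing)[1] != vals]
    problems += [f"option {oid}: not in baseline, configured as {found[oid][1]}"
                 for oid in sorted(set(found) - set(expected))]
    return problems
```

Options configured on the scope but absent from the baseline are reported as well, so an unexpected option (a changed router or DNS entry, for instance) shows up rather than being silently accepted.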

Now, when all is said and done . . . or maybe typed and done, you can open the DHCP console and see all of the items that were just configured in Netsh, much like those shown in Figure 7.5.

Figure 7.5. DHCP console following Netsh configuration

You can also create a Netsh script. This helps automate many tasks. For example, if you are implementing DHCP on a network that is primarily using static IP addresses, you can create a Netsh script that automatically changes a computer's IP configuration from static to DHCP. Say the network also uses static addresses for DNS and WINS servers, and you want to switch these to DHCP as well. You could execute the Netsh script either manually or from a logon script:

1. First, create a text file called switchdhcp.scp. Enter the following commands:

interface ip
set address "Local Area Connection" dhcp
set dns "Local Area Connection" dhcp
set wins "Local Area Connection" dhcp

Although the default name for the connection in Windows 2000 is Local Area Connection, it can be renamed. Also, if the workstation is multihomed, there is more than one connection displayed. Verify that you are configuring the correct connection by removing the network cable. The icon changes to show it has been disconnected. Once you have verified the connection, plug the network cable back in.

2. Save the text file.

3. Create a batch file called switchdhcp.cmd. This batch file will be called from a logon script to execute the Netsh script. It maps a drive (Z:) to a DHCP server named DHCP1. It also writes a flag file to the workstation. If the flag file is present, the script will not be executed. This keeps the script from executing unnecessarily once the configuration change has been made. The following commands should go in the switchdhcp.cmd batch file:

rem Skip everything if this workstation has already been switched to DHCP
if exist %systemroot%\switchdhcp.flg goto :eof
net use z: \\dhcp1\switchdhcp
netsh -f z:\switchdhcp.scp
copy z:\switchdhcp.flg %systemroot%\switchdhcp.flg
net use z: /delete

4. Copy the script switchdhcp.scp to a common network share, such as SysVol in Windows 2000 or Netlogon in Windows NT. Add the following command to the logon script:

switchdhcp.cmd

When a user logs on to the workstation, the workstation executes the logon script, which in turn calls the switchdhcp.cmd batch file. The batch file looks for the flag file, switchdhcp.flg. If the flag file exists, the Netsh script is not executed. If it is not present, the batch file maps Z: to a network share called SWITCHDHCP on the server DHCP1. Next, it executes the Netsh script found on Z:. After the Netsh script is executed, the batch file copies the flag file from Z: to %systemroot% (usually C:\WINNT ) and disconnects from the network share.

To have the user execute a Netsh script, you need to give them the appropriate rights to modify the IP configuration. You can do this by adding them to an administrators group (not recommended) or via Group Policy.

Thanks to the addition of a Telnet Server service to Windows 2000, you can also use Netsh to administer remote DHCP servers. Simply start the Telnet Server service on the DHCP server. From a remote workstation, open a command prompt and enter the command telnet <dhcp server name>. This starts a telnet session on the DHCP server. At this point, you can use Netsh or execute a Netsh script as though you were at a command prompt on the DHCP server.

To create a Telnet session, you must be a member of the Administrators group on the Telnet server.

Netsh is a powerful utility that can be used to manage many different network components, from a single DHCP server to an entire DHCP infrastructure. Although it may seem like more work to configure a DHCP server with Netsh because of the typing, it gives administrators the option of automating and scripting tasks that may be very time consuming using the GUI interface. Hopefully Microsoft and third-party vendors will continue to add more helper DLLs, extending this functionality.
