DHCP on Windows 2000 Server

[BHuckfield]

I don't know if this is the right forum for this, it's kinda a hybrid 2k and network question...if not, apologies.
I want to know how to set the 2k DHCP server to restrict machines from leasing IP's if they are not authenticated by the dc...
is this possible?

Thanks in advance.

 

[BOMBOLI]

YES you can via RESERVATIONS into the DHCP. To do so go to ADMINISTRATIVE TOOLS/DHCP/ EXPAND your SCOPE,right click on RESERVATIONS and add the IP you dont want a lease on it.
Hope this helps

 

[lgarner]

I think that's for a different scenario. I also don't see how to restrict the dhcp from granting addresses, since the workstation would have to communicate with the server in order to authenticate.

You could use MAC address restrictions, but I can see that becoming a management headache real fast.

 

[bradhiggins]

I'm not sure you can actually do it in the way that you want.

With DHCP and IP addresses, the workstation needs an IP address before it can communicate with your Domain controller. This means the computer has asked for an address from your DHCP server before the user has tried to log-on for authentication.

Each of these actions are independant of each other so I don't think you can do what you are trying to do.

THe MAC level restrictions will prevent lease assignment but if the worstation doesn't have an IP to start with it won't communicate with your DC

Cheers

Brad

 

[GlenJohnson]

I think lgarner is correct. DHCP works in the following way.
1)DHCP server recieves DHCPDISCOVER message from a client looking for a dhcp server.
2)DHCP server sends a DHCPOFFER message containing an IP address for the client to use.
3)Once the client recieves an ip address from a dhcp server, it sends out a DHCPREQUEST message to the server, asking for the use of the ip address.
4)The dhcp server replies with an DHCPACK leasing the ip adddress to the client for a specified amount of time.
Once the client has an address, it can then get authentication. There are other DHCP messages, but this is the basics as to how it works. Just curios, why are you trying to block clients that shouldn't be authenticated?

Glen A. Johnson
"Fall seven times, stand up eight."
Proverb

Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884

 

[BHuckfield]

true...the lease happens long before any form of 2k authentication occurs...
I am just curious to see how I can effectivly cripple clients on my network that don't log on to the domain...
MAC Address restrictions won't work in this case because it's not specific MACS that I want to block...
back to the drawing board...
thanks all of you for your input, I appreciate it...

 

[ricpinto]

Let's say you suceeded of what you're trying to accomplish. The guy can just add a static ip adddress and do the same thing. Suggestion: Don't allow them to login locally, by removing their local account. This way if they don't login to domain, their PC is useless. Use policies or proxy server to block internet surfing.