Back To Basics: Windows 2000 Rogue DHCP Server Detection - Page 2

Thomas Shinder

We call such an unauthorized DHCP Server a Rogue DHCP Server. Rogue DHCP servers will likely assign inaccurate IP addressing information to DHCP clients, and in the process disrupt network communications for these hapless DHCP clients.

Windows 2000 networks running only Windows 2000 DHCP servers can recognize and shut down rogue DHCP servers by keeping a list of authorized DHCP servers in the Active Directory. Authorized Windows 2000 DHCP Servers in the same broadcast domain will shut down any Windows 2000 DHCP Server that is not authorized in the Active Directory.

Rogue DHCP Server detection is very cool. However, it is severely limited in its efficacy because only Windows 2000 DHCP servers can detect rogue DHCP servers, and the rogue DHCP server must also be a Windows 2000 DHCP Server. If someone were to introduce a Windows NT 4.0 or SCO DHCP Server onto the network, the authorized Windows 2000 DHCP Servers on the network would not shut down that DHCP Server.

How Rogue DHCP Server Detection Works

When a Windows 2000 DHCP server boots up, it broadcasts a DHCPINFORM message to the local segment. The DHCPINFORM message contains Windows 2000 vendor-specific option codes that are interpreted by Windows 2000 DHCP Servers. These vendor option types allow the Windows 2000 DHCP server to obtain information about the network from other Windows 2000 DHCP servers on the segment. Most specifically, they are able to obtain information about servers that are authorized in the Active Directory.

The DHCPINFORM message includes a query asking about the name and location of an Active Directory domain controller. All Windows 2000 DHCP Servers will reply with this information via a DHCPACK message. If DHCP Servers from multiple domains are present on the same segment, then the requesting machine will obtain information about domain controllers in each of these domains.

After the DHCP Server obtains the information about the location of a domain controller, it will query the Active Directory for the list of authorized DHCP servers. If the querying DHCP Server's IP address is on the list, it will successfully initialize its DHCP Server service. If not, the DHCP Server service will not initialize and the machine will not be able to function as a DHCP Server.
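The boot-time sequence just described, as an added simulation written for this page rather than Microsoft's code: the DHCPINFORM/DHCPACK message layout, the domain names, the server addresses and the authorized-server table are all constructed for illustration, and the model also shows the caveat from earlier on the page that a server which never performs the check (NT 4.0, SCO) is not stopped by it.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the Active Directory list of authorized DHCP
# servers: domain name -> set of authorized server IP addresses.
AUTHORIZED_IN_AD = {
    "corp.example": {"10.0.0.10", "10.0.0.11"},
    "lab.example": {"10.0.1.10", "10.0.1.11"},
}

@dataclass
class DhcpServer:
    ip: str
    domain: str               # domain the server names in its DHCPACK
    cooperative: bool = True  # True: Windows 2000 behaviour; False: NT 4.0/SCO-style
    running: bool = False

def handle_inform(responder: DhcpServer, inform: dict) -> Optional[dict]:
    """A running Windows 2000 server answers a DHCPINFORM carrying the
    vendor-specific domain-controller query with a DHCPACK naming its domain.
    The dict-based message layout is an assumption of this model."""
    if not (responder.running and responder.cooperative):
        return None
    if inform.get("op") != "DHCPINFORM" or not inform.get("vendor", {}).get("dc_query"):
        return None
    return {"op": "DHCPACK", "vendor": {"domain": responder.domain}}

def start_server(new: DhcpServer, segment: list) -> bool:
    """Boot check from the article: broadcast DHCPINFORM on the segment, collect
    the domains named in the DHCPACKs, consult the directory for each of them,
    and initialise only if this server's IP is authorized in one of them."""
    if not new.cooperative:
        # The article's caveat: a non-Windows 2000 server never runs the check.
        new.running = True
        return True
    inform = {"op": "DHCPINFORM", "vendor": {"dc_query": True}}
    domains = set()
    for peer in segment:
        ack = handle_inform(peer, inform)
        if ack is not None:
            domains.add(ack["vendor"]["domain"])
    if not domains:
        # Not covered by the article; this model assumes a server that learns of
        # no domain controller has nothing to consult and starts.
        new.running = True
        return True
    new.running = any(new.ip in AUTHORIZED_IN_AD.get(d, set()) for d in domains)
    return new.running
```

Because the decision is taken by the booting server itself, the only thing the directory list controls is whether a cooperating server starts; detection of anything else still needs a network-level check such as watching for unexpected DHCPOFFER sources on the segment.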

This article was originally published on Oct 9, 2000
Page 2 of 3
