Cliente DHCP

18/07/2004 - 23:53 por Javi | Informe spam
Aunque tengo el sevidor DHCP autorizado en AD, si otro
usuario de la red instala otro servidor DHCP (rouge), los
clientes pueden recibir las ofertas del mismo.
Hay alguna forma de conseguir que el cliente DHCP sólo
escuche las respuestas de un servidor?

Preguntas similare

Leer las respuestas

#1 Javier Inglés [MS MVP]
19/07/2004 - 10:20 | Informe spam
El DHCP que dices sólo podrá levantar el el equipo es W2K y está en dominio

Servidores ROGUE DHCP

Preventing Rogue DHCP Servers
The process of authorizing DHCP servers is useful or needed for DHCP
servers
running Windows 2000 Server. Where this scheme is used, authorization is
neither used nor needed if the following conditions exist:

a.. If DHCP servers are running earlier versions of Windows NT Server,
such as versions 3.51 or 4.0.
b.. If DHCP servers are running other DHCP server software.
For the directory authorization process to work properly, it is assumed and
necessary that the first DHCP server introduced onto your network
participate in the Active Directory service. This requires that the server
be installed as either a domain controller or a member server. When you are
either planning for or actively deploying Active Directory services, it is
important that you do not elect to install your first DHCP server computer
as a stand-alone server.

Most commonly, there will be only one enterprise root and therefore only a
single point for directory authorization of the DHCP servers. However,
there
is no restriction on authorizing DHCP servers for more than one enterprise
root.

When configured correctly and authorized for use on a network, DHCP servers
provide a useful and intended administrative service. However, when a
misconfigured or unauthorized DHCP server is introduced into a network, it
can cause problems. For example, if a rogue DHCP server starts, it can
begin
leasing incorrect IP addresses to clients or negatively acknowledging DHCP
clients attempting to renew their current address lease.

Either of these misconfiguration problems can produce further problems for
DHCP-enabled clients. For example, clients that obtain a configuration
lease
from the unauthorized server can then fail to locate valid domain
controllers, preventing clients from successfully logging on to the
network.

Windows 2000 Server provides some integrated security support for networks
that use Active Directory. This avoids most of the accidental damage caused
by running DHCP servers with wrong configurations or on the wrong networks.

This support uses an additional object type (the DhcpServer object) to the
base directory schema. This provides for the following enhancements:

a.. A list of IP addresses available for the computers that you authorize
to operate as DHCP servers on your network.
b.. Detection of rogue DHCP servers and prevention of their starting or
running on your network.


Note

For the directory authorization process to work properly, it is necessary
that the first Windows 2000 DHCP server introduced onto your network
participate in the Active Directory service. This requires that the server
be installed in a domain (as either a domain controller or a member
server),
and not in a workgroup. When you are either planning for or actively
deploying Active Directory services, do not elect to install your first
DHCP
server as a workgroup server. You must have enterprise administrator rights
to authorize a DHCP server in the Active Directory.

How DHCP Servers Are Authorized
The authorization process for DHCP server computers in Active Directory
depends on the role of the server on your network. For Windows 2000 Server
(as in earlier versions) there are three roles or server types for which
each server computer can be installed:

a.. Domain controller. The computer keeps and maintains a copy of the
Active Directory service database and provides secure account management
for
domain member users and computers.
b.. Member server. The computer is not operating as a domain controller
but has joined a domain in which it has a membership account in the Active
Directory database.
c.. Stand-alone Server. The computer is not operating as a domain
controller or a members server in a domain. Instead, the server computer is
made known to the network through a specified workgroup name, which can be
shared by other computers, but is used only for browsing purposes and not
to
provide secured logon access to shared domain resources.
If you deploy Active Directory, all computers operating as DHCP servers
must
be either domain controllers or domain member servers before they can be
authorized in the directory service or start providing DHCP service to
clients. When a DHCP server is authorized, the server computer is added to
the list of authorized DHCP servers maintained in the directory service
database.

How Unauthorized Servers Are Detected
The DHCP implementation under Windows 2000 Server provides detection of
both
authorized and unauthorized DHCP servers in two ways:

a.. The use of information messaging between DHCP servers using the
DHCPInform message.
b.. The addition of several new vendor-specific option types, used for
communicating information about the directory service enterprise root.
The Windows 2000 DHCP service uses the following process to detect other
DHCP servers currently running on the reachable network and determine if
they are authorized to provide service.

When the DHCP service starts, it sends a DHCPInform request message to the
reachable network, using the local limited broadcast address
(255.255.255.255), to locate the directory service enterprise root on which
other DHCP servers are installed and configured.

This message includes several vendor-specific option types that are known
and supported by other DHCP servers running Windows 2000 Server. When
received by other DHCP servers, these option types provide for the query
and
retrieval of information about the directory service enterprise root.

When queried, other DHCP servers reply with DHCPAck messages to acknowledge
and answer with directory service enterprise root information. In this way,
the initializing DHCP server collects and compiles a list of all currently
active DHCP servers on the reachable network, along with the root of the
directory service enterprise used by each server.

Typically, only one single enterprise root is detected: the same one for
all
DHCP servers that are reachable and that respond to acknowledge the
initializing server. However, if additional enterprise roots are detected,
each root is queried in turn to see if the computer is authorized for DHCP
service for those other enterprises discovered during this phase.

After a list is built of all DHCP servers running on the network, the next
step in the detection process depends on whether a directory service is
available from the local computer.

If the directory service is not available (such as where the initializing
DHCP server is installed in a confined network environment used for
testing), the initializing server can start if no other DHCP servers are
discovered on the network that are part of any enterprise. When this
condition is met, the server successfully initializes and begins serving
DHCP clients.

However, the server continues every 5 minutes to collect information about
other DHCP servers running on the network, using DHCPInform as it did at
startup. Each time, it checks to see whether the directory service is
available. If a directory service is found, the server makes sure it is
authorized by following the procedure, depending on whether the server is a
member server or a stand-alone server.

a.. For member servers (a server joined to some domain that is part of
the
enterprise), the DHCP server queries the directory service for the DHCP
server list of addresses that are authorized.
b.. If the server finds its IP address in the authorized list, it
initializes and starts providing DHCP service to clients. If it does not
find itself in the authorized list, it does not initialize, and stops
providing DHCP services.
c.. For stand-alone servers (a server not joined to any domain or part of
an existing enterprise), the DHCP server queries the directory service with
the root of the enterprise returned by each of the other DHCP servers to
see
if it can find itself on the authorized list with any of the reported
enterprises.
The server initializes and starts providing DHCP services to clients only
if the server finds its IP address in the authorized list for each of the
enterprise roots reported by other DHCP servers. If it does not find itself
in the authorized list for each of the reported enterprise roots, it does
not initialize, and the DHCP service is stopped.


Salu2!!!

Javier Inglés, MS-MVP
http://mvp.support.microsoft.com/default.aspx

:
<<<QUITAR "NOSPAM" PARA MANDAR MAIL>>>

Este mensaje se proporciona "como está" sin garantías de ninguna clase, y no otorga ningún derecho


"Javi" escribió en el mensaje news:2e6b801c46d11$b2b84970$
Aunque tengo el sevidor DHCP autorizado en AD, si otro
usuario de la red instala otro servidor DHCP (rouge), los
clientes pueden recibir las ofertas del mismo.
Hay alguna forma de conseguir que el cliente DHCP sólo
escuche las respuestas de un servidor?
Respuesta Responder a este mensaje
#2 Javier Inglés [MS MVP]
19/07/2004 - 10:21 | Informe spam
Perdón, si es W2K y no está en dominio no podrá levantar tampoco

Salu2!!!

Javier Inglés, MS-MVP
http://mvp.support.microsoft.com/default.aspx

:
<<<QUITAR "NOSPAM" PARA MANDAR MAIL>>>

Este mensaje se proporciona "como está" sin garantías de ninguna clase, y no otorga ningún derecho


"Javi" escribió en el mensaje news:2e6b801c46d11$b2b84970$
Aunque tengo el sevidor DHCP autorizado en AD, si otro
usuario de la red instala otro servidor DHCP (rouge), los
clientes pueden recibir las ofertas del mismo.
Hay alguna forma de conseguir que el cliente DHCP sólo
escuche las respuestas de un servidor?
email Siga el debate Respuesta Responder a este mensaje
Ads by Google
Help Hacer una preguntaRespuesta Tengo una respuesta
Search Busqueda sugerida