Advanced DHCP concepts include functionality that is not used in day-to-day situations, such as superscopes, multicast scopes, and the delegation of DHCP administration. Moreover, in today's computing environment, the ability to manage services from a command-line environment is strongly desired. The following sections cover these advanced DHCP concepts.
Understanding DHCP Superscopes
A DHCP Superscope is a container that can include several DHCP scopes. A Superscope can be created when a single network includes multiple network ranges. For example, if an organization wanted to support different network clients or organizations with a single router, a superscope with multiple scopes configured with different network address spaces could be created. Policies for each scope range could be configured along with reservations to ensure that the desired clients get the right network scope leases when they request a DHCP lease.
Examining DHCP Multicast Scopes
Organizations that require multicast functionality might want to set up DHCP multicast scopes. Multicast clients are used for media and deployment applications where several systems will be accessing the same content. A few examples are operating system deployments or video or audio presentations that each client will access simultaneously. There are special uses for multicast addressing, and DHCP multicast scopes can simplify the setup and delivery in those scenarios.
Delegating Administration of DHCP
Even though DHCP services are quite critical in most networking environments, organizations usually do not dedicate servers specifically to this service. DHCP services are usually bundled on servers that host other services. In situations when DHCP administration needs to be delegated to, say, the networking group or a certain administrator, but access to the host server is not desirable, DHCP delegation is the answer. To delegate DHCP administration, first the administrator needs to have access to the DHCP server tools, and those should be installed on the administrator's IT administrative workstation or on an IT central console server. Once the tools are accessible, the IT administrator's user account, or admin account, can be added to the local DHCP security group named DHCP Administrators.
DHCP Netsh and PowerShell Administration
Like most Microsoft services today, DHCP can be fully managed through a wide array of PowerShell functions and via the Netsh command-line utility. To get a list of the available commands, follow these steps.
1. On a system with the DHCP server tools installed, open a PowerShell console session.
2. Type get-command *DHCP* and press Enter to get the list of all the DHCP-related functions or cmdlets.
For example, type get-DHCPServerv4Binding -Computername server10.companyabc.com and press Enter to get the IPv4 address bound to the DHCP server named server10.companyabc.com.
3. To learn how to use any PowerShell function or cmdlet (for example, the get-DHCPServerv4Binding function), in the PowerShell window type get-help get-DHCPServerv4Binding -Full and press Enter to list the help information.
4. In the same window or in a command prompt window, to access the DHCP Netsh commands type Netsh DHCP List and press Enter to get a list of the commands available.
5. For example, if the DHCP Post-Install Wizard was skipped or closed, the DHCP administrator can add the security groups for delegation to the local server by using the command Netsh DHCP Add SecurityGroups and pressing Enter.
This completes the overview of some of the DHCP administrative tasks that you can perform using PowerShell commands or Netsh.
Securing DHCP
DHCP by default is an unsecure service and should be treated as such. For example, in a basic DHCP deployment, if a malicious user gains access to the physical network or a wireless network that the DHCP server provides IP address leases for, that user can quickly get on the network and begin to try to hack and communicate with the organization's systems. Wireless networks get hacked every day, but that is a different topic. Getting access to physical connectivity is less likely, but when it occurs the same risk is presented. This is why every DHCP implementation should include some form of security or frequent auditing.