Dynamic Host Configuration Protocol (DHCP) is a client-server technology that allows DHCP servers to
assign, or lease, IP addresses to computers and other devices that are enabled as DHCP clients.
When you deploy DHCP servers on your network, you can automatically provide client computers and other
TCP/IPv4 and IPv6 based network devices with valid IP addresses. You can also provide the additional
configuration parameters these clients and devices need, called DHCP options, which allow them to connect to other
network resources, such as DNS servers, WINS servers, and routers.
The step-by-step instructions in this paper will show you how to deploy link layer-based filtering in a test lab
so that you can better understand how this configuration works.
In this guide
This paper contains an introduction to link layer based filtering and instructions for setting up a test lab
using one DHCP server and three client computers.
Important
The following instructions are for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services
provided on the network and to clearly show the desired functionality. This configuration is not designed to reflect best practices or a
recommended configuration for a production network. This configuration, including IP addresses and all other configuration parameters, is designed to
work on a separate test lab network.
Scenario overview
In this test lab, link layer-based filtering is deployed on one server running the Windows Server® 2008 R2
operating system with DHCP installed, and three client computers running the Windows® 7 operating system
with the DHCP Client service running. A computer running Windows Server 2003 is also used in the test lab
as a domain controller and Domain Name System (DNS) server.
• All the domain-joined DHCP clients are configured to dynamically obtain the IP address from the
DHCP server in the domain.
• DHCP Client 1 is a healthy network authorized client computer that is active and has an IP address
from the DHCP server.
• DHCP Client 2 is a malicious unauthorized client computer that is active and has an IP address from
DHCP Server 1.
• DHCP Client 3 is a new client computer that is inactive and does not have network connectivity.
Software requirements
The following are required components of the test lab:
• The product disc for Windows Server 2003 with Service Pack 2 (SP2).
This lab demonstrates link layer-based filtering with a DHCP server in a domain with Active
Directory® directory services and Windows Server 2003 installed. You can also make the domain
controller in this lab run Windows Server 2008 R2.
• Configure DC1.
DC1 is a server running the Windows Server 2003 Standard Edition operating system. DC1 is
configured as a domain controller with Active Directory. It is also configured as the primary DNS
server for the intranet subnet.
DHCP Server 1 is a server running Windows Server 2008 R2. DHCP Server 1 is configured with the
DHCP Server service, and functions as a DHCP server in the domain.
DHCP Client 1, DHCP Client 2, and DHCP Client 3 are client computers running Windows 7. DHCP
Client 1, DHCP Client 2, and DHCP Client 3 are configured to request IP addresses from DHCP
Server 1.
After all the components are configured, this guide will provide steps to demonstrate how link layer-based
filtering gives you the control to allow or deny network access to the three clients based on MAC address.
Configure DC1
DC1 is a computer running Windows Server 2003 Standard Edition with SP2 that provides the following
services:
6. Click OK, click Close, and then close the Network Connections window.
4. Verify that Domain controller for a new domain is selected, and then click Next.
5. Verify that Domain in a new forest is selected, and then click Next two times.
6. On the Install or Configure DNS page, select No, just install and configure DNS on this
computer, and then click Next.
7. Type Contoso.com next to Full DNS name for new domain, and then click Next.
8. Confirm that the Domain NetBIOS name shown is CONTOSO, and then click Next.
9. Accept the default Database Folder and Log Folder directories, and then click Next.
10. Accept the default folder location for Shared System Volume, and then click Next.
11. Verify that Permissions compatible only with Windows 2000 or Windows Server 2003
operating systems is selected, and then click Next.
12. Leave the Restore Mode Password and Confirm Password text boxes blank, and then
click Next.
13. View the summary information provided, and then click Next.
14. Wait while the wizard completes configuration of Active Directory and DNS services, and then
click Finish.
16. After the computer is restarted, log on to the CONTOSO domain using the Administrator account.
2. In the console tree, double-click Contoso.com, right-click Users, point to New, and then
click User.
3. In the New Object - User dialog box, next to Full name, type User1, and in User logon name,
type User1.
4. Click Next.
5. In Password, type the password that you want to use for this account, and in Confirm password,
type the password again.
6. Clear the User must change password at next logon check box, and select the Password
never expires check box.
8. Leave the Active Directory Users and Computers console open for the following procedure.
3. In the DHCP Administrators Properties dialog box, click the Members tab, and then click Add.
4. Under Enter the object names to select (examples), type User1, the user name that you
created in the previous procedure, click OK, and then click OK again.
5. Leave the Active Directory Users and Computers console open for the following procedure.
• Configure TCP/IP.
• Configure DHCP.
3. Follow the instructions that appear on your screen to finish the installation.
2. Under Roles Summary, click Add roles, and then click Next.
3. On the Select Server Roles page, select the DHCP server, and then click Next two times.
4. On the Select Network Connection Bindings page, verify that 172.16.1.2 is selected, and then
click Next on DHCP Server 1. Similarly, on the Select Network Connection Bindings page,
verify that 172.16.1.3 is selected, and then click Next on DHCP Server 2.
5. On the Specify IPv4 DNS Server Settings page, verify that contoso.com is listed under Parent
domain.
6. Type 172.16.1.1 under Preferred DNS server IP address, and then click Validate. Verify that
the result returned is valid, and then click Next.
7. On the Specify WINS Server Settings page, accept the default setting of WINS is not required
on this network, and then click Next.
9. In the Add Scope dialog box, type SS Scope next to Scope Name. Next to Starting IP
Address, type 172.16.1.4, next to Ending IP Address, type 172.16.1.204, and next to Subnet
Mask, type 255.255.255.0.
10. Select the Activate this scope check box, click OK, and then click Next.
11. On the Configure DHCPv6 Stateless Mode page, select Disable DHCPv6 stateless mode for
this server, and then click Next.
12. On the Authorize DHCP Server page, select Use current credentials. Verify
that CONTOSO\user1 is displayed next to Username, and then click Next.
14. Verify that the installation was successful, and then click Close.
2. On the Advanced tab, verify that Default User Class is selected next to User class.
3. Select the 006 DNS Servers check box, in IP Address, under Data entry, type 172.16.1.1, and
then click Add.
4. Select the 015 DNS Domain Name check box, in String value, under Data entry,
type contoso.com, and then click OK.
Note
The 003 Router option is configured in the default user class if a default gateway is required for client computers. Because all the computers in this
lab are located on the same subnet, this option is not required.
• Configure TCP/IP.
3. When prompted for a computer name, type DHCP Client 1, DHCP Client 2, and DHCP Client 3.
5. Follow the rest of the instructions that appear on your screen to finish the installation.
2. Click Network and Internet, click Network and Sharing Center, and then click Manage
network connections.
4. In the Local Area Connection Properties dialog box, clear the Internet Protocol Version 6
(TCP/IPv6) check box. This will reduce the complexity of the lab, particularly for those who are
not familiar with IPv6.
6. Verify that Obtain an IP address automatically and Obtain DNS server address
automatically are selected.
7. Click OK, and then click Close to close the Local Area Connection Properties dialog box.
8. Close the Network Connections and Network and Sharing Center windows.
To join DHCP Client 1, DHCP Client 2, and DHCP Client 3 to the Contoso.com domain
1. Click Start, right-click Computer, and then click Properties.
2. Under Computer name, domain, and workgroup settings, click Change settings.
4. In the Computer Name/Domain Changes dialog box, select Domain, type Contoso.com, and
then, in Computer Name, type enggmachine1.contoso.com.
5. Click More, and then, in Primary DNS suffix of this computer, type Contoso.com.
8. When you see a dialog box that welcomes you to the Contoso.com domain, click OK.
9. When you see a dialog box that tells you that you must restart the computer to apply changes,
click OK.
11. In the dialog box that prompts you to restart the computer, click Restart the computer now.
• In the Command Prompt window, type ping 172.16.1.1, and then press ENTER.
• In the Command Prompt window, type ipconfig, and then press ENTER.
• In the Command Prompt window, type route print -4, and then press ENTER.
All three clients should have unrestricted access to the network at this point. In the next steps, we will add
clients to the link layer-based filtering Allow and Deny lists on DHCP Server 1 and demonstrate that one
client retains access while the other two clients are denied access.
• DHCP Client 1 is a healthy network authorized client computer that is active and has an IP address
from the DHCP server.
• DHCP Client 2 is a malicious unauthorized client computer that is active and has an IP address from
DHCP Server 1.
• DHCP Client 3 is a new client computer that is inactive and does not have network connectivity.
Note
You can add a valid MAC address to either the Allow or Deny filters, but not both.
To configure the Allow filter
1. In the DHCP console tree of DHCP Server 1, under IPv4, click Filters, under Filters right-
click Allow, and then click New Filter.
2. In the New Allow Filter dialog box, in MAC Address, enter the MAC (physical) address of DHCP Client 1
as six hexadecimal octets, and then click Add.
3. Under Filters right-click the Allow node, and then click the Enable pop-up menu item.
2. In the New Deny Filter dialog box, in MAC Address, enter the MAC (physical) address of DHCP Client 2
as six hexadecimal octets, click Add, and then click Close.
3. Under Filters right-click the Deny node, and then click the Enable pop-up menu item.
• In the Command Prompt window, type ping 172.16.1.1, and then press ENTER.
• Verify that the response reads Reply from 172.16.1.1 on DHCP Client 1 and Response timed
out for DHCP clients 2 and 3.
• In the Command Prompt window, type ipconfig, and then press ENTER.
• In the Command Prompt window, type route print -4, and then press ENTER.
• In the command output, below Active Routes, verify that a Network
Destination of 172.16.1.1 is displayed for DHCP Client 1, and that there is no route displayed for
DHCP clients 2 and 3.
Appendix
This appendix will help you with troubleshooting techniques and the setting of optional features in Windows
Server 2008 R2 and Windows 7.
5. By default, the General tab is displayed. Click the Details tab to view additional information.
6. You can also right-click an event and then click Event Properties to open a new window for
reviewing events.
3. In the left tree, navigate to Event Viewer (Local)\Custom Views\Server Roles\DHCP Server.
5. By default, the General tab is displayed. Click the Details tab to view additional information.
6. You can also right-click an event and then click Event Properties to open a new window for
reviewing events. The following are the events that pertain to this feature:
• 20093 - ERROR_DHCP_LINKLAYER_ADDRESS_EXISTS
• 20094 - ERROR_DHCP_LINKLAYER_ADDRESS_RESERVATION_EXISTS
Address to be added to Deny list or to be deleted from allow list has an associated reservation.
• 20095 - ERROR_DHCP_LINKLAYER_ADDRESS_DOES_NOT_EXIST
• 20096 - EVENT_FILTER_DENIED_IN_DENY_LIST
DHCP services were denied to computer with hardware address %1, hardware type %4, and
FQDN/Hostname %2 because it matched entry %3 in the Deny list.
• 20097 - EVENT_FILTER_DENIED_NOT_IN_ALLOW_LIST
DHCP services were denied to computer with hardware address %1, hardware type %3, and
FQDN/Hostname %2 because it did not match any entry in the Allow list.
• 20098 - EVENT_FILTER_EMPTY_ALLOW_LIST
No DHCP clients are being served because the Allow list is empty and the server was configured to
provide DHCP services to clients whose hardware addresses are present in the Allow list.
• 20099 - EVENT_FILTER_DENIED_IN_DENY_LIST_UNSPECIFIED
DHCP services were denied to computer with hardware address %1, hardware type %4, and
unspecified FQDN/Hostname %2 because it matched entry %3 in the Deny list.
• 20100 - EVENT_FILTER_DENIED_NOT_IN_ALLOW_LIST_UNSPECIFIED
DHCP services were denied to computer with hardware address %1, hardware type %3, and
unspecified FQDN/Hostname %2 because it did not match any entry in the Allow list.
• 20101 - ERROR_DHCP_HARDWARE_ADDRESS_TYPE_ALREADY_EXEMPT
• 20102 - ERROR_DHCP_UNDEFINED_HARDWARE_ADDRESS_TYPE
You are trying to delete an undefined hardware type. To define/add a hardware type, use
'add filterexemption'.
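The filter evaluation configured in the Allow and Deny procedures above, together with the events this appendix lists, as an added Python model (not code from this guide or from Microsoft): it enforces the one-list-only rule from the note before the filter procedures and shows how DHCP Client 1, 2 and 3 end up served, denied by the Deny list and refused by the Allow list respectively. The deny-before-allow ordering and the sample MAC addresses are assumptions of the model, not statements from the guide.

```python
import re
from dataclasses import dataclass, field
# Event IDs from the appendix of this guide.
ERROR_DHCP_LINKLAYER_ADDRESS_EXISTS = 20093
EVENT_FILTER_DENIED_IN_DENY_LIST = 20096
EVENT_FILTER_DENIED_NOT_IN_ALLOW_LIST = 20097
EVENT_FILTER_EMPTY_ALLOW_LIST = 20098

_MAC_RE = re.compile(r"^" + r"([0-9a-f]{2})[-:]?" * 5 + r"([0-9a-f]{2})$")

def normalize_mac(mac: str) -> str:
    """Canonical 'aa-bb-cc-dd-ee-ff' form; accepts '-', ':' or no separators."""
    m = _MAC_RE.match(mac.strip().lower())
    if not m:
        raise ValueError(f"not a six-octet MAC address: {mac!r}")
    return "-".join(m.groups())

@dataclass
class LinkLayerFilter:
    allow: set = field(default_factory=set)
    deny: set = field(default_factory=set)
    allow_enabled: bool = False
    deny_enabled: bool = False

    def add(self, list_name: str, mac: str) -> None:
        """Add a MAC to 'allow' or 'deny'. A MAC may be in one list but not both
        (the note above the filter procedures): a duplicate fails with 20093."""
        mac = normalize_mac(mac)
        if mac in self.allow or mac in self.deny:
            raise ValueError(f"{ERROR_DHCP_LINKLAYER_ADDRESS_EXISTS}: {mac} already filtered")
        (self.allow if list_name == "allow" else self.deny).add(mac)

    def decide(self, mac: str) -> tuple:
        """(served, event_id) for one client. Model assumption: Deny is checked
        first; an enabled but empty Allow list serves nobody (20098)."""
        mac = normalize_mac(mac)
        if self.deny_enabled and mac in self.deny:
            return False, EVENT_FILTER_DENIED_IN_DENY_LIST
        if self.allow_enabled:
            if not self.allow:
                return False, EVENT_FILTER_EMPTY_ALLOW_LIST
            if mac not in self.allow:
                return False, EVENT_FILTER_DENIED_NOT_IN_ALLOW_LIST
        return True, None  # lease offered

def lab_scenario() -> dict:
    """Client 1 on Allow, Client 2 on Deny, Client 3 on neither; MACs are constructed."""
    clients = {"DHCP Client 1": "00-15-5D-01-00-01",
               "DHCP Client 2": "00-15-5D-01-00-02",
               "DHCP Client 3": "00-15-5D-01-00-03"}
    f = LinkLayerFilter()
    f.add("allow", clients["DHCP Client 1"])
    f.add("deny", clients["DHCP Client 2"])
    f.allow_enabled = f.deny_enabled = True  # "Enable" on both filter nodes
    return {name: f.decide(mac) for name, mac in clients.items()}
```

Client 3 is refused with 20097 even though nobody listed it: once the Allow filter is enabled, any unlisted MAC, including the inactive new client, gets no lease.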
DNS Operations Guide
Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows
Server 2003 with SP2
The DNS Operations Guide provides administering and troubleshooting information for Domain Name
System (DNS) in the Microsoft® Windows Server™ 2003 with Service Pack 1 (SP1) operating system.
In this guide
This Domain Name System (DNS) Administering guide provides administering information for DNS in the
Microsoft Windows Server 2003 with Service Pack 1 (SP1) operating system.
In this guide
• Managing DNS
• Monitoring DNS
• Optimizing DNS
• Securing DNS
This guide explains how to administer Microsoft Domain Name System (DNS). These activities are part of
the operating phase of the information technology (IT) life cycle. If you are not familiar with this guide,
review the following sections of this introduction.
When to Use This Guide
You should use this guide when:
This guide assumes a basic understanding of what DNS is, how it works, and why your organization uses it
for name resolution. You should also have a thorough understanding of how DNS is deployed and managed
in your organization. This includes an understanding of the mechanism that your organization uses to
configure and manage DNS settings.
This guide can be used by organizations that have deployed Windows Server 2003 Service Pack 1 (SP1). It
includes information that is relevant to different roles within an IT organization, including IT operations
management and administrators. This guide contains high-level information that is required to plan a DNS
operations environment, along with management-level knowledge of the DNS and IT processes that are
required to operate it.
In addition, this guide contains more detailed procedures that are designed for operators who have varied
levels of expertise and experience. Although the procedures provide operator guidance from start to finish,
operators must have a basic proficiency with Microsoft Management Console (MMC) and snap-ins and know
how to start administrative programs and access the command line. If operators are not familiar with DNS,
it might be necessary for IT planners or managers to review the relevant operations in this guide and
provide the operators with parameters or data that must be entered when the operations are performed.
• Objectives are high-level goals for managing, monitoring, optimizing, and securing DNS. Each
objective consists of one or more high-level tasks that describe how the objective is accomplished.
In this guide, Managing Domain Name System Servers is an example of an objective.
• Tasks are used to group related procedures and provide general guidance for achieving the goals of
an objective. In this guide, Modifying an Existing DNS Server is an example of a task.
• Procedures provide step-by-step instructions for completing tasks. In this guide, Change the
name-checking method of a DNS server is an example of a procedure.
If you are an IT manager who will be delegating tasks to operators in your organization, you will want to:
• Read through the objectives and tasks to determine how to delegate permissions and whether you
need to install tools before operators perform the procedures for each task.
• Before assigning tasks to individual operators, ensure that you have all the tools installed where
operators can use them.
• When necessary, create “tear sheets” for each task that operators perform in your organization. Cut
and paste the task and its related procedures into a separate document and then either print these
documents or store them online, depending on the preference of your organization.
Managing DNS
This guide describes processes and procedures for improving the management of Windows Server 2003
Domain Name System (DNS) in your network infrastructure. Ensuring that DNS is functioning properly helps
increase system availability for your users.
The following tasks for managing DNS are described in this objective: