
Design Step 3: Map the Design Configuration to the Hardware and Software Configuration

DHCP Hardware Requirements

Component type: Component configuration

Processor: Two processors, 700 megahertz (MHz) to 1.6 gigahertz (GHz).

Memory: 256 megabytes (MB) to 2 gigabytes (GB). The minimum memory requirement includes the base
requirement for Windows Server 2008 and an additional 128 MB for the DHCP service.

Local storage: Drive controller: SCSI 3. Hard disks: 30-36 GB.

Network adapter: Two 10/100 Fast Ethernet adapters (configured in a fault-tolerant NIC team)
supporting PXE (Pre-boot Execution Environment).

DHCP Availability
To provide high availability of DHCP Server you will need to consider methods to ensure that your DHCP
service will always be able to respond to DHCP requests. This can be accomplished through split scopes, a
standby server, failover to a network device that supports DHCP allocation, or through the use of a server
cluster.

DHCP Security
Security measures to keep unauthorized DHCP servers off of your network and protect against
unsecured DNS resource records:

- DHCP Server Authorization
- DNS Record Ownership and the DnsUpdateProxy Group

Important: We should enable audit logging for every DHCP server on our network; this provides the
information required to track the source of any attacks made against the DHCP server. We must
regularly check the audit log files and monitor them when the DHCP server receives an unusually high
number of lease requests from clients.
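One way to check the first measure above, DHCP server authorization, from the defender's side. This is an added example, not part of the original document: it lists the DHCP servers that AD DS has authorized (the netsh command is real; the way its output is parsed, by pulling IPv4 addresses with a regular expression, is an assumption) and compares them with the servers the design approves. The approved addresses are constructed placeholders.

```powershell
# Added example, not from the document: compare the DHCP servers authorized in
# AD DS with the servers the design approves. $approved is a CONSTRUCTED list;
# replace it with the addresses of your own designed DHCP servers.
$approved = @('10.0.0.5', '10.0.0.6')

function Get-AuthorizedDhcpServerAddress {
    # "netsh dhcp show server" prints one entry per authorized server. The IPv4
    # address is extracted with a regex so the exact line layout does not matter
    # (assumption: each entry carries the server's address in dotted form).
    $raw = netsh dhcp show server 2>&1
    $raw | ForEach-Object {
        if ("$_" -match '\b(\d{1,3}(?:\.\d{1,3}){3})\b') { $Matches[1] }
    } | Sort-Object -Unique
}

function Compare-DhcpAuthorization {
    param([string[]]$Authorized, [string[]]$Approved)
    $unexpected = $Authorized | Where-Object { $Approved -notcontains $_ }
    $missing    = $Approved   | Where-Object { $Authorized -notcontains $_ }
    New-Object PSObject -Property @{
        Unexpected = @($unexpected)   # authorized in AD DS but not in the design
        Missing    = @($missing)      # in the design but not (yet) authorized
    }
}

$result = Compare-DhcpAuthorization -Authorized @(Get-AuthorizedDhcpServerAddress) -Approved $approved
if ($result.Unexpected.Count -gt 0) {
    Write-Warning ("Unapproved DHCP server(s) authorized in AD DS: " + ($result.Unexpected -join ', '))
}
if ($result.Missing.Count -gt 0) {
    Write-Warning ("Designed DHCP server(s) not yet authorized: " + ($result.Missing -join ', '))
}
```

Run it from a domain-joined machine with an account that can query AD DS. An entry in Unexpected is a server that somebody authorized outside the design and should be investigated; an entry in Missing is a designed server that clients on its subnets will not be served by until it is authorized.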

DHCP Scalability
You can create an unlimited number of clients and scopes on a DHCP server. However, a DHCP server
should ideally host no more than 1,000 scopes. When adding a large number of scopes to the server, be
aware that each scope creates a corresponding need for additional disk space for the DHCP server registry
and the server paging file. For example, in a single subnet environment, only one DHCP server is
necessary, although you might want to use two servers or deploy a DHCP server cluster for increased fault
tolerance. In an environment with multiple subnets, router performance can affect the DHCP service
because DHCP messages must be forwarded across subnets. Therefore, scaling the DHCP service involves
network infrastructure issues for most enterprise environments.

Before deployment, you should test your DHCP servers on the network to determine the limitations and
abilities of your hardware and to see whether the network architecture, traffic, and other factors affect
DHCP server performance.

DHCP Manageability
Both the Microsoft Management Console (MMC) and the Netsh command-line tool can be used to
manage all DHCP servers. A mix of DHCP server versions or DHCP servers from different vendors can be
more complex to manage. If you need to manage other services on the DHCP servers that do not have
MMCs, you can use Terminal Services. When the DHCP servers are deployed, Terminal Services should be
installed in remote administration mode.

Role-Based DHCP Administration


If we are running the DHCP service on Windows 2000, Windows Server 2003, or Windows Server 2008,
groups with these role names are created as local groups on the member server where DHCP is installed
and available. You should restrict the membership of these groups to the minimum number of users
required to administer the server.

DHCP Users: Members of the DHCP Users group have read-only DHCP console access to the server that
allows them to view (but not modify) server data, including DHCP server configuration, registry keys,
DHCP log files, and the DHCP database. Members of DHCP Users cannot create scopes, modify option
values, create reservations or exclusion ranges, or modify the DHCP server configuration.

DHCP Administrators: Members of the DHCP Administrators group have full control over the DHCP
configuration only; they do not have full, unlimited administrative access to the server, which would be
the case if the local Administrators group were used instead. Members of DHCP Administrators can view
and modify any data on the DHCP server. They can create and delete scopes, add reservations, change
option values, create Superscopes, or perform any other activity required to administer the DHCP server,
including export and import of the DHCP server configuration and database. These tasks can be
performed using the Netsh commands for DHCP or the DHCP MMC.

If a DHCP server is also configured as a DNS server, members of the DHCP Administrators group can view
and modify the DHCP configuration but cannot modify the DNS server configuration on the same
computer. Because members of DHCP Administrators have rights on the local computer only, they cannot
authorize or unauthorize DHCP servers in AD DS; only members of the Domain Administrators group can
perform this task. If you want to authorize or unauthorize a DHCP server in a child domain, you must
have enterprise administrator credentials for the parent domain.
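The text asks that membership of the two role groups be kept to the minimum set of users. The following script is an added example, not part of the original document: it enumerates the local DHCP Users and DHCP Administrators groups on a DHCP server through the WinNT ADSI provider and reports members that look wrong. The list of broad principals and the maximum member count are assumptions to adapt to the site's own design.

```powershell
# Added example, not from the document: audit membership of the local DHCP role
# groups on a DHCP server. The "broad principal" names and $MaxMembers are
# ASSUMED values; adjust them to the administrators your design actually names.
$broadPrincipals = @('Everyone', 'Domain Users', 'Authenticated Users', 'Users')

function Get-LocalGroupMemberName {
    param([string]$GroupName, [string]$ComputerName = '.')
    # The WinNT ADSI provider is available on Windows Server 2008 without extra modules.
    $group = [ADSI]("WinNT://$ComputerName/$GroupName,group")
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Test-DhcpRoleGroup {
    param([string]$GroupName, [string[]]$Members, [int]$MaxMembers = 3)
    # Returns one finding string per problem; no output means the group looks right.
    $findings = @()
    foreach ($m in $Members) {
        if ($broadPrincipals -contains $m) {
            $findings += "$GroupName contains broad principal '$m'"
        }
    }
    if ($Members.Count -gt $MaxMembers) {
        $findings += "$GroupName has $($Members.Count) members (expected at most $MaxMembers)"
    }
    $findings
}

foreach ($g in 'DHCP Users', 'DHCP Administrators') {
    $members = @(Get-LocalGroupMemberName -GroupName $g)
    Write-Output ("{0}: {1}" -f $g, ($members -join ', '))
    Test-DhcpRoleGroup -GroupName $g -Members $members | ForEach-Object { Write-Warning $_ }
}
```

Run it on each DHCP server (or pass a remote name as ComputerName); a warning on DHCP Administrators deserves attention first, since that group can export and import the whole server configuration.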

Administering the DHCP Service


The following are the two main ways of administering the DHCP service:

- Managing DHCP from the command line: The Netsh commands are useful when managing DHCP
servers in WANs; typed command-line instructions give much better response times across slow-
speed network links. When managing a large number of DHCP servers, commands can be used in
batch mode to help script and automate recurring administrative tasks that need to be performed
on all DHCP servers.
- Managing DHCP from the console: The DHCP console in Windows Server 2008 includes enhanced
server performance monitoring, additional predefined DHCP option types, dynamic update
support for clients running earlier versions of the Windows operating system, and detection of
unauthorized DHCP servers on your network.

Managing the DHCP Database


The DHCP database in Windows Server 2008 uses the Exchange Server Jet storage engine. The DHCP
server database is a dynamic database that is updated as DHCP clients are assigned or as they release
their TCP/IP configuration parameters. Because it is not a distributed database like the WINS server
database, maintaining the DHCP server database is less complex.
There is no set limit to the number of records that a DHCP server can store; the size of the database
depends on the number of DHCP clients on the network. The DHCP database grows over time as a result
of clients starting and stopping on the network; size of the database is not directly proportional to the
number of active client lease entries. Over time, as some DHCP client entries become obsolete and are
deleted, some space remains unused.
To recover the unused space, the DHCP database can be compacted. Dynamic database compaction
occurs on DHCP servers as an automatic background process during idle time or after a database update.
Maintaining a backup of the DHCP database protects you from data loss if the database is lost due to
failure of a hardware component or if it becomes corrupted. The three backup methods supported by the
DHCP service are:

- Synchronous backup: Occurs automatically; the default backup interval is 60 minutes.
- Asynchronous (manual) backups: Performed using the backup command in the DHCP console.
- Windows Backup (ntbackup.exe) or other (non-Microsoft) backup software.

When a synchronous or asynchronous backup occurs, the entire DHCP database is backed up, including
the following:

- All scopes, including Superscopes and multicast scopes
- Reservations
- Leases
- All options, including server options, scope options, reservation options, and class options

Other configuration settings in the DHCP server properties (such as audit log settings and folder location
settings) are stored in the registry and must be backed up using the Registry Editor.
The DNS dynamic update credentials that the DHCP server uses when registering DHCP client computers
in DNS cannot be backed up using any backup method.
Synchronous and asynchronous backups are performed while the DHCP service is running. You do not
need to stop the DHCP service unless you are moving your database to a new server.
Restoring server data
You can use the Restore method to copy a database to another server. Only DHCP databases from the
same language version can be restored. For example, a DHCP database from a server running an English
language version of the operating system cannot be restored to a DHCP server running a Japanese
language version of the operating system.
To restore the DHCP database, the service must be stopped temporarily. When that happens, DHCP
clients will be unable to contact the server and obtain IP addresses until it is restarted.
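A scripted version of the backup procedure described above, as an added example that is not part of the original document. It takes a manual backup while the service keeps running and, separately, captures the two things the text says the DHCP backup itself does not cover: the registry-resident settings (saved here with reg.exe rather than the Registry Editor GUI) and a portable netsh export of the configuration. The netsh backup verb is used as the command-line equivalent of the console's backup command; the destination path is an assumption.

```powershell
# Added example, not from the document: manual (asynchronous) DHCP backup plus the
# registry settings and configuration export that the database backup leaves out.
# Run elevated on the DHCP server. $BackupRoot is an ASSUMED location.
$BackupRoot = 'D:\DhcpBackup'
$dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# 1. Manual backup of the live database; the DHCP service keeps running.
netsh dhcp server backup "$dest\db"

# 2. Export of all scopes, reservations, leases and options. The file can be loaded
#    on another server of the same language version with "netsh dhcp server import".
netsh dhcp server export "$dest\dhcp-config.txt" all

# 3. Settings that live only in the registry (audit log path, backup interval,
#    database and backup folder locations) are not part of the database backup.
reg export HKLM\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters "$dest\dhcp-parameters.reg" /y

# Note: the DNS dynamic update credentials cannot be backed up by any of these
# steps; record them in the password store the design uses for service accounts.

# Sanity check: a backup with a missing artefact is not restorable.
$expected = "$dest\db", "$dest\dhcp-config.txt", "$dest\dhcp-parameters.reg"
$missing  = @($expected | Where-Object { -not (Test-Path $_) })
if ($missing.Count -gt 0) {
    Write-Error ("Backup incomplete, missing: " + ($missing -join ', '))
} else {
    Write-Output "DHCP backup written to $dest"
}
```

Copy the resulting folder off the server as part of the regular Windows Backup job; the same-language-version restriction from the text applies when the database is restored elsewhere, and restoring takes the service down briefly, so schedule it accordingly.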

DHCP Audit Logging


DHCP servers running Windows Server 2008 have several logging features and server parameters that
provide enhanced auditing capabilities. You can specify the following logging parameters:

- The directory path in which the DHCP server stores audit log files. By default, DHCP audit logs are
located in %windir%\System32\Dhcp.
- A maximum size restriction (in megabytes) for the total amount of disk space available for all
audit log files created and stored by the DHCP service.
- An interval for disk checking that is used to determine how many times the DHCP server writes
audit log events to the log file before checking for available disk space on the server.
- A minimum size requirement (in megabytes) for server disk space to determine if sufficient space
exists for the server to continue audit logging.

You can selectively enable or disable the audit logging feature at each DHCP server. The directory path in
which the DHCP server stores audit log files can be modified using the DHCP console; other audit logging
parameters are adjusted through registry-based configuration changes.
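The DHCP Security section asks that the audit logs be monitored for an unusually high number of lease requests; this script, an added example that is not part of the original document, shows what such a check looks like over the audit log files described above. The log lines are constructed for the example and follow the "ID,Date,Time,Description,IP Address,Host Name,MAC Address" column layout of the DhcpSrvLog-*.log files in %windir%\System32\Dhcp (real files also begin with explanatory header text, which the parser skips); event IDs 10 (new lease), 11 (renew) and 14 (request not satisfied because the scope was exhausted) are real audit log IDs, while the thresholds are assumptions to tune against each server's normal traffic.

```powershell
# Added example, not from the document: parse DHCP audit log lines and flag an
# unusually high number of lease requests per client MAC and per minute.
# The log lines below are CONSTRUCTED for the example; thresholds are ASSUMED.
$sampleLog = @'
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,04/12/09,08:00:00,Started,,,
10,04/12/09,08:01:10,Assign,10.0.1.20,ws01.corp.example,001122AABB01
11,04/12/09,08:02:15,Renew,10.0.1.21,ws02.corp.example,001122AABB02
10,04/12/09,08:03:02,Assign,10.0.1.30,,00DEADBEEF01
10,04/12/09,08:03:03,Assign,10.0.1.31,,00DEADBEEF02
10,04/12/09,08:03:03,Assign,10.0.1.32,,00DEADBEEF03
10,04/12/09,08:03:04,Assign,10.0.1.33,,00DEADBEEF04
10,04/12/09,08:03:04,Assign,10.0.1.34,,00DEADBEEF05
10,04/12/09,08:03:05,Assign,10.0.1.35,,00DEADBEEF06
14,04/12/09,08:03:06,Scope full,10.0.1.0,,00DEADBEEF07
11,04/12/09,08:10:41,Renew,10.0.1.21,ws02.corp.example,001122AABB02
11,04/12/09,08:10:45,Renew,10.0.1.21,ws02.corp.example,001122AABB02
11,04/12/09,08:10:50,Renew,10.0.1.21,ws02.corp.example,001122AABB02
11,04/12/09,08:10:55,Renew,10.0.1.21,ws02.corp.example,001122AABB02
'@

function Get-DhcpLeaseEvents {
    param([string[]]$Lines)
    # Keep only CSV records that start with a two-digit event ID; this drops the
    # explanatory header text and the column header line of a real log file.
    $records = $Lines | Where-Object { $_ -match '^\d{2},' }
    $header  = 'ID', 'Date', 'Time', 'Description', 'IPAddress', 'HostName', 'MAC'
    # 10 = new lease, 11 = renew, 14 = request not satisfied (scope exhausted)
    $records | ConvertFrom-Csv -Header $header | Where-Object { '10', '11', '14' -contains $_.ID }
}

function Find-DhcpLeaseBursts {
    param(
        [object[]]$Events,
        [int]$MaxPerClient = 3,   # assumed: more than 3 requests from one MAC in the file
        [int]$MaxPerMinute = 5    # assumed: more than 5 requests in any single minute
    )
    $findings = @()
    foreach ($g in ($Events | Group-Object MAC)) {
        if ($g.Count -gt $MaxPerClient) {
            $findings += "MAC $($g.Name) made $($g.Count) lease requests"
        }
    }
    # Group on date plus HH:MM so each bucket is one minute of server time.
    foreach ($g in ($Events | Group-Object { $_.Date + ' ' + $_.Time.Substring(0, 5) })) {
        if ($g.Count -gt $MaxPerMinute) {
            $findings += "$($g.Count) lease requests in minute $($g.Name)"
        }
    }
    foreach ($e in ($Events | Where-Object { $_.ID -eq '14' })) {
        $findings += "scope exhausted at $($e.Date) $($e.Time) (request from MAC $($e.MAC))"
    }
    $findings
}

$events = @(Get-DhcpLeaseEvents -Lines ($sampleLog -split '\r?\n'))
# Live use: $events = @(Get-DhcpLeaseEvents -Lines (Get-Content "$env:windir\System32\Dhcp\DhcpSrvLog-Mon.log"))
Find-DhcpLeaseBursts -Events $events | ForEach-Object { Write-Warning $_ }
```

With the constructed lines the script raises three warnings: the client 001122AABB02 renewing five times, seven requests inside the 08:03 minute from MACs that never appear again, and the scope running out of addresses right after that burst. That combination, many new leases from previously unseen clients followed by scope exhaustion, is exactly the pattern the audit log is meant to surface, and the same rules apply unchanged to the day-of-week log files on a live server.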
DHCP Performance
The DHCP service is critical to the success of the network infrastructure. Without properly functioning
DHCP servers, IP clients can lose some or all of their ability to access or use the network. Large amounts of
RAM and faster disk drives can improve DHCP server performance; therefore, you should evaluate drive
access time, the average time of read/write operations, and the RAID configuration. In many cases, the
speed of the server's disk drive is more important than other server requirements, such as memory and
processor.
Performance monitoring is available on computers running Windows 2000, Windows Server 2003, and
Windows Server 2008 operating systems to help monitor DHCP server performance on the network and
to evaluate the disk performance.
Windows Server 2008 provides a set of performance counters that can be used to measure and monitor
various aspects of DHCP server activity, including:

- All types of DHCP messages sent and received by the DHCP service.
- The average amount of processing time spent on each message packet sent and received by the
DHCP server.
- The number of message packets dropped because of internal delays at a DHCP server computer.

To access the DHCP performance counters, you must use System Monitor. By default, the performance
monitoring is available after the DHCP service component is installed. The following table describes the
counters used to measure DHCP performance.

Counter name: Description

Packets Received/sec: The number of message packets received per second by the DHCP server. A large
number indicates heavy DHCP-related message traffic to the server.

Duplicates Dropped/sec: The number of duplicated packets per second dropped by the DHCP server. This
number can be affected by multiple DHCP relay agents or network interfaces forwarding the same packet
to the server. A large number here indicates that either clients are probably timing out too quickly or
the server is not responding quickly enough.

Packets Expired/sec: The number of packets per second that expire and are dropped by the DHCP server.
When a DHCP-related message packet is internally queued for 30 seconds or more, it is determined to be
stale and expired by the server. A large number here indicates that the server is either taking too long
to process some packets while other packets are queued and becoming stale, or traffic on the network is
too high for the server to manage.

Milliseconds per packet (avg.): The average time, in milliseconds, used by the DHCP server to process
each packet it receives. This number can vary depending on the server hardware and its I/O subsystem. A
sudden or unusual increase might indicate a problem, either with the I/O subsystem becoming slower or
because of intrinsic processing overhead on the server.

Active Queue Length: The current length of the internal message queue of the DHCP server. This number
equals the number of unprocessed messages received by the server. A large number might indicate heavy
server traffic.

Conflict Check Queue Length: The current length of the conflict check queue for the DHCP server. This
queue holds messages without responses while the DHCP server performs address conflict detection. A
large value here might indicate that the Conflict Detection Attempts value was set too high or that there
is unusually heavy lease traffic at the server.

Discovers/sec: The number of DHCP discover messages (DHCPDISCOVER) received per second by the server.
These messages are sent by clients when they start on the network and obtain a new address lease. A
sudden or unusual increase indicates a large number of clients are attempting to initialize and obtain an
IP address lease from the server, such as when a number of client computers start at the same time.

Offers/sec: The number of DHCP offer messages (DHCPOFFER) sent per second by the DHCP server to
clients. A sudden or unusual increase in this number indicates heavy traffic on the server.

Requests/sec: The number of DHCP request messages (DHCPREQUEST) received per second by the DHCP
server from clients. A sudden or unusual increase in this number indicates a large number of clients
trying to renew their leases with the DHCP server. This might indicate that scope lease durations are too
short.

Informs/sec: The number of DHCP information messages (DHCPINFORM) received per second by the DHCP
server. DHCPINFORM messages are used when the server queries the directory service for the enterprise
root and when dynamic updates are being performed on behalf of clients by the server.

Acks/sec: The number of DHCP acknowledgment messages (DHCPACK) sent per second by the server to
clients. A sudden or unusual increase in this number indicates that a large number of clients are being
renewed by the DHCP server. This might indicate that the scope lease durations are too short.

Nacks/sec: The number of DHCP negative acknowledgment messages (DHCPNAK) sent per second by the
DHCP server to clients. A very high value might indicate potential network trouble in the form of an
incorrectly configured server or clients. When servers are incorrectly configured, one possible cause is a
deactivated scope. For clients, a very high value can be caused by computers moving between subnets,
such as laptops or other mobile devices.

Releases/sec: The number of DHCP release messages (DHCPRELEASE) received per second by the server
from clients. A high value indicates that several clients have found their address to be in conflict,
possibly indicating network trouble. Temporarily enabling conflict detection can help in this situation.
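The table above gives an interpretation for a high value of each counter but no numbers. The script below is an added example, not part of the original document: it samples the real "DHCP Server" counter set with Get-Counter (PowerShell 2.0 or later) and turns the table's rules of thumb into warnings. The thresholds are assumed starting values that must be replaced by each server's measured baseline, and the sample reading at the end is constructed so the rules can be exercised without a live server.

```powershell
# Added example, not from the document: evaluate DHCP Server performance counters
# against the interpretations in the counter table. Thresholds are ASSUMED
# starting values; calibrate them from the server's own baseline.
$counterNames = @(
    '\DHCP Server\Packets Received/sec',
    '\DHCP Server\Duplicates Dropped/sec',
    '\DHCP Server\Packets Expired/sec',
    '\DHCP Server\Active Queue Length',
    '\DHCP Server\Conflict Check Queue Length',
    '\DHCP Server\Requests/sec',
    '\DHCP Server\Nacks/sec',
    '\DHCP Server\Releases/sec'
)

$defaultThresholds = @{
    'Duplicates Dropped/sec' = 5; 'Packets Expired/sec' = 1; 'Active Queue Length' = 50
    'Conflict Check Queue Length' = 20; 'Requests/sec' = 100; 'Nacks/sec' = 5; 'Releases/sec' = 5
}

function Get-DhcpCounterSample {
    # One live sample, returned as a hashtable keyed by the short counter name.
    $sample = Get-Counter -Counter $counterNames
    $values = @{}
    foreach ($s in $sample.CounterSamples) {
        # Path is fully qualified (\\host\dhcp server\...); keep only the last segment.
        $short = $s.Path.Substring($s.Path.LastIndexOf('\') + 1)
        $values[$short] = $s.CookedValue
    }
    $values
}

function Test-DhcpCounters {
    param([hashtable]$Values, [hashtable]$Thresholds = $defaultThresholds)
    # Each rule pairs a counter with the table's reading of a high value.
    $rules = @(
        @{ Name = 'Duplicates Dropped/sec';      Hint = 'relay agents or interfaces forwarding the same packet, or clients timing out too quickly' },
        @{ Name = 'Packets Expired/sec';         Hint = 'packets queued 30 s or more; server too slow or network traffic too high' },
        @{ Name = 'Active Queue Length';         Hint = 'backlog of unprocessed messages; heavy server traffic' },
        @{ Name = 'Conflict Check Queue Length'; Hint = 'Conflict Detection Attempts set too high, or unusually heavy lease traffic' },
        @{ Name = 'Requests/sec';                Hint = 'many clients renewing; scope lease durations may be too short' },
        @{ Name = 'Nacks/sec';                   Hint = 'misconfigured server (e.g. deactivated scope) or clients moving between subnets' },
        @{ Name = 'Releases/sec';                Hint = 'clients finding their address in conflict; consider enabling conflict detection' }
    )
    foreach ($r in $rules) {
        $v = $Values[$r.Name]
        if ($v -ne $null -and $v -gt $Thresholds[$r.Name]) {
            "{0} = {1} (threshold {2}): {3}" -f $r.Name, $v, $Thresholds[$r.Name], $r.Hint
        }
    }
}

# CONSTRUCTED reading standing in for a live one; on a server use Get-DhcpCounterSample.
$sample = @{
    'Packets Received/sec' = 240; 'Duplicates Dropped/sec' = 0; 'Packets Expired/sec' = 0
    'Active Queue Length' = 3; 'Conflict Check Queue Length' = 45; 'Requests/sec' = 12
    'Nacks/sec' = 18; 'Releases/sec' = 1
}
Test-DhcpCounters -Values $sample | ForEach-Object { Write-Warning $_ }
```

The constructed reading produces two warnings, for Conflict Check Queue Length and Nacks/sec, which together point at the same two causes the table names: conflict detection attempts set too high and a misconfigured or deactivated scope. Running Test-DhcpCounters on a schedule against Get-DhcpCounterSample, and keeping the threshold table per server, gives the before-deployment testing recommended under DHCP Scalability something concrete to record.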

DHCP Consolidation
Service layering (the deployment of multiple services on a single server) reduces the cost of deployment.
For example, in a branch office, a single server can act as the DHCP, DNS, WINS, and AD DS server. The
effect of running multiple services on a single server must be measured against the potential reduction of
performance and administrative control across all the services. In addition, interoperability issues might
arise when combining services on a single server. For example, DHCP running on a domain controller with
the DNS dynamic update protocol must be configured to run under an impersonation account in order to
prevent DNS record hijacking.
The DHCP service has a low resource requirement compared to services such as domain controllers. Other
than periodic bursts of activity, such as the initial flood of lease requests, DHCP should be able to run with
WINS and other core infrastructure services.
Another way of consolidating servers is to combine DHCP servers across the enterprise network into a
smaller number of larger capacity servers. Thus, separate DHCP servers do not need to be deployed in
each subnet; it might be possible to use headquarters DHCP servers to support SBO scenarios.

DHCP Interoperability
If you plan to integrate DHCP with other technologies on your network, be sure to read the topics in this
section.
- DNS servers provide name resolution for network resources, allowing DHCP servers and DHCP
clients to register with DNS.
- For proper authorization and operation, the DHCP server relies on a valid AD DS configuration.
The DHCP server must find a valid directory services-enabled domain controller.
- You can use the DHCP Relay Agent with Routing and Remote Access to give scope options to
dial-up clients or to virtual private network (VPN) clients. The dial-up or the VPN client will
continue to receive an IP address from the Routing and Remote Access server, but it might use
DHCPInform packets to obtain additional WINS and DNS addresses, a DNS domain name, or
other DHCP options. The purpose of DHCPInform messages is to obtain DHCP scope option
information without getting an IP address.
- Using NAP, DHCP servers and Network Policy Server (NPS) can enforce health policy when a
computer attempts to lease or renew an Internet Protocol version 4 (IPv4) address. However, if
client computers are configured with a static IP address or are otherwise configured to circumvent
the use of DHCP, this enforcement method is not effective.

1. DHCP Interoperability with DNS
2. DHCP Interoperability with ADDS
3. DHCP Interoperability with R&RAS
4. DHCP Interoperability with NAP
5. DHCP Interoperability with WINS
