Tuesday, October 8, 2013

Windows Server 2012 - DHCP - Part 3 - exclusions and reservations (command line)

DHCP exclusions...

Some devices on a network should have an IP address that does not change.
 
For example, we just saw, in my previous blog post, that we can use DHCP to designate key network nodes such as the default router (gateway) and the DNS servers. When you think about this a second, you realize that those IP addresses must not change.
 
If the IP address of the DNS server was dynamically assigned (by DHCP), and was initially 10.0.0.5, and if IP settings configured by DHCP for other clients pointed to 10.0.0.5 for the DNS server, and then... if the DNS server IP address changed to 10.0.0.50... well, name resolution could become quite unreliable.
 
For this reason, we usually need to ensure that at least some addresses of a particular subnet are not allocated by DHCP... or... if they are, ensure that the clients always receive the same IP address.
 
We can achieve this with one of two methods.
 
Let's say we have the scope 10.1.1.0 with a subnet mask of 255.255.255.0.
 
If we want to reserve the first 20 addresses for devices requiring a static IP, we can either begin the scope at 10.1.1.21 or begin the scope at 10.1.1.1 and exclude the first 20 addresses.
 
I opted for the first possibility in my previous blog post on DHCP.
 
 
Now let's recreate that scope but this time with exclusions.


Remove-DhcpServerv4Scope -ComputerName dc-001.machlinkit.biz -scopeID 10.0.0.0 -force

Note: if the scopes are active and if there are active leases, you may encounter this message:

PS C:\> Remove-DhcpServerv4Scope -ComputerName dc-001.machlinkit.biz -scopeID 10.0.0.0

Remove-DhcpServerv4Scope : Failed to delete scope 10.0.0.0 on DHCP server dc001.machlinkit.biz.

We can use the -force parameter in this case (simply add it to the end of the command).


 
I thought I would try something: start the range at 10.1.1.0 which is the (sub)network ID and end the range at 10.1.1.255 which is the broadcast address for the subnet. I thought the command would fail but it succeeded:
 

PS C:\> Add-DhcpServerv4Scope -Name MACH1 -StartRange 10.1.1.0 -EndRange 10.1.1.255 -SubnetMask 255.0.0.0



Regardless, we will exclude these addresses (it is possible that DHCP would not allocate the first and last address of the range - I don't have time to test everything so if someone else knows for sure, please feel free to comment).


We can exclude either a range of IP addresses or a single IP address:

PS C:\> Add-DhcpServerv4ExclusionRange -ScopeID 10.0.0.0 -StartRange 10.0.0.0 -EndRange 10.0.0.20

PS C:\>

PS C:\> Add-DhcpServerv4ExclusionRange -ScopeID 10.0.0.0 -StartRange 10.0.0.255 -EndRange 10.0.0.255

PS C:\>

PS C:\> Add-DhcpServerv4ExclusionRange -ScopeID 10.0.0.0 -StartRange 10.0.0.254 -EndRange 10.0.0.254


That's right: to exclude a single IP address just list it as the start and end IP address.


Here is the PowerShell cmdlet that shows DHCP exclusions:


PS C:\> Get-DhcpServerv4ExclusionRange -ScopeID 10.0.0.0

ScopeId   StartRange  EndRange
-------   ----------  --------
10.0.0.0  10.0.0.0    10.0.0.20
10.0.0.0  10.0.0.255  10.0.0.255
10.0.0.0  10.0.0.254  10.0.0.254


And this is how the exclusions would appear in DHCP Manager:






... And DHCP reservations



Lastly, let's take a look at reservations.
 
We could assign static IP addresses to certain devices whose IP address must remain the same. Or we could use DHCP but create reservations so the same IP would always be allocated to the device in question. Associating the IP address in question with the MAC address of the device ensures this.
 
Let's say that we want the DHCP client with MAC address 00-0C-29-F8-C0-46 to always receive IP address 10.1.1.21.

This command fulfills that objective:
 

PS C:\> Add-DhcpServerv4Reservation -ScopeID 10.0.0.0 -IPAddress 10.1.1.21 -ClientID 00-0C-29-F8-C0-46


Note: there are a number of ways to determine the MAC address of the node in question.

We can enter ipconfig /all at the device itself (probably the most common method) or enter the following command on a remote computer:

nbtstat -A 10.1.1.21

Where the IP address is the current IP address of the node in question.

Currently, that client has another IP address but... if we run the ipconfig /release and then the ipconfig /renew commands on the client machine, it immediately has the reserved IP address.

C:\>ipconfig /release

[...]

C:\>ipconfig /renew


C:\>ipconfig /all

[...]

Link-local IPv6 Address . . . . . : fe80::e07e:50de:a86e:edc7%11

IPv4 Address. . . . . . . . . . . : 10.1.1.21

Subnet Mask . . . . . . . . . . . : 255.0.0.0

Default Gateway . . . . . . . . . : 10.1.1.2



PS C:\> Get-DhcpServerv4Reservation -ScopeID 10.0.0.0 | fl

IPAddress : 10.1.1.21

ClientId : 00-0c-29-f8-c0-46

ScopeId : 10.0.0.0

Name : PC1.machlinkit.biz

[...]


Here's what the reservation looks like in DHCP Manager:



 
***
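
The point made at the start of this post, that the router and DNS addresses handed out by DHCP must never themselves be leased to another client, can be checked on a live server. The script below is an added example, not part of the original post: the function names are hypothetical, the server name and scope ID are the ones used above, and it reports any option 003 (router) or 006 (DNS servers) address that sits inside the scope range without being covered by an exclusion or a reservation.

```powershell
# Added example (not from the original post): audit one scope for leasable infrastructure addresses.
Import-Module DhcpServer

function ConvertTo-UInt32 ([System.Net.IPAddress]$Address) {
    $bytes = $Address.GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-DhcpInfrastructureAddress {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$ScopeId
    )
    $common = @{ ComputerName = $ComputerName; ErrorAction = 'SilentlyContinue' }
    $scope  = Get-DhcpServerv4Scope -ComputerName $ComputerName -ScopeId $ScopeId -ErrorAction Stop
    $excl   = @(Get-DhcpServerv4ExclusionRange @common -ScopeId $ScopeId)
    $resv   = @(Get-DhcpServerv4Reservation @common -ScopeId $ScopeId)
    $lo = ConvertTo-UInt32 $scope.StartRange
    $hi = ConvertTo-UInt32 $scope.EndRange

    foreach ($optionId in 3, 6) {           # 3 = router, 6 = DNS servers
        # Scope-level value first, then the inherited server-level value.
        $opt = Get-DhcpServerv4OptionValue @common -ScopeId $ScopeId -OptionId $optionId
        if (-not $opt) { $opt = Get-DhcpServerv4OptionValue @common -OptionId $optionId }
        foreach ($value in $opt.Value) {
            $n = ConvertTo-UInt32 ([System.Net.IPAddress]$value)
            $isExcluded = [bool]($excl | Where-Object {
                $n -ge (ConvertTo-UInt32 $_.StartRange) -and $n -le (ConvertTo-UInt32 $_.EndRange) })
            $isReserved = [bool]($resv | Where-Object { $_.IPAddress.ToString() -eq $value })
            $status = if ($n -lt $lo -or $n -gt $hi) { 'OutsideRange' }
                      elseif ($isExcluded) { 'Excluded' }
                      elseif ($isReserved) { 'Reserved' }
                      else { 'LEASABLE' }   # DHCP could hand this address to any client
            [pscustomobject]@{ ScopeId = $ScopeId; OptionId = $optionId; Address = $value; Status = $status }
        }
    }
}

# Server name and scope ID as used in the post; list only the addresses at risk.
Test-DhcpInfrastructureAddress -ComputerName dc-001.machlinkit.biz -ScopeId 10.0.0.0 |
    Where-Object Status -eq 'LEASABLE'
```

An empty result means every advertised router and DNS address is either outside the leasable range, excluded, or reserved.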


NETSH reference
 
creation of scope, scope options, exclusions and reservations



In the steps below, I'm going to create scope "192.168.1.0" using the NETSH commands.

 
Important note:
 
Unless the DHCP server has an interface with an IP address in this subnet (it will be a /24 subnet), we would have to configure a DHCP "relay" (or "helper" in Cisco terms) so broadcasts from another subnet could reach it. Remember that communication between DHCP clients and servers begins with a broadcast and that routers, by default, do not forward broadcast traffic.


Create a scope

PS C:\> netsh dhcp server add scope 192.168.1.0 255.255.255.0 B1 "Building 1 subnet"

Command completed successfully.

PS C:\>

Note: if "Command completed successfully." displays after each command entered, that means... what it means. I'll exclude the command from the output below.

Note: "Building 1 subnet" is the description. For a complete guide to NETSH commands for DHCP, please see the link at the end of this blog post.


Add the IP address range to the scope

PS C:\> netsh dhcp server scope 192.168.1.0 add iprange 192.168.1.1 192.168.1.254


Add exclusions (respectively either a single IP address or a range)

PS C:\> netsh dhcp server scope 192.168.1.0 add excluderange 192.168.1.254 192.168.1.254

PS C:\> netsh dhcp server scope 192.168.1.0 add excluderange 192.168.1.1 192.168.1.10


Add a reservation

PS C:\> netsh dhcp server scope 192.168.1.0 add reservedip 192.168.1.11 000c29f8c999

PS C:\>


Since the server options apply to all scopes, we will have to make at least one change to the inherited scope options for scope 192.168.1.0: the default gateway.
 
The default gateway address for subnet 192.168.1.0 must be within that IP address range so we'll make it 192.168.1.254. This will be perfect since we've already created an exclusion for what would probably be the IP address of a router.


PS C:\> netsh dhcp server scope 192.168.1.0 set optionvalue 003 IPADDRESS 192.168.1.254

*

For a complete reference to NETSH commands for DHCP, please click on the link below (Microsoft Technet):

Netsh commands for DHCP

5 comments:

  1. What is the need to enable a dynamic DHCP for windows server?

    Thanks
    Silvester Norman

    Change MAC Address

  2. Hi Silvester,

    DHCP by definition is dynamic: "dynamic host configuration protocol".

    So do you mean dynamic as in not configuring reservations?

    David

    Replies
    1. Hi David,
      Never read about DHCP but read that it should be dynamic. So I would like to know why dynamic DHCP is used, can't we use static DHCP..

      Thanks
      Silvester Norman

      Change MAC Address

  3. You can use either. "Static DHCP" (with reservations) is useful if you want a particular device to always have the same IP address but still want the benefit of being able to change options (like default gateway and DNS servers) centrally - without having to go to each device to adjust them.

    In general, with clients for example, you just use "dynamic DHCP" which is sort of a pleonasm since DHCP is, by default, dynamic (that's what the D stands for).
