Using DHCP Policy-Based Assignment in Windows Server 2012
The Dynamic Host Configuration Protocol (DHCP) service in Windows Server 2012 has been updated to provide not only failover to another server and PowerShell commands, but also the ability to give devices on the network an IP address according to criteria set in a DHCP policy. Today I’ll discuss the ins and outs of DHCP Policy-Based Assignment (PBA) and how to configure a DHCP policy in Windows Server 2012.
Policy-Based Assignment allows administrators to assign devices IP addresses from a specific range, which can be useful if you need to group devices together. For example, you might assign all iPhones an address from a specific range. PBA also allows administrators to set standard or vendor-specific DHCP options based on the same criteria.
Before PBA, you could create individual address reservations in DHCP to group devices by IP address, but this could be a time-consuming task on large networks. Alternatively, Virtual Local Area Networks (VLANs) or Access Control Lists (ACLs) on switches could be used, but PBA provides administrators with a much simpler way to group devices.
Why Group Devices by IP Address?
Long gone are the days when corporate networks consisted largely of desktop PCs and other static devices. With the proliferation of different IP-enabled devices, such as mobile phones and notebooks, it can be useful to give devices that are always connected to the LAN an IP address with a longer lease time than a notebook gets. Some devices may need different DHCP options to function correctly, or you could control network traffic based on device type.
PBA lets administrators assign specific IP addresses or DHCP options according to the following DHCP client attributes:
- MAC address
- Vendor class
- User class
- Relay agent information (and sub options)
- Client identifier
How DHCP Policies Are Applied
DHCP policies are applied in order, starting with those at the scope level, and then upwards if any policies exist at the server level. The DHCP scope to which a client belongs depends on the server network interface on which the request is received, or on the gateway IP address of the relay agent. Once the correct scope has been determined, DHCP policies at both the scope and server level are applied.
The first available IP address in the specified range is assigned to a client when it matches the conditions defined in a DHCP policy. If there are multiple address ranges attached to a policy, DHCP will assign the first available IP address from the lowest range. Note that IP address ranges can only be set in policies at the scope level.
A client can match more than one policy, and if DHCP options are set therein, the DHCP server will assign all the options in the policies that the client matches, assuming the options in the policies do not conflict.
Configure a DHCP Policy
In this example, I’m going to configure a DHCP policy that assigns virtual machines (VMs) an IP address from a specific range of addresses. This is an easy place to start learning PBA because you can control how Hyper-V issues MAC addresses to VMs, so we have control over the information that the DHCP client presents to the server.
If you don’t have VMs on your network, you could use DHCP option 60 to create a policy that identifies the device by vendor. Alternatively, the first three octets of the MAC address, sometimes referred to as the OUI, can also be used to identify a device’s manufacturer.
To configure a DHCP policy, log in to Windows Server 2012, or a workstation with the Windows Server 2012 Remote Server Administration Tools (RSAT) installed, with an account that has permission to manage DHCP.
- In Windows Server 2012, press the Windows Key to go to the Start screen and type DHCP.
- Make sure that Apps is selected on the right of the search results screen, and click DHCP on the left.
- In the DHCP management console window, expand your DHCP server, IPv4 and an existing Scope in the left pane.
- In the left pane, right-click the Policies folder under Scope and select New Policy from the menu.
- In the Policy based IP Address and Option Assignment dialog, type Virtual Machines in the Policy Name box and click Next.
- In the Configure Conditions for the policy dialog, click Add.
- In the Add/Edit Condition window, select MAC Address from the Criteria menu.
- Make sure that Operator is set to Equals.
- In the Value box, type 00155D, check Append wildcard(*), click Add and then OK.
Microsoft Hyper-V uses 00-15-5D as the prefix for all MAC addresses that it assigns. All virtualization platforms allow you to control how MAC addresses are assigned to VMs.
- In the Configure Conditions for the policy dialog, click Next.
My DHCP scope is configured with an address pool of 192.168.1.0/24. In this policy, I’m going to assign VMs addresses from 192.168.1.10 to 192.168.1.50.
- Type 192.168.1.10 in the Start IP address box, 192.168.1.50 in the End IP address box and click Next.
- On the next screen, you can set DHCP options. I’m going to set two DNS servers and a router. Make sure DHCP Standard Options is selected in the Vendor class menu.
- Under Available Options check 003 Router.
- Type the desired router address in the IP address box and click Add.
- Under Available Options check 006 DNS Servers.
- Type the desired DNS server address in the IP address box and click Add. The wizard will attempt to validate that the DNS service is running on the address specified. If not, you can opt to add the address to the policy regardless. Repeat this step if you want to add more than one DNS server. When you have finished, click Next.
- Check the policy details on the Summary screen and click Finish.
In the DHCP management console, you will now see the policy in the center pane. To configure additional options, right-click the policy in the center pane and select Properties from the menu.
- On the General tab of the policy’s Properties dialog, you can optionally set a lease duration for the policy that differs from that set in the DHCP scope.
- The DNS tab allows you to set options for DNS, such as enabling dynamic updates, which are not available when creating the policy using the wizard.
- Once you have set any additional configuration that you require for your policy, click OK.
Any VM hosted by Hyper-V using this DHCP server will now acquire an IP address from the limited range specified in the policy we just created.
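The same policy can also be created with the DhcpServer PowerShell module instead of the wizard. This is an added example, not part of the original article; the router and DNS server addresses are placeholders I have assumed, and the scope ID is derived from the 192.168.1.0/24 pool used above.

```powershell
# Added example: PowerShell equivalent of the wizard steps above.
# Run on the DHCP server, or from a machine with RSAT installed
# (add -ComputerName <server> to each cmdlet in that case).
Import-Module DhcpServer

$scopeId    = '192.168.1.0'                  # scope for the 192.168.1.0/24 pool
$policyName = 'Virtual Machines'             # policy name used in the article
$router     = '192.168.1.1'                  # assumption: placeholder gateway
$dnsServers = '192.168.1.2', '192.168.1.3'   # assumption: placeholder DNS servers

# Create the policy only if it does not exist yet, so the script can be re-run.
$existing = Get-DhcpServerv4Policy -ScopeId $scopeId -Name $policyName `
                -ErrorAction SilentlyContinue
if (-not $existing) {
    # Condition: MAC address Equals 00155D with a trailing wildcard
    # (the prefix Hyper-V uses for the MAC addresses it assigns).
    Add-DhcpServerv4Policy -ScopeId $scopeId -Name $policyName `
        -Description 'Hyper-V guests, matched on MAC prefix' `
        -Condition OR -MacAddress 'EQ', '00155D*'
}

# Attach the address range. Ranges can only be set on scope-level policies,
# and the range must lie inside the scope's own address pool.
$range = Get-DhcpServerv4PolicyIPRange -ScopeId $scopeId -Name $policyName `
             -ErrorAction SilentlyContinue
if (-not $range) {
    Add-DhcpServerv4PolicyIPRange -ScopeId $scopeId -Name $policyName `
        -StartRange 192.168.1.10 -EndRange 192.168.1.50
}

# Options 003 Router and 006 DNS Servers for clients that match the policy.
# The cmdlet validates the DNS servers, as the wizard does; add -Force to
# keep an address that fails validation.
Set-DhcpServerv4OptionValue -ScopeId $scopeId -PolicyName $policyName `
    -Router $router -DnsServer $dnsServers

# Review what was configured: condition, processing order, range and options.
Get-DhcpServerv4Policy -ScopeId $scopeId -Name $policyName |
    Format-List Name, Enabled, ProcessingOrder, Condition, MacAddress
Get-DhcpServerv4PolicyIPRange -ScopeId $scopeId -Name $policyName
Get-DhcpServerv4OptionValue   -ScopeId $scopeId -PolicyName $policyName
```

The policy matches on a MAC prefix that the client presents, so the resulting address range is a way to group devices rather than evidence that a given device really is a Hyper-V VM.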