The Dynamic Host Configuration Protocol (DHCP) service in Windows Server 2012 has been updated to provide failover to another server and PowerShell commands, and it can also give devices on the network an IP address according to criteria set in a DHCP policy. Today I’ll discuss the ins and outs of DHCP Policy-Based Assignment (PBA) and how to configure a DHCP policy in Windows Server 2012.
Policy-Based Assignment allows administrators to assign devices IP addresses from a specific range, which can be useful if you need to group devices together. For example, you might assign all iPhones an address from a specific range. PBA also allows administrators to set standard or vendor-specific DHCP options based on the same criteria.
Before PBA, you could create individual address reservations in DHCP to group devices by IP address, but this could be a time-consuming task on large networks. Alternatively, Virtual Local Area Networks (VLANs) or Access Control Lists (ACLs) on switches could be used, but PBA provides administrators with a much simpler way to group devices.
Long gone are the days when corporate networks consisted largely of desktop PCs and other static devices. With the proliferation of different IP-enabled devices, such as mobile phones and notebooks, it can be useful to give devices that are always connected to the LAN an IP address with a longer lease time than a notebook receives. Some devices may need different DHCP options to function correctly, or you could control network traffic based on device type.
PBA lets administrators assign specific IP addresses or DHCP options according to the following DHCP client attributes:
DHCP policies are applied in order, starting with those at the scope level, and then upwards if any policies exist at the server level. The DHCP scope to which a client belongs depends on the server network interface on which the request is received, or on the gateway IP address of the relay agent. Once the correct scope has been determined, DHCP policies at both the scope and server level are applied.
The first available IP address in the specified range is assigned to a client when it matches the conditions defined in a DHCP policy. If there are multiple address ranges attached to a policy, DHCP will assign the first available IP address from the lowest range. Note that IP address ranges can only be set in policies at the scope level.
A client can match more than one policy, and if DHCP options are set therein, the DHCP server will assign all the options in the policies that the client matches, assuming the options in the policies do not conflict.
In this example, I’m going to configure a DHCP policy that assigns virtual machines (VMs) an IP address from a specific range of addresses. This is an easy place to start learning PBA because you can control how Hyper-V issues MAC addresses to VMs, so we have control over the information that the DHCP client presents to the server.
If you don’t have VMs on your network, you could use DHCP option 60 to create a policy that identifies the device by vendor. Alternatively, the first three octets of the MAC address, sometimes referred to as the OUI, can also be used to identify a device’s manufacturer.
To configure a DHCP policy, log in to Windows Server 2012, or a workstation with the Windows Server 2012 Remote Server Administration Tools (RSAT) installed, with an account that has permission to manage DHCP.
Microsoft Hyper-V uses 00-15-5D as the prefix for all MAC addresses that it assigns. All virtualization platforms allow you to control how MAC addresses are assigned to VMs.
My DHCP scope is configured with an address pool of 192.168.1.0/24. In this policy, I’m going to assign VMs addresses in the range 192.168.1.10 to 192.168.1.50.
In the DHCP management console, you will now see the policy in the center pane. To configure additional options, right-click the policy in the center pane and select Properties from the menu.
Any VM hosted by Hyper-V using this DHCP server will now acquire an IP address from the limited range specified in the policy we just created.
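The same policy can also be built and checked with the DHCP Server PowerShell cmdlets in Windows Server 2012. This is an added example, not part of the original walkthrough; the policy name and description are assumptions, and the script is meant to be run on the DHCP server itself with an account that can manage DHCP.

```powershell
# Added example: scope, MAC prefix and range are the values used in the
# article; the policy name and description are hypothetical.
Import-Module DhcpServer

$ScopeId    = '192.168.1.0'     # scope serving the 192.168.1.0/24 pool
$PolicyName = 'Hyper-V VMs'     # hypothetical policy name
$MacPrefix  = '00155D*'         # Hyper-V prefix 00-15-5D plus trailing wildcard
$StartRange = '192.168.1.10'
$EndRange   = '192.168.1.50'

# Create the scope-level policy only if it is not already there.
$policy = Get-DhcpServerv4Policy -ScopeId $ScopeId -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq $PolicyName }
if (-not $policy) {
    Add-DhcpServerv4Policy -Name $PolicyName -ScopeId $ScopeId `
        -Description 'Group Hyper-V guests into one address range' `
        -Condition OR -MacAddress 'EQ', $MacPrefix
}

# Attach the address range (ranges can only be set at the scope level).
$range = Get-DhcpServerv4PolicyIPRange -ScopeId $ScopeId -Name $PolicyName `
             -ErrorAction SilentlyContinue |
    Where-Object { "$($_.StartRange)" -eq $StartRange -and "$($_.EndRange)" -eq $EndRange }
if (-not $range) {
    Add-DhcpServerv4PolicyIPRange -Name $PolicyName -ScopeId $ScopeId `
        -StartRange $StartRange -EndRange $EndRange
}

# Review what the server will evaluate, in processing order.
Get-DhcpServerv4Policy -ScopeId $ScopeId |
    Sort-Object ProcessingOrder |
    Format-Table Name, ProcessingOrder, Enabled, Condition, MacAddress -AutoSize

# After VMs renew, list their leases and which policy issued each one.
# A Hyper-V client with an empty PolicyName did not match the policy.
Get-DhcpServerv4Lease -ScopeId $ScopeId |
    Where-Object { $_.ClientId -like '00-15-5d*' } |
    Format-Table IPAddress, ClientId, HostName, PolicyName, LeaseExpiryTime -AutoSize
```

The MAC address is a value the client supplies, so the policy range is a grouping and option-assignment tool, and any firewall or ACL rule keyed to that range should not treat membership as proof of device type.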