Microsoft's DHCP Service

Some general/misc notes

Microsoft KB Q927229 describes dhcpexim.exe, a tool for exporting the DHCP configuration in a way that another copy of the software may be able to use.

Installation Guide
Overview

Here's a quick set of directions:

Ensure that the DHCP Server role is installed. (See software installation: Installing Roles and Features in Microsoft Windows Server operating systems. Those who wish to use the graphical approach may find details in the section about software installation: Microsoft Windows Server's Add Roles Wizard.)

Go to the DHCP server's configuration console. (After the role is installed, this may be found on the Administrative Tools menu.)

Then make sure that a scope is added. Make sure the scope is activated/enabled. (This may require choosing a “Refresh” option on the scope and/or server.) Also, make sure an IP address within that scope is being used by the NIC that is being used by the DHCP server software.

The article “Win Svr 2008 R2's DHCP server checking if a domain controller lists authorized DHCP servers” discusses Win Svr 2008 R2's DHCP server: it uses a known domain controller, searches for one if needed, and checks whether the DHCP server is authorized before it starts running. If the computer running Windows Server 2008 R2 appears to be on a domain which doesn't authorize this DHCP server, then this DHCP server may refuse to run. This isn't exactly a security measure, since another (intentionally malicious) DHCP server could easily be run, but this process may help prevent DHCP server code from accidentally causing some problems.
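Because authorization does not stop a server that is run deliberately, spotting one means looking at the DHCP replies actually seen on the network. The following is an added example (Python, not part of the original guide or of Microsoft's tooling) that parses server replies and flags any whose source address or option 54 server identifier is not on an allow-list. The packets are constructed samples, 192.0.2.10 stands in for the authorized server, and the function names are illustrative.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131: marks the start of DHCP options
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
SERVER_MSGS = {2: "OFFER", 5: "ACK", 6: "NAK"}  # message types only a server sends


def parse_server_reply(payload):
    """Return (message name, server identifier) for a DHCP server reply, else None."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC_COOKIE:
        return None  # truncated, not a BOOTREPLY, or BOOTP without DHCP options
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:  # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(payload):
            return None  # option code without a length byte
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None  # option runs past the end of the packet
        opts.setdefault(code, value)
        i += 2 + length
    mtype, server_id = opts.get(OPT_MSG_TYPE, b""), opts.get(OPT_SERVER_ID, b"")
    if len(mtype) != 1 or mtype[0] not in SERVER_MSGS or len(server_id) != 4:
        return None
    return SERVER_MSGS[mtype[0]], ipaddress.IPv4Address(server_id)


def find_unauthorized(observations, authorized):
    """observations: iterable of (UDP source IP, UDP payload) seen from port 67.
    Returns a finding for every server reply whose source address or
    self-reported server identifier (option 54) is not in the allow-list."""
    allowed = {ipaddress.IPv4Address(a) for a in authorized}
    findings = []
    for src, payload in observations:
        parsed = parse_server_reply(payload)
        if parsed is None:
            continue
        name, server_id = parsed
        src = ipaddress.IPv4Address(src)
        if src not in allowed or server_id not in allowed:
            findings.append({"type": name, "source": str(src), "server_id": str(server_id)})
    return findings


def build_reply(msg_type, server_ip, offered_ip="192.0.2.50"):
    """Construct a minimal DHCP reply for the demo below (sample data, not a capture)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, 0x1234ABCD, 0, 0,  # op=BOOTREPLY, Ethernet, hops, xid, secs, flags
        bytes(4), ipaddress.IPv4Address(offered_ip).packed,  # ciaddr, yiaddr
        ipaddress.IPv4Address(server_ip).packed,  # siaddr
        bytes(4), bytes(16), bytes(64), bytes(128))  # giaddr, chaddr, sname, file
    options = bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4])
    options += ipaddress.IPv4Address(server_ip).packed + bytes([OPT_END])
    return header + MAGIC_COOKIE + options


# Constructed observations: the authorized server (192.0.2.10), an unknown server,
# and a sender that names the authorized server in option 54 from another address.
SAMPLE = [
    ("192.0.2.10", build_reply(2, "192.0.2.10")),
    ("192.0.2.66", build_reply(2, "192.0.2.66")),
    ("192.0.2.77", build_reply(5, "192.0.2.10")),
]

if __name__ == "__main__":
    for finding in find_unauthorized(SAMPLE, ["192.0.2.10"]):
        print("unauthorized DHCP reply:", finding)
```

Option 54 is self-reported by the sender, which is why the source address is checked as well; on networks with DHCP relay agents the relay addresses would need to be on the allow-list too.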

Add the role

First, the role will need to be added. See: software installation: installing roles in Windows Server.

Uninstalling the role is expected to require a restart of the operating system (when tested with Microsoft Windows Server 2008), although it is believed that installing generally does not require a restart (for this service).

Examples using a command line for a mostly automated installation

For example, the following may work in an installation which is not using Server Core:

pkgmgr /iu:"DHCPServer" /norestart /l:pkgmgr.log

However, that is not expected to work in Windows Server 2008 Server Core. Instead, for a Server Core installation, something like the following may need to be run:

pkgmgr /iu:"DHCPServerCore" /norestart /l:pkgmgr.log

At the time of this writing, “Package Manager” seems to be one of the most compatible methods of installing. Other options do exist. Once again, these instructions will point out that more details are available in the section on software installation: installing roles in Windows Server.

Using the “Add Roles Wizard” (GUI installation)

This guide was made using Windows Server 2008 with Service Pack 1. (There is nothing particularly magical about Service Pack 1: That is simply the installation media that was handy.)

Those following software installation: Microsoft Windows Server's Add Roles Wizard may see a screen such as: [“Add Roles Wizard” (with “DHCP Server” selected/highlighted)].

Then, upon checking the “DHCP Server” checkbox, people may be a bit surprised to find that a warning pops up. The Add Roles Wizard performs a check. If applicable, the results of the check may show [“Add Roles Wizard” warning about installing DHCP Server without a Static IP Address]. The dialog box does provide a good reason why the server should have an unchanging IP address. However, there really is no need for that address to be statically assigned. (Although this might not be done as frequently, any method of automatic address assignment will work just fine as long as it assigns a specific reserved address.) For networks where all end user workstations are turned off when the server is not running (which is not commonplace for deployed networks, but might reasonably happen for a test network consisting of virtual machines), this ends up not being a big deal. In any of these types of example cases, feel free to choose the [“Add Roles Wizard” warning about installing DHCP Server without a Static IP Address: option to “Install DHCP Server anyway”].

[“Add Roles Wizard” introduction to DHCP Server] [“Add Roles Wizard”: DHCP Server installation: “Specify IPv4 DNS Server Settings”]

It is safe to leave this screen blank.

[“Add Roles Wizard”: DHCP Server installation: “Specify WINS DNS Server Settings”]

[“Add Roles Wizard”: Add or Edit DHCP Scopes]

[“Add Roles Wizard”: Configure DHCPv6 Stateless Mode]


[“Add Roles Wizard”: DHCP Server installation: “Specify IPv6 DNS Server Settings”]

From this screen, it is recommended to push Shift-tab a couple of times.

[“Add Roles Wizard”: Confirm Installation Selections with “Print, e-mail, or save this information” selected]

This will end up opening a web browser to the file:///C:/Windows/logs/ServerManagerInstallationLog.html file (which may have been updated from its previous contents). (That file might also hyperlink to the file:///C:/Windows/logs/ServerManager.log file.)

[“Add Roles Wizard”: Confirm Installation Selections: “Install” button selected]

[“Add Roles Wizard”: “Initiating installation...”]

[“Add Roles Wizard”: “Installing...”]

[“Add Roles Wizard”: “Configuring...”]

[“Add Roles Wizard”: “Collecting installation results...”]

[“Add Roles Wizard”: “Installation Results”]

Pressing Shift-Tab a couple of times will lead to:

[“Add Roles Wizard”: “Installation Results”: “Print, e-mail, or save the installation report”] being highlighted. This will end up opening a web browser to the file:///C:/Windows/logs/ServerManagerInstallationLog.html file (which may have been updated from its previous contents). (That file might also hyperlink to the file:///C:/Windows/logs/ServerManager.log file.)

[“Add Roles Wizard”: “Installation Results”: “Close” button selected]

[“Server Manager” shows DHCP Server]

Starting and configuring the graphical management interface

This is completely unnecessary if the command line interface is going to be used for handling the server.

Assuming that the full DHCP Server software has been installed (and not just the Server Core variation), the Administrative Tools folder should now have an icon called “DHCP” which runs %SystemRoot%\system32\dhcpmgmt.msc

If DHCP was installed from the command line, then this interface might not list any servers. If so, then the newly installed server needs to be added to this interface (before this interface will be significantly useful). To do that:

On the left frame, have the name of the interface (DHCP) be selected. [DHCP Management GUI: Example of having “DHCP” being highlighted in the left frame]

Use the [DHCP Management GUI: “Action” menu, “Add Server...”] option.

[DHCP Management GUI's “Add Server” dialog box]

Do not bother waiting for the “Gathering information...” statement to finish. Either type in the name of the computer or, as will be shown, take the longer way by using the “Browse...” button.

If browsing for the server's name

[“Select Computer” dialog box]

The location is generally auto-detected correctly. (Using the “Locations...” button may be able to override.) Either type in the name of the computer or, as will be shown, take the longer way by pressing the “Advanced...” button.

[“Select Computer” dialog box's “Advanced...” interface]

There are only two new buttons that are not greyed out: “Cancel” and “Find Now”. Go ahead and choose “Find Now”.

[“Select Computer” dialog box, searching for computers]

This should then show one or more computers. One of the computers shown should be the computer that is being used. Go ahead and choose that computer.

[“Select Computer” (with a verified computer name)]

Press OK.

[“Add Server” dialog box with the server's name]

Press OK.

Hopefully the results will then look like: [DHCP Management GUI Interface, showing one server that has been added with successful communication]

If the results are the [DHCP Management GUI Interface, showing that a DHCP server cannot be found], then make sure the service is started. (See: adjusting running software.)

Make sure the service is started

This is probably unnecessary if the “Add Roles Wizard” (graphical interface) was used, just recently, to install the software to the Windows Server operating system (at least, if the software was just installed to that computer for the first time). Otherwise, see adjusting running software.

Informing AD to authorize the DHCP server

If the DHCP server is going to be on a network with an Active Directory Domain Controller that is using Windows Server 2008 or newer, then the DHCP server should ideally be authorized by the domain controller. (This is a step that Microsoft introduced as a requirement for recommended operation on networks using Active Directory with a Domain Controller using Windows Server 2008, and was not part of any prior DHCP standard.)

To make this authorization occur, Active Directory needs to already be installed. If using the GUI interface, and if Active Directory is not installed, then eventually the GUI interface will show a [“DHCP” warning box stating “The DHCP service could not contact Active Directory.”]

(If Active Directory Domain Services will be installed, but if DHCP is being installed first, then this “authorization” should simply be addressed after Active Directory Domain Services are enabled.)

At the time of this writing, this guide may just be partial... It was written prior to installing Active Directory, and so this guide does not completely discuss this topic.

To add the server via the command line, identify the server's name and IP address, and:

netsh dhcp add server serverName.local 192.0.2.10

If the graphical interface is preferred, then select the name of the graphical interface (in the left frame, above the name of any DHCP server, is a line which says “DHCP”).

[Name of the “DHCP” Management GUI interface (“DHCP”) selected in the left frame]

[“DHCP” GUI interface: Action menu, “Manage authorized servers...”]

[“Manage Authorized” (DHCP) “Servers” dialog box, which is empty]

[“Authorize DHCP Server” dialog box asking for Name or IP address of the DHCP server to authorize]

Type in an IP address. (The example address shown, 192.0.2.8, is based on 192.0.2/24 and Net address usage: .8 host address. For other/related details about creating a network plan, see also net address planning.)

[“Authorize DHCP Server” dialog box, with a name or IP address typed in]

Press OK.

[DHCP Management: adding an authorized server: “Confirm Authorization” dialog box needing a Name added]

[DHCP Management: adding an authorized server: “Confirm Authorization” dialog box (filled out)]

Press OK.

(That is the point where these directions currently stop.)

Creating an activated scope
Add a scope
Via the command line
netsh dhcp server add scope /?

If UAC is enabled, use a UAC-elevated command prompt.

netsh dhcp server add scope 198.51.100.0 255.255.255.0 scopeName optionalScopeComment

Observations

Creating a scope using netsh will create a scope that does not yet have a pool, which is a bit of an interesting concept because the GUI installer does not provide a way to do that. (It is not clear why the pool does not get made: The IP address details are required parameters when creating the scope.) This will cause the new scope to look a bit interesting in the GUI: The Start IP address will be 0.0.0.0, as will the End IP address, and the lease time will be zero. The icon for the scope will show a white exclamation point in a blue circle that shows up over the lower-right corner of the folder. The scope's context/“shortcut”/“right click” menu will have more options than a scope created in the GUI.

Assign a pool (a.k.a. the IP address range) that the DHCP server can use when handling this scope.

netsh dhcp server scope 198.51.100.0 /?
netsh dhcp server scope 198.51.100.0 add iprange 198.51.100.50 198.51.100.99

Adding the IP address range seems to also clear up the abnormalities in the GUI: the icon looks normal and the lease time flips from zero (instant, no time, useless) to 8 days.

Via GUI

Run %SystemRoot%\system32\dhcpmgmt.msc as follows: Go to Start. If an “Administrative Tools” shortcut is not visible, or if there is simply a desire to go the long way, choose “Control Panel”. Choose “Administrative Tools”. Once Administrative Tools is visible, choose DHCP.

[DHCP Management GUI Interface, showing one server that has been added]

Under the name of the server, highlight the network protocol to support.

[DHCP Management GUI Interface: IPv4 protocol]

[DHCP Management GUI Interface: Action, “New Scope...”]

[New (DHCP) Scope Wizard: Introduction]

[New (DHCP) Scope Wizard: “Scope Name”]

A name is indeed required. Type in anything.

[New (DHCP) Scope Wizard showing an example “Scope Name”]

[New (DHCP) Scope Wizard showing an example “Scope Name” (“Next >” button selected)]

[New (DHCP) Scope Wizard: Needs IP address range]

The Length field may auto-fill as soon as the Start IP address is filled out. (The default value is based on the IPv4 class.)

[New (DHCP) Scope Wizard: IP address range filled]

Note that the addresses being shown in the above example are not meant for actual use. (For further details, see 192.0.2/24.) Instead, the recommended address ranges for private use are covered by IETF BCP 5 (RFC 1918) (e.g. 192.168/16 addresses).

Error checking

Upon choosing “Next >”, multiple checks will be performed. One possibility is that there may be an error message that says [“DHCP” warning box: “The starting address is not valid for this range.  Make sure that the host ID is not 0.”] (The input cursor will then move to the Start IP address.) This exact error message can actually come up as the result of a few different scenarios:

  • If the Start IP address is a Network ID...
    • ... and if the Start IP address actually ends with .0, then this error message is pretty nice and informative.
    • ... and if the Length is not a multiple of 8, the warning box's reference to .0 may be a bit confusing/misleading. Just ignore the second sentence. Make sure the Start IP address is not a Network ID. (This can be done by simply increasing the Start IP address by one.)
  • If the Length is too high of a number to support the range described by the Start IP address and the End IP address, then this message might come up. Indeed, this may be an actual problem that is appropriate to stop right here. However, the error message is rather unhelpful.

It is possible to have a range that starts with a number that ends with .0, such as a /8 with the second or third octet being non-zero.

If a warning comes up complaining about a broadcast address being used, subtract one from the End address.

Common practice is to not assign addresses from the very first part of the net block being used. Instead, those addresses are commonly provided to infrastructure devices (such as a firewall, or other router). Some places might not even start numbering servers until addresses ending in about .10. Then, there may be a number of servers (such as network address servers, name resolution servers, authentication servers, file servers, and/or database servers). If this DHCP pool is just meant for devices used by end users (which is a common setup), starting at .25 or an even higher number (like the previous example) is probably a good practice. This is not a universal recommendation (and might not match some network designs that try to maximize the number of workstations used within a block), but is a generally good idea for small networks and good practice.

[New (DHCP) Scope Wizard: Exclusions]

If there are known devices in the pool, either set them up as reservations or exclusions. This can just as easily be done to existing scopes, so setting up exclusions during the scope's creation is not absolutely required. (Setting them up sooner, rather than later, may minimize the chance of an accidental assignment and resulting IP address conflict. If there are known devices on the network to exclude, then go ahead and exclude them at this time. If there are not, feel free to leave this screen blank at this time.)

[New (DHCP) Scope Wizard: Lease Duration]

This is generally not a very critical setting. (The lease is extremely important, but most networks won't usually be seriously impacted if this was lowered to some number of hours or increased to some small number of days.) As a contrasting comparison, ISC DHCP may have a default of 21,600 seconds (6 hours). Leaving this at the default setting of 8 Days is generally acceptable.

[New (DHCP) Scope Wizard: Checking whether to configure DHCP Options]
[New (DHCP) Scope Wizard: Selecting to not configure DHCP Options immediately]

These options can just as easily be set up later, after the scope is created. Therefore, choosing to skip this for now is a sensible choice.

However, for thoroughness, this documentation will cover the remaining options.

If DHCP options are being entered immediately
Default Gateway

[New (DHCP) Scope Wizard: Entering Router (Default Gateway)]

This is something that should probably be done eventually. The trick is, after typing in the IP address, do not push “Next >” before adding the address. [New (DHCP) Scope Wizard: Entering Router (Default Gateway): Showing that an IP address has been typed (but not yet accepted).] Press Add so the number shows up in the lower box. [New (DHCP) Scope Wizard: Entering Router (Default Gateway): Showing a properly added IP address].

Domain Name and DNS servers

[New (DHCP) Scope Wizard: Domain Name and DNS servers]

Leaving this blank may be acceptable for many simple setups.

WINS Servers

[New (DHCP) Scope Wizard: Domain Name and DNS servers]

Leaving this blank may be acceptable for many simple setups.

Activate Scope

[New (DHCP) Scope Wizard: “Activate Scope”]

[New (DHCP) Scope Wizard: “Activate Scope” (with “Next >” button selected)]

Generally, this is a good idea. (This makes the scope functional.) Perhaps the main reason why this would be good to delay is if there is a currently functional network that would somehow be disrupted if the new settings started to apply immediately. Such a scenario seems rare.


Make sure the scope is activated

This might be particularly likely if the scope was created using the graphical interface but the “DHCP Options” were skipped. (In other cases, this step is usually not necessary.) Furthermore, when this step has been necessary, the user interface has been known to be a bit tricky.

After creating the scope using the wizard, the new scope may still need to be “Activate”d.

Handling via the command line

One method of doing this is to use the command line. For example:

netsh dhcp server scope 192.0.2.0 show state
netsh dhcp server scope 192.0.2.0 set state 1
netsh dhcp server scope 192.0.2.0 show state

Another option is to use the DHCP Management GUI Interface.

[DHCP Management GUI: Showing an unactivated scope]

The solution to get rid of that red (downward) arrow is definitely to Activate the scope. However, accessing the scope's context/“shortcut”/“right click” menu may indicate that the necessary option is, quite annoyingly, greyed out. (This commentary is based primarily on experience with Windows Server 2008.) [DHCP Management GUI: refusing to allow a scope to Activate]

Resolving that might be as easy as choosing the context menu of the network family (IPv4), and then pressing “Refresh” on the [context menu of the network protocol (in the DHCP Management GUI interface)]. Once that is done, then the scope's “Activate” option may suddenly appear available (and should be used if the goal is to get the DHCP scope to be functioning).

[“Activate” (not greyed out) selected on a new scope].

[DHCP Management graphical interface showing an activated scope].

Adjusting Lease Time

In the GUI: Access the context/“shortcut”/“right click” menu of the scope.

From the command line: This is treated rather similar to any other DHCP option. Here is an example of how to change it:

netsh dhcp server scope 198.51.100.0 set optionvalue 051 DWORD 691200

That would set the lease to 691,200 seconds (which is eight days).

Hand out the desired Options
Options

These are often defined at the scope level. Choose the “Scope Options”, view the context/“shortcut”/“right click” menu, and choose “Configure Options”.

To view the current value of DHCP options, from the command line:

netsh dhcp server scope 192.0.2.0 show optionvalue | more

[DHCP Management graphical interface: “Scope Options” context menu]

[DHCP Management graphical interface: “Scope Options”, “Configure Options...”]

[DHCP Management graphical interface: “Scope Options”]

Default Gateway

If the computer running the DHCP server software is in the same subnet as the address pool that is being handed out (which is usually the case), then the Default Gateway to hand out will generally be the same as the Default Gateway that is being used by the computer that is running DHCP server software. The processes for getting this information are often similar to getting a computer's IP address. From the command line, use IPConfig /ALL to make sure the DNS Server(s) are shown.

To handle this from the command line, use a syntax identical to setting DNS servers, but specify 003 after the word optionvalue.

[DHCP Management graphical interface: “Scope Options”: DHCP Option #3: Router, a.k.a. “Default Gateway”]

What needs to happen is to get an IP address into the lower box. Optionally, a name can be placed in the “Server name:” field, which will enable (un-gray-out) the “Resolve” button.

[DHCP Scope Options: Router (a.k.a. “Default Gateway”) options: “Server name” field filled, “Resolve” button available]

Then, pressing the “Resolve” button will try to determine an address to fill into the “IP address” field. This can be a bit more convenient than needing to manually look up an IP address.

[DHCP Scope Options: Router (a.k.a. “Default Gateway”) options: “Server name” field led to the “IP address” field being filled. The Add button is enabled/available.]

Now, the important part to realize here is that so far, NO changes have been made, and NO DNS server addresses will get handed out yet. First, make sure to use the Add button.

[DHCP Scope Options: Router (a.k.a. “Default Gateway”) “IP address” has been “Add”ed.]

Choosing the Apply button will make the changes take effect.

[DHCP Management Interface showing DHCP option 3: Router (a.k.a. “Default Gateway”) address (as a Scope Option)]

DNS servers

The address to use will often be the DNS server that is used by the computer that is running the DHCP server, unless that address is a loopback address (IPv6 ::1 or IPv4 most commonly 127.0.0.1). If the DNS server on that computer is a loopback address, then just enter in the actual IP address of the machine. (A private address is okay. A loopback address is not something that will be good to hand out.)

Most often, a good idea is to use a local, privately run DNS server. If there is some reason that such a local server is not going to exist (which would be unusual, since the Windows Server operating system comes with a DNS server which could then relay any requests of external addresses to any other preferred server), then publicly available usable DNS servers should work suitably.

Setting a new set of DNS servers, using the command line

netsh dhcp server scope 198.51.100.0 set optionvalue 006 IPADDRESS 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 4.2.2.2 4.2.2.1 4.2.2.3 4.2.2.4 4.2.2.5 4.2.2.6

Adjusting via GUI

This is quite similar to setting up a Router/“Default Gateway”, so this section will simply show some screenshots.

[DHCP Management Interface showing DHCP option 6: DNS Servers]

[DHCP Management Interface showing DHCP option 6: DNS Servers (and also Router/“Default Gateway” settings). These are shown as Scope Options.]

After setting the options on the server, test the changes by having a DHCP client re-obtain settings, and verify that the client has changed relevant settings.

Interacting with DNS servers
DNS Credentials
Troubleshooting

If the scope is created, and is Activated, and yet communication is still not working, this may often be because the Scope does not match the subnet that the server is listening for traffic on. (This probably means that the Scope does not match the "Server Bindings", which can be viewed by accessing the context menu of the server name, and choosing “Add/Remove Bindings...”. It is also believed that the available bindings tend to be related to the first IP address of each network connection. In practice, simply making the scope match the IP address of a network connection has been sufficient to make DHCP be startable.)
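The address checks described under “Error checking”, together with the binding mismatch described in this Troubleshooting section, can be run against a planned scope before touching the server. This is an added example (Python, not part of the original guide or of Microsoft's tooling): the function names and messages are illustrative, the subnet is assumed to be derived from the Start address and the Length as the wizard description implies, and the generated commands reuse only the netsh syntax shown on this page.

```python
import ipaddress


def check_scope(start, end, length, server_addrs=()):
    """Return a list of problems with a planned IPv4 pool (empty list = plan is sane)."""
    start, end = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    # Assumption: the subnet follows from the Start address and the Length (prefix).
    net = ipaddress.ip_network(f"{start}/{length}", strict=False)
    problems = []
    if end < start:
        problems.append("end address is below start address")
    if end not in net:
        problems.append(f"/{length} is too long: {end} is outside {net}")
    if start == net.network_address:
        # Covers both the ".0" case and network IDs that do not end in .0 (e.g. /26).
        problems.append(f"start {start} is the network ID of {net} (host ID 0)")
    if end == net.broadcast_address:
        problems.append(f"end {end} is the broadcast address of {net}")
    servers = [ipaddress.IPv4Address(a) for a in server_addrs]
    if servers and not any(a in net for a in servers):
        problems.append(f"no server interface address lies in {net} (no matching binding)")
    for a in servers:
        if start <= a <= end:
            problems.append(f"server address {a} is inside the pool; exclude or reserve it")
    return problems


def netsh_commands(start, end, length, name):
    """Build this page's netsh sequence (add scope, add iprange, activate) for a valid plan."""
    problems = check_scope(start, end, length)
    if problems:
        raise ValueError("; ".join(problems))
    net = ipaddress.ip_network(f"{start}/{length}", strict=False)
    scope = net.network_address
    return [
        f"netsh dhcp server add scope {scope} {net.netmask} {name}",
        f"netsh dhcp server scope {scope} add iprange {start} {end}",
        f"netsh dhcp server scope {scope} set state 1",
    ]


if __name__ == "__main__":
    # Constructed plans using the documentation address ranges from this page.
    plans = [
        ("198.51.100.50", "198.51.100.99", 24, ["198.51.100.10"]),  # sane
        ("192.0.2.64", "192.0.2.100", 26, []),    # network ID that does not end in .0
        ("10.1.0.0", "10.1.0.200", 8, []),        # ends in .0 but is a valid host in a /8
        ("192.0.2.10", "192.0.2.200", 25, []),    # Length too long for the range
        ("198.51.100.50", "198.51.100.99", 24, ["192.0.2.10"]),  # binding mismatch
    ]
    for start, end, length, servers in plans:
        print(start, end, f"/{length}", check_scope(start, end, length, servers) or "OK")
    print("\n".join(netsh_commands("198.51.100.50", "198.51.100.99", 24, "scopeName")))
```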