Microsoft Azure AZ-800 — Section 15: Manage IP addressing in on-premises and hybrid scenarios

114. Implement and configure the DHCP server role (on-premises only)

It’s now time for us to discuss this concept of managing and configuring DHCP, the Dynamic Host Configuration Protocol. Now, DHCP is not a technology that is new. This has been around for a very long time in the industry, and we use it as a service to issue addresses out to our different devices. Now, different companies have different methods that they like to use to manage DHCP.

Some companies prefer to use their router to issue out their IP addresses; in fact, most of us do that at home in our home networks. But in businesses, it does pay to be able to manage things in a more advanced system, such as having a server. Windows servers can actually do quite a few pretty advanced things with DHCP that you don’t always get when trying to manage DHCP through a router.

OK, so here I am in front of my NYC server one and I’m going to install the DHCP service on my server so that I can learn how to configure it.

OK? So, we’re going to start here. We’re going to go to Server Manager. And then from Server Manager, we’re going to go to Manage, Add Roles and Features, and we’re going to go to the roles page. All right, here it is, DHCP. We’re just going to select that. We’re going to go ahead and click Add Features. All right. And then it tells you that, in my case, because my server does not have a static IP address, the validation process found some problems: no static IP address. And so, in my lab, I’ve been using a DHCP service on the network to handle that.

So what I’m going to now do is I’m going to give this machine a static address.

So, if we go look at the network I’m currently on, I could find that out by going to command prompt here and we will do an ipconfig /all. And you can see that my address is 192.168.1.87.

So, I’m just going to give that a static address now to match that just so that it matches the network that I’m currently on. All right.

So, I’m going to go right here to Local Server. I’m going to go to the properties of my adapter. Right here, TCP/IP properties, and we’re going to give it that address, 192.168.1.87. All right. Kind of match that, and then the subnet mask is going to be 255.255.255.0, and then my router is 192.168.1.1.

So, I’m going to put that in. My DHCP server, or my DNS server, is still going to be my domain controller, which is 192.168.1.186, which again, I’ve mentioned this before, that I do jump networks a little bit when I’m doing these videos, so I do have to kind of stay on top of what my current address is.

So, if you’ve seen in maybe a previous video, where have it had a different address, that would be why? OK, because I do kind of have to jump networks sometimes.

So here I am, setting that to a static address. I’m going to click Close on that and that should confirm that everything is good. And then after that, we should be able to go through and get DHCP installed.

So here we go to Manage, Add Roles and Features. We’re going to go to the roles page. All right. DHCP, Add Features.

OK.

So, “no static IP address”. The address changed this time. I’m just going to ignore that and continue anyway. And the reason is it just may take a moment to refresh. We’re going to click Next now. Next. Next. And then I’m going to tell it, if it needs to restart, it can.

OK.

So, we’re going to go ahead and do that. We’re going to click Install and I’m going to go and pause the video while this is being installed.

OK, so after the installation is done, I’ll have this little warning symbol here, and let me show you what this warning symbol is referencing. So, I’m going to go to Tools and we go to DHCP. And if I open up DHCP right now and click on my server, you can see I have these little red arrows that are pointing down over IPv4 and IPv6. That means that my server is currently not authorized.

So something that is very important to understand about Microsoft domains is that in order for a DHCP server to be authorized, or I’m sorry, in order for a DHCP server to issue addresses, it must be authorized.

OK, in order for that to happen.

So authorizing it is going to link it to Active Directory and give it the right to do that, because our clients in the Windows world and Microsoft domains can be basically instructed not to receive any IP addresses from an unauthorized DHCP server. And by default, Windows machines will accept IP addresses from any DHCP server. But you can use group policies if you want to actually instruct Microsoft clients not to accept addresses from anything that’s not an authorized DHCP server.

So this is what this feature is for. It’s to try to prevent what are called rogue DHCP servers on the network. But with this feature, even though you have to authorize it, you do have to implement that feature through group policies before it’s really going to matter. But how do I do this? Well, I can go right here to the warning symbol and I can see “Complete DHCP configuration”. And so right here, it says that the following steps will be performed to complete the DHCP server on the target computer: create the DHCP security groups.

So, it’s going to create a couple of groups. The DHCP Administrators, which have admin rights over DHCP, and it’s going to create a user group called DHCP Users, which can go in there and actually see all the DHCP configuration. And then it’s going to authorize your DHCP server.

So that’s the process this wizard is going to do. Years ago, they didn’t actually have this wizard, and a lot of admins didn’t know what they were supposed to do and had to go look it up. This wizard is there to kind of help with that.

So, we’ll click Next here. All right. Specify the credentials to be used to authorize the DHCP server in AD DS.

Now I will say this, a fact you’re going to want to be aware of. If you are in the root domain in the forest, then you only have to be a domain administrator to authorize a DHCP server. However, in any other domain in the forest, any other domain, child domain, anything like that, you must be an enterprise admin to have the right to authorize the DHCP server. Remember an enterprise admin? If you go into Active Directory Users and Computers, you can see there’s a group under the Users folder called Enterprise Admins. You have to make sure that your user account is in there, but a domain admin can do it in the root domain. That’s the way that this works. This has always worked this way, essentially, and this authorization thing has been around since the year 2000, when DHCP in Active Directory first came out. All right.

So, I’m going to go ahead now. That’s fine, it says use these credentials. I’m going to say Commit. And it looks like it’s done, we’re going to hit Close. We’re going to go to Tools and we’re going to open up DHCP. And expand out my server, and as you can see, I now have the two green check marks, which indicate that the server is officially authorized.

OK, so from there I can expand these out and, as you can see, basically your Microsoft server does have the ability to issue addresses out for IP version 4 and IP version 6. And to do that, we would basically right click and we can create scopes and all that. But I’m not going to show that in this video. I just wanted to show you the concept of getting this role installed on our server, which it is. And of course, it’s now officially authorized.

So, we got our DHCP server set up, and now we’re ready to begin creating scopes and making sure that our clients are able to get the addresses that we want to issue out.
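The same install, security-group and authorization steps can be scripted. This is an added example, not part of the course material; it assumes the DhcpServer PowerShell module that ships with the role's management tools, uses the 192.168.1.87 address from the walkthrough, and uses a placeholder FQDN. The last step lists every server authorized in Active Directory so that an unexpected entry stands out.

```powershell
# Added example: scripted equivalent of the Add Roles wizard and the
# "Complete DHCP configuration" step. Run elevated on the DHCP server.
$ServerFqdn = 'nyc-svr1.corp.example'   # placeholder FQDN (assumption)
$ServerIp   = '192.168.1.87'            # static address set in the walkthrough

# The role wizard warns when no static IPv4 address is configured; check first.
$dhcpAssigned = Get-NetIPAddress -AddressFamily IPv4 -PrefixOrigin Dhcp `
    -ErrorAction SilentlyContinue
if ($dhcpAssigned) {
    Write-Warning "Still DHCP-assigned: $($dhcpAssigned.IPAddress -join ', ')"
}

# Install the role plus the DHCP console and PowerShell module.
Install-WindowsFeature -Name DHCP -IncludeManagementTools

# Wizard step 1: create the local groups "DHCP Administrators" and "DHCP Users".
Add-DhcpServerSecurityGroup
Restart-Service -Name DHCPServer

# Wizard step 2: authorize the server in Active Directory. In the forest root
# domain a Domain Admin can do this; elsewhere it needs Enterprise Admins.
Add-DhcpServerInDC -DnsName $ServerFqdn -IPAddress $ServerIp

# Clear the Server Manager warning flag that the wizard would normally clear.
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12' `
    -Name ConfigurationState -Value 2

# Audit: every authorized DHCP server in the directory, checked against the
# list of servers you expect to see (here only this one).
$Expected = @($ServerIp)
Get-DhcpServerInDC | ForEach-Object {
    [pscustomobject]@{
        DnsName   = $_.DnsName
        IPAddress = $_.IPAddress
        Expected  = $Expected -contains $_.IPAddress.ToString()
    }
} | Format-Table -AutoSize
```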

115. Create and manage scopes

I’d like to take a look at creating scopes on our DHCP server, so here I am on my NYC server one machine. The first thing I want to show you is the two groups that were created whenever the DHCP server gets authorized.

So, I’m going to right click my Start button and I’m going to go to Computer Management. And once I get into Computer Management, we’re going to go to Local Users and Groups, and there are a couple of groups. One is called DHCP Administrators, the other is called DHCP Users.

So the DHCP Administrators are people you’re going to give authority over just this DHCP server.

So, if you had an IT person that you wanted to give admin rights over it, you could do that. The DHCP Users are for view-only people.

So, if you have an administrator you’d like to give view rights, or maybe it’s a helpdesk person that you want to be able to go and just look at the DHCP service to see if an address has been issued out. Maybe they’re trying to troubleshoot something. That’s a great group for dealing with that.

So, if you wanted to add somebody to these groups, you could. All right. The next thing we’re going to do is we’re going to go to Start, we’re going to click to go to Server Manager, and we’ll open up our DHCP server and we’ll see how we can start creating and configuring scopes on servers.

So, we’re going to go right here to Tools. We’re going to go to DHCP. Open up the DHCP service here. Expand that out, and if I want to create a scope for either IP version 4 or version 6, then that’s how we’re going to do that. We’re going to expand those out. Now, the green check mark: again, that does mean that the server has been authorized, which is good.

So, we’re going to right click and we’re going to click to create a new scope. From there, we’re going to click Next on the New Scope Wizard. We’ll give the scope a name, so I’m just going to call this Scope A. And then next, we’ll give it the addressing system that we want to issue out.

So, for example, if we were going to issue out, let’s say, 10.0.20, or let’s make it 10.10.0.1 through 10.10.0.254, and we will do a 24-bit mask there. We’re going to give out 254 addresses. 10.10.

Now one thing that’s important, if you’re integrating with Azure, you want to make sure that the addressing system that you are using on-premise does not conflict with what you have in Azure.

Now I also do realize that in my lab computer here, I’m using a 192 168 range, but that doesn’t really matter. I can still issue out whatever addresses that I want.

So, in the real world, if 10 was my addressing system and I’m also, integrating with Azure, I would want to make sure that the two don’t conflict with each other.

OK. If you’re really concerned about that, you know, I could even just do, you know, 10.100, because I have created quite a few different scopes in my Azure environment right now.

So this will guarantee that I’m not conflicting with any subnets in Azure.

So from there, I’ve set my length, and you can adjust your subnet length any way you want with TCP/IP subnetting. I’m not teaching TCP/IP subnetting here, but you can adjust the subnet mask right there. Then you can click Next, then you can set exclusions if you want. And so an exclusion is going to be addresses that you don’t want to hand out.

OK. And so this way we can make sure that if there are any addresses that we don’t want to hand out, maybe these addresses are in use statically by something on our network, like a server. This is when you would want to use exclusions.

So, when a client machine is requesting an address, we don’t want to hand out certain addresses because maybe these addresses are going to be used by maybe our servers on our network.

So let’s pretend for a moment that we have a 10.100.0., let’s say 23, or 10.100.0.30. Maybe those addresses are excluded because maybe we’re handing those addresses out to our servers.

So the next thing you’ll notice here is you have subnet delay in milliseconds. What that does is, if I had multiple DHCP servers and I wanted to stagger which one responds first, you could up that in milliseconds.

Now the thing is that the way clients work is generally first come, first served.

So, if there are two DHCP servers on the network, your client is going to accept the address from the first DHCP server that sends an offer message.

OK. And so, if you had two DHCP servers that were near each other, they’re going to send them at the same time. You’re going to have an issue: the client is going to accept from whichever one goes first. If you wanted to sort of stagger that so that one DHCP server gives out its address over another, you can up this number right here, and that’s what that’s going to do for you.

OK, from there I have lease duration, so the lease duration is the amount of time that the devices will get an address. Remember that clients will renew their address every time they come online.

So, if it’s up to eight days, they’ll continue to renew it whenever they come online, back to eight days. The other thing is, if a client stays online, a client will renew its address when half of the period is up, when 50 percent of the period is up.

So, in four days, my clients ought to renew if they didn’t reboot or anything like that. Of course, you can also run ipconfig /release and /renew on a client and have it renew its address that way. If a client tries to renew its address after 50 percent of the time is up, it’ll try again when 87 percent of the time is up, and then it’ll try again when, of course, the time is up completely. And at that point, if the DHCP server doesn’t respond and there are no DHCP servers to hand the client an address, the client will use an APIPA address, Automatic Private IP Addressing, which is the 169.254 address that your computer will give itself whenever it can’t get one from DHCP, which doesn’t really work all that well. That’s why it’s important that we always have a failover; we want to have multiple DHCP servers. But I’m going to leave that set to eight days. I’m going to click Next.

And then it says, do you want to configure your DHCP scope options? So scope options are the additional things that clients need to know about when they are on a network.

So say yes to that. Click Next. And so, I would specify my router. Let’s say that my router is 10.100.0.1.

So add that. OK, we’ll pretend that’s our router, OK? You can have multiple, and clients can prioritize based on the order they’re listed in.

So, if one router doesn’t respond, it can go to another one.

So that’s the default gateway. Then we can specify our domain information.

So our domain is exam line practice .com that’s going to tell the clients that they belong to that domain. That’s their DNS name. At least they’re going to register. They’ll automatically register with DNS based on that. And then you can specify the DNS server here. All right.

So that’s fine. We have WINS. WINS is a legacy service from the nineteen nineties that was used for NetBIOS names.

So, if, God forbid, you’ve still got some older systems in there that are expecting what’s called a WINS server for NetBIOS names, then you can use that. NetBIOS names were 15-character names that were used in the nineties and the eighties, before DNS sort of became the standard that Microsoft moved to when Windows 2000 came out.

So that’s what that is. We’re going to click next.

So, OK, you want to go and activate the scope? I want to say no to that for right now. And then I’m going to click next and I’m going to click finish.

So at that point, I now officially have a scope.

OK. And I am going to create another scope. This one we’ll call Scope B, OK? Click Next. And let’s say that it is 10.101.0.1 through 10.101.0.254. And we’ll set this to 255.255.255.0, a subnet mask of 254 addresses. Not going to do any exclusions this time. Eight days, not going to do any options this time. Just going to create a couple more scopes just to demonstrate something here.

So let’s create one more. We’ll just call this Scope C. OK. Remember, the scope name could illustrate which area of the network this is going to. Maybe it’s a server building. Or maybe it’s the third floor of the building, based on the way your company’s wired. You could configure this.

OK, so then we’ll go 10.102.0.1 through 10.102.0.254, 24-bit mask.

OK. Click Next. Next. Next. We’re not going to do any options this time, and there you go.

So, we got our three scopes.

So, let’s say for a moment that maybe Scope A, B and C were part of the same building.

OK. Or better yet, you know, let’s just do one more just to illustrate a building example.

So, we’ll say Scope D, OK? And so Scope D will be 10.103.0.1 through 10.103.0.254. And then a 24-bit mask. We’ll click Next. Next. Next.

OK, so, let’s say that we had two buildings in our environment. Maybe A and B were in a building together, and C and D were in a building together, and the two buildings, maybe they’re connected by like a fiber connection or something like that. I can go right here and create this thing called a superscope that’ll group your scopes together. So I can go here and I’ll say Building One. All right, and we’ll put A and B together. And then we’ll do one more superscope, we’ll call it Building Two. All right, we’ll put those two together. This is just a way to group scopes together.

So now I’ve got my scopes grouped together. And really the grouping is just for me to visually group things together, for this DHCP server is handing scopes out to all these different locations. Of course, your router would be responsible for routing traffic, and on a router there’s a thing called IP helpers that you can enable. We don’t learn much about setting that up on the router. I’m just telling you that for the real world, you can enable something called IP helpers on most routers to fix that problem. Cisco routers, too. There’s a thing called IP UDP Command that can configure that, or you can configure it through the web portal that a lot of the routers have nowadays. But it’s based on where the request is coming from, what subnet the request is coming in on at the router. If it’s coming from the 10.101 subnet, then this is the scope that’ll apply. If it’s 10.100, it’s going to come here. 10.103, it’s going to go from there. Your DHCP servers are going to hand out the address based on where the request packet is coming from on the network.

OK. And so that’s how it’ll do that. Of course, right now you’ll notice the little red arrow pointing down on all my scopes. That doesn’t mean it’s not authorized. It means it’s not activated.

So the terminology is very important here: with your DHCP server, it must be authorized. But when it comes to scopes, they must be activated. You can activate individual scopes by right clicking and clicking Activate. If you want to activate them all at once, you can just activate the superscope.

So right click, we’ll say Activate; right click, Activate. And we’ve now activated our scopes. That basically means that our DHCP server is now able to start issuing addresses based on these scopes.

OK, now if there’s additional things I want to configure there, I can expand this out right here, and here’s my address pool that I’m handing out.

So these are addresses that I want to hand out. These are exclusions that I do not want to hand out because again, maybe they are being used by servers on the network. I can see any address leases that have been handed out so far, so no clients have gotten any addresses. I can reserve addresses with what’s called a reservation, not getting into that just yet. And then I’ve got scope options.

So these are the additional things that my clients can be told. If I want to add additional information to that, I can right click and say Configure Options, and you have all these different things that you can configure. Obviously, I’m not going to explain every one of these in this course right now. You can look them up on Microsoft’s site; if you do a quick search, you can look at what these are. But there are lots and lots of different services here that you can associate with it if you want.

OK, your router, your DNS server, your domain name, those are your three key ingredients key things that you want your clients to know about.

OK. And so you definitely want to want to put those in there.

OK.

Now, to activate a scope, by the way, I didn’t say this: to activate a scope, you just need to be a DHCP administrator or domain administrator or something like that. Unlike when it comes to authorizing a server, where if you’re in a child domain or anything, you have to be an enterprise admin, with scopes you just need to be at least a DHCP admin or domain admin to do that. Right?

And from there, the other thing I can do is create what’s called a multicast scope. That’s for using what are called multicast groups, multicast networks, which aren’t really used all that often anymore. That was a technology that started to kind of get popular in the early 2000s, but it’s a little less popular now. But multicast is the process of creating a group of devices and then issuing out a bunch of addresses, a bunch of information, to the same devices that are in that group. It is still occasionally used in the imaging world, where people are deploying images. But you can create a multicast scope by running through this little wizard here, and multicast scopes can be issued out to any devices that maybe you want to do streaming video or imaging or something like that with. All right.

But all in all, as you can see, creating a scope is relatively easy, and if you ever want to deactivate a scope, you can do that. You can deactivate the whole superscope, or if you just want to deactivate a specific one, you can. Not a problem.

OK. And so as far as configuring your scopes goes, pretty straightforward.
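The scope, exclusion, option, superscope and activation steps above, scripted with the DhcpServer module. This is an added example, not part of the course material: the Azure address spaces and the DNS suffix are constructed placeholders, the exclusion is assumed to be the range .23 to .30, and the overlap pre-check goes beyond the walkthrough by refusing to create a scope that collides with an Azure address space.

```powershell
# Added example: Scopes A-D from the walkthrough. Run elevated on the DHCP server.
$DnsServer   = '192.168.1.186'                   # domain controller in the lab
$DnsDomain   = 'corp.example'                    # placeholder suffix (assumption)
$AzureSpaces = @('10.0.0.0/16', '10.1.0.0/16')   # constructed VNet address spaces

function ConvertTo-UInt32 ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                     # network order -> little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-CidrOverlap ([string]$A, [string]$B) {
    # Two CIDR blocks overlap when they are equal under the shorter prefix.
    $ipA, $lenA = $A -split '/'
    $ipB, $lenB = $B -split '/'
    $len  = [Math]::Min([int]$lenA, [int]$lenB)
    $mask = [uint32]([Math]::Pow(2, 32) - [Math]::Pow(2, 32 - $len))
    ((ConvertTo-UInt32 $ipA) -band $mask) -eq ((ConvertTo-UInt32 $ipB) -band $mask)
}

$plan = @(
    @{ Name = 'Scope A'; Prefix = '10.100.0' }
    @{ Name = 'Scope B'; Prefix = '10.101.0' }
    @{ Name = 'Scope C'; Prefix = '10.102.0' }
    @{ Name = 'Scope D'; Prefix = '10.103.0' }
)

foreach ($s in $plan) {
    $scopeId = "$($s.Prefix).0"
    $clash = $AzureSpaces | Where-Object { Test-CidrOverlap "$scopeId/24" $_ }
    if ($clash) { throw "$($s.Name) ($scopeId/24) overlaps Azure space $clash" }

    # Created inactive, as in the wizard. -Delay is the subnet delay in ms;
    # raise it on the server that should answer second.
    Add-DhcpServerv4Scope -Name $s.Name -StartRange "$($s.Prefix).1" `
        -EndRange "$($s.Prefix).254" -SubnetMask 255.255.255.0 `
        -LeaseDuration (New-TimeSpan -Days 8) -Delay 0 -State InActive
}

# Scope A only: addresses held back for servers, then the three key options.
# Set-DhcpServerv4OptionValue checks that the DNS server answers unless -Force.
Add-DhcpServerv4ExclusionRange -ScopeId 10.100.0.0 `
    -StartRange 10.100.0.23 -EndRange 10.100.0.30
Set-DhcpServerv4OptionValue -ScopeId 10.100.0.0 -Router 10.100.0.1 `
    -DnsServer $DnsServer -DnsDomain $DnsDomain

# Superscopes group the scopes per building.
Add-DhcpServerv4Superscope -SuperscopeName 'Building 1' -ScopeId 10.100.0.0, 10.101.0.0
Add-DhcpServerv4Superscope -SuperscopeName 'Building 2' -ScopeId 10.102.0.0, 10.103.0.0

# Authorization applies to the server; activation applies to each scope.
foreach ($s in $plan) {
    Set-DhcpServerv4Scope -ScopeId "$($s.Prefix).0" -State Active
}

Get-DhcpServerv4Scope | Format-Table ScopeId, Name, State, LeaseDuration -AutoSize
Get-DhcpServerv4Superscope | Format-Table -AutoSize
```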