Re: Moved DHCP server to DC, now only works for domain users



On Aug 11, 7:12 pm, "Lanwench [MVP - Exchange]"
<lanwe...@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
robert.waters <robert.wat...@xxxxxxxxx> wrote:
On Aug 11, 11:39 am, "Phillip Windell" <philwind...@xxxxxxxxxxx>
wrote:
DHCP is anonymous,..it does not care about users.
Machines get an IP Config before the user can even login in the first
place,...therefore it is impossible to wait until the user has
logged in before they get the config,...the IP Config must come
first,..then the login.

Machines always go to the same DHCP they got the last successful
Config. Machines always ask for the same IP# they got last time.
If a machine got a Config from the Linksys box then it will keep
trying the Linksys box the next time. Since the linksys box is still
"alive" it will try the Linksys box even if the Linksys DHCP Service
is disabled.

You're screwing yourself by even allowing the Linksys box to have
the DHCP enabled at all in the first place.

Delete and re-create the Scope. *Keep it simple*. Configure only the
basics (IP, mask, DNS, DFG) at first until it works right. Don't get
"creative" until everything works dependably. Do not enable the
Scope until the Linksys DHCP is disabled. Make sure your scope is
activated and the DHCP is authorized. You may want the Scopes to be
inactive and the DHCP Server to be un-authorized until the Linksys
box has the DHCP Disabled.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or
Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------

"robert.waters" <robert.wat...@xxxxxxxxx> wrote in message

news:78945182-708a-4435-8239-9bc40648caf2@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I have just moved the DHCP server role from a domain member server
(which is being decommissioned) to the domain controller. It will
now only provide IP addresses to machines which are logged in to the
domain (domain user accounts).
Previously, it was no problem for the old DHCP server to provide
addresses to any machine that appeared in the network. This was
good/required behavior, because many of our machines are
journeyman laptops or linux workstations.

I have done a few hours of research on the subject, and most results
point to a problem for non-authenticated users not being able to
interact with DNS properly/securely. I have enabled insecure dynamic
updates on the DNS server, provided a dns domain name via DHCP
option 015 (which was not present on the old server, btw), and made
several more changes (that I cannot remember right now) that might
have helped, but did not.

Please, can anyone help me with this problem? I currently have an
old linksys NAT box providing IPs to everyone, and while that is a
solution, it's not an incredibly robust one.

Thank you in advance,
Robert Waters

The linksys box was not in the network until I had the problems; it
was a last-ditch solution implemented only when I could not get the
new DHCP server working for non-domain PCs.

The DHCP server worked perfectly on a domain member server, but when
moved to the domain controller (using the same configuration with
respect to DNS servers, gateway, WINS etc.) it would only grant IP
addresses to machines (users) authenticated to the domain. e.g. log
into PC with a local (non-domain) user account, no IP assigned;
re-login using a domain account, the IP is provided.
It seems that since I moved the role to the DC, it will only allow
authenticated users to get IP addresses.

Thanks for your help.

As Phil states, there is simply no way DHCP can work only for authenticated
users in the domain. DHCP doesn't know anything about AD, and DHCP lease
assignments happen long before any user has even been prompted to log in.
Now, dynamic DNS updates *can* be restricted to authenticated AD users only,
but that has nothing to do with DHCP & is unlikely to be the issue here. I
agree with Phil - I'd yank out the Linksys box & start over.

Are you absolutely sure? The DHCP server is integrated with AD at
least insofar as it has been "Authorized" to provide IP addresses to
domain machines.
I have a great deal of trouble not associating this problem with AD,
since a clear relationship has been demonstrated, where domain
accounts work on the same machine upon which non-domain accounts do
not work.
I appreciate your help, and will take your advice and start from
whatever scratch I can (being that I can't wipe my DC without causing
myself a great bit of trouble. I might as well keep the Linksys box).

Thanks again
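
Added example, not part of the thread: the discussion involves two DHCP servers (the Linksys box and the DC) answering on one segment. The Python sketch below parses RFC 2131 reply messages and lists any server identifier (option 54) seen in a DHCPOFFER that is not on an allow-list. All addresses, the MAC and the packets are constructed sample data, and the function names are hypothetical.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie that precedes the options
OFFER, ACK = 2, 5             # values of option 53 (DHCP message type)

def build_reply(msg_type, server_ip, offered_ip, mac, xid):
    """Build a minimal BOOTREPLY; used only to construct sample data."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, xid, 0, 0,
                      bytes(4), socket.inet_aton(offered_ip),
                      socket.inet_aton(server_ip), bytes(4), mac, b"", b"")
    opts = bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server_ip) + b"\xff"
    return hdr + MAGIC + opts

def parse_reply(pkt):
    """Return message type, server identifier, offered IP and client MAC."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:      # 255 = end option
        if pkt[i] == 0:                        # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt):
            break                              # truncated option, stop parsing
        length = pkt[i + 1]
        opts[pkt[i]] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    server = opts.get(54, b"")
    return {"type": (opts.get(53) or b"\x00")[0],
            "server": socket.inet_ntoa(server) if len(server) == 4 else None,
            "offered": socket.inet_ntoa(pkt[16:20]),   # yiaddr field
            "mac": pkt[28:34].hex(":")}                # chaddr field

def unexpected_servers(packets, authorized):
    """Server identifiers seen in DHCPOFFERs that are not in `authorized`."""
    parsed = [parse_reply(p) for p in packets]
    seen = {m["server"] for m in parsed if m["type"] == OFFER and m["server"]}
    return sorted(seen - set(authorized))

# Constructed sample: one client (xid 0x1234) hears offers from two servers.
MAC = bytes.fromhex("020000aabbcc")
SAMPLE = [build_reply(OFFER, "192.168.1.10", "192.168.1.101", MAC, 0x1234),
          build_reply(OFFER, "192.168.1.1", "192.168.1.150", MAC, 0x1234),
          build_reply(ACK, "192.168.1.10", "192.168.1.101", MAC, 0x1234)]

if __name__ == "__main__":
    print(unexpected_servers(SAMPLE, {"192.168.1.10"}))
```

The parsed fields identify the client by hardware address and transaction id; feeding the function replies captured on the client segment shows which servers are actually answering.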