This is a feature I have been waiting for way too long. Up until today if you wanted to
have some control over who is entitled to receive an IP address from your DHCP you
either had to configure reservations (for each of your systems) or had to use some lower
level device to filter out unwanted systems.Finally that is over now.
The Microsoft DHCP team has posted a new DLL called “DHCP Server Callout DLL” on their blog.
This DLL can be used on Windows 2003 and Windows 2008 DHCP servers to limit the scope of
systems entitled to receive an IP address from the server based on their MAC address.
To install it you need to download the installer and run it.
Once the installation completes you will have to new files in your %windir%\system32 directory:
The first file provides documentation (installation and usage) while the second file is the DLL needed
to enable the functionality.
Installation and Configuration
- Create a new directory ,basically anywhere but I would recommend to create under the DHCP
service directory: %windir%\system32\DHCP . Give it an informative name such as MACFilter.
- Copy both files to the new directory (Once copied, you can safely remove the application using
Programs and Features).
- Create a new text file under the new directory called: “MACList.txt”
- Add the following Registry keys to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters:
- Please note, that you have to specify a full path for the log files including filenames (they will be create
automatically when the DHCP service is started).
- Before you start using the feature make sure to edit the MACFilter.txt file using the following format which is
- Basically when choosing the ALLOW action, the server will provide IP addresses only to the systems that have their
MAC addresses listed,while the DENY action will prevent the listed systems from getting an address. The MAC addresses
should be listed without a delimiter and all lower case.
- To enable the feature you have to restart the DHCP service. If successfully started the following event(1033) will be logged:
Which is basically nothing- The DHCP server simply doesn’t respond.
As for the logs, they will help you determine what is happening. If you would like to archive your logs you will need to
provide a mechanism as at every restart the logs are recreated.
Keep in mind that if something is wrong the server will start without enabling this feature.
Nifty yet there are a few issues that I would like to see resolved:
- A better installation process (having to manually change the registry isn’t my idea of fun)
- A better user interface-one that checks for errors
- Logs are ok, but should be integrated with Event Viewer
- Every change needs a restart of the service (removing/adding a MAC). Now that isn’t a big deal
since we are talking about DHCP,but still…
A few more things system admins. need to keep in mind:
- Integration with recovery procedures. Keep in mind that you need to manually take care of recovery
- This isn’t a bulletproof solution, a user or a malicious user may change his MAC address. Although
unlikely it is a possibility.
Don’t get me wrong here (I may have sounded negative) ,this is a great add-on (and a new add-on) that can make
life easier for us, once some of the small issues will be ironed out it will be perfect.