Changing static IP Address to DHCP and vice-versa over network

Microsoft has already published an article on changing a static IP address to DHCP over the network. One day I had to deal with exactly this situation: I had to change all static clients to DHCP-aware clients using the article published on the Microsoft support site: http://support.microsoft.com/kb/q194407/

Indeed, the above article is useful, but it requires a lot of manual effort. You need to connect to every computer through the "Remote Registry API" and then change the required details in the registry of every computer, which is painful.

This is a lengthy task when you need to do the manual work on more than 100 computers.

Below is a solution for network administrators who want to avoid that manual process.

I have found the following ways to do so:

1. Use WININSTLE to find the registry keys that a DHCP client machine changes when it obtains an IP address automatically from the DHCP server.

2. Use PSEXEC (if your network uses the Workgroup security model) or Group Policy (if you are in the Domain security model) to deploy the DHCP client settings remotely, together with a pre-configured text file that can be used to differentiate between the IP addresses used by the client machines.

You need to install and run WinInstLE on one of your client computers.

1. Go to a client machine.

2. Install WININSTLE. This utility is located on the Windows 2000 CD.

3. Run WININSTLE. Perform the *Before Snapshot* operation.

4. Give a path to save the MSI file and the registry information.

5. Restart the client computer.

6. Configure the client machine to obtain an IP address automatically from the DHCP server.

7. After restarting the client computer, run *After Snapshot*. This records every change made while the DHCP client contacted the DHCP server and got an IP address from it.

8. Edit the *.REG file and delete the IP address it got from the DHCP server. This makes sure that all the client computers use a unique IP address on the network. Save this file.

9. Now you have two files to deploy, either using PSEXEC or Group Policy:

MSI file
REG file

10. You can deploy this MSI file (that is, the configuration of the DHCP client) using the Group Policy Software Installation snap-in.

OR

You can deploy this MSI file or REG file using PSEXEC remotely on all client computers. With PSEXEC you can specify a text file which keeps information about the IP address and client computer name pairs.

Now you need to put everything together to get things working. This is how you do it:

NOTE: The only unique field required in the DHCP configuration is the IP address.

1. You have got a REG file from WININSTLE. Edit this REG file and remove the IP address value. You have already done this in step 8 above.

2. Save this REG file.

3. Copy the full MSI folder to the server from where you want to deploy the DHCP settings.

4. Deploy this MSI file using the Software Installation snap-in.

5. After the MSI file is deployed, all configuration settings will be saved on all client computers except the IP address.

6. Next, the client computers will restart and obtain an IP address from the DHCP server.
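As an added example (not code from the article), here is a small Python helper for step 8 of the snapshot procedure and step 1 of the deployment list: it parses a WININSTLE-style .REG export, joining the backslash-continued hex(7) lines, strips the per-machine DHCPIPAddress value, and checks that EnableDHCP is still 1 before the file is deployed. The sample .REG text, the interface GUID placeholder and the addresses are constructed, and the value types are assumed to match a Windows 2000 export.

```python
import re

# Constructed sample of a WININSTLE .REG export (not from the article); the GUID and
# addresses are placeholders. REG_MULTI_SZ values are exported as hex(7) and may
# continue across lines that end in a backslash.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{PLACEHOLDER-GUID}\Parameters\Tcpip]
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DHCPIPAddress"="192.168.0.5"
"DHCPServer"="192.168.0.1"
"DHCPDefaultGateway"=hex(7):31,00,39,00,32,00,2e,00,31,00,36,00,38,00,2e,00,\
  30,00,2e,00,31,00,00,00,00,00
'''

def iter_entries(reg_text):
    """Yield logical lines of a .REG file, joining backslash-continued lines."""
    buf = None
    for raw in reg_text.splitlines():
        buf = raw if buf is None else buf + "\n" + raw
        if raw.rstrip().endswith("\\"):
            continue            # value continues on the next line
        yield buf
        buf = None
    if buf is not None:
        yield buf

def strip_values(reg_text, names=("DHCPIPAddress",)):
    """Return the .REG text without the named values (case-insensitive)."""
    drop = {n.lower() for n in names}
    kept = []
    for entry in iter_entries(reg_text):
        m = re.match(r'"([^"]+)"=', entry)
        if m and m.group(1).lower() in drop:
            continue            # per-machine value: leave it to the DHCP lease
        kept.append(entry)
    return "\n".join(kept) + "\n"

def ready_to_deploy(reg_text):
    """True when EnableDHCP is 1 and no per-lease DHCPIPAddress value remains."""
    entries = list(iter_entries(reg_text))
    lease_left = any(re.match(r'"DHCPIPAddress"=', e, re.I) for e in entries)
    return '"EnableDHCP"=dword:00000001' in entries and not lease_left

if __name__ == "__main__":
    cleaned = strip_values(SAMPLE_REG)
    print(cleaned)
    print("ready:", ready_to_deploy(SAMPLE_REG), "->", ready_to_deploy(cleaned))
```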

NOTE: If you want to enable DHCP for another connection, specify the name of that connection in the netsh command:

netsh interface ip set address "Local Area Connection" dhcp

This should work well.

SUMMARY: –

The following is required for a client to be a DHCP client when configuring it manually:

DHCP Client service should be started.

Client LAN connection should be set to *Obtain IP from DHCP Server*.

netsh interface ip set address "Local Area Connection" dhcp

DHCP Client must have a unique IP Address on network.

Some registry entries, as described in the above article, must be set under

HKLM\SYSTEM\CurrentControlSet\Services\XXXXXX\Parameters\TCPIP, where XXXXXX is the value of ServiceName found in step 3 of the above article.

EnableDHCP = 1
IPAddress = 0.0.0.0
SubnetMask = 0.0.0.0
DHCPDefaultGateway = 192.168.0.1 — if you are using some other gateway, put it in the script or set it manually in the registry.
DHCPIPAddress = 192.168.0.5 — the IP address obtained from the DHCP server.
DHCPServer = 192.168.0.1 — the IP address of the DHCP server.

You don't need to restart the workstation. Simply restart the DHCP Client service on the destination computer using a script.

Securing your network using Microsoft Windows DHCP

This article explains how you can secure a network running the DHCP service.

Microsoft has added some security to the DHCP server by means of the Class ID. You can use the Class ID to secure a network for the clients that are part of the network, or for laptop users who receive their IP address from this DHCP server on the network.

In the DHCP server you configure the Class ID. When you configure a Class ID you need to use the same ID on all client machines, so that any DHCP packet sent by a client can be understood by the DHCP server for that class. You set the Class ID on client machines using the *Ipconfig /setclassid* command.

Prevent computers from obtaining an IP address from the DHCP server if they are not authorized

A computer is authorized to obtain an IP address on the network only when it is configured with the DHCP Class ID that you have implemented on the MS DHCP server. This Class ID mechanism can be understood by MS DHCP servers only.

We have secured our DHCP network using *MS Class Options* (you can find this mechanism only in the MS DHCP implementation).

Client machines can't get an IP address from any DHCP server available on the network *IF* you have configured a Class ID on the client machines using the *Ipconfig /setclassid* command. A DHCP packet is dropped by the DHCP server if no scope with the *same Class ID* is found on the network or on the MS DHCP server.

This is what happens when you implement a Class ID on your network:

1. A computer plugs into your network.

2. The DHCP client service starts and broadcasts on the network to get an IP address (I assume this is a new computer and it is configured with a Class ID).

3. The DHCP server goes through its database of scopes to check whether the request belongs to any Class ID scope, a simple scope, or a superscope if the request is coming from a different network ID:

        a. If the DHCP packet from the client machine contains Class ID information, the
           DHCP server goes through the Class ID scopes. If it doesn't find the same Class
           ID in its database, the DHCP packet is dropped. Exit loop. Otherwise, if the
           DHCP server finds the Class ID scope, it leases out an IP address to the client
           machine. Exit loop.

        b. The DHCP server goes to the next available condition, that is the *DHCP scope
           for the same subnet*. HERE the DHCP server can lease out an IP address from
           any scope if you haven't configured the client machine with a Class ID. This
           is where DHCP security is failing. If the DHCP server finds no other scope,
           the DHCP packet is dropped. Exit loop.

        c. The next available condition is to check the *DHCP superscope for the same or
           another subnet*, or whether the client doesn't belong to the same subnet.
           Condition b applies in this case.

4. After checking the above conditions, if the DHCP server finally decides to drop the packets, the client obtains an IP address using APIPA (169.254.x.x). This puts the client out of the network; it can't participate in the network.

Restrict IP addresses to known MAC addresses (either static or DHCP) when an unauthorized machine has physical access to a NAM on the network.

1. Create a class on your network.

2. Define a scope for these MAC systems only.

3. Create a unique Class ID for this scope.

4. Configure the client machines using *Ipconfig /setclassid*. Set the Class ID which you have configured at the DHCP server.

Now when the DHCP server receives a packet from a client machine configured for the same Class ID, it goes through its scopes to check whether the client belongs to any scope class you have configured at the DHCP server.
If the DHCP server finds a class scope with the same Class ID then it leases an IP address *ONLY* from this class, regardless of the subnet the client machines belong to. Condition a applies in this scenario.

NOTE:

1. This way you can secure your DHCP server.

2. This only applies when the client machines are configured to obtain an IP address automatically from a DHCP server. If a client machine is configured with a static IP address then you can't prevent it this way. You need to disable the DHCP Client service on the client machine, unregister a DLL from the system, or set permissions on the registry of the client machine so that users can't save that information.

3. You shouldn't have any other scope configured in your DHCP server without a Class ID. If you do, the DHCP server can lease out IP addresses from this scope when the client request is coming without Class ID information, that is, when the DHCP packet from the client doesn't contain a Class ID. Either you can use scopes or Class IDs, but you can't use both to implement this security. Check conditions a, b and c described earlier in this article.
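The a/b/c decision above and Note 3, as an added example that is not code from the article: a small Python model of the server's scope selection, with constructed scope names, Class IDs and subnets. It shows that an open scope on the client's subnet, or an open scope grouped in a superscope with a class-restricted scope on that subnet, lets a client without a Class ID obtain a lease, and it includes the audit check for open scopes that Note 3 calls for.

```python
from dataclasses import dataclass
from typing import Optional
from ipaddress import ip_network

@dataclass(frozen=True)
class Scope:
    name: str
    subnet: str                      # network the scope hands out, e.g. "192.168.0.0/24"
    class_id: Optional[str] = None   # Class ID the scope is restricted to; None = open scope

def decide(client_subnet, client_class_id, scopes, superscopes):
    """Model of conditions a, b, c: return ('lease', scope name) or ('drop', reason)."""
    # a. The packet carries a Class ID: only a scope with the same Class ID may
    #    answer, regardless of the subnet the client sits in; otherwise drop.
    if client_class_id is not None:
        for s in scopes:
            if s.class_id == client_class_id:
                return ("lease", s.name)
        return ("drop", "no scope configured for class id %r" % client_class_id)
    net = ip_network(client_subnet)
    # b. No Class ID in the packet: any open scope for the client's own subnet
    #    can answer. This is the case the article calls a failure of DHCP security.
    for s in scopes:
        if s.class_id is None and ip_network(s.subnet) == net:
            return ("lease", s.name)
    # c. A superscope that contains a scope for the client's subnet lets the
    #    client lease from any open member of that superscope (first one here).
    for members in superscopes.values():
        on_wire = any(s.name in members and ip_network(s.subnet) == net for s in scopes)
        spare = [s for s in scopes if s.name in members and s.class_id is None]
        if on_wire and spare:
            return ("lease", spare[0].name)
    return ("drop", "no matching scope; the client falls back to APIPA 169.254.x.x")

def open_scopes(scopes):
    """Audit check for Note 3: scopes without a Class ID that would leak leases."""
    return [s.name for s in scopes if s.class_id is None]

# Constructed sample configuration with placeholder names and addresses.
SCOPES = [Scope("Authorized", "192.168.0.0/24", "CORP-ONLY"),
          Scope("Guest", "192.168.0.0/24")]            # open scope on the same subnet
HARDENED = [s for s in SCOPES if s.class_id is not None]

if __name__ == "__main__":
    for label, cfg in (("mixed", SCOPES), ("class-only", HARDENED)):
        print(label, "open scopes:", open_scopes(cfg))
        print("  CORP-ONLY client ->", decide("192.168.0.0/24", "CORP-ONLY", cfg, {}))
        print("  no Class ID      ->", decide("192.168.0.0/24", None, cfg, {}))
        print("  VISITOR client   ->", decide("192.168.0.0/24", "VISITOR", cfg, {}))
```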

More here:  –
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/111527dc-1e28-4c25-ba20-67daeffa5d1b.mspx

DHCP Security: –

The following articles only address how you secure against or detect rogue DHCP servers running in a network. They are worth reading.

Part 1
http://www.windowsecurity.com/articles/DHCP-Security-Part1.html
Part 2: –
http://www.windowsecurity.com/articles/DHCP-Security-Part2.html

If your DHCP clients are all Windows 2000 or newer, then this will work pretty well for you. If you have clients older than Windows 2000, or non-Windows clients, that need to use DHCP, this won't work.

Class ID won’t work for:

Windows 9x/NT clients
PXE boot clients/other boot clients (Altiris Bootworks)
Non-Windows clients (Linux and Mac are most common)