DHCP Authorization in Active Directory

January 9, 2005 10:09:58 PM

Archived from groups: microsoft.public.win2000.active_directory

When a Win 2k/3k DHCP server is authorized in Active Directory,
will the DHCP server just hand out IP addresses even if a user
account does not exist in Active Directory?

Here is what I am trying to accomplish. A person hooks up their
laptop to the company network. The laptop broadcasts for a DHCP assignment;
the DHCP server responds. The DHCP server checks Active Directory for a
valid user... none exists. DHCP declines assigning the IP.

Any insight on this would be most welcome.

Thank You. JJ7
Anonymous
January 10, 2005 1:37:03 AM


Has absolutely nothing to do with user account objects at all - unless I am
missing something.

You might want to think about setting up VLANs.

HTH,

Cary

"xxx" <ping@msn.com> wrote in message
news:gih3u0ls5d3128cgmr4fg6ecjajv67voqd@4ax.com...
> When a win 2k/3k dhcp server is authorized in active directory
> will the DHCP Server just hand out ip addresses even if a user
> account does not exist in active directory.
>
> Here is what I am trying to accomplish. Person hooks up their
> laptop to company network. Laptop broadcasts for a dhcp assignment
> dhcp server responds. Dhcp server checks active directory for a
> valid user... None exists. Dhcp declines assigning the ip.
>
> Any insight on this would be most welcome.
>
> Thank You. JJ7
Anonymous
January 10, 2005 5:51:44 PM


Hi,

> Here is what I am trying to accomplish. Person hooks up their
> laptop to company network. Laptop broadcasts for a dhcp assignment
> dhcp server responds. Dhcp server checks active directory for a
> valid user... None exists. Dhcp declines assigning the ip.

I also posed this question a month back and the answer is no. DHCP
doesn’t authenticate to AD and therefore anyone with a laptop can get
an IP. DHCP is not domain specific.

The only way I have got around this somewhat is to install an ISA
server. The only reason my users plug their laptops in is to get
internet service. The ISA requires AD authentication so therefore no
internet service.

I also scan my DHCP on a daily basis. All my network names are easily
identified and start with the same letter R for Room #, e.g. R123-123.

If I see an unidentified machine, I get the MAC address and then
assign an IP like 192.0.0.0, which isn't a correct IP.

Cheers,

Lara

--
Posted using the http://www.WindowsForumz.com/ interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.WindowsForumz.com/Active-Directory-DHCP-Auth...
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.WindowsForumz.com/eform.php?p=761049
Anonymous
January 10, 2005 11:36:16 PM


DHCP works at the IP layer. Which is somewhat lower down the OSI model than
the application layer ;-)


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

"Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
news:ube%23dWs9EHA.1408@TK2MSFTNGP10.phx.gbl...
Has absolutely nothing to do with user account objects at all - unless I am
missing something.

You might want to think about setting up VLANs.

HTH,

Cary

"xxx" <ping@msn.com> wrote in message
news:gih3u0ls5d3128cgmr4fg6ecjajv67voqd@4ax.com...
> When a win 2k/3k dhcp server is authorized in active directory
> will the DHCP Server just hand out ip addresses even if a user
> account does not exist in active directory.
>
> Here is what I am trying to accomplish. Person hooks up their
> laptop to company network. Laptop broadcasts for a dhcp assignment
> dhcp server responds. Dhcp server checks active directory for a
> valid user... None exists. Dhcp declines assigning the ip.
>
> Any insight on this would be most welcome.
>
> Thank You. JJ7
January 11, 2005 12:03:26 AM


Hi Lara, thanks for the info. I had a feeling that your answer
would be no.

It would be real nice if DHCP did auth against AD; this would put an
end to free internet access to rogue laptops. As I see it, then, there
is no point in authorizing DHCP in Active Directory. I think MS's intent
was to try to stop rogue DHCP servers from assigning bad IPs with this
method.

The problem with DHCP is that whatever DHCP server responds to a
client's request first normally assigns the IP to the client. If you
really want to hose an internal network, just hook up a low-cost Netgear
router and hand out DHCP assignments on your subnet...

I've got about 200 client PCs on the network. In the above test the
Netgear typically beat the MS DHCP server in assigning IPs to the client.
Needless to say they were the wrong IPs.

Thanks for your insight.

JJ





On 10 Jan 2005 14:51:44 -0500, lforbes
<UseLinkToEmail@WindowsForumz.com> wrote:

>Hi,
>
> > Here is what I am trying to accomplish. Person hooks up their
> > laptop to company network. Laptop broadcasts for a dhcp assignment
> > dhcp server responds. Dhcp server checks active directory for a
> > valid user... None exists. Dhcp declines assigning the ip.
>
>I also posed this question a month back and the answer is no. DHCP
>doesn’t authenticate to AD and therefore anyone with a laptop can get
>an IP. DHCP is not domain specific.
>
>The only way I have got around this somewhat is to install an ISA
>server. The only reason my users plug their laptops in is to get
>internet service. The ISA requires AD authentication so therefore no
>internet service.
>
>I also scan my DHCP on a daily basis. All my Network Names are easily
>identified and start with the same letter R for Room # eg. R123-123
>
>If I see an unidentified machines, I get the mac address and then
>assign an ip like 192.0.0.0 which isn’t a correct IP.
>
>Cheers,
>
>Lara
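The race JJ describes (whichever DHCP server answers first wins) is something a defender can watch for on the wire. The following is an added example, not code from the thread or from any product mentioned in it: it parses raw DHCP messages, flags any OFFER or ACK whose server identifier (option 54) is not an authorized server, and reports transaction ids that received offers from more than one server. The authorized-server address, the client MAC and the three sample packets are constructed for the example.

```python
"""Flag DHCP OFFER/ACK messages whose server identifier (option 54) is not one
of the authorized DHCP servers.  Added example, not code from the thread; the
packets below are constructed for illustration."""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 magic cookie
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
BOOTREPLY = 2                             # op field value for server -> client


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed RFC 2131 header and the TLV option area of one DHCP
    message (UDP payload only, no IP/UDP headers)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack_from("!BBBBI", payload, 0)
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))
    chaddr = payload[28:28 + hlen].hex(":")
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                      # pad option, no length byte
            i += 1
            continue
        if code == 255:                    # end option
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options[53][0] if 53 in options else 0
    server_id = options.get(54)
    return {
        "op": op,
        "xid": xid,
        "yiaddr": yiaddr,
        "chaddr": chaddr,
        "type": MSG_TYPES.get(msg_type, f"type{msg_type}"),
        "server_id": str(ipaddress.IPv4Address(server_id)) if server_id else None,
    }


def find_rogue_replies(packets, authorized_servers):
    """Return (client MAC, server id, offered IP, message type) for every
    OFFER/ACK sent by a server that is not in the authorized set."""
    alerts = []
    for pkt in packets:
        msg = parse_dhcp(pkt)
        if msg["op"] != BOOTREPLY or msg["type"] not in ("OFFER", "ACK"):
            continue
        if msg["server_id"] not in authorized_servers:
            alerts.append((msg["chaddr"], msg["server_id"], msg["yiaddr"], msg["type"]))
    return alerts


def competing_offers(packets):
    """Map transaction id -> set of server ids that sent an OFFER for it.
    More than one server per xid is exactly the race described above."""
    by_xid = {}
    for pkt in packets:
        msg = parse_dhcp(pkt)
        if msg["op"] == BOOTREPLY and msg["type"] == "OFFER":
            by_xid.setdefault(msg["xid"], set()).add(msg["server_id"])
    return {xid: ids for xid, ids in by_xid.items() if len(ids) > 1}


def build_dhcp(op, xid, yiaddr, chaddr, msg_type, server_id=None):
    """Build a minimal DHCP message; used only to construct the samples."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)      # op .. flags (12 bytes)
    hdr += b"\x00" * 4                                          # ciaddr
    hdr += ipaddress.IPv4Address(yiaddr).packed                 # yiaddr
    hdr += b"\x00" * 8                                          # siaddr, giaddr
    hdr += bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\x00")  # chaddr
    hdr += b"\x00" * 192                                        # sname, file
    opts = DHCP_MAGIC + bytes([53, 1, msg_type])
    if server_id:
        opts += bytes([54, 4]) + ipaddress.IPv4Address(server_id).packed
    return hdr + opts + b"\xff"


AUTHORIZED_SERVERS = {"10.1.0.5"}            # assumed address of the site's Windows DHCP server
CLIENT_MAC = "00:11:22:33:44:55"             # constructed client MAC
SAMPLE_PACKETS = [                           # constructed exchange: one client, two servers
    build_dhcp(1, 0x1234, "0.0.0.0", CLIENT_MAC, 1),                       # DISCOVER
    build_dhcp(2, 0x1234, "10.1.0.50", CLIENT_MAC, 2, "10.1.0.5"),         # OFFER, authorized
    build_dhcp(2, 0x1234, "192.168.1.100", CLIENT_MAC, 2, "192.168.1.1"),  # OFFER, rogue router
]

if __name__ == "__main__":
    for mac, server, offered, kind in find_rogue_replies(SAMPLE_PACKETS, AUTHORIZED_SERVERS):
        print(f"rogue DHCP {kind}: server {server} offered {offered} to {mac}")
    for xid, servers in competing_offers(SAMPLE_PACKETS).items():
        print(f"xid {xid:#x} answered by {sorted(servers)}")
```

The detector only needs the UDP payload, so it can be fed from a packet capture taken on the client VLAN. A single OFFER from an unknown server id is the consumer-router case; two server ids answering one xid is the race itself, and shows up even before the allow-list is consulted.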
Anonymous
January 11, 2005 5:00:41 AM


"ping2" wrote:
> Hi Lara, thanks for the info. I had a feeling that your answer
> would be no.
>
> It would be real nice if dhcp did auth against AD this would
> put an
> end to free internet access to rouge laptops. As I see it then
> there
> is no point in authorizing dhcp in active directory. I think
> ms intent
> was to try stop rouge dhcp servers from assigning bad ip's
> with this
> method.
>
> The problem with dhcp is that whatever dhcp server responds to
> a
> clients request first normally assigns the ip to the client.
> If you
> really want to hose a internal network just hook up a lowcost
> netgear
> router and hand out dhcp assignments on your subnet,,,
>
> I got about 200 client pc's on the network. In the above test
> the
> netgear typically bet MS Dhcp server in assinging ip's to the
> client.
> Needless to say they were the wrong ips.
>
> Thanks for your insight.
>
> JJ
>
>
>
>
>
> On 10 Jan 2005 14:51:44 -0500, lforbes
> <UseLinkToEmail@WindowsForumz.com> wrote:
>
> >Hi,
> >
>  > > Here is what I am trying to accomplish. Person hooks
> up their
>  > > laptop to company network. Laptop broadcasts for a
> dhcp assignment
>  > > dhcp server responds. Dhcp server checks active
> directory for a
>  > > valid user... None exists. Dhcp declines assigning
> the ip.
> >
> >I also posed this question a month back and the answer is no.
> DHCP
> >doesn’t authenticate to AD and therefore anyone with a laptop
> can get
> >an IP. DHCP is not domain specific.
> >
> >The only way I have got around this somewhat is to install an
> ISA
> >server. The only reason my users plug their laptops in is to
> get
> >internet service. The ISA requires AD authentication so
> therefore no
> >internet service.
> >
> >I also scan my DHCP on a daily basis. All my Network Names
> are easily
> >identified and start with the same letter R for Room # eg.
> R123-123
> >
> >If I see an unidentified machines, I get the mac address and
> then
> >assign an ip like 192.0.0.0 which isn’t a correct IP.
> >
> >Cheers,
> >
> >Lara

I have also been looking for this, or a similar capability. While I
think that polling Active Directory is a good idea, we have quite
a few wireless PDAs that are not in Active Directory, nor should they be.

I would rather have / build a table of authorized MAC addresses that
all DHCP servers could verify against before handing out an IP
address.

request for address
server receives
verify valid MAC address
if in table - yes, otherwise 0.0.0.0 and flag an admin staffer

Granted, a DHCP scope reservation is exactly the solution, but it defeats
the purpose of DHCP with my mobile (l)users. I would rather have one
table that all my servers point to with all authorized MACs so I
don't have to worry about what site, what subnet, etc.

No valid MAC, no valid IP address.

Or a script that watched the various scopes for changes,
verifying each new address against the prebuilt table above and
revoking licenses as they come up.

For what it’s worth...

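Lara's daily lease scan against the R<room>-<n> naming convention and MoscowHippy's authorized-MAC table can be combined in one audit job. The following is an added example, not code from the thread: it parses a lease export, checks every lease against both the MAC table and the naming pattern, and returns the leases an admin should look at. The lease export, its CSV layout and the MAC table are constructed for the example and are not the output of any particular Windows DHCP tool.

```python
"""Daily audit of DHCP leases against an authorized-MAC table and a host
naming convention.  Added example, not code from the thread; the lease export
and the MAC table are constructed."""
import csv
import io
import re
from dataclasses import dataclass

# Lara's convention: names start with R for the room number, e.g. R123-123.
NAME_PATTERN = re.compile(r"^R\d+-\d+$")

# The single shared table MoscowHippy asks for (constructed; in practice one
# file or database that every DHCP server's audit job reads).
AUTHORIZED_MACS = {"00-1a-2b-3c-4d-5e", "00-1a-2b-3c-4d-5f", "00-1a-2b-3c-4d-60"}

# Constructed lease export in a simple CSV shape (ip,mac,name).  Vendors and
# tools differ in MAC notation, so the parser normalizes it.
LEASE_EXPORT = """\
ip,mac,name
10.1.0.21,00-1A-2B-3C-4D-5E,R101-001
10.1.0.22,00:1a:2b:3c:4d:5f,R102-007
10.1.0.23,00-1a-2b-3c-4d-61,JOHNS-LAPTOP
10.1.0.24,00-1a-2b-3c-4d-62,R103-002
"""


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    name: str


def normalize_mac(mac: str) -> str:
    """Canonical form so 00:1A:2B... and 00-1a-2b... compare equal."""
    return mac.strip().lower().replace(":", "-")


def parse_leases(text: str) -> list:
    """Read the CSV export into Lease records with normalized MACs."""
    reader = csv.DictReader(io.StringIO(text))
    return [Lease(r["ip"].strip(), normalize_mac(r["mac"]), r["name"].strip())
            for r in reader]


def audit_leases(leases, authorized_macs):
    """Return (lease, reasons) for every lease an admin should look at.
    The name check alone misses a host that happens to carry a
    convention-looking name; the MAC table still flags it."""
    findings = []
    for lease in leases:
        reasons = []
        if lease.mac not in authorized_macs:
            reasons.append("MAC not in authorized table")
        if not NAME_PATTERN.match(lease.name):
            reasons.append("name does not follow R<room>-<n> convention")
        if reasons:
            findings.append((lease, reasons))
    return findings


if __name__ == "__main__":
    for lease, reasons in audit_leases(parse_leases(LEASE_EXPORT), AUTHORIZED_MACS):
        print(f"{lease.ip} {lease.mac} {lease.name}: {'; '.join(reasons)}")
```

Both the host name and the MAC are reported by the client itself, so this is a detection aid that narrows what the admin has to chase each day, not an access control; the lease revocation MoscowHippy mentions, or the 802.1X approach suggested later in the thread, is what actually keeps an unknown machine off the network.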
Anonymous
January 12, 2005 1:45:25 PM


Paul,

I used to know this stuff!

I thought that you could set up VLANS and then reservations ( MAC
Addresses ) so that no unauthorized computer could attach itself to the
internal network. Looks like having a baby ( and another on the way! ) has
affected my brain. I speak fluent ga-ga now, though!

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"ptwilliams" <ptw2001@hotmail.com> wrote in message
news:ek82GQ19EHA.3120@TK2MSFTNGP12.phx.gbl...
> DHCP works at the IP layer. Which is somewhat lower down the OSI model
> than
> the application layer ;-)
>
>
> --
>
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
> "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
> news:ube%23dWs9EHA.1408@TK2MSFTNGP10.phx.gbl...
> Has absolutely nothing to do with user account objects at all - unless I
> am
> missing something.
>
> You might want to think about setting up VLANs.
>
> HTH,
>
> Cary
>
> "xxx" <ping@msn.com> wrote in message
> news:gih3u0ls5d3128cgmr4fg6ecjajv67voqd@4ax.com...
>> When a win 2k/3k dhcp server is authorized in active directory
>> will the DHCP Server just hand out ip addresses even if a user
>> account does not exist in active directory.
>>
>> Here is what I am trying to accomplish. Person hooks up their
>> laptop to company network. Laptop broadcasts for a dhcp assignment
>> dhcp server responds. Dhcp server checks active directory for a
>> valid user... None exists. Dhcp declines assigning the ip.
>>
>> Any insight on this would be most welcome.
>>
>> Thank You. JJ7
>
>
>
Anonymous
January 12, 2005 1:45:26 PM


I very much doubt you've forgotten this stuff Cary ;-)

What you're saying seems very possible, if a little tedious to implement.

I like the look of your site - keep up the great work!!!

I'll link to it if you don't mind...


...and congratulations on what will soon be your second baby!!


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/


"Cary Shultz [A.D. MVP]" wrote:

> Paul,
>
> I used to know this stuff!
>
> I thought that you could set up VLANS and then reservations ( MAC
> Addresses ) so that no unauthorized computer could attach itself to the
> internal network. Looks like having a baby ( and another on the way! ) has
> affected my brain. I speak fluent ga-ga now, though!
>
> --
> Cary W. Shultz
> Roanoke, VA 24014
> Microsoft Active Directory MVP
>
> http://www.activedirectory-win2000.com
> http://www.grouppolicy-win2000.com
>
>
>
> "ptwilliams" <ptw2001@hotmail.com> wrote in message
> news:ek82GQ19EHA.3120@TK2MSFTNGP12.phx.gbl...
> > DHCP works at the IP layer. Which is somewhat lower down the OSI model
> > than
> > the application layer ;-)
> >
> >
> > --
> >
> > Paul Williams
> >
> > http://www.msresource.net/
> > http://forums.msresource.net/
> >
> > "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
> > news:ube%23dWs9EHA.1408@TK2MSFTNGP10.phx.gbl...
> > Has absolutely nothing to do with user account objects at all - unless I
> > am
> > missing something.
> >
> > You might want to think about setting up VLANs.
> >
> > HTH,
> >
> > Cary
> >
> > "xxx" <ping@msn.com> wrote in message
> > news:gih3u0ls5d3128cgmr4fg6ecjajv67voqd@4ax.com...
> >> When a win 2k/3k dhcp server is authorized in active directory
> >> will the DHCP Server just hand out ip addresses even if a user
> >> account does not exist in active directory.
> >>
> >> Here is what I am trying to accomplish. Person hooks up their
> >> laptop to company network. Laptop broadcasts for a dhcp assignment
> >> dhcp server responds. Dhcp server checks active directory for a
> >> valid user... None exists. Dhcp declines assigning the ip.
> >>
> >> Any insight on this would be most welcome.
> >>
> >> Thank You. JJ7
> >
> >
> >
>
>
>
Anonymous
January 12, 2005 5:53:14 PM


Paul,

Thank you. I am still working on the Active Directory site ( using plain
old HTML and tables for layout! ) but will soon upgrade it to XHTML and CSS
( Just have to learn those first! ). The Group Policy site will be
available 'soon'. Nothing there at all yet.

I know that using VLANS and reservations was a solution somewhere in my
life.......just can not remember where! But it probably is a bit tedious.
I seem to like tedious!

Link to it....I do not mind at all! I will return the favor in my links
page ( currently just a handful of some more common MSKB Articles ).

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"ptwilliams" <ptw2001@hotmail.com.donotspam> wrote in message
news:EC600700-02B1-490A-86DE-3C1CB81F30B8@microsoft.com...
>I very much doubt you've forgotten this stuff Cary ;-)
>
> What you're saying seems very possible, if a little tedious to implement.
>
> I like the look of your site -keep up the great work!!!
>
> I'll link to it if you don't mind...
>
>
> ...and congratulations on what will soon be your second baby!!
>
>
> --
>
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
>
> "Cary Shultz [A.D. MVP]" wrote:
>
>> Paul,
>>
>> I used to know this stuff!
>>
>> I thought that you could set up VLANS and then reservations ( MAC
>> Addresses ) so that no unauthorized computer could attach itself to the
>> internal network. Looks like having a baby ( and another on the way! )
>> has
>> affected my brain. I speak fluent ga-ga now, though!
>>
>> --
>> Cary W. Shultz
>> Roanoke, VA 24014
>> Microsoft Active Directory MVP
>>
>> http://www.activedirectory-win2000.com
>> http://www.grouppolicy-win2000.com
>>
>>
>>
>> "ptwilliams" <ptw2001@hotmail.com> wrote in message
>> news:ek82GQ19EHA.3120@TK2MSFTNGP12.phx.gbl...
>> > DHCP works at the IP layer. Which is somewhat lower down the OSI model
>> > than
>> > the application layer ;-)
>> >
>> >
>> > --
>> >
>> > Paul Williams
>> >
>> > http://www.msresource.net/
>> > http://forums.msresource.net/
>> >
>> > "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
>> > news:ube%23dWs9EHA.1408@TK2MSFTNGP10.phx.gbl...
>> > Has absolutely nothing to do with user account objects at all - unless
>> > I
>> > am
>> > missing something.
>> >
>> > You might want to think about setting up VLANs.
>> >
>> > HTH,
>> >
>> > Cary
>> >
>> > "xxx" <ping@msn.com> wrote in message
>> > news:gih3u0ls5d3128cgmr4fg6ecjajv67voqd@4ax.com...
>> >> When a win 2k/3k dhcp server is authorized in active directory
>> >> will the DHCP Server just hand out ip addresses even if a user
>> >> account does not exist in active directory.
>> >>
>> >> Here is what I am trying to accomplish. Person hooks up their
>> >> laptop to company network. Laptop broadcasts for a dhcp assignment
>> >> dhcp server responds. Dhcp server checks active directory for a
>> >> valid user... None exists. Dhcp declines assigning the ip.
>> >>
>> >> Any insight on this would be most welcome.
>> >>
>> >> Thank You. JJ7
>> >
>> >
>> >
>>
>>
>>
Anonymous
January 12, 2005 11:47:47 PM


Well it's looking good - I can't wait for some articles - your posts are
almost articles in themselves.

I'd like to see an article on SRV record prioritisation - the weights and
priorities that you always do a great job of explaining...

> ...I will return the favor in my links page...

Awesome!!! I'd be honoured.

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

"Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
news:u1MDTBO%23EHA.2180@TK2MSFTNGP12.phx.gbl...
Paul,

Thank you. I am still working on the Active Directory site ( using plain
old HTML and tables for layout! ) but will soon upgrade it to XHTML and CSS
( Just have to learn those first! ). The Group Policy site will be
available 'soon'. Nothing there at all yet.

I know that using VLANS and reservations was a solution somewhere in my
life.......just can not remember where! But it probably is a bit tedious.
I seem to like tedious!

Link to it....I do not mind at all! I will return the favor in my links
page ( currently just a handful of some more common MSKB Articles ).

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"ptwilliams" <ptw2001@hotmail.com.donotspam> wrote in message
news:EC600700-02B1-490A-86DE-3C1CB81F30B8@microsoft.com...
>I very much doubt you've forgotten this stuff Cary ;-)
>
> What you're saying seems very possible, if a little tedious to implement.
>
> I like the look of your site -keep up the great work!!!
>
> I'll link to it if you don't mind...
>
>
> ...and congratulations on what will soon be your second baby!!
>
>
> --
>
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
>
> "Cary Shultz [A.D. MVP]" wrote:
>
>> Paul,
>>
>> I used to know this stuff!
>>
>> I thought that you could set up VLANS and then reservations ( MAC
>> Addresses ) so that no unauthorized computer could attach itself to the
>> internal network. Looks like having a baby ( and another on the way! )
>> has
>> affected my brain. I speak fluent ga-ga now, though!
>>
>> --
>> Cary W. Shultz
>> Roanoke, VA 24014
>> Microsoft Active Directory MVP
>>
>> http://www.activedirectory-win2000.com
>> http://www.grouppolicy-win2000.com
>>
>>
>>
>> "ptwilliams" <ptw2001@hotmail.com> wrote in message
>> news:ek82GQ19EHA.3120@TK2MSFTNGP12.phx.gbl...
>> > DHCP works at the IP layer. Which is somewhat lower down the OSI model
>> > than
>> > the application layer ;-)
>> >
>> >
>> > --
>> >
>> > Paul Williams
>> >
>> > http://www.msresource.net/
>> > http://forums.msresource.net/
>> >
>> > "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
>> > news:ube%23dWs9EHA.1408@TK2MSFTNGP10.phx.gbl...
>> > Has absolutely nothing to do with user account objects at all - unless
>> > I
>> > am
>> > missing something.
>> >
>> > You might want to think about setting up VLANs.
>> >
>> > HTH,
>> >
>> > Cary
>> >
>> > "xxx" <ping@msn.com> wrote in message
>> > news:gih3u0ls5d3128cgmr4fg6ecjajv67voqd@4ax.com...
>> >> When a win 2k/3k dhcp server is authorized in active directory
>> >> will the DHCP Server just hand out ip addresses even if a user
>> >> account does not exist in active directory.
>> >>
>> >> Here is what I am trying to accomplish. Person hooks up their
>> >> laptop to company network. Laptop broadcasts for a dhcp assignment
>> >> dhcp server responds. Dhcp server checks active directory for a
>> >> valid user... None exists. Dhcp declines assigning the ip.
>> >>
>> >> Any insight on this would be most welcome.
>> >>
>> >> Thank You. JJ7
>> >
>> >
>> >
>>
>>
>>
Anonymous
January 12, 2005 11:47:48 PM


Consider the SRV Records weights and priority done! Well, later, but
definitely done! That will probably be in the Intermediate section!

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"ptwilliams" <ptw2001@hotmail.com> wrote in message
news:uU4d6fO%23EHA.3932@TK2MSFTNGP10.phx.gbl...
> Well it's looking good - I can't wait for some articles - your posts are
> almost articles in themselves.
>
> I'd like to see an article on SRV record prioritisation -the weights and
> priorities that you always do a great job of explaining...
>
>> ...I will return the favor in my links page...
>
> Awesome!!! I'd be honoured.
>
> --
>
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
> "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
> news:u1MDTBO%23EHA.2180@TK2MSFTNGP12.phx.gbl...
> Paul,
>
> Thank you. I am still working on the Active Directory site ( using plain
> old HTML and tables for layout! ) but will soon upgrade it to XHTML and
> CSS
> ( Just have to learn those first! ). The Group Policy site will be
> available 'soon'. Nothing there at all yet.
>
> I know that using VLANS and reservations was a solution somewhere in my
> life.......just can not remember where! But it probably is a bit tedious.
> I seem to like tedious!
>
> Link to it....I do not mind at all! I will return the favor in my links
> page ( currently just a handful of some more common MSKB Articles ).
>
> --
> Cary W. Shultz
> Roanoke, VA 24014
> Microsoft Active Directory MVP
>
> http://www.activedirectory-win2000.com
> http://www.grouppolicy-win2000.com
>
>
>
> "ptwilliams" <ptw2001@hotmail.com.donotspam> wrote in message
> news:EC600700-02B1-490A-86DE-3C1CB81F30B8@microsoft.com...
>>I very much doubt you've forgotten this stuff Cary ;-)
>>
>> What you're saying seems very possible, if a little tedious to implement.
>>
>> I like the look of your site -keep up the great work!!!
>>
>> I'll link to it if you don't mind...
>>
>>
>> ...and congratulations on what will soon be your second baby!!
>>
>>
>> --
>>
>> Paul Williams
>>
>> http://www.msresource.net/
>> http://forums.msresource.net/
>>
>>
>> "Cary Shultz [A.D. MVP]" wrote:
>>
>>> Paul,
>>>
>>> I used to know this stuff!
>>>
>>> I thought that you could set up VLANS and then reservations ( MAC
>>> Addresses ) so that no unauthorized computer could attach itself to the
>>> internal network. Looks like having a baby ( and another on the way! )
>>> has
>>> affected my brain. I speak fluent ga-ga now, though!
>>>
>>> --
>>> Cary W. Shultz
>>> Roanoke, VA 24014
>>> Microsoft Active Directory MVP
>>>
>>> http://www.activedirectory-win2000.com
>>> http://www.grouppolicy-win2000.com
>>>
>>>
>>>
>>> "ptwilliams" <ptw2001@hotmail.com> wrote in message
>>> news:ek82GQ19EHA.3120@TK2MSFTNGP12.phx.gbl...
>>> > DHCP works at the IP layer. Which is somewhat lower down the OSI
>>> > model
>>> > than
>>> > the application layer ;-)
>>> >
>>> >
>>> > --
>>> >
>>> > Paul Williams
>>> >
>>> > http://www.msresource.net/
>>> > http://forums.msresource.net/
>>> >
>>> > "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
>>> > news:ube%23dWs9EHA.1408@TK2MSFTNGP10.phx.gbl...
>>> > Has absolutely nothing to do with user account objects at all - unless
>>> > I
>>> > am
>>> > missing something.
>>> >
>>> > You might want to think about setting up VLANs.
>>> >
>>> > HTH,
>>> >
>>> > Cary
>>> >
>>> > "xxx" <ping@msn.com> wrote in message
>>> > news:gih3u0ls5d3128cgmr4fg6ecjajv67voqd@4ax.com...
>>> >> When a win 2k/3k dhcp server is authorized in active directory
>>> >> will the DHCP Server just hand out ip addresses even if a user
>>> >> account does not exist in active directory.
>>> >>
>>> >> Here is what I am trying to accomplish. Person hooks up their
>>> >> laptop to company network. Laptop broadcasts for a dhcp assignment
>>> >> dhcp server responds. Dhcp server checks active directory for a
>>> >> valid user... None exists. Dhcp declines assigning the ip.
>>> >>
>>> >> Any insight on this would be most welcome.
>>> >>
>>> >> Thank You. JJ7
>>> >
>>> >
>>> >
>>>
>>>
>>>
>
>
>
May 6, 2005 3:22:09 PM


Infrastructure products to assist:

Cisco ACS
Cisco WLSE (Wireless)

** A Cisco Agent hooks into AD, then, when a client asks for an IP address
the Cisco device simply asks for the AD credentials. If they match they get
an IP, if they don't, no access.

VLANs are also a way of helping limit unauthorized users to a degree.

"MoscowHippy" wrote:

> "ping2" wrote:
> > Hi Lara, thanks for the info. I had a feeling that your answer
> > would be no.
> >
> > It would be real nice if dhcp did auth against AD this would
> > put an
> > end to free internet access to rouge laptops. As I see it then
> > there
> > is no point in authorizing dhcp in active directory. I think
> > ms intent
> > was to try stop rouge dhcp servers from assigning bad ip's
> > with this
> > method.
> >
> > The problem with dhcp is that whatever dhcp server responds to
> > a
> > clients request first normally assigns the ip to the client.
> > If you
> > really want to hose a internal network just hook up a lowcost
> > netgear
> > router and hand out dhcp assignments on your subnet,,,
> >
> > I got about 200 client pc's on the network. In the above test
> > the
> > netgear typically bet MS Dhcp server in assinging ip's to the
> > client.
> > Needless to say they were the wrong ips.
> >
> > Thanks for your insight.
> >
> > JJ
> >
> >
> >
> >
> >
> > On 10 Jan 2005 14:51:44 -0500, lforbes
> > <UseLinkToEmail@WindowsForumz.com> wrote:
> >
> > >Hi,
> > >
> > > > Here is what I am trying to accomplish. Person hooks
> > up their
> > > > laptop to company network. Laptop broadcasts for a
> > dhcp assignment
> > > > dhcp server responds. Dhcp server checks active
> > directory for a
> > > > valid user... None exists. Dhcp declines assigning
> > the ip.
> > >
> > >I also posed this question a month back and the answer is no.
> > DHCP
> > >doesn’t authenticate to AD and therefore anyone with a laptop
> > can get
> > >an IP. DHCP is not domain specific.
> > >
> > >The only way I have got around this somewhat is to install an
> > ISA
> > >server. The only reason my users plug their laptops in is to
> > get
> > >internet service. The ISA requires AD authentication so
> > therefore no
> > >internet service.
> > >
> > >I also scan my DHCP on a daily basis. All my Network Names
> > are easily
> > >identified and start with the same letter R for Room # eg.
> > R123-123
> > >
> > >If I see an unidentified machines, I get the mac address and
> > then
> > >assign an ip like 192.0.0.0 which isn’t a correct IP.
> > >
> > >Cheers,
> > >
> > >Lara
>
> I have also been looking for this, or a similar capability. While I
> think that polling the active directory is a good idea, we have quite
> a few wireless pda’s that are not in active directory nor should be.
>
> I would rather have / build a table of authorized MAC addresses that
> all DHCP servers could verify against before handing out an IP
> address.
>
> request for address
> server receives
> verify valid mac address
> if in table - yes, otherwise 0.0.0.0 and flag an admin staffer
>
> Granted, a dhcp scope reservation is exactly the solution, it defeats
> the purpose of dhcp with my mobile (l)users. I would rather have one
> table that all my servers point to with all authorized mac’s so I
> don’t have to worry about what site, what subnet, etc.
>
> No valid MAC, No valid IP address
>
> Or if a script that watched the various scopes watching for change,
> verifying each new address against the above prebuild table and
> revoking licenses as they come up.
>
> For what it’s worth...
>
>
Anonymous
May 6, 2005 9:07:30 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Ryan,

You might also consider enabling 802.1X with EAP to authenticate the
computer account before an IP address is even assigned. This would require
computer certificates on all machines and a well-planned PKI.

--
Ryan Hanisco
MCSE, MCDBA
FlagShip Integration Services
Chicago, IL

"Paul" <Paul@discussions.microsoft.com> wrote in message
news:2CA49A1C-5D63-4301-83C0-EF3005E4AC21@microsoft.com...
> Infrastructure products to assist:
>
> Cisco ACS
> Cisco WLSE (Wireless)
>
> ** A Cisco Agent hooks into AD, then, when a client asks for an IP address
> the Cisco device simply asks for the AD credentials. If they match they get
> an IP, if they don't, no access.
>
> VLANs are also a way of helping limit unauthorized users to a degree.
>
> "MoscowHippy" wrote:
>
>> "ping2" wrote:
>> > Hi Lara, thanks for the info. I had a feeling that your answer
>> > would be no.
>> >
>> > It would be real nice if dhcp did auth against AD; this would put an
>> > end to free internet access to rogue laptops. As I see it then there
>> > is no point in authorizing dhcp in active directory. I think ms intent
>> > was to try to stop rogue dhcp servers from assigning bad ip's with this
>> > method.
>> >
>> > The problem with dhcp is that whatever dhcp server responds to a
>> > client's request first normally assigns the ip to the client. If you
>> > really want to hose an internal network just hook up a lowcost netgear
>> > router and hand out dhcp assignments on your subnet,,,
>> >
>> > I got about 200 client pc's on the network. In the above test the
>> > netgear typically beat MS Dhcp server in assigning ip's to the client.
>> > Needless to say they were the wrong ips.
>> >
>> > Thanks for your insight.
>> >
>> > JJ
>> >
>> > On 10 Jan 2005 14:51:44 -0500, lforbes
>> > <UseLinkToEmail@WindowsForumz.com> wrote:
>> >
>> > >Hi,
>> > >
>> > > > Here is what I am trying to accomplish. Person hooks up their
>> > > > laptop to company network. Laptop broadcasts for a dhcp assignment
>> > > > dhcp server responds. Dhcp server checks active directory for a
>> > > > valid user... None exists. Dhcp declines assigning the ip.
>> > >
>> > >I also posed this question a month back and the answer is no. DHCP
>> > >doesn't authenticate to AD and therefore anyone with a laptop can get
>> > >an IP. DHCP is not domain specific.
>> > >
>> > >The only way I have got around this somewhat is to install an ISA
>> > >server. The only reason my users plug their laptops in is to get
>> > >internet service. The ISA requires AD authentication so therefore no
>> > >internet service.
>> > >
>> > >I also scan my DHCP on a daily basis. All my Network Names are easily
>> > >identified and start with the same letter R for Room # e.g. R123-123
>> > >
>> > >If I see an unidentified machine, I get the mac address and then
>> > >assign an ip like 192.0.0.0 which isn't a correct IP.
>> > >
>> > >Cheers,
>> > >
>> > >Lara
>>
>> I have also been looking for this, or a similar capability. While I
>> think that polling the active directory is a good idea, we have quite
>> a few wireless PDAs that are not in active directory nor should be.
>>
>> I would rather have / build a table of authorized MAC addresses that
>> all DHCP servers could verify against before handing out an IP
>> address.
>>
>> request for address
>> server receives
>> verify valid mac address
>> if in table - yes, otherwise 0.0.0.0 and flag an admin staffer
>>
>> Granted, a dhcp scope reservation is exactly this solution, but it defeats
>> the purpose of dhcp with my mobile (l)users. I would rather have one
>> table that all my servers point to with all authorized MACs so I
>> don't have to worry about what site, what subnet, etc.
>>
>> No valid MAC, No valid IP address
>>
>> Or a script that watched the various scopes for change,
>> verifying each new address against the above prebuilt table and
>> revoking licenses as they come up.
>>
>> For what it's worth...
>>
>>
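Two points in this thread lend themselves to one worked example: MoscowHippy's "no valid MAC, no valid IP" procedure (check the requesting client's hardware address against a table of authorized MACs before offering a lease, and flag an admin otherwise), and JJ's observation that whichever DHCP server answers first wins, so a cheap router can out-race the Microsoft server. The Python below is an added example, not code from any poster or product; it assumes a set of authorized MACs, a set of authorized DHCP server addresses (10.0.0.1), and sample packets that are constructed in the code rather than captured. It parses the BOOTP fixed header and the DHCP option TLVs, gates DHCPDISCOVER messages on the MAC allowlist, and flags any DHCPOFFER whose server identifier (option 54) is not an authorized server.

```python
# Added example: DHCP MAC gating and rogue-offer detection over constructed packets.
# Assumptions (not from the thread): allowlists are Python sets; packets are built inline.
import struct
from dataclasses import dataclass, field

DHCP_MAGIC = b"\x63\x82\x53\x63"      # magic cookie that follows the 236-byte BOOTP header
OPT_HOSTNAME, OPT_MSG_TYPE, OPT_SERVER_ID = 12, 53, 54
DISCOVER, OFFER = 1, 2


@dataclass
class DhcpMessage:
    op: int                                  # 1 = request from client, 2 = reply from server
    xid: int                                 # transaction id, ties an OFFER to its DISCOVER
    chaddr: str                              # client hardware address as "aa:bb:cc:dd:ee:ff"
    options: dict = field(default_factory=dict)

    @property
    def msg_type(self):
        t = self.options.get(OPT_MSG_TYPE)
        return t[0] if t else None


def parse_dhcp(pkt: bytes) -> DhcpMessage:
    """Parse the BOOTP fixed header and walk the option TLVs (pad = 0, end = 255)."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", pkt[:8])
    if not 1 <= hlen <= 16:
        raise ValueError("bad hardware address length")
    chaddr = pkt[28:28 + hlen].hex(":")
    options, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:                        # pad byte, no length field
            i += 1
            continue
        if code == 255:                      # end of options
            break
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option %d" % code)
        length = pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return DhcpMessage(op, xid, chaddr, options)


def build_dhcp(op: int, xid: int, mac: str, opts) -> bytes:
    """Build a minimal BOOTP/DHCP message; used only to construct the samples below."""
    hw = bytes.fromhex(mac.replace(":", ""))
    fixed = struct.pack("!BBBBIHH", op, 1, len(hw), 0, xid, 0, 0x8000)  # broadcast flag set
    fixed += b"\x00" * 16                    # ciaddr, yiaddr, siaddr, giaddr
    fixed += hw.ljust(16, b"\x00")           # chaddr is a fixed 16-byte field
    fixed += b"\x00" * 192                   # sname (64) + file (128)
    tlv = b"".join(bytes([code, len(val)]) + val for code, val in opts)
    return fixed + DHCP_MAGIC + tlv + b"\xff"


def gate_discover(msg, allowed_macs, alerts) -> bool:
    """The 'no valid MAC, no valid IP' rule: True = offer, False = refuse and alert."""
    if msg.op != 1 or msg.msg_type != DISCOVER:
        return False
    if msg.chaddr in allowed_macs:
        return True
    host = msg.options.get(OPT_HOSTNAME, b"").decode("ascii", "replace")
    alerts.append("unknown MAC %s (hostname %r) xid=%08x" % (msg.chaddr, host, msg.xid))
    return False


def check_offer(msg, authorized_servers):
    """Flag a DHCPOFFER whose server identifier is not one of our own DHCP servers."""
    if msg.op != 2 or msg.msg_type != OFFER:
        return None
    sid = msg.options.get(OPT_SERVER_ID)
    if sid is None or len(sid) != 4:
        return "OFFER xid=%08x without a valid server identifier" % msg.xid
    server = ".".join(str(b) for b in sid)
    if server not in authorized_servers:
        return "rogue DHCP server %s answered xid=%08x" % (server, msg.xid)
    return None


# Constructed sample traffic (assumed values, not captured from a real network).
ALLOWED_MACS = {"00:11:22:33:44:55"}
AUTHORIZED_SERVERS = {"10.0.0.1"}
SAMPLES = [
    build_dhcp(1, 0x1001, "00:11:22:33:44:55", [(OPT_MSG_TYPE, b"\x01"), (OPT_HOSTNAME, b"R123-123")]),
    build_dhcp(1, 0x1002, "de:ad:be:ef:00:01", [(OPT_MSG_TYPE, b"\x01"), (OPT_HOSTNAME, b"VISITOR-LAPTOP")]),
    build_dhcp(2, 0x1001, "00:11:22:33:44:55", [(OPT_MSG_TYPE, b"\x02"), (OPT_SERVER_ID, bytes([10, 0, 0, 1]))]),
    build_dhcp(2, 0x1001, "00:11:22:33:44:55", [(OPT_MSG_TYPE, b"\x02"), (OPT_SERVER_ID, bytes([192, 168, 0, 1]))]),
]


def run(samples=SAMPLES):
    """Apply both checks to raw packets; returns (offer decisions, alert lines)."""
    decisions, alerts = [], []
    for raw in samples:
        msg = parse_dhcp(raw)
        if msg.msg_type == DISCOVER:
            decisions.append(gate_discover(msg, ALLOWED_MACS, alerts))
        else:
            verdict = check_offer(msg, AUTHORIZED_SERVERS)
            if verdict:
                alerts.append(verdict)
    return decisions, alerts
```

Running `run()` on the constructed samples offers to the known MAC, refuses the visitor laptop with an alert naming its MAC and hostname, accepts the offer from 10.0.0.1, and flags the offer from 192.168.0.1. Two caveats a practitioner should keep in mind: a MAC address is trivially cloned, so this gate raises the bar only against casual plug-ins, which is why the 802.1X suggestion above is the stronger answer; and the server identifier in an OFFER is self-asserted by whoever sent it, so the rogue check is a detection aid for a monitoring host, while actually blocking the Netgear-style rogue needs a control on the switch port (DHCP snooping or a VLAN, as suggested in the thread). AD authorization only restrains Microsoft DHCP servers, which refuse to serve until authorized; a consumer router never consults AD.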