This is a quick overview of how DHCP works
DHCP is a service that assigns IP addresses to client computers. Even though DHCP sends packets using the transport layer, it is considered an application layer protocol because the data is actually handled in the application layer.
Without a DHCP server on a network, a network administrator would have to go around to each client computer and manually set a static IP address on every computer. Windows Server, Linux, routers, and many other server-type operating systems almost all have the ability to act as a DHCP server. The information here is fairly general and is written from a Windows environment perspective, but a lot of it still applies outside of the Windows environment.
How DHCP works: It takes a four-packet broadcast exchange between the client and DHCP server. The client and server must use broadcast, which means the packet is sent to every computer on the network. The packets must be sent to every computer because neither the client nor the server knows how to reach the other. This is because the client doesn’t have an IP address or know the IP address of the DHCP server yet.
The Packet Exchange:
- The Client broadcasts a DHCP Discover packet to every computer on the network asking for a DHCP server to send back configuration information including the MAC Address of the DHCP server.
- The DHCP server then broadcasts a DHCP Offer packet to every computer which includes the configuration information.
- When the client receives the Offer packet, it will broadcast a DHCP Request packet, which basically says it accepts the configuration information but will not use it unless it receives the final word back from the DHCP server saying it can. In this step, if the client received multiple Offer packets from different DHCP servers, it would also send back a decline packet to the servers it does not choose, and because these are also broadcasts, it would include the server’s MAC address in the packet to differentiate between the servers.
- When the DHCP server receives the Offer packet it will broadcast its last packet for the client, called a DHCP ACK packet. This packet tells the client it may go ahead and use the configuration information that was sent in the Offer packet. Once the client receives this packet, it sets its IP address and any other settings sent by the server, and now the client can communicate with computers on the network without having to broadcast every packet.
Unless configured to do so, a DHCP server doesn’t hand out permanent IP addresses; instead it leases the IP address to the client with a set expiration time. Once that time has reached 50%, the client will try to renew the IP address by sending out a DHCP Request packet again, but it can use the IP address of the DHCP server instead of a broadcast because it now knows the IP address of the DHCP server. If the server doesn’t respond, the client will try again when 87.5% of the time is used up. If the server still doesn’t respond, the client will try one last time when 100% of the time is used up, and if the server still doesn’t respond, the client will start the whole process again from step one by broadcasting a Discover packet for any server to respond. If the server did respond at any of those points, it would have sent out a DHCP ACK packet saying the client may renew its IP address or a DHCP NAK packet saying it may not renew its IP address.
Specific Windows settings/commands
Netsh – Used by Windows command prompt to manage DHCP
Scope – The IP address range used by a DHCP server. Different settings can be applied for different scopes.
Super Scope – Used by Windows DHCP server to combine two network scopes on a DHCP server into a single logical scope.
Multicast Scope – scope within the IP range 220.127.116.11 – 18.104.22.168 used to send packets to a group of computers instead of one IP.
Reservation – Used by DHCP servers to set client reservations. A reservation is where the DHCP server assigns the same IP address to the same client based on the MAC address of the client’s network card. Different settings can be applied for different reservations.
DHCP Vendor Class – Used by Windows DHCP server to use different scopes for a client based on the client’s operating system.
DHCP User Class – Used by Windows DHCP server to use different scopes for a client based on how the client is connected to the network or the class ID on the client computer.
Class ID – Used by Windows to set up DHCP groups. Each client can be set up with a different class ID group by using the ipconfig /setclassid [ID of your choice] command. The DHCP server will use a scope defined for that User Class.
Managing your Windows DHCP Server
Repair a corrupt DHCP database – Event Viewer may give you a message saying that the DHCP database is corrupt. To fix this, back up your DHCP database and then run jetpack from the command line within the directory containing the dhcp.mdb and temp files. Example: jetpack dhcp.mdb tempfile
DHCP Logs are stored by the day of the week and they can tell you about problems your DHCP server may have.
Statistics, Logs & Codes:
Within the DHCP MMC snap-in you can view DHCP statistics, which show you the percent of IP addresses used as well as some other information.
The Performance tool can be used to view the number of Discovers/sec, which if high could mean your lease time is too short. It can also show you the number of Declines/sec, which could mean you have a rogue DHCP server on your network trying to hand out IP addresses.
Windows DHCP server Log ID codes:
00 – audit log started
01 – audit log stopped
02 – audit log stopped due to disk space too small
10 – New IP address assigned to client
11 – Lease was renewed by client
12 – A Lease was released by client
13 – Certain IP address is already in use on the network
14 – Client could not obtain lease – no available address in scope
15 – DHCP lease denied
16 – DHCP Lease deleted
17 – Lease expired
50+ – Messages correspond to rogue servers or unauthorized DHCP servers
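The ID codes above can be used to triage a day's audit log automatically. The following is an added example, not part of the original page or any Microsoft tool: it assumes each log line is comma-separated with the fields ID, Date, Time, Description, IP Address, Host Name, MAC Address, and the sample lines and the choice of which codes raise an alert are constructed for illustration.

```python
import csv
from collections import Counter

# Log ID codes exactly as listed on this page.
CODES = {
    0: "audit log started", 1: "audit log stopped",
    2: "audit log stopped (low disk space)", 10: "new lease",
    11: "lease renewed", 12: "lease released", 13: "IP already in use",
    14: "scope exhausted", 15: "lease denied", 16: "lease deleted",
    17: "lease expired",
}
ALERT_CODES = {2, 13, 14, 15}  # this example's choice of events to review

# Constructed sample; assumed field order: ID,Date,Time,Description,IP,Host,MAC
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,06/12/23,00:00:01,Started,,,
10,06/12/23,08:01:12,Assign,192.168.0.50,PC01,001122334455
11,06/12/23,12:01:12,Renew,192.168.0.50,PC01,001122334455
13,06/12/23,12:30:40,Conflict,192.168.0.51,,
14,06/12/23,13:02:09,Scope full,,PC77,00AABBCCDDEE
this line is damaged
54,06/12/23,13:05:00,Authorization failure,,,
"""

def analyze(text):
    """Return (counts per meaning, alert rows, number of unparsable lines)."""
    counts, alerts, skipped = Counter(), [], 0
    for row in csv.reader(text.splitlines()):
        if not row or row[0].strip() == "ID":      # blank line or header row
            continue
        if len(row) < 7 or not row[0].strip().isdigit():
            skipped += 1                           # damaged or non-event line
            continue
        code = int(row[0])
        if code >= 50:                             # 50+ per the list above
            meaning = "rogue/unauthorized DHCP server"
        else:
            meaning = CODES.get(code, "unknown code")
        counts[meaning] += 1
        if code >= 50 or code in ALERT_CODES or meaning == "unknown code":
            alerts.append({"code": code, "time": f"{row[1]} {row[2]}",
                           "meaning": meaning, "ip": row[4], "mac": row[6]})
    return counts, alerts, skipped

if __name__ == "__main__":
    counts, alerts, skipped = analyze(SAMPLE_LOG)
    for alert in alerts:
        print(alert)
    print(dict(counts), "skipped:", skipped)
```

Lines that do not parse are counted rather than silently dropped, so a sudden rise in the skipped count is itself a signal that the log format or the file has changed.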
Event Viewer ID Codes:
1040 Successfully restarted the DHCP database
1044 DHCP server is authorized
1045/1046 DHCP server is not authorized
1052 Duplicate IP
1056 Dynamic DNS credentials not configured
1059 Could not contact a domain controller for authorization
Useful command line tools:
Renew your IP address: ipconfig /renew
Release your IP address: ipconfig /release
View your IP configuration: ipconfig /all
Test connectivity to another computer: Ping [IP address of remote computer] example: ping 192.168.0.1