The dhcploc command lets you see a computer’s DHCP traffic for a broadcast domain. Simply pass in the IP address of the machine from which you are running the command:

> dhcploc 192.168.32.24

You will not see any output from the command until it captures some DHCP traffic. You can try running ipconfig /renew to force some traffic to be generated. You can also press the “d” key when you have dhcploc running to have it generate a DISCOVER message.

Here is some sample output from the command:

9:34:58 (IP)0.0.0.0        NACK      (S)192.168.31.84     ***
 9:36:38 (IP)192.168.190.130 OFFER     (S)192.168.12.226   ***
 9:36:38 (IP)192.168.196.231 ACK       (S)192.168.13.53
 9:36:53 (IP)192.168.196.231 ACK       (S)192.168.13.53
 9:37:05 (IP)192.168.196.234 OFFER     (S)192.168.13.53
 9:37:05 (IP)192.168.193.232 OFFER     (S)192.168.12.198
 9:37:06 (IP)192.168.190.132 OFFER     (S)192.168.12.221   ***

The first column contains a timestamp, the second column is the IP address of the target computer, the third is the DHCP request type, the fourth is the IP address of the DHCP Server, and the fifth is a flag that indicates whether the DHCP Server is authorized. If it is not authorized, you’ll see three stars (***). In the previous output, you can see that 192.168.31.84, 192.168.12.226, and 192.168.12.221 are all unauthorized DHCP Servers.

dhcploc can also send alerts if it detects an unauthorized server. This allows you to start dhcploc, leave it running, and let it proactively notify you when it discovers an unauthorized server. To do so, specify the /a: option followed by the list of users to alert as shown here:

> dhcploc /a:"rallen" 192.168.32.24

dhcploc works by capturing all of the DHCP traffic it sees on the network. Since most DHCP traffic is sent via broadcast, every computer in the broadcast domain (e.g., all computers connected to a hub on a local segment), can look at DHCP traffic. Most computers simply discard the traffic unless it is destined for them, but dhcploc captures all DHCP traffic.

Do not run dhcploc from a DHCP Server. DHCP traffic will be delivered to dhcploc instead of the DHCP Server. By running the command directly on a DHCP Server, it is likely the server won’t be able to respond to any client requests.

If the DHCP Server service is enabled on a domain controller, it is automatically authorized. A DHCP Server that is a member server of an Active Directory domain performs a query in Active Directory to determine whether it is authorized. If it is, it will respond to DHCP requests; if not, it will not respond to requests.

A standalone DHCP server that is not a member of an Active Directory domain sends out a DHCPINFORM message when it first initializes. If an authorized DHCP Server responds to the message, the standalone server will not respond to any further DHCP requests. If it does not receive a response from a DHCP Server, it will respond to client requests and give out leases.

DHCP servers are represented in Active Directory as objects of the dhcpClass class, which can be found in the cn=NetServices,cn=Services,cn=Configuratation, container. The relative distinguished name of these objects is the DHCP Server’s IP address. There is also an object in the same container named cn=dhcpRoot, which is created after the first DHCP Server is authorized. It has an attribute named dhcpServers that contains all authorized servers. I enumerated this attribute in the VBScript solution to display all authorized servers.

By default, only members of the Enterprise Admins group can authorize DHCP Servers. You, however, can delegate the rights to authorize a DHCP Server. Do the following to delegate the necessary permissions to a group called DHCP Admins:

1. Open ADSI Edit from the Support Tools while logged on as a member of the Enterprise Admins group.
2. In the left pane, expand the Configuration Container CN=Configuration CN=Services CN=NetServices.
3. Right-click on CN=NetServices and select Properties.
4. Select the Security tab.
5. Click the Advanced button.
6. Click the Add button.
7. Use the object picker to select the DHCP Admins group.
8. Check the boxes under Allow for Create dHCPClass objects and Delete dHCPClass objects.
9. Click OK until all dialog boxes are closed.
10. Back in the left pane of ADSI Edit, right-click on CN=dhcpRoot (if you’ve previously authorized DHCP Servers) and select Properties.
11. Select the Security tab.
12. Click the Advanced button.
13. Click the Add button.
14. Use the object picker to select the DHCP Admins group.
15. Check the boxes under Allow for Write.
16. Click OK until all dialog boxes are closed.

Using a graphical user interface

Windows 2000 DHCP Servers cannot be authorized with the Windows Server 2003 version of the DHCP snap-in unless the DHCP Server has Service Pack 2 or higher installed.

1. Open the DHCP snap-in.
2. In the left pane, right-click on DHCP and select Add Server.
3. Type in the name of the DHCP Server you want to target and click OK.
4. Click on the server entry in the left pane.
5. Right-click on the server and select Authorize.

If the DHCP Server is not a member of an Active Directory domain, you will not see the Authorize option.

Using a command-line interface

The following command authorizes a DHCP Server in Active Directory:

> netsh dhcp add server  

This example shows how to authorize the DHCP Server named dhcp01.rallencorp.com with IP 192.168.191.15:

> netsh dhcp add server dhcp01.rallencorp.com 192.168.191.15

Using VBScript

See the Introduction for more information on how to run the netsh command from within a script. The following script prints out the list of authorized DHCP Servers in Active Directory:

' ------ SCRIPT CONFIGURATION ------
 strForestRootDN = ""  ' e.g., dc=rallencorp,dc=com
 ' ------ END CONFIGURATION ---------
 set objCont = GetObject("LDAP://CN=DhcpRoot,CN=NetServices,CN=Services," & _
                         "CN=Configuration," & strForestRootDN)
 colDHCPServers = objCont.GetEx("dhcpServers")
 for each strDHCPServer in colDHCPServers
    Wscript.Echo strDHCPServer
 next

Using a graphical user interface

1. From the Control Panel, open the Add or Remove Programs applet.
2. Click Add/Remove Windows Components.
3. Double-click Network Services.
4. Check the box beside Dynamic Host Configuration Protocol (DHCP).
5. Click OK.
6. Click Next.
7. Click Finish.

Using a command-line interface

First, create a file using a text editor such as Notepad with the following contents:

[netoptionalcomponents]
 dhcpserver=1

Next, use the sysocmgr.exe utility with the following parameters (assuming the file you just created is named c:\dhcp_install.txt):

> sysocmgr /i:%windir%\inf\sysoc.inf /u:c:\dhcp_install.txt

If the server you installed DHCP on is multihomed (i.e., has multiple active network adapters), you’ll want to make sure the correct network adapters are enabled for use by the DHCP Server. You can enable or disable adapters for use by DHCP Server by doing the following:

1. Open the DHCP snap-in.
2. In the left pane, click on the server node.
3. From the menu, select Action > Properties.
4. Select the Advanced tab.
5. Click the Bindings button.
6. Make sure the interfaces where the DHCP Server should respond are checked.
7. Click OK until all dialog boxes are closed.