Active Directory and DHCP

dbkdorf

Is anyone aware of a way to block DHCP requests from being processed
for computers that are not listed in Active Directory? My problem is
rogue machines coming into my LAN and plugging in to an empty outlet.
We have spare outlets to allow mobile workstations and laptops to
change locations within the building. We also have a high volume of
guest traffic that comes in and just plugs in anywhere they see fit.
Most of the time this is not an issue, but we would like to be aware
of when outside machines use our network outlets, and to ensure this
by blocking requests for DHCP addresses when they are not authorized
to do so.
Any help on this would be greatly appreciated. Maybe I am attacking
this the wrong way; if you can think of an alternative approach, bring
it on.
 
I don't know if this is possible on your network, but on my network all
network outlets end at the patch panel. Only the outlets for my users are
connected to the switch from the patch panel. Free outlets are not plugged
into the switch at all.
Users can plug into a free network outlet, but unless I run the patch cable
from that patch panel port to the switch, they are plugging into a network
outlet that leads nowhere.


hth
DDS W 2k MVP MCSE
 
This is a little tough. You could do MAC address reservations for your
network and then not allow any other machines to get addresses, but that
would mean touching every machine on your LAN and entering all their
respective MAC addresses. You could also use Class IDs, but this would also
entail touching every PC on your LAN. There really is no easy way that I
have found to do this, and DHCP is broadcast based so it doesn't care what
domain you're from or what machine it gives leases to. You also could isolate
those open connections from your network with a router and then not have
DHCP on that subnet, and when people need access they have to get an IP
address from you, or you could have a separate DHCP server on that subnet
just for these people.... Any other ideas, fellas?

--
Scott Harding
MCSE, MCSA, A+, Network+
Microsoft MVP - Windows NT Server

scrockel@***No_SPAM***hotmail.com
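The MAC-reservation approach above assumes you already have a list of every authorized MAC address, and the original poster's real goal is to be aware of outside machines taking leases. A small audit that compares the DHCP server's lease table against an inventory of known MACs gives that visibility without touching every workstation. The script below is an added example, not code from this thread or from Microsoft; it assumes a CSV export of leases with the columns IPAddress, ClientId and HostName and a second CSV of authorized MACs with the columns MAC and Owner (both column layouts are assumptions, and both inputs are constructed sample data). It normalizes the different MAC spellings that show up across exports (dashes, colons, bare hex, mixed case) before comparing.

```python
"""Audit DHCP leases against an allow-list of known machines.

Added example (not part of the thread). Assumed input shapes:
  leases CSV      -> IPAddress,ClientId,HostName
  authorized CSV  -> MAC,Owner
Both sample inputs below are constructed for illustration.
"""
import csv
import io
import re

# Constructed sample lease export (as if exported from the DHCP server).
LEASES_CSV = """IPAddress,ClientId,HostName
192.168.10.21,00-1A-2B-3C-4D-5E,WS-ACCT-01
192.168.10.22,00:1a:2b:3c:4d:5f,LT-SALES-03
192.168.10.23,00-1A-2B-3C-4D-60,
192.168.10.24,aabbccddeeff,visitor-laptop
"""

# Constructed allow-list (as if exported from an asset inventory).
AUTHORIZED_CSV = """MAC,Owner
00:1A:2B:3C:4D:5E,Accounting
00-1a-2b-3c-4d-5f,Sales
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Reduce any common MAC spelling to 12 lowercase hex digits.

    Returns None when the value is not a 48-bit MAC (for example a
    longer, non-hardware DHCP client identifier), so the caller can
    treat it as unknown rather than silently matching nothing.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", raw or "").lower()
    return digits if _HEX12.match(digits) else None


def load_authorized(csv_text):
    """Map normalized MAC -> owner for every valid row of the allow-list."""
    known = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        mac = normalize_mac(row["MAC"])
        if mac:
            known[mac] = row.get("Owner", "")
    return known


def find_unauthorized_leases(leases_csv, authorized_csv):
    """Return every lease whose client MAC is absent from the allow-list.

    Leases with a client id that is not a MAC at all are also reported,
    since they cannot be matched to inventory either way.
    """
    known = load_authorized(authorized_csv)
    findings = []
    for row in csv.DictReader(io.StringIO(leases_csv)):
        mac = normalize_mac(row["ClientId"])
        if mac is None or mac not in known:
            findings.append({
                "ip": row["IPAddress"],
                "mac": row["ClientId"],
                "host": row["HostName"] or "(no hostname)",
            })
    return findings


if __name__ == "__main__":
    for f in find_unauthorized_leases(LEASES_CSV, AUTHORIZED_CSV):
        print(f"unknown lease: {f['ip']:<16} {f['mac']:<20} {f['host']}")
```

Run it on a scheduled task after exporting the lease table and you get a list of addresses handed to machines nobody has claimed. Two caveats that follow from Scott's point that DHCP doesn't care who it talks to: the client reports its own MAC, so this is an inventory signal rather than an access control, and a machine configured with a static address never appears in the lease table at all.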
 
Scott Harding - MS MVP said:
This is a little tough. You could do MAC address reservations for your
network and then not allow any other machines to get addresses, but that
would mean touching every machine on your LAN and entering all their
respective MAC addresses. You could also use Class IDs, but this would also
entail touching every PC on your LAN. There really is no easy way that I
have found to do this, and DHCP is broadcast based so it doesn't care what
domain you're from or what machine it gives leases to. You also could isolate
those open connections from your network with a router and then not have
DHCP on that subnet, and when people need access they have to get an IP
address from you, or you could have a separate DHCP server on that subnet
just for these people.... Any other ideas, fellas?

--
Scott Harding
MCSE, MCSA, A+, Network+
Microsoft MVP - Windows NT Server

scrockel@***No_SPAM***hotmail.com
Thanks for the input, Scott.
We had considered your suggestion of segregating the ports with a
router. We decided against that though, since the available ports were
dynamic and changed on a regular basis. I had heard (in the past,
either from a newsgroup or article) about blocking DHCP requests using
Active Directory. I was of the impression that it was a relatively
routine task, but I guess not. If I were to change cables running to
the router from the patch panel, I may as well change the patch cables
manually every time they change vacancy.
Anybody else have a suggestion or run into a similar situation with an
easier workaround?
 