This is part 5 of 5 in the series Server 2016 Essentials setup guide

Things are shaping up pretty nicely and we’re almost done with the basic WSE2016 setup.  Now that DNS is set up, let’s turn our attention to DHCP so we can get clients provisioned and connected.  Windows Server makes DHCP pretty easy and plays well with pretty much any type of client.  A good setup interfaces with DNS to dynamically update A and AAAA records on behalf of clients and takes care of pruning expired and duplicate leases whether or not the client supports those features… that’s exactly how we’ll set things up!

The DHCP server component is NOT installed by default since many people opt to use their router/firewall or another server.  Indeed, accepted best practice is not to have your DHCP, DNS and AD all together, but this series is about small budgets and SOHO environments so let’s just get things set up as securely and reliably as possible.  If you’ve been following the series so far, you’re in good shape.  You have a properly defined IPv4 and IPv6 network with both forward and reverse AD-integrated DNS zones that only accept secure DHCP updates.  Now, the final piece is the DHCP server, so let’s get at that!

Install DHCP Server

  1. Open your Server Manager, click on the Manage menu and select Add Roles and Features. (SCREENSHOT)
  2. Click Next to skip the first page of the wizard.
  3. Choose Role-based or feature-based installation (first choice) and click Next.
  4. Choose Select a server from the server pool and pick your server from the list.  Click Next.
  5. In the Select server roles dialog, check the box next to DHCP Server.  (SCREENSHOT) A new window will pop up immediately.  Ensure Include management tools… is checked and click Add Features.  (SCREENSHOT)
  6. You’ll be returned to the previous screen and see that the box next to DHCP Server is now checked.  Click Next.
  7. Click Next to skip the Select Features screen.  Click Next again to skip the informational screen.
  8. Verify the correct selections have been made on the Confirm installation selections screen and click Install.  (SCREENSHOT)  The DHCP server does not require a server restart.
  9. Sit back, relax and wait for the DHCP server to be installed.

Post-installation tasks

After the installation is completed, you’ll notice that you have a notification in your Server Manager.  Go ahead and click on the flag with the yellow warning symbol to expand your notifications (SCREENSHOT) and then click on Complete DHCP configuration to start the DHCP Post-Install configuration wizard.  (SCREENSHOT)

  1. Click Next to skip the introductory screen.
  2. Select Use the following user’s credentials and confirm or enter a user with DOMAIN ADMIN privileges.  Click Commit.  (SCREENSHOT)
  3. Note the information screen displayed.  It should show ‘done’ and not report any errors.  Also, notice that it asks us to restart the DHCP Server service.  Click Close.  (SCREENSHOT)
  4. In Server Manager, open the Tools menu and select Services.  (SCREENSHOT)
  5. In the Services MMC, find DHCP Server and Restart it.  (SCREENSHOT)
  6. Close the Services MMC window.
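The same role installation and post-install tasks can be done from an elevated PowerShell prompt instead of the two wizards.  This is an added example, not part of the original guide; the server FQDN and IPv4 address are placeholders you must replace, and the registry write in step 4 is the documented way to clear the Server Manager “Complete DHCP configuration” flag.

```powershell
# Added example (not from the original guide): install the DHCP Server role and run the
# post-install tasks from PowerShell instead of the Server Manager wizards.
# Assumed values: this server's FQDN and static IPv4 address; replace them with your own.
$ServerFqdn = 'wse2016.corp.example'   # assumption: this server's FQDN
$ServerIPv4 = '192.0.2.10'             # assumption: this server's static IPv4 address

# 1. Install the role and its management tools (no reboot needed).
Install-WindowsFeature -Name DHCP -IncludeManagementTools

# 2. Create the local "DHCP Administrators" / "DHCP Users" security groups that the
#    post-install wizard creates for you.
Add-DhcpServerSecurityGroup -ComputerName $ServerFqdn

# 3. Authorize the server in Active Directory. This needs Domain Admin rights, which is why
#    the wizard asks for those credentials. An unauthorized DHCP server on a domain will
#    not hand out leases.
Add-DhcpServerInDC -DnsName $ServerFqdn -IPAddress $ServerIPv4

# 4. Clear the "Complete DHCP configuration" notification shown by Server Manager.
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12' -Name ConfigurationState -Value 2

# 5. Restart the service, as the wizard's summary screen asks you to.
Restart-Service -Name DHCPServer

# 6. Verify: this server must appear in the list of authorized DHCP servers.
$authorized = Get-DhcpServerInDC | Where-Object { $_.DnsName -eq $ServerFqdn }
if (-not $authorized) { throw "Server $ServerFqdn is not authorized in AD" }
'Authorized DHCP servers:'
Get-DhcpServerInDC | Format-Table DnsName, IPAddress
```

Run it as a Domain Admin on the server itself; the final check is the PowerShell equivalent of confirming the wizard reported “done” with no errors.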

Create a DHCP update user account

If you remember, in Part IV when we set up our DNS server we stated that “only secure updates” would be allowed.  Well, that means that a known account must make those updates instead of them being made by anyone or, worse, anonymously.  To that end, we have to create an account for this task.  This account should just be a regular, plain-old user account with NO special rights, privileges or access.

  1. In Server Manager, open the Tools menu and select Active Directory Users and Computers.  (SCREENSHOT)
  2. Expand your internal domain and open the Users folder.  (SCREENSHOT)
  3. In the righthand pane, right-click and choose New > User.  (SCREENSHOT)
  4. Fill in the user information as desired then click Next.  (SCREENSHOT)
  5. Generate a very complex password using numbers, upper/lowercase letters and symbols.
    Warning: The GUI is limited to a 32-character password, so if you want to use a longer and more secure password, generate a short password for now (that still meets your domain’s password complexity requirements) and see the PowerShell steps after the account lockdown section below for details on setting a long password.
    Warning: Do NOT use single-quotes ( ' ), double-quotes ( " ), backticks ( ` ) or spaces in your password, as this will cause problems if you ever have to use this account in any kind of scripting environment such as PowerShell.
    Warning: Do NOT misplace this password just yet.  You won’t need to remember it after we’re done setting stuff up, but for now you will need to keep it handy.  Copy it to your clipboard or, better, an empty notepad window for now.

  6. Ensure you UNcheck User must change password at next logon and that you CHECK User cannot change password and Password never expires.  Click Next.  (SCREENSHOT)
  7. Confirm your choices and click Finish.

Let’s just shore up a few more settings on this account to add a description so we remember what it’s used for, limit it to logging in only on this server (i.e. no workstations) and turn off any remote control functions on the account.  Yes, it’s a little paranoid and not necessary, but it also only takes a few extra minutes.

  1. Right-click on the new account you just created and select Properties.  (SCREENSHOT)
  2. On the General tab: Type a description so that you remember why this account exists.  (SCREENSHOT)
  3. On the Account tab: Click the Log On To… button.  (SCREENSHOT)  In the new window that pops up, Select The following computers.  Type your server’s computer (NETBIOS) name and click Add so that the name shows up in the box below where you were typing.  Click OK.  (SCREENSHOT)
  4. On the Remote control tab: Uncheck Enable remote control.  Click OK to close the user’s properties dialog.  (SCREENSHOT)

The Active Directory Users and Computers GUI limits password lengths to 32 characters for some reason.  This makes sense for normal human users, but sucks for proxy accounts like our DHCP Update account.  Having a 64 character password is way more than just twice as good!  Let’s use PowerShell to quickly set that nice long password.

  1. Use a password generator and create a password of whatever length you want.  I use 64 characters including numbers, upper/lowercase letters and symbols.  The standard password rule applies here: don’t use single-quotes ( ' ), double-quotes ( " ), backticks ( ` ) or spaces since these will cause problems here in PowerShell and in any scripting tool.  Copy your new super-long complex password to the clipboard or, better, paste it into an empty notepad window as temporary storage that you can easily access.
  2. Open PowerShell as an administrator.  Type the following at your PowerShell prompt (replace DHCPUpdate with the username of the user you created earlier):
    Set-ADAccountPassword -Identity DHCPUpdate -Reset
  3. You will be prompted to enter and confirm the new password.  You can paste your super-long complex password from your clipboard/notepad.
    Warning: Don’t clear your clipboard or close that notepad window just yet. We’ll need that password later!
    Note: If you don’t use the -Reset flag then you are changing the password instead of resetting it.  Password changes occur in the user’s context and that’s why you are asked for the current password and then the new password.  However, the user CANNOT change their password because we set that checkbox when we created the user account (remember?).  So we skip all that and use our super-Administrator-God powers to just RESET the password by passing the -Reset flag.

  4. Exit PowerShell
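The whole account creation and lockdown above (plain user, no password change, never expires, log on only to this server, remote control off, long password) can be done in one PowerShell pass, which also lets you check afterwards that the account picked up no privileged group membership.  This is an added example, not the guide’s own script; the account name DHCPUpdate and the server name WSE2016 are assumptions, and the remote-control toggle is set through the IADsTSUserEx interface because ADUC’s Remote control tab has no plain AD attribute.

```powershell
# Added example (not from the original guide): create the DHCP DNS-update account with a
# password longer than the 32 characters ADUC allows, lock it down, and verify it.
# Assumptions: account name DHCPUpdate, server NetBIOS name WSE2016, default Users container.
Import-Module ActiveDirectory
$UserName   = 'DHCPUpdate'              # assumption: the account name you chose
$ServerName = 'WSE2016'                 # assumption: this server's NetBIOS name
$Domain     = (Get-ADDomain).DNSRoot    # e.g. corp.example
$UsersOU    = (Get-ADDomain).UsersContainer

# Prompt for the password instead of embedding it in a script or command line.
# A SecureString prompt also sidesteps the quoting problems the guide warns about.
$Password = Read-Host -AsSecureString -Prompt 'Paste the generated password for the account'

# Plain user: no group membership beyond the default Domain Users, no special rights.
New-ADUser -Name $UserName -SamAccountName $UserName `
    -UserPrincipalName "$UserName@$Domain" -Path $UsersOU `
    -Description 'DHCP server account used for secure dynamic DNS updates' `
    -AccountPassword $Password -Enabled $true `
    -ChangePasswordAtLogon $false -CannotChangePassword $true -PasswordNeverExpires $true

# Same as the GUI's "Log On To..." restriction: only this server may use the account.
Set-ADUser -Identity $UserName -LogonWorkstations $ServerName

# Remote control tab -> "Enable remote control" off (IADsTSUserEx, 0 = disabled).
$dn   = (Get-ADUser -Identity $UserName).DistinguishedName
$adsi = [ADSI]"LDAP://$dn"
$adsi.InvokeSet('EnableRemoteControl', 0)
$adsi.SetInfo()

# If the account already exists with a short GUI password, RESET (not change) it instead:
# Set-ADAccountPassword -Identity $UserName -Reset -NewPassword $Password

# Verify the lockdown and that the account holds no privileged group membership.
$u = Get-ADUser -Identity $UserName -Properties PasswordNeverExpires, CannotChangePassword, LogonWorkstations, Description
$groups = (Get-ADPrincipalGroupMembership -Identity $UserName).Name
$privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                'DnsAdmins', 'Account Operators', 'Server Operators', 'Backup Operators')
$u | Format-List SamAccountName, Description, Enabled, PasswordNeverExpires, CannotChangePassword, LogonWorkstations
"Group membership: $($groups -join ', ')"
$bad = $groups | Where-Object { $privileged -contains $_ }
if ($bad) { Write-Warning "Account is in privileged group(s): $($bad -join ', ') - remove it." }
```

The verification at the end is the part worth keeping around: if the DHCP update account ever ends up in DnsAdmins or an Admins group, any DNS record it registers carries far more authority than a lease-holder should have.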

Update DnsUpdateProxy group membership

This Security Group controls which CLIENTS are allowed to update DNS records on behalf of other machines.  We want this to only be our server so let’s make sure that’s the case.  Fortunately, this is easy since we’re already in the Active Directory Users and Computers MMC snap-in.

  1. Find the DnsUpdateProxy Security Group in the same Users list as the account we just created.  Right-click on it and choose Properties.  (SCREENSHOT)
  2. Members tab:  Click Add.
  3. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog, click Object Types.
  4. Select Computers and click OK.  (SCREENSHOT)
  5. Type the computer (NETBIOS) name of your server and click Check Names to verify the name.  Click OK.  (SCREENSHOT)
  6. Your server should now be the ONLY thing listed in the Members box.  If this is not the case, remove any and all other listed objects regardless of what they are.  Your Members tab should look like my SCREENSHOT.

Set up DHCP server

Ok, all the preliminary setup is done and we can actually set up the DHCP server.  Don’t worry, this part is really quite fast since, assuming you followed Part IV (DNS), the IPv4 and IPv6 server settings are already set up and mostly configured for you!  Let’s just tweak a few settings to make everything work seamlessly.  In Server Manager, open the Tools menu and select DHCP.  (SCREENSHOT)

Verify bindings

The bindings control which interface(s) your DHCP server will listen on for requests.  In most cases, you want to just use all your interfaces since you probably only have one anyway.  If you have a special setup, then you’ll want to tweak this so DHCP is only exposed on the correct NICs.

  1. In your DHCP Server MMC window, expand your server then right-click on it and select Add/Remove Bindings…  (SCREENSHOT)
  2. Go ahead and verify or change as needed and close this up when you’re done.

IPv4 settings

  1. Right-click on the IPv4 heading and select Properties.  (SCREENSHOT)
  2. DNS tab: Ensure Enable DNS dynamic updates… is CHECKED.  In the Name Protection section at the bottom, click the Configure button.  (SCREENSHOT)
  3. CHECK Enable Name Protection and click OK.  This essentially sets DHCP Option 81 which ensures the server owns and updates all DNS records for clients with an active DHCP lease or reservation regardless of the client’s settings/preferences.  (SCREENSHOT)
  4. You should now see that all the middle checkboxes are greyed-out since Name Protection is taking care of these settings.  You’ll also see that the Name Protection section now reads “DHCP name protection is enabled at the server level.”  (SCREENSHOT)
  5. Advanced tab: Click the Credentials… button  (SCREENSHOT)
  6. Fill out the information for the user we created earlier including your super-complex password.  Paste it off the clipboard/from notepad to avoid typos.  (SCREENSHOT)
    Warning: If you used a 32+ character password via PowerShell you can just paste that same password into this box.  It does NOT seem to have the same limitations as the GUI in Active Directory Users and Computers.  I always use a 64 character password and everything works fine.  However, I don’t know what happens if you try using a 64+ character password.  You may have to set the password using PowerShell and the Set-DhcpServerDnsCredential cmdlet.

  7. Click OK.
  8. Click OK to close the IPv4 properties

IPv6 settings

  1. Right-click on the IPv6 heading and select Properties.  (SCREENSHOT)
  2. DNS tab: Ensure Enable DNS dynamic updates… is CHECKED.  In the Name Protection section at the bottom, click the Configure button.  (SCREENSHOT)
  3. CHECK Enable Name Protection and click OK.  This essentially sets the DHCPv6 equivalent of DHCP Option 81 which ensures the server owns and updates all DNS records for clients with an active DHCP lease or reservation regardless of the client’s settings/preferences.  (SCREENSHOT)
  4. You should now see that all the middle checkboxes are greyed-out since Name Protection is taking care of these settings.  You’ll also see that the Name Protection section now reads “DHCP name protection is enabled at the server level.”  (SCREENSHOT)
  5. Advanced tab: Click the Credentials… button  (SCREENSHOT)
  6. This is already filled out based on our IPv4 setup!  Perfect.  Click OK.
  7. Click OK to close the IPv6 properties
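The bindings check and the IPv4/IPv6 DNS settings above (dynamic updates, Name Protection, and the update account’s credentials) map onto the DhcpServer module cmdlets, which also let you read every value back instead of trusting the greyed-out checkboxes.  This is an added example, not the guide’s own script; WSE2016 and DHCPUpdate are assumed names, and the choice of -DynamicUpdates Always is this example’s, not something the guide specifies.

```powershell
# Added example (not from the original guide): verify bindings, enable dynamic DNS updates
# with Name Protection for IPv4 and IPv6, store the update account's credentials, then
# read every setting back. Assumptions: DHCP server WSE2016, update account DHCPUpdate.
$Dhcp     = 'WSE2016'        # assumption: this DHCP server
$Domain   = (Get-ADDomain).NetBIOSName
$UserName = 'DHCPUpdate'     # assumption: the update account created earlier

# Bindings: list what the server listens on; disable any NIC that should not serve DHCP.
Get-DhcpServerv4Binding -ComputerName $Dhcp | Format-Table InterfaceAlias, IPAddress, BindingState
Get-DhcpServerv6Binding -ComputerName $Dhcp | Format-Table InterfaceAlias, IPAddress, BindingState
# To exclude an interface (assumed alias 'Ethernet 2'):
# Set-DhcpServerv4Binding -ComputerName $Dhcp -InterfaceAlias 'Ethernet 2' -BindingState $false

# IPv4: dynamic updates on, stale records removed when leases expire, Name Protection on.
Set-DhcpServerv4DnsSetting -ComputerName $Dhcp -DynamicUpdates Always `
    -DeleteDnsRROnLeaseExpiry $true -UpdateDnsRRForOlderClients $true -NameProtection $true

# IPv6: same idea (DHCPv6 has no "older clients" setting).
Set-DhcpServerv6DnsSetting -ComputerName $Dhcp -DynamicUpdates Always `
    -DeleteDnsRROnLeaseExpiry $true -NameProtection $true

# Credentials the DHCP server uses to register records as their owner (shared by IPv4 and
# IPv6, which is why the IPv6 dialog is already filled in). Get-Credential prompts, so the
# long password never appears on a command line or in history.
$cred = Get-Credential -UserName "$Domain\$UserName" -Message 'Password of the DHCP DNS-update account'
Set-DhcpServerDnsCredential -ComputerName $Dhcp -Credential $cred
Restart-Service -Name DHCPServer

# Read back and check each value.
$v4 = Get-DhcpServerv4DnsSetting -ComputerName $Dhcp
$v6 = Get-DhcpServerv6DnsSetting -ComputerName $Dhcp
$c  = Get-DhcpServerDnsCredential -ComputerName $Dhcp
if (-not $v4.NameProtection -or -not $v6.NameProtection) { throw 'Name Protection is not enabled for both IPv4 and IPv6' }
if ($c.UserName -ne $UserName) { throw "DNS credential is '$($c.UserName)', expected '$UserName'" }
$v4 | Format-List DynamicUpdates, DeleteDnsRROnLeaseExpiry, UpdateDnsRRForOlderClients, NameProtection
$v6 | Format-List DynamicUpdates, DeleteDnsRROnLeaseExpiry, NameProtection
$c  | Format-List DomainName, UserName
```

Set-DhcpServerDnsCredential is also the answer to the 64+ character question in the warning above: it takes a PSCredential, so the GUI text box’s limits never come into play.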

IPv4 server options

These are the options inherited by all IPv4 scopes from the server to be passed on to all lease-holders.  You should at least set the following options:

  • DHCP option 003: Router (your gateway IPv4 address)
  • DHCP option 006: DNS Servers (the IP address of this server since it is the authoritative DNS server for the internal domain)
  • DHCP option 015: DNS Domain Name (your internal domain name that will be appended to all client hostnames)
  • DHCP option 042: NTP Servers (OPTIONAL: set to the IP address of this server or another NTP server in your network)

Ok, here goes:

  1. Right-click on the Server Options folder under the IPv4 heading, select Configure Options…  (SCREENSHOT)
  2. Check off the settings you want to configure and provide the appropriate values.
  3. When you’re done, your configured options should look something like mine (SCREENSHOT).

IPv6 server options

These are the options inherited by all IPv6 scopes from the server to be passed on to lease-holders depending on how they are obtaining their DHCPv6 addresses.  You should at least set the following options:

  • DHCPv6 option 00023: DNS Recursive Name Servers (IPv6 address of this server.  Enter the address directly!  Using the name resolution lookup feature will lock up the MMC on most systems)
  • DHCPv6 option 00024: Domain Search List (your internal domain name that will be appended to all client hostnames)

Exactly like IPv4 above…

  1. Right-click on the Server Options folder under the IPv6 heading, select Configure Options…  (SCREENSHOT)
  2. Check off the settings you want to configure and provide the appropriate values.
  3. When you’re done, your configured options should look something like mine (SCREENSHOT).
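Both option lists above can be set in one go with Set-DhcpServerv4OptionValue and Set-DhcpServerv6OptionValue, then read back to confirm every option you expect is present.  This is an added example, not the guide’s own script; all addresses and the domain name are placeholders from the documentation ranges, to be replaced with your own.

```powershell
# Added example (not from the original guide): set the IPv4 and IPv6 server-level options
# from the lists above and read them back. All values below are placeholders (assumptions).
$Dhcp      = 'WSE2016'        # assumption: this DHCP server
$Gateway4  = '192.0.2.1'      # option 003: your router
$Server4   = '192.0.2.10'     # options 006 and 042: this server's IPv4 address
$Server6   = '2001:db8::10'   # DHCPv6 option 00023: this server's IPv6 address
$DnsSuffix = 'corp.example'   # option 015 and DHCPv6 option 00024: internal domain name

# IPv4 server options. -Force skips the cmdlet's check that the DNS server answers,
# which would otherwise fail if the DNS role is still being set up.
Set-DhcpServerv4OptionValue -ComputerName $Dhcp -Router $Gateway4 -DnsServer $Server4 `
    -DnsDomain $DnsSuffix -Force
# Option 042 (NTP) has no named parameter, so set it by option ID.
Set-DhcpServerv4OptionValue -ComputerName $Dhcp -OptionId 42 -Value $Server4

# IPv6 server options. The address is passed literally, so no name lookup is involved
# (the MMC hang the guide mentions comes from its name-resolution helper).
Set-DhcpServerv6OptionValue -ComputerName $Dhcp -DnsServer $Server6 -DomainSearchList $DnsSuffix

# Read back: expect options 3, 6, 15 and 42 for IPv4 and 23 and 24 for IPv6.
$v4 = Get-DhcpServerv4OptionValue -ComputerName $Dhcp -All
$v6 = Get-DhcpServerv6OptionValue -ComputerName $Dhcp -All
$v4 | Format-Table OptionId, Name, @{ n = 'Value'; e = { $_.Value -join ', ' } }
$v6 | Format-Table OptionId, Name, @{ n = 'Value'; e = { $_.Value -join ', ' } }
foreach ($id in 3, 6, 15, 42) {
    if (-not ($v4 | Where-Object { $_.OptionId -eq $id })) { Write-Warning "IPv4 option $id is not set" }
}
foreach ($id in 23, 24) {
    if (-not ($v6 | Where-Object { $_.OptionId -eq $id })) { Write-Warning "IPv6 option $id is not set" }
}
```

Option 006 pointing only at this server is deliberate: clients must resolve through the internal DNS server for the dynamically registered A/AAAA records to be of any use, and any extra public resolver in that list would leak internal names.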

Secure DnsUpdateProxy group

  1. Open a command prompt as a DOMAIN ADMIN
  2. Type the following command:
    dnscmd /config /OpenAclOnProxyUpdates 0
  3. You should get a message saying Registry property OpenAclOnProxyUpdates successfully reset.
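The two DnsUpdateProxy hardening steps (membership limited to this server, and OpenAclOnProxyUpdates set to 0 so records registered by group members do not get an open ACL) are easy to drift out of over time, so they are worth enforcing and re-checking from a script.  This is an added example, not the guide’s own; WSE2016 is an assumed server name.

```powershell
# Added example (not from the original guide): make DnsUpdateProxy contain exactly this
# server's computer object, then apply and verify OpenAclOnProxyUpdates = 0.
# Assumption: the DHCP server's NetBIOS name is WSE2016.
Import-Module ActiveDirectory
$ServerName = 'WSE2016'   # assumption: the DHCP server's NetBIOS name
$server     = Get-ADComputer -Identity $ServerName

# Remove every member that is not this server, whatever kind of object it is.
$members = @(Get-ADGroupMember -Identity 'DnsUpdateProxy')
foreach ($m in $members) {
    if ($m.distinguishedName -ne $server.DistinguishedName) {
        Write-Warning "Removing unexpected member $($m.objectClass) $($m.SamAccountName)"
        Remove-ADGroupMember -Identity 'DnsUpdateProxy' -Members $m -Confirm:$false
    }
}
# Add the server if it is not already a member.
if (-not ($members.distinguishedName -contains $server.DistinguishedName)) {
    Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members $server
}
$final = @(Get-ADGroupMember -Identity 'DnsUpdateProxy')
if ($final.Count -ne 1 -or $final[0].distinguishedName -ne $server.DistinguishedName) {
    throw 'DnsUpdateProxy membership is not exactly this server'
}
"DnsUpdateProxy members: $($final.SamAccountName -join ', ')"

# Apply the guide's dnscmd setting and read it back (dnscmd runs fine from PowerShell).
dnscmd /config /OpenAclOnProxyUpdates 0 | Out-Null
$info = dnscmd /info /OpenAclOnProxyUpdates | Out-String
if ($info -match 'Dword:\s*(\d+)') {
    if ([int]$Matches[1] -ne 0) { throw "OpenAclOnProxyUpdates is $($Matches[1]), expected 0" }
    'OpenAclOnProxyUpdates = 0: records registered by DnsUpdateProxy members keep a normal ACL'
} else {
    Write-Warning "Could not parse dnscmd output:`n$info"
}
```

Because the DHCP server registers records using the DHCPUpdate account rather than its own computer account, the records are owned by that account; the group membership only matters for the case where the server (as a computer) performs an update on a client’s behalf, which is exactly why nothing else belongs in the group.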

Final notes

Well, that’s it.  Your DHCP server is set up to respond to both IPv4 and IPv6 requests, securely update your DNS server with client information to construct relevant records and will provide your clients with proper information on where to find your DNS server, what their DNS suffix should be and how to access the internet via your network’s default gateway.  Very cool.  You should note that if you’re using this setup on an existing DHCP server, it will not auto-update DNS with existing leases.  So, delete all your leases and let the new configuration work its magic along with your DNS server.

This finishes up the basic elements of a WSE2016 setup.  In the next few parts, we’ll delve into setting up common group policy configurations including folder redirection, setting up a full certificate server, remote anywhere secure access and certificate-secured remote desktop connection to your clients, IIS and more.  See you again in a week!

Thanks for reading my techie-thoughts on this issue. Have any comments? Suggestions? Want to add your tips? Things you want me to cover in a future article? Comment below!