Detecting Rogue Win2K DHCP Servers
The Win2K DHCP service uses the following process to detect DHCP servers running in the network and determine whether AD has authorized the servers to provide DHCP services. When you first start the DHCP service, the service uses the local limited broadcast address (i.e., 255.255.255.255) to broadcast a DHCPInform message to the network. This action locates the enterprise root directory of the other DHCP servers in the network. They acknowledge the query and reply to the initializing DHCP server (e.g., the first DHCP server that you install in the network) with a DHCPAck message that contains enterprise root directory information. The initializing DHCP server uses the information in the DHCPAck messages to compile a list of the active DHCP servers in the network as well as the root of the directory service enterprise that each of the servers uses. If the initializing DHCP server detects more than one enterprise root, the server queries each of the additional roots to check for DHCP service authorization in the other enterprises.
After the initializing DHCP server builds a complete list, the server determines whether AD is available on its local computer. If the service is available, the server determines whether you have authorized the server to run in the network. If the directory service isn't available, the server provides DHCP services as long as it doesn't discover another DHCP server in the network.
After the DHCP server starts, it sends DHCPInform messages every 5 minutes to collect information about other Win2K DHCP servers in the network. Each time the server sends the DHCPInform message, the server also determines whether the AD service is available.
If a DHCP server is running on a member server or DC, the server queries the AD service for the authorized list of DHCP server addresses. If its IP address is on the authorized list, the server begins providing DHCP service to clients. If the server doesn't find its IP address on the authorized list, it shuts itself down (i.e., the DHCP service shuts down automatically).
If the DHCP server is running on a standalone server, the server queries each of the DHCP servers in the network for their enterprise roots. The server then queries the directory service and includes in the query the enterprise root that each DHCP server in the network returned. If the DHCP server on the standalone system discovers its IP address in each of the enterprise roots that the other DHCP servers return, it begins providing DHCP service to clients. If not, the DHCP server shuts down.
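The authorization procedure in the preceding paragraphs can be modelled as a small decision function. The following is an added example, not Microsoft's code; the names `Role`, `DhcpAck`, `Directory`, `should_serve`, the sample addresses and the enterprise-root strings are all constructed for illustration, and AD is replaced by an in-memory table of authorized addresses per enterprise root.

```python
"""Model of the Win2K DHCP server authorization check (added example).

Assumed names: Role, DhcpAck, Directory, should_serve. AD is stood in for by a
dictionary mapping each enterprise root to the set of authorized server IPs.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple


class Role(Enum):
    MEMBER_OR_DC = "member server or domain controller"
    STANDALONE = "standalone server"


@dataclass(frozen=True)
class DhcpAck:
    """One DHCPAck reply to the initializing server's DHCPInform broadcast."""
    server_ip: str
    enterprise_root: str  # root of the directory enterprise the replying server uses


@dataclass
class Directory:
    """Stand-in for AD: authorized DHCP server addresses per enterprise root."""
    available: bool
    authorized: Dict[str, Set[str]] = field(default_factory=dict)

    def is_authorized(self, root: str, ip: str) -> bool:
        return ip in self.authorized.get(root, set())


def compile_server_list(acks: List[DhcpAck]) -> Tuple[Dict[str, str], Set[str]]:
    """Build the list of active servers and the set of enterprise roots they use."""
    servers = {ack.server_ip: ack.enterprise_root for ack in acks}
    return servers, set(servers.values())


def should_serve(my_ip: str, role: Role, my_root: str,
                 acks: List[DhcpAck], directory: Directory) -> bool:
    """Return True if the initializing server may provide DHCP service, False if it shuts down."""
    servers, roots = compile_server_list(acks)

    # No directory service reachable: serve only if no other DHCP server answered.
    if not directory.available:
        return len(servers) == 0

    # Member server or DC: its own address must appear on AD's authorized list.
    if role is Role.MEMBER_OR_DC:
        return directory.is_authorized(my_root, my_ip)

    # Standalone server: it must be authorized in every enterprise root that the
    # other servers reported. (Assumption: with no other servers, and hence no
    # roots to check, the server serves.)
    return all(directory.is_authorized(root, my_ip) for root in roots)


# Constructed sample data (not from any real network).
CORP_ROOT = "DC=corp,DC=example,DC=com"
LAB_ROOT = "DC=lab,DC=example,DC=com"
SAMPLE_AD = Directory(available=True, authorized={
    CORP_ROOT: {"10.0.0.5"},
    LAB_ROOT: {"10.0.0.5", "10.0.1.9"},
})
SAMPLE_ACKS = [
    DhcpAck("10.0.1.9", LAB_ROOT),   # existing server in the lab enterprise
    DhcpAck("10.0.0.7", CORP_ROOT),  # existing server in the corp enterprise
]


if __name__ == "__main__":
    cases = [
        ("authorized DC", "10.0.0.5", Role.MEMBER_OR_DC, SAMPLE_AD),
        ("rogue member server", "10.0.0.99", Role.MEMBER_OR_DC, SAMPLE_AD),
        ("standalone, authorized in both roots", "10.0.0.5", Role.STANDALONE, SAMPLE_AD),
        ("standalone, authorized in one root only", "10.0.1.9", Role.STANDALONE, SAMPLE_AD),
        ("no directory, other servers present", "10.0.0.5", Role.MEMBER_OR_DC,
         Directory(available=False)),
    ]
    for label, ip, role, ad in cases:
        verdict = "serves" if should_serve(ip, role, CORP_ROOT, SAMPLE_ACKS, ad) else "shuts down"
        print(f"{label:42s} {ip:10s} -> {verdict}")
```

The standalone branch is the one to watch in mixed enterprises: a server that is authorized in its own forest but not in a second forest whose DHCP servers answer the DHCPInform still shuts itself down.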
When an unauthorized or rogue Win2K DHCP server shuts itself down, the Event Viewer on the local server lists event ID 1051. In the event's properties dialog box, which Figure 3, page 95, shows, Event Viewer provides the following event description: "The DHCP/BINL service has determined that it is not authorized to service clients on this network for the Windows domain: name of Windows domain."
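Because the shutdown is logged rather than reported centrally, a practical check is to scan Event Viewer exports from DHCP hosts for event ID 1051 and pull out the domain named in the description. The following is an added example, not part of the original article; the tab-separated export layout (Date, Time, Source, Type, Category, Event, User, Computer, Description), the source name `DhcpServer`, the computer name and the domain are constructed assumptions, and only the 1051 description text comes from the article.

```python
"""Find rogue-DHCP shutdown events (ID 1051) in an Event Viewer text export.

Added example. Assumed export layout: tab-separated fields
Date, Time, Source, Type, Category, Event, User, Computer, Description.
"""
import csv
import io
import re
from typing import Dict, List, Optional

# Constructed sample export; hosts, times and domain are made up.
SAMPLE_EXPORT = (
    "5/12/2000\t09:14:02\tDhcpServer\tError\tNone\t1051\tN/A\tDHCP-LAB1\t"
    "The DHCP/BINL service has determined that it is not authorized to service "
    "clients on this network for the Windows domain: corp.example.com.\n"
    "5/12/2000\t09:14:09\tSomeOtherSource\tInformation\tNone\t4242\tN/A\tDHCP-LAB1\t"
    "Constructed filler event that must not match.\n"
    "5/12/2000\t09:20:31\tDhcpServer\tError\tNone\t1051\tN/A\tDHCP-LAB2\t"
    "The DHCP/BINL service has determined that it is not authorized to service "
    "clients on this network for the Windows domain: lab.example.com.\n"
)

# Pull the domain out of the 1051 description; the trailing period is optional.
DOMAIN_RE = re.compile(r"for the Windows domain:\s*(?P<domain>[^\s.]+(?:\.[^\s.]+)*)\.?\s*$")


def find_rogue_shutdowns(export_text: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per DhcpServer event 1051 found in the export."""
    hits: List[Dict[str, Optional[str]]] = []
    for row in csv.reader(io.StringIO(export_text), delimiter="\t"):
        if len(row) < 9:
            continue  # malformed or truncated line
        date, time, source, _etype, _cat, event_id, _user, computer, desc = row[:9]
        if source != "DhcpServer" or event_id != "1051":
            continue
        match = DOMAIN_RE.search(desc)
        hits.append({
            "when": f"{date} {time}",
            "computer": computer,
            "domain": match.group("domain") if match else None,
        })
    return hits


if __name__ == "__main__":
    for hit in find_rogue_shutdowns(SAMPLE_EXPORT):
        print(f"{hit['when']}  {hit['computer']} refused to serve domain {hit['domain']}")
```

A 1051 on a host you do not recognise as a DHCP server is the signal worth following up: it means a Win2K DHCP service was started there and refused to serve only because AD had not authorized it.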
Sniffing Out a Rogue
Microsoft designed unauthorized Win2K DHCP servers to shut down to prevent rogue servers from participating in Win2K network transactions. However, this functionality doesn't safeguard mixed networks from rogue DHCP servers. If your network includes NT Server systems or third-party DHCP software, the potential for a rogue DHCP server to infiltrate your network still exists.