Sign in
 
HomeWindows Server 2012Windows Server 2008 R2Windows Server 2003LibraryForums
Windows Server TechCenter >
DHCP Load Balanced and Failover Features Security

Answered DHCP Load Balanced and Failover Features Security

  • Thursday, May 03, 2012 7:14 AM
     
     
    Sign In to Vote
    0

    When two servers are configured with a shared secret/key to communicate DHCP information what type of security is used? Are sync updates of lease status communicated on RPC port 135? is the data encrypted? If encryption is used does anyone know the strength?

    Carl Smith MCITP-EA

     

All Replies

  • Friday, May 04, 2012 6:47 AM
    Moderator
     
     
    Sign In to Vote
    0

    Hi Carls233,

    Thanks for posting here.

    Both nodes will authentic with each other with Kerberos protocol :

    Account for administering the cluster: When you first create a cluster or add servers to it, you must be logged on to the domain with an account that has local administrator rights on all servers in that cluster. The account does not need to be a Domain Administrator account, but can be a Domain Users account that is in the DHCP Administrators group on each clustered server. In addition, if the account is not a Domain Administrator account, the account (or the group that the account is a member of) must be given the Create Computer Objects and Read All Properties permissions in the domain.

    DHCP Step-by-Step Guide: Demonstrate DHCP Failover – Clustering in a Test Lab

    http://technet.microsoft.com/en-us/library/ee405263(WS.10).aspx

    For any detail information about cluster and other failover methods it is suggested post to High Availability (Clustering) forum:

    http://social.technet.microsoft.com/Forums/en/winserverClustering/threads

    Thanks.

    Tiger Li

    Tiger Li

    TechNet Community Support

    • Marked As Answer by Tiger LiModerator Tuesday, May 08, 2012 1:30 AM
    • Unmarked As Answer by Carls233 Wednesday, May 09, 2012 7:59 AM
    •  
     
  • Wednesday, May 09, 2012 7:58 AM
     
     
    Sign In to Vote
    0
    I understand from documentation that the DHCP load balancing and cluster features are supported within a workgroup (browse master) environment, as a result kerberos cannot be used in this scenario. The pre-shared key that is entered to setup the DHCP failover relationship seems to be what is used to generate the shared secret but I am unable to determine what the strength of the cryptography is, can anyone from Microsoft provide information on this?

    Carl Smith MCITP-EA

     
  • Friday, May 11, 2012 4:59 AM
     
     Answered
    Sign In to Vote
    1

    Hi Carl,

    The shared secret is used for providing message authentication for the DHCP Failover messages (IP address lease synchronization) exchanged between the 2 DHCP servers in a failover relationship. By default, SHA-256 is used to generate the message authentication code for each message. In case an admin wishes to use a different crypto algorithm (other than  SHA-256), it can be changed adding a registry value FailoverCryptoAlgorithm under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters\.

    Let us know if you have further questions.

    Thanks,

    Prasad [MSFT]

    • Marked As Answer by Carls233 Thursday, December 06, 2012 11:14 AM
    •