Setting up DHCP in Active-Directory


  • Good day,

    we would like to build a network, however there are few things we don't know how to proceed with. Attached below, there is a plan for the network we made.

    To give an explanation to the picture above:

    TL-R600VPN is a router with hardware firewall and also acts as DHCP server.

    The LYNX server is Active Directory Domain Controller, DNS and also DHCP server, running either Windows Server 2008 or Windows Server 2012.

    The idea is that all clients enrolled in the Active Directory should recieve a DHCP address by the LYNX server, where on the other side, all other clients connected through either WiFi or cable and not entrolled in the Active Directory should obtain IP address from the TL-R600VPN DHCP. Point is, that the non-enrolled users will be isolated from accessing the Active Directory network and also we would be able to set up bandwidth management for both internal and external clients.

    Questions is, however, is it even possible to be set up this way and if so, how to set it up?

    Sunday, April 07, 2013 7:43 PM


All replies

  • Hello Jan,
    in my opinion, a good way to separate both sides is physically, at first: it offers more security.
    That said, I have some questions for you:

    • Should non-AD Member Clients "see" LYNX AD Server ?
    • If not, why do you want to add the STATIC on LYNX Server instead of adding a secondary IP Address to TL-R600VPN on IP Class ?

    I suggest to read these articles:


    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Sunday, April 07, 2013 8:47 PM
  • Hello,

    the DC is multi-homed, more then one ip address is used, which is NOT RECOMMENDED configuration, details about in:

    To separate machines you should think about to configure NAP with some rules so it doesn't matter if they use WiFi or not, instead the rules will provide them access to the correct network.

    DHCP servers will work as first come first serve. So you cannot say by default that a specific DHCP server must be used. In your setup you have to work with dhcpcallout.dll to achieve registered machine to get an ip address only from the domain DHCP.

    Best regards

    Meinolf Weber
    Microsoft MVP - Directory Services
    My Blog:

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Monday, April 08, 2013 6:51 AM
  • Hi Jan,

    Thanks for the post.

    I agree with the above suggestions.

    And, in addition, I suggest to disable DHCP service on TL-R600VPN, and setup separate DHCP servers for your internal and external clients.

    More information:

    Configuring scopes

    Integrating DHCP with DNS

    Best Practices Analyzer for Dynamic Host Configuration Protocol

    Hope this helps.

    Jeremy Wu
    TechNet Community Support

    Monday, April 08, 2013 8:58 AM
  • Thank you for your answers.

    We probably overcomplicated the things with LYNX server having 2 IP addresses, it would have only one IP address -

    Mainly, we would like to distinguish between the AD and the other clients. AD clients would be given different DNS server - the LYNX one, where on the other side, the rest of the clients should recieve different DNS servers - either some public DNS servers or our ISP's - so regular clients wouldn't be able to recieve the DNS records for AD, but assigning the LYNX server as DNS will allow the computer to join the domain.

    @Luca Fabbri: The LYNX server should be visible by non-AD members - need to have the ability to add computers to domain.

    @Meinwolf Weber: Our network has about 100 computers, eventually more, so MAC address filtering probably isn't an option. With using NAP, how would the settings look? As in could you provide some more specifications and how-to do such filtering?

    Tuesday, April 09, 2013 12:53 PM
  • Hello Jan,
    ok your LYNX should be visible by non-AD members, but should it be visible by IP Class ? If not and your networks are physically separated then I suggest my solution it's simpler. If they aren't then I suggest Mainwolf's solution: NAP.


    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    • Edited by Luca Fabbri Tuesday, April 09, 2013 3:47 PM
    Tuesday, April 09, 2013 3:39 PM
  • Hello,

    the networks sadly aren't physically separated and we don't have any option to separate them, even tho it would be the easiest solution. Yet we can still have some students joining the network with their own laptops and using the wire (which I haven't seen in past years, but still).


    Tuesday, April 09, 2013 4:00 PM
  • Hi Jan,

    How is the issue going now? If you still need assistance, would you provide us the latest network diagram for further research.


    Jeremy Wu
    TechNet Community Support

    Friday, April 12, 2013 3:33 AM
  • Hello, the updated diagram is below. As per the tips we have been given, we will update it soon with only one DHCP server - the LYNX machine. The current issue we are having is how to assign IPs to clients in AD, blocks 192.168.2.X - 192.168.5.X and the others - nonAD members would get a different block of IP addresses. We don't want to go through MAC address filtering, which would be way too static and could be easily bypassed.

    For the most part, we want the AD and nonAD clients separated mostly due to DNS, we don't want external devices to be routed through our DNS server, but use a different one.

    Friday, April 12, 2013 4:58 AM
  • Hello Jan,
    to complete my previous answer: you could have separated networks by using VLAN too.

    That said, look at this: DHCP Step-by-Step Guide: Demonstrate DHCP Link Layer-based Filtering in a Test Lab; described scenario could be similar to yours, but it is based on MAC filtering.

    You can also see this interesting TechNet Library article: Step-by-Step: Configure DHCP Using Policy-based Assignment.


    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Saturday, April 13, 2013 12:03 PM
  • Hi Jan,

    I would like to check if there is any update.


    Jeremy Wu
    TechNet Community Support

    Monday, April 15, 2013 8:40 AM
  • Hello Luca,

    how can we handle the filtering for a network of 100 (and eventually more in the future) computers which are domain members? As I really don't see MAC address filtering being a solution in this case. Is there a way to filter the users based on the domain membership? Member of X.domain gets this block of IP addresses, the non-members get a different block of IPs?

    Thank you.

    Monday, April 15, 2013 2:34 PM
  • Hello Jan,
    but did you read this TechNet Library article: Step-by-Step: Configure DHCP Using Policy-based Assignment ? It should fire your needs, but new policy based IP Address assignment feature comes with Windows Server 2012:

    "With a DHCP server running Windows Server 2012, administrators can define an address assignment policy at the server level or scope level. A policy contains a set of conditions to evaluate when processing client requests. Policy based assignment enables flexibility for some common scenarios, including:

    1. Multiple device types: A network includes many different DHCP client devices, such as printers, IP phones, and desktops. Administrators need the ability to classify these devices using different IP address ranges. This enables router policies and quality of service (QoS) based on IP address range policies to control network access or traffic. For example, you can add a vendor class of “Hewlett-Packard JetDirect” or Cisco Systems, Inc. IP Phone CP-7940G and configure printer and IP-phone policies to assign a specific IP address range to these devices.
    2. Multiple roles: A network includes different types of computers, such as laptops, desktops, and servers in the same subnet. Depending on the type of client, the administrator might wish to provide different lease duration settings. All the wireless clients that connect via a specific relay agent can be assigned a four-hour lease duration. DNS dynamic update protocol can be disabled for clients matching this policy. Similarly, a server policy can be created using a list of server MAC addresses. Servers can be assigned a 12-day lease duration
    3. Virtualization: A data center network employs virtualization for different workloads and applications. Virtual machines are added and removed dynamically depending upon load requirements at a given time. An administrator wishing to route traffic on the network differently for VMs can create a policy based on MAC address prefix to assign a short lease duration, specific IP address range, and different default gateway."

    The alternative that I see is to use logical network separation by using VLANs.


    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Monday, April 15, 2013 2:42 PM
  • Thank you for your response, I indeed read this article. I just tried setting it up on a test network. Now if I understood it correctly, all computers in domain will have a class of the allowed scope and the rest of the computers would just enter the scope which allows such access. Is that right? Now, making all computers in domain have the same class can be achieved by Active Directory Group Policies, right?

    I also found some helpful topic over here:

    Monday, April 15, 2013 8:21 PM
  • Hi Jan,

    I think you can archive this via startup script.

    More information:

    Assigning options

    Set DHCP class ID information at a client computer

    How to Create a New DHCP User or Vendor Class

    Hope this helps.

    Jeremy Wu
    TechNet Community Support

    Thursday, April 18, 2013 6:13 AM
  • Thank you all for your opinions and help and time to provide a solution to this network.
    Thursday, April 18, 2013 11:24 AM