how to force DHCP server to assign Address to domain-joined computers only

    Question

  • Hi all,

    I have a Win 2008 R2 domain and a joined Win2008 R2 DHCP server. I want to do a task so that my DHCP server assigns IP addresses to computers which are joined to the domain only (but not to non-joined computers).

    How can I achieve this goal?

    Can I achieve this with the combination of NAP and a CA server?

    Please tell me the titles of the steps in detail (not the whole steps).

    Thanks in advance

     


    • Edited by john.s2011 Thursday, February 02, 2012 3:39 PM
    Thursday, February 02, 2012 3:39 PM

All replies

  • So, you are on the correct path. DHCP itself does not have security built in, so only assigning IPs to domain members is not really an option. Think about networking as a whole... The DHCP protocol is used for any TCP/IP-enabled host, not just Windows. So, to accomplish what you are trying to do requires additional networking services such as 802.1X, NAP, CAs, RADIUS, etc...

    Even with these technologies in place, the computer will still require an IP address. Once the IP is given, you use these technologies to restrict access until certain prerequisites are met, such as domain membership, service pack levels, AV client installation, etc...

    I would start with getting an overview on Network Access Protection and go from there.  There are way too many steps to discuss in a single forum thread.

    Maybe start here: http://technet.microsoft.com/en-us/network/bb545879

     


    Guides and tutorials, visit ITGeared.com.

    Thursday, February 02, 2012 4:57 PM
  • Hi Jorge. Thank you for the answer. That link is very general. I am familiar with NAP. May you please tell me only the step titles in brief?

    thanks

    Friday, February 03, 2012 2:18 AM
  • Hi John,

    Thanks

    Please start from the steps in the checklists and select the DHCP enforcement method that we are going to deploy:

    Checklist: Staging a NAP Deployment
    http://technet.microsoft.com/en-us/library/dd314146(WS.10).aspx

    Meanwhile, we may also consider having 802.1X-capable devices and setting up a RADIUS server with policies defined on it in order to restrict unauthenticated hosts from entering our network:

    802.1X Authenticated Wired Access
    http://technet.microsoft.com/en-us/library/cc753354(WS.10).aspx

    802.1X Authenticated Wireless Access
    http://technet.microsoft.com/en-us/library/cc771455(WS.10).aspx

    Thanks.

    Tiger Li
    TechNet Community Support


    • Marked as answer by john.s2011 Friday, February 03, 2012 4:38 PM
    Friday, February 03, 2012 7:38 AM
  • Hi Tiger. Thank you very much for the solution.
    Friday, February 03, 2012 4:38 PM