A new way to identify DHCP failures and prevent them


DHCP servers are essential to your network's operation. The failure at this level could cause office-wide downtime, which puts even more pressure on you to resolve the problem as quickly as possible. Unfortunately, there are many ways in which DHCP services can fail, so it's often difficult to diagnose the issue and fix it quickly. Here are a few more tips on how to fix DHCP failures and prevent them from recurring down the road.

More about DHCP failures

I explained the different types of DHCP failures and provided tips on how to troubleshoot them in the Daily Drill Down "Troubleshooting Windows 2000 DHCP servers." Below, I elaborate on the DHCP failure types and how to fix them.

Running out of IP addresses

DHCP server failures are often caused by something that isn't really a failure at all. When a DHCP server runs out of addresses to lease, all kinds of problems can occur. Users who boot up their workstations will not be able to connect to the network until additional addresses become available. Those who are already connected to the network may lose connectivity, and important work, if their lease expires and they can't renew it. The good news is that there are several things you can do to make sure that there are plenty of leases available.

Depending on your individual DHCP implementation, you can decrease the lease time to force the systems to request a new lease more frequently. I should mention, though, that decreasing the duration of a DHCP lease increases the workload on the DHCP server since clients have to renew IP address leases more frequently. Therefore, if your server is already overworked, then decreasing the lease time probably isn’t the best solution to your problems.

Decreasing the lease time also means that a system that has been turned off will not hold its lease for as long, which frees the address for another system to use. The same principle applies to dial-up clients: a DHCP server may continue to regard an IP address as in use even after the dial-up client has disconnected. Some systems release their IP address lease as soon as they disconnect or go offline, while others keep the address until the lease expires.

You can create some bogus addresses for your clients to use if you run out of IP addresses. Obviously, making up IP addresses is dangerous; however, in some situations, it is a very viable option. A system's IP address is only important when a DNS server maps the address to a specific application, such as a Web server or an e-mail server, or when the address is designed to identify a specific computer. However, the fact that you're using DHCP in the first place means that most of your machines are probably address independent. As long as the IP address is valid and uses a similar subnet structure to others, the PC will work regardless of what IP address it uses.

When you make up an IP address, there's a good chance that the address is already owned by someone else and is in use on a Web server somewhere else in the world. The trick is to ensure that your use of the address, or rather the range of addresses you have chosen, never interferes with the legitimate owner's use of the same address. To accomplish this, the addresses must be hidden from the outside world.

Because most firewalls and proxy servers use a single, legitimate IP address to communicate with the outside world, your IP addresses may already be invisible outside the firewall. Whenever a PC on your network needs to communicate with the outside world, the request goes to the gateway server or the server acting as a firewall or proxy server. After receiving the request, the gateway server uses its own IP address to forward it to the outside world. When the requested information is retrieved, it is sent to the gateway PC, which passes it to the client who originally requested it. A great thing about this operation is that all communications with the outside world appear to originate from one single legitimate IP address. In this way, any illegitimate IP addresses you might use are never exposed to the outside world.

One of your clients might need to access a Web site whose IP address happens to be the same as one of your internal addresses. In such a case, the client would typically connect to the machine on the local network instead of to the Web server online. It's highly unlikely that anyone in your office will actually visit a Web site that duplicates the address.

You can always look at the address to see who owns it if you're still worried about this happening. As an example, the address range I selected for my personal network corresponds to an address range used by the military. Since I have little chance of accessing military systems, this address range seemed to be a safe choice.

Alternatively, if you want to make sure your server room isn't taken over by Marines, you can use one of the private, reserved IP addresses. The addresses shown in Table A are reserved for private use only and do not exist on the Internet. They can be used without encountering any conflicts on your network.

Table A: private IP address ranges

Address Block                       Netmask           Class
10.x.x.x                            255.255.255.0     A
176.16.0.0/12 - 176.31.255.255      255.255.0.0       B
192.168.0.0 - 192.168.255.0         255.255.255.0     C

You can use these private IP addresses.

Address reservations can also help you avoid running out of addresses. A DHCP address reservation ties a specific address to a specific PC. Typically, you would give your servers static IP addresses; alternatively, you can use a DHCP reservation to assign each server its desired IP address. Some servers require a hard-coded IP address, so this technique won't work for them. Reservations aren't just for servers. If certain clients must have network access at all times, you can reserve addresses for them, and a client with a reservation is guaranteed its address whenever it asks for one.

Overlapping IP addresses

When you have multiple DHCP servers, if you don't carefully partition the address ranges they can offer, one server can accidentally hand out an address that another DHCP server has already leased. Each DHCP server has one or more scopes of addresses that it can assign to clients, and these scopes combine to make up a superscope.

This organizational structure is what protects your network from address duplication. Yet some types of DHCP servers do not check whether there are other DHCP servers on the network, let alone which address ranges they are using. To avoid duplicate IP addresses, make sure your DHCP servers are configured with unique scopes so that each server hands out its own, non-overlapping range of addresses.

Mismatched addresses

In larger organizations, DHCP failures are often caused by mismatched IP addresses. An IP address is made up of a network number followed by a computer number, and the subnet mask is what separates the two. A subnet mask of 255.255.0.0, for instance, tells Windows that the first two numbers represent the network number, while the last two represent the computer number.

The problem occurs when IP addresses with different subnet masks are assigned to the same network segment. Say, for example, that one DHCP server assigns IP addresses in the 255.255.0.0 format, while another DHCP server assigns addresses in the 255.255.255.0 format. My readings indicate that the client PCs should still be able to communicate. According to my own experience, however, unless the two address formats exist on separate segments, the PCs will not be able to communicate.

I have seen such an arrangement a few times, but the machines using the 255.255.0.0 format were unable to communicate with the machines using the 255.255.255.0 format. And the reverse was also true. The machines with the 255.255.255.0 address format could communicate with the machines using the 255.255.255.0 address format, but not with the machines using the 255.255.0.0 address format.

In order to prevent communication problems between machines with such mismatched addresses, make sure all your DHCP scopes conform to a common subnet mask format.
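The three checks above (scopes inside a private block, non-overlapping scopes, and a common subnet mask) can be automated before a scope goes live. This is an added example, not from the article: it uses Python's standard ipaddress module and the RFC 1918 private blocks as published (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16); the scope table, server names and addresses are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# RFC 1918 private blocks, as published in the RFC.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def scope_network(start: str, end: str, mask: str) -> ipaddress.IPv4Network:
    """Derive the network a scope belongs to from its start address and mask,
    and confirm the end address lies in that same network."""
    net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
    if ipaddress.ip_address(end) not in net:
        raise ValueError(f"scope {start}-{end} extends beyond {net} (mask {mask})")
    return net

def audit_scopes(scopes: dict) -> list:
    """scopes maps server name -> (start, end, mask). Returns human-readable findings."""
    findings, nets = [], {}
    for name, (start, end, mask) in scopes.items():
        net = scope_network(start, end, mask)
        nets[name] = net
        # Check 1: the scope should sit inside a reserved private block.
        if not any(net.subnet_of(block) for block in RFC1918):
            findings.append(f"{name}: {net} is not an RFC 1918 private block")
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        # Check 2: two servers must never offer the same addresses.
        if na.overlaps(nb):
            findings.append(f"{a} and {b}: scopes overlap ({na} vs {nb})")
        # Check 3: all scopes should share one subnet mask format.
        if na.netmask != nb.netmask:
            findings.append(f"{a} and {b}: mismatched masks ({na.netmask} vs {nb.netmask})")
    return findings

# Constructed sample configuration (hypothetical servers and ranges).
SCOPES = {
    "dhcp1": ("192.168.10.1", "192.168.10.200", "255.255.255.0"),
    "dhcp2": ("192.168.10.100", "192.168.10.250", "255.255.255.0"),  # collides with dhcp1
    "dhcp3": ("176.16.0.10", "176.16.0.200", "255.255.0.0"),  # not private; 172.16/12 is
}

if __name__ == "__main__":
    for finding in audit_scopes(SCOPES):
        print(finding)
```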

Rogue DHCP servers

Before the release of Windows 2000, a hacker could set up their own DHCP server and cause serious trouble on a network. An unauthorized DHCP server can hand out duplicate IP addresses or assign clients invalid addresses, preventing them from reaching the Internet or other network resources.

Windows 2000 provides protection against this. When the Windows 2000 DHCP service is installed on a server, that server must be specifically authorized before it will service the network.
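Authorization only governs Windows 2000 servers, so it is still worth watching the wire for offers from servers you do not recognize. The following is an added example, not from the article: it parses the options of a DHCP OFFER and flags any whose server identifier (option 54) is not in an administrator-maintained allowlist. The allowlist, the sample packets and the helper that builds them are constructed here for illustration.

```python
import ipaddress
import struct

# Assumption: the administrator maintains this allowlist of authorized servers.
AUTHORIZED_SERVERS = {ipaddress.IPv4Address("10.0.0.2")}
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options field

def sample_offer(xid: int, yiaddr: str, server_id: str, mask: str) -> bytes:
    """Construct a minimal DHCPOFFER for testing (constructed data, not a capture)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)    # op=2 BOOTREPLY, Ethernet
    hdr += b"\x00" * 4                                      # ciaddr
    hdr += ipaddress.IPv4Address(yiaddr).packed             # yiaddr: offered address
    hdr += b"\x00" * 8                                      # siaddr, giaddr
    hdr += b"\x00" * (16 + 64 + 128)                        # chaddr, sname, file
    opts = b"\x35\x01\x02"                                  # option 53: message type OFFER
    opts += b"\x36\x04" + ipaddress.IPv4Address(server_id).packed  # option 54: server id
    opts += b"\x01\x04" + ipaddress.IPv4Address(mask).packed       # option 1: subnet mask
    return hdr + MAGIC_COOKIE + opts + b"\xff"              # option 255: end

def parse_options(pkt: bytes) -> dict:
    """Walk the type-length-value options that follow the 236-byte fixed header."""
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (bad magic cookie)")
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:          # end marker
            break
        if code == 0:            # pad byte, no length field
            i += 1
            continue
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def classify_offer(pkt: bytes) -> str:
    """Return 'authorized', 'not-an-offer', or 'ROGUE:<server id>'."""
    opts = parse_options(pkt)
    if opts.get(53) != b"\x02":
        return "not-an-offer"
    server = ipaddress.IPv4Address(opts[54])
    return "authorized" if server in AUTHORIZED_SERVERS else f"ROGUE:{server}"
```

In practice the packets would come from a capture of UDP port 68 traffic on the client side; a ROGUE result is the signal to locate and shut down the unauthorized server.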

Service failure

If DHCP fails on your Windows NT or Windows 2000 DHCP servers, remember that DHCP is provided by a service. In such a situation, you should first check whether the DHCP service is still running. Depending on the circumstances, restarting the service may be all that is needed to fix the problem.

Conclusion

A problem at the DHCP level can cause considerable user downtime, since your DHCP servers are such an important part of your network. Knowing some of the major causes of DHCP failures will make it easier for you to recover from the failure or prevent another one in the future.