Name squatting occurs when a non-Windows-based computer registers in Domain Name System (DNS) with a name that is already registered to a computer running a Windows operating system. Name Protection in the Windows Server 2008 R2 operating system prevents name squatting by non-Windows-based computers. Name squatting does not present a problem on a homogeneous Windows network, where secure dynamic update in Active Directory Domain Services (AD DS) integrated zones reserves each name for the single computer or user account that registered it.

Name Protection is based on the Dynamic Host Configuration Identifier (DHCID) in the Dynamic Host Configuration Protocol (DHCP) server and on support for the DHCID resource record (RR) in DNS. The DHCID RR is described by the Internet Engineering Task Force (IETF) in RFCs 4701 and 4703. It is stored in DNS beside the other records for a name, such as the computer's A and AAAA records, and it holds a hash of the identifier of the client that owns the name together with the name itself, so that the same name cannot be registered twice for different clients. Because the DHCP server sits between the client and DNS in the registration process, it can require that the DHCID stored for a name match the identifier of the client requesting it, and refuse the registration when a client with a different identifier (and therefore a different address) tries to register a name that already has a DHCID record. DHCID prevents the following name squatting situations:
Server name squatting by a client.
Server name squatting by another server.
Client name squatting by another client.
Client name squatting by a server.
In addition, support for the DHCP Unique Identifier (DUID) is added to the IPv4 registration on the DHCP client; the DUID is described by the IETF in RFC 4361. Name Protection can be configured for IPv4 and IPv6 at the server level (the IPv4 or IPv6 node in the DHCP console) or at the scope level. A Name Protection setting configured at the scope level takes precedence over the setting at the IPv4 or IPv6 node. If Name Protection is not configured at the scope level at all, the setting at the IPv4 or IPv6 node applies. DHCID protects names on a first come, first served basis: the first client to register a name owns it, and later clients with a different identifier are refused. The step-by-step instructions in this paper show how to set up Name Protection in a test lab so that you can better understand how this feature works.
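The following PowerShell is an added example, not code from the original guide or from Microsoft. It builds a DHCID RDATA exactly as RFC 4701 defines it and then applies the first come, first served comparison described above, so you can see what the DHCP server stores beside a client's A record and why a second client with a different identifier cannot take the name over. The MAC addresses are constructed sample data, and the identifier type (hardware address, 0x0000) is chosen for illustration; the page does not state which identifier type the Windows DHCP server uses beyond its reference to the RFC 4361 DUID.

```powershell
# Added example (not from the guide): DHCID RDATA per RFC 4701 and the Name Protection decision.

function ConvertTo-DnsWireName {
    # Canonical wire-format FQDN (RFC 4034 section 6.2, as RFC 4701 requires for the digest):
    # lowercase, each label prefixed by its length, terminated by the zero-length root label.
    param([Parameter(Mandatory = $true)][string]$Fqdn)
    $out = New-Object System.Collections.Generic.List[byte]
    foreach ($label in $Fqdn.TrimEnd('.').ToLowerInvariant().Split('.')) {
        $labelBytes = [System.Text.Encoding]::ASCII.GetBytes($label)
        if ($labelBytes.Length -lt 1 -or $labelBytes.Length -gt 63) { throw "Invalid label '$label' in $Fqdn" }
        $out.Add([byte]$labelBytes.Length)
        $out.AddRange($labelBytes)
    }
    $out.Add([byte]0)
    return ,$out.ToArray()
}

function New-DhcidRdata {
    # DHCID RDATA layout (RFC 4701 section 3):
    #   2 octets  identifier type   0x0000 = htype + chaddr (DHCPv4 hardware address)
    #                               0x0001 = DHCPv4 client identifier (option 61) data
    #                               0x0002 = DUID (DHCPv6, or a DHCPv4 client using RFC 4361)
    #   1 octet   digest type       1 = SHA-256
    #   32 octets SHA-256(identifier || canonical wire-format FQDN)
    param(
        [Parameter(Mandatory = $true)][ValidateSet('HardwareAddress', 'ClientId', 'Duid')][string]$IdentifierType,
        [Parameter(Mandatory = $true)][byte[]]$Identifier,
        [Parameter(Mandatory = $true)][string]$Fqdn
    )
    $codes  = @{ HardwareAddress = 0x0000; ClientId = 0x0001; Duid = 0x0002 }
    $code   = $codes[$IdentifierType]
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $digest = $sha256.ComputeHash([byte[]]($Identifier + (ConvertTo-DnsWireName $Fqdn)))
    return ,([byte[]](@([byte]($code -shr 8), [byte]($code -band 0xFF), [byte]1) + $digest))
}

function Test-DhcidMatch {
    # The Name Protection decision: the DHCP server computes the DHCID for the client asking
    # for a name and compares it with the DHCID RR already stored for that name.
    param([byte[]]$Stored, [byte[]]$Computed)
    return ([Convert]::ToBase64String($Stored) -eq [Convert]::ToBase64String($Computed))
}

# Constructed lab data mirroring the scenario: DHCP Client 2 registers enggmachine2.contoso.com,
# then DHCP Client 3 (a different hardware address) asks for the same name.
$fqdn    = 'enggmachine2.contoso.com'
$client2 = [byte[]](0x01, 0x00, 0x50, 0x56, 0x3A, 0x00, 0x02)   # htype=1 (Ethernet) + made-up MAC
$client3 = [byte[]](0x01, 0x00, 0x50, 0x56, 0x3A, 0x00, 0x03)

$stored  = New-DhcidRdata -IdentifierType HardwareAddress -Identifier $client2 -Fqdn $fqdn
$renewal = New-DhcidRdata -IdentifierType HardwareAddress -Identifier $client2 -Fqdn $fqdn
$squat   = New-DhcidRdata -IdentifierType HardwareAddress -Identifier $client3 -Fqdn $fqdn

# Presentation format of the record is the base64 of the RDATA, as it would appear in a zone file.
"enggmachine2  IN DHCID  " + [Convert]::ToBase64String($stored)
# Same identifier, same name: an ordinary refresh by the owner, so the update goes through.
"Client 2 refresh permitted: " + (Test-DhcidMatch -Stored $stored -Computed $renewal)
# Different identifier, same name: first come, first served, so the update is refused.
# This is the condition behind the DHCP server event listed in the appendix.
"Client 3 takeover permitted: " + (Test-DhcidMatch -Stored $stored -Computed $squat)
```

In a real deployment the comparison is not a read-then-write on the DHCP server: RFC 4703 has the updater send a DNS UPDATE whose prerequisite section asserts that the expected DHCID RR exists (or that no records exist at all for a new name), so the DNS server enforces the check atomically and a race between two clients for one name cannot leave both registered. Note also that the digest covers the lowercase canonical name, so `ENGGMACHINE2.contoso.com` and `enggmachine2.contoso.com` produce the same DHCID.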
In this guide
This step-by-step guide contains an introduction to Name Protection and instructions for setting up a test lab using one DHCP server and three client computers. One client computer has Windows installed and the other two have a third-party operating system installed. Important: the following instructions are for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is not designed to reflect best practices, nor does it reflect a recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.
Scenario overview
In this test lab, Name Protection is configured on a computer running Windows Server 2008 R2 that has the DHCP Server service installed. Three DHCP client computers are also configured: one client computer running the Windows 7 operating system with the DHCP Client service running, and two client computers running a third-party operating system. A computer running Windows Server 2008 R2 is also used in the test lab as a domain controller and DNS server. Although Name Protection supports both IPv4 and IPv6 networks, this document details the configuration for IPv4 only, to reduce the complexity of the test lab while still demonstrating the feature. Having obtained an IP address from DHCP Server 1, (Windows) DHCP Client 1, with the name enggmachine1.contoso.com, is assigned an A record by registering with DNS. (Non-Windows) DHCP Client 2, with the name enggmachine2.contoso.com, also obtains an IP address from DHCP Server 1 and is assigned an A record and a DHCID record by registering with DNS. Name Protection is demonstrated in the lab when (non-Windows) DHCP Client 3 attempts DNS registration with an FQDN that is already in use. Although DHCP Client 3 has obtained an IP address, its DNS registration is denied.
Software requirements
The following are required components of the test lab:
The product disc for Windows Server 2008 R2.
The product disc for Windows 7.
Installation media for the non-Windows operating system (Linux, Solaris or UNIX) used on DHCP Client 2 and DHCP Client 3.
Setting up the test lab consists of the following stages:
Configure DC1. DC1 is a server running Windows Server 2008 R2. DC1 is configured as a domain controller with AD DS and the primary DNS server for the intranet subnet.
Configure DHCP Server 1. DHCP Server 1 is a server running Windows Server 2008 R2. DHCP Server 1 is configured with the DHCP Server service, and functions as a DHCP server in the domain.
Configure the Windows-based DHCP client. DHCP Client 1 is a DHCP client running Windows 7.
Configure non-Windows (Linux/Solaris/Unix)-based DHCP clients. DHCP Client 2 and DHCP Client 3 are DHCP clients running a non-Windows-based operating system.
Configure DC1
DC1 is a computer running Windows Server 2008 R2, which provides the following services:
A domain controller for the Contoso.com AD DS domain. A DNS server for the Contoso.com DNS domain.
Configuring DC1 involves the following steps:
Install the operating system.
Configure Transmission Control Protocol/Internet Protocol (TCP/IP).
Install AD DS and DNS.
Create a user account in AD DS and add it to a group.
The following sections explain these steps in detail.
Install the operating system on DC1
Install Windows Server 2008 R2 as a stand-alone server.
To install the operating system on DC1
1. Start your computer using the Windows Server 2008 R2 product disc.
2. When prompted for a computer name, type DC1.
Configure TCP/IP on DC1
Configure the TCP/IP protocol with a static IP address of 172.16.1.1 and the subnet mask of 255.255.255.0.
To configure TCP/IP on DC1
1. Click Start, click Control Panel, double-click Network and Internet, click Network and Sharing Center, and then click Change Adapter Settings.
2. Right-click Local Area Connection, and then click Properties.
3. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
4. Select Use the following IP address. Type 172.16.1.1 next to IP address and 255.255.255.0 next to Subnet mask.
5. Verify that Preferred DNS server is blank.
6. Click OK, click Close, and then close Network Connections.
Configure DC1 as a domain controller and DNS server
DC1 serves as the only domain controller and DNS server for the Contoso.com domain.
To configure DC1 as a domain controller and DNS server
1. To start the AD DS Installation Wizard, click Start, click Run, type dcpromo, and then press ENTER.
2. In the AD DS Installation Wizard dialog box, click Next.
3. Operating system compatibility information is displayed. Click Next again.
4. Verify that Domain controller for a new domain is selected, and then click Next.
5. Verify that Domain in a new forest is selected, and then click Next two times.
6. On the Install or Configure DNS page, select No, just install and configure DNS on this computer, and then click Next.
7. Type Contoso.com next to Full DNS name for new domain, and then click Next.
8. Confirm that the Domain NetBIOS name shown is CONTOSO, and then click Next.
9. Accept the default Database Folder and Log Folder directories, and then click Next.
10. Accept the default folder location for Shared System Volume, and then click Next.
11. Verify that Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems is selected, and then click Next.
12. In the Restore Mode Password and Confirm Password text boxes, type a strong Directory Services Restore Mode (DSRM) password, and then click Next. The wizard enforces the password policy here, so the boxes cannot be left blank; this password gives full access to the directory database when the domain controller is started in DSRM, so record it securely.
13. View the summary information provided, and then click Next.
14. Wait while the wizard completes configuration of AD DS and DNS services, and then click Finish.
15. When prompted to restart the computer, click Restart Now.
16. After the computer is restarted, log on to the CONTOSO domain using the Administrator account.
Create a user account in AD DS
Next, create a user account in AD DS. This account is used when logging on to DHCP Server 1.
To create a user account in AD DS
1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, double-click Contoso.com, right-click Users, point to New, and then click User.
3. In the New Object - User dialog box, next to Full name, type User1, and in User logon name, type User1.
4. Click Next.
5. In the Password box, type the password that you want to use for this account, and in the Confirm password box, type the password again.
6. Clear the User must change password at next logon check box, and select the Password never expires check box.
7. Click Next, and then click Finish.
8. Leave the Active Directory Users and Computers console open for the following procedure.
Add User1 to the DHCP Administrators group
Next, add the newly created user to the DHCP Administrators group and use it for all of the DHCP configuration activities. Working as a member of DHCP Administrators rather than as a domain administrator keeps the lab account limited to the DHCP server configuration it actually needs.
To add a user to the DHCP Administrators group
1. In the Active Directory Users and Computers console tree, click Users.
2. In the details pane, double-click DHCP Administrators.
3. In the DHCP Administrators Properties dialog box, click the Members tab, and then click Add.
4. Under Enter the object names to select (examples), type User1, the user name that you created in the previous procedure, and then click OK two times.
5. Leave the Active Directory Users and Computers console open for the following procedure.
Configure DHCP Server 1
DHCP Server 1 is a computer running Windows Server 2008 R2 that provides the DHCP Server service for the Contoso.com domain. Configuring it involves the following steps:
Install the operating system.
Configure TCP/IP.
Join the computer to the domain.
Install the DHCP Server role.
Configure DHCP.
Configure DHCP on DHCP Server 1
To open the DHCP console
1. Click Start, click Run, type dhcpmgmt.msc, and then press ENTER.
2. Leave this window open for all DHCP configuration tasks.
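The script below is an added example, not part of the original guide. It performs the same configuration as the DHCP console (IPv4 node, Properties, DNS tab, Name Protection, Configure) for both the server level and the scope level that the introduction describes, using the DhcpServer PowerShell module. That module ships with Windows Server 2012 and later (and with RSAT) and can manage a remote DHCP server; Windows Server 2008 R2 itself offers only the console and netsh. The host name DHCPServer1 and the scope ID 172.16.1.0 are assumptions, since the guide gives only DC1's address 172.16.1.1 with a /24 mask.

```powershell
# Added example (not from the guide): enable Name Protection at the IPv4 node and at the lab scope.
$DhcpServer = 'DHCPServer1'   # assumed host name of DHCP Server 1
$ScopeId    = '172.16.1.0'    # assumed scope for the 172.16.1.0/24 lab subnet

# Server level (the IPv4 node). Name Protection only works when the DHCP server is the party
# that writes the DNS records, so the server is told to register for every client, including
# clients that never ask for updates (the non-Windows lab clients fall into this category),
# and to remove the records when the lease goes away.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer `
    -DynamicUpdates Always `
    -UpdateDnsRRForOlderClients $true `
    -DeleteDnsRROnLeaseExpiry $true `
    -NameProtection $true

# Scope level. A scope-level setting overrides the IPv4-level one for that scope only, and a scope
# with no setting of its own inherits the IPv4-level value. Setting it explicitly here makes the
# lab scope's behaviour independent of later changes at the server level; the same cmdlet with
# -NameProtection $false would exempt a single scope while leaving the server default on.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $ScopeId -NameProtection $true

# Read back both levels to confirm which value is in effect.
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer |
    Select-Object @{ n = 'Level'; e = { 'IPv4 node' } }, DynamicUpdates, UpdateDnsRRForOlderClients, DeleteDnsRROnLeaseExpiry, NameProtection
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $ScopeId |
    Select-Object @{ n = 'Level'; e = { "Scope $ScopeId" } }, DynamicUpdates, UpdateDnsRRForOlderClients, DeleteDnsRROnLeaseExpiry, NameProtection
```

Because the DHCP server now registers on behalf of clients, it needs credentials that the DNS zone accepts for dynamic updates when the zone allows secure updates only; in the DHCP console this is the Credentials button on the Advanced tab (Set-DhcpServerDnsCredential in the PowerShell module). Use a dedicated low-privilege account for this rather than a domain administrator, because whatever account the DHCP server uses becomes the owner of every record it registers.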
Configure DHCP Client 1
DHCP Client 1 is a computer running Windows 7 with the DHCP Client service. Configuring it involves the following steps:
Install the operating system.
Configure TCP/IP.
Verify network connectivity.
Join the computer to the domain and restart the computer.
The following sections explain these steps in detail.
Install the operating system on DHCP Client 1
To install the operating system on DHCP Client 1
3. When prompted for a computer name, type enggmachine1. The guide refers to this computer as DHCP Client 1; its FQDN must be enggmachine1.contoso.com, which is the entry you check for in DNS later.
4. On the Select your computer's current location page, click Work.
5. Follow the rest of the instructions that appear on your screen to finish the installation.
Next, check for the DHCP Client 1 entry in DNS.
To open the DNS console and view the records
1. Click Start, click Run, type dnsmgmt.msc, and then press ENTER. Leave this window open to view DNS records.
2. Click the DNS node, select the DNS server, and then double-click the Forward Lookup Zones node.
3. Click the Contoso.com domain. There should be one entry for DHCP Client 1: enggmachine1.contoso.com in the Name column, Host (A) in the Type column, and the IPv4 address issued by the DHCP server in the Data column.
Configure DHCP Client 2 and DHCP Client 3
DHCP Client 2 and DHCP Client 3 are computers running a non-Windows operating system (Linux, Solaris or UNIX). Install the operating system on each and configure it to be part of the Contoso.com domain. On each client computer, configure TCP/IP to obtain an IP address automatically from DHCP Server 1 and to obtain the DNS server IPv4 address automatically. Verify network connectivity. Give both clients the same host name, so that both present the FQDN enggmachine2.contoso.com when they request a lease; then, if required, restart the computer.
DHCP Client 3 tries to register with the same FQDN as DHCP Client 2 and fails: an A record and a DHCID record for enggmachine2.contoso.com already exist, and that DHCID was computed from DHCP Client 2's identifier, which does not match DHCP Client 3's. Although it obtained a lease from DHCP Server 1, DHCP Client 3 gets no entry in DNS, and DHCP Server 1 logs event 1340 (see the appendix).
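The following check is an added example, not part of the original guide. Run it on DC1 after all three clients have obtained leases: it lists what the zone holds for the two lab names and pulls the denial event from DHCP Server 1, which is the evidence that Name Protection, rather than some other failure, kept DHCP Client 3 out of DNS. It uses the DnsServer module (Windows Server 2012 and later, or RSAT). The zone and host names come from the lab; the DHCP server name DHCPServer1 and the System event log as the location of event 1340 are assumptions.

```powershell
# Added example (not from the guide): what DNS holds for each lab name, and the DHCP server's denial event.
$Zone       = 'contoso.com'
$DhcpServer = 'DHCPServer1'   # assumed host name of DHCP Server 1

foreach ($hostName in 'enggmachine1', 'enggmachine2') {
    # A records and DHCID records are looked up separately; a missing record returns nothing rather than an error.
    $a     = Get-DnsServerResourceRecord -ZoneName $Zone -Name $hostName -RRType A     -ErrorAction SilentlyContinue
    $dhcid = Get-DnsServerResourceRecord -ZoneName $Zone -Name $hostName -RRType DhcId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name      = "$hostName.$Zone"
        Addresses = @($a | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }) -join ', '
        HasDhcid  = [bool]$dhcid
        DhcidData = @($dhcid | ForEach-Object { $_.RecordData.DhcidData }) -join ', '
    }
}

# The refusal is logged by the DHCP server as event 1340 (its text is in the appendix).
# The System log is the assumed location; if nothing is returned, also look in the
# Microsoft-Windows-Dhcp-Server/Operational channel on the DHCP server.
Get-WinEvent -ComputerName $DhcpServer -FilterHashtable @{ LogName = 'System'; Id = 1340 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

According to the scenario, enggmachine2.contoso.com should show exactly one address, the one leased to DHCP Client 2, together with a DHCID record, and nothing that belongs to DHCP Client 3. If enggmachine2 shows two A records, the server registered both clients, which means Name Protection was not in effect for that scope (check the scope-level setting, which overrides the IPv4-node setting). If it shows no DHCID at all, the Windows DHCP server is not the party registering the name, so the DHCID-based check never ran.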
Appendix
This appendix lists the event that the DHCP server logs when Name Protection denies a registration. In the event text, %1, %2 and %3 are replaced by the client's address, the requested FQDN and the computed DHCID.
1340 - EVENT_SERVER_DNSDHCID_FAIL: The DNS registration for DHCPv4 Client IP address %1, FQDN %2, and DHCID %3 is denied as there is probably an existing client with same FQDN already registered with DNS.
1340 - EVENT_SERVER_DNSDHCID_FAIL: The DNS registration for DHCPv6 Client IPv6 address %1, FQDN %2, and DHCID %3 is denied as there is probably an existing client with same FQDN already registered with DNS.