DHCP rogue servers

Only authorized servers can issue IP addresses to clients in AD, and only DCs and member servers can be authorized in an AD environment. But how can DHCP rogue servers (stand-alone servers that are running the DHCP Server service) then co-exist with authorized servers?

Prevent rogue DHCP servers on your network by authorizing DHCP servers in AD DS

"Although it is not recommended, you can use a stand-alone server as a DHCP server as long as it is not on a subnet with any authorized DHCP servers. When a stand-alone DHCP server detects an authorized server on the same subnet, it automatically stops leasing IP addresses to DHCP clients."

But what if a rogue server is installed on Subnet A, which has a DHCP relay agent, which means that it can relay DHCP messages between the DHCP server on Subnet A and DHCP clients on Subnet B?
Subnet B consists of an AD environment, with authorized DHCP servers.

So can the rogue server on Subnet A issue addresses to (AD) DHCP clients on Subnet B?
Current certs: MCP (210) MCSA (270, 290, 291 and 680) MCTS (680, 640)


    cruwl (Member, Posts: 341)
    So you're asking: if subnet B had a rogue DHCP relay that relayed requests to a rogue DHCP server on subnet A, would a client on subnet B get a DHCP address from the rogue DHCP server on subnet A?

    Clients generally take the first response they get from a DHCP request broadcast. If the rogue relay and rogue DHCP server answer faster than the DHCP server on the local subnet, then yeah, I would think the client would use the rogue one.

    We had something like this happen that was a pain to track down. Randomly one day users started getting a 192.168 address; we used a 10. address. Ended up someone plugged in a Linksys router and it started answering DHCP requests with 192.168 addresses. Had to track the wireless signal until we found the room it was in and turned it off.
    ptilsen (Member, Posts: 2,835)
    AD-authorized DHCP servers cannot independently prevent non-domain-joined servers from operating DHCP servers. Authorization only prevents rogue servers from being installed on domain-joined servers.

    If a rogue DHCP server is installed on a subnet that normally uses a relay agent, you can expect that most clients* will get a response from the rogue server faster. Protecting against it on a managed switch is the only method I'm aware of that can stop a rogue DHCP server.

    *That is, clients who are fewer switch hops away will likely receive an answer faster. Clients further away may still get assignments from the rogue server faster depending on the speed of the DHCP relay. Outside of relay, I would expect the server the closest in switch hops to generally "win" the IP assignment "battle."
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
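Both replies above come down to the same two points: a client takes the first DHCPOFFER it hears (which is why cruwl's users ended up with 192.168 addresses from a Linksys box), and AD authorization cannot stop a non-domain server from answering, so the check has to happen on the wire. The following Python is an added example, not code from the thread participants; it builds a few constructed DHCPOFFER packets (the `build_dhcp_offer` helper and the 10.0.1.2 / 192.168.1.1 addresses are invented for the demo), parses the BOOTP header and option list, flags any offer whose server identifier (option 54) is not on an allow-list or whose offered address is outside the expected scopes, and models the "first offer wins" race that both posters describe. It is the same logic a DHCP-snooping switch applies per port, written out so you can run it against captured offers.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie that precedes the options
BOOTREPLY = 2
DHCPOFFER = 2
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # fixed 236-byte BOOTP header


def build_dhcp_offer(xid, yiaddr, server_id, giaddr="0.0.0.0"):
    """Constructed DHCPOFFER for the demo (hypothetical helper, not captured traffic)."""
    header = struct.pack(
        HEADER_FMT, BOOTREPLY, 1, 6, 0, xid, 0, 0,
        ipaddress.IPv4Address("0.0.0.0").packed,   # ciaddr
        ipaddress.IPv4Address(yiaddr).packed,      # yiaddr: address being offered
        ipaddress.IPv4Address(server_id).packed,   # siaddr
        ipaddress.IPv4Address(giaddr).packed,      # giaddr: non-zero when relayed
        b"\x00" * 16, b"\x00" * 64, b"\x00" * 128,
    )
    options = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
               + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
               + bytes([OPT_END]))
    return header + DHCP_MAGIC + options


def parse_dhcp(packet):
    """Decode the BOOTP header and TLV options; raises ValueError on malformed input."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    f = struct.unpack("!BBBBIHH4s4s4s4s", packet[:28])
    msg = {"op": f[0], "xid": f[4],
           "yiaddr": str(ipaddress.IPv4Address(f[8])),
           "giaddr": str(ipaddress.IPv4Address(f[10])), "options": {}}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        msg["options"][code] = value
        i += 2 + length
    return msg


def audit_offers(packets, authorized_servers, expected_scopes):
    """Flag OFFERs from servers not on the allow-list or for addresses outside known scopes."""
    authorized = {ipaddress.IPv4Address(a) for a in authorized_servers}
    scopes = [ipaddress.IPv4Network(s) for s in expected_scopes]
    findings = []
    for pkt in packets:
        msg = parse_dhcp(pkt)
        if msg["op"] != BOOTREPLY or msg["options"].get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
            continue
        sid = msg["options"].get(OPT_SERVER_ID)
        server = ipaddress.IPv4Address(sid) if sid and len(sid) == 4 else None
        offered = ipaddress.IPv4Address(msg["yiaddr"])
        reasons = []
        if server is None:
            reasons.append("no server identifier option")
        elif server not in authorized:
            reasons.append(f"server {server} not on the authorized list")
        if not any(offered in n for n in scopes):
            reasons.append(f"offered {offered} outside expected scopes")
        findings.append({"xid": msg["xid"], "server": str(server) if server else None,
                         "offered": str(offered), "relayed": msg["giaddr"] != "0.0.0.0",
                         "rogue": bool(reasons), "reasons": reasons})
    return findings


def first_offer_per_xid(timed_packets):
    """Model the race: for each transaction id, the earliest OFFER heard is the one taken."""
    winners = {}
    for _, pkt in sorted(timed_packets, key=lambda tp: tp[0]):
        msg = parse_dhcp(pkt)
        if msg["options"].get(OPT_MSG_TYPE) == bytes([DHCPOFFER]):
            server = str(ipaddress.IPv4Address(msg["options"][OPT_SERVER_ID]))
            winners.setdefault(msg["xid"], server)
    return winners


# Constructed sample data: one legitimate server (10.0.1.2), one rogue (192.168.1.1).
AUTHORIZED_SERVERS = ["10.0.1.2"]
EXPECTED_SCOPES = ["10.0.0.0/16"]
SAMPLE_OFFERS = [
    build_dhcp_offer(0x1111, "10.0.1.50", "10.0.1.2"),                       # local, legit
    build_dhcp_offer(0x2222, "192.168.1.100", "192.168.1.1"),                # rogue
    build_dhcp_offer(0x3333, "10.0.2.77", "10.0.1.2", giaddr="10.0.2.1"),    # relayed, legit
]
# Same transaction answered twice: rogue replies at 0.3 ms, relayed legit server at 1.2 ms.
RACE = [(1.2, build_dhcp_offer(0x4444, "10.0.2.80", "10.0.1.2", giaddr="10.0.2.1")),
        (0.3, build_dhcp_offer(0x4444, "192.168.1.101", "192.168.1.1"))]

if __name__ == "__main__":
    for finding in audit_offers(SAMPLE_OFFERS, AUTHORIZED_SERVERS, EXPECTED_SCOPES):
        print(finding)
    print(first_offer_per_xid(RACE))
```

The allow-list is the part AD cannot enforce for you: it has to come from your own inventory of authorized servers, and the scope list catches the case where a rogue box happens to spoof a legitimate server identifier but hands out the wrong range. Relayed offers show up with a non-zero giaddr, which is the field ptilsen's relay scenario hinges on.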