Module 09: DHCP — Dynamic Host Configuration

How every device gets an IP without a human typing one — from DORA to HA failover.

What you'll learn

  • DHCP concept — why dynamic, why centralized
  • DORA exchange ★ — Discover · Offer · Request · Ack
  • Scopes + reservations — address ranges + per-client locks
  • Policies + failover — conditional leases + HA pairs
  • DDNS integration — DHCP teaching DNS who got which name
Where this fits: Block #9 — IP assignment. CTS1328C Objective #1. AZ-800 domain: Hybrid networking. The DORA exchange (★) is the four-step ritual every DHCP transaction follows.
Module 09 — your journey 1DHCP Concept 2DORA ★ 3Scopes 4Reservations 5Options 6Policies 7Failover 8DDNS Integration 9Troubleshooting → next: M10 — Group Policy

DHCP Architecture

DHCP is client-server. Right-side diagram shows the three roles (Client, Server, Relay Agent) — broadcast on UDP 67/68 connects them.

Key Components

  • DHCP Server - Maintains IP pools and configuration data
  • Scope - Range of IP addresses for a subnet
  • Lease - Temporary assignment of IP to client
  • Relay Agent - Forwards requests across subnets
Authorization Required: In Active Directory environments, DHCP servers must be authorized before they can respond to client requests. This prevents rogue DHCP servers.
DHCP components and their rolesClientdhclient / WindowsstackServerDHCP Server rolescope databaseRelay agentrouters w/ ip helpercross-subnet bridgeScope10.0.0.50 - 10.0.0.200Pooladdresses available to leaseReservationpinned by MAC, server-sideOptionsrouter, DNS, NTP, search domainServer speaks UDP 67/68 + 4011 (PXE)

The DORA Process

DHCP uses a four-step handshake (Discover, Offer, Request, Acknowledge) to assign an IP address. The right-side diagram shows all four messages between client and server.

Why it matters

  • Discover — Client broadcasts: any DHCP server out there?
  • Offer — Server replies with an available IP from its pool
  • Request — Client accepts that specific offer
  • Acknowledge — Server confirms + sends full config (gateway, DNS, search domain)
DORA: Discover, Offer, Request, AckClientPC01aa:bb:cc:dd:ee:ffServerDHCP011. Discoverbroadcast: any DHCP?2. Offer10.0.0.50, 8d lease3. RequestI will take it4. Ackconfirmed, here are optionsAfter D-O-R-A: client has IP, gateway, DNS, search domain

Scopes and Address Pools

A scope = range of IPs the server leases on one subnet. Components: address range, subnet mask, exclusions, lease duration. Best practice: exclude .1–.50 for infrastructure, 8-day lease for stable networks.

# Create a scope handing out .100-.250 with an 8-day lease PS C:\> Add-DhcpServerv4Scope -Name "Corporate LAN" ` -StartRange 192.168.1.100 -EndRange 192.168.1.250 ` -SubnetMask 255.255.255.0 -LeaseDuration 8.00:00:00 # Exclude .1-.50 for static infrastructure devices PS C:\> Add-DhcpServerv4ExclusionRange -ScopeId 192.168.1.0 ` -StartRange 192.168.1.1 -EndRange 192.168.1.50
A scope defines one subnet's address poolScope: Corp-WiFi (10.0.0.0/24).1.254excluded.1 - .49infra, routerpool of leases.50 - .200handed to clientsreservations.201 - .250printers, kiosksLease: 8 daysOption 3: router 10.0.0.1Option 6: DNS 10.0.0.10Add-DhcpServerv4Scope, Add-DhcpServerv4ExclusionRangeOne scope per subnet; multi-subnet servers run multiple scopes

DHCP Reservations

Reservations guarantee a specific IP for a device by MAC address. Use for printers, DHCP-only servers, IP-based ACLs, legacy devices.

# Reserve 192.168.1.200 for the second floor printer by MAC PS C:\> Add-DhcpServerv4Reservation -ScopeId 192.168.1.0 ` -IPAddress 192.168.1.200 ` -ClientId "00-1A-2B-3C-4D-5E" ` -Name "HP-LaserJet-Floor2" ` -Description "Second floor printer"
# Show every reservation in the Corporate LAN scope PS C:\> Get-DhcpServerv4Reservation -ScopeId 192.168.1.0
Reservation: same IP, every renewalPrinter-01MAC aa:bb:cc:ddalways .220DHCP Serverlooks up MACin reservation table.220always# DHCP reservation tableAdd-DhcpServerv4Reservation -ScopeId 10.0.0.0 \-IPAddress 10.0.0.220 -ClientId aa-bb-cc-dd-ee-ff -Name "Printer-01"Best for: printers, scanners, kiosks, conference room PCsNo need to log into the device, IP is centrally managed

DHCP Options

Options provide additional configuration beyond IP addresses, such as DNS servers, gateways, and domain names.

Option Code Description
Router (Default Gateway) 003 IP of the default gateway
DNS Servers 006 List of DNS server IPs
DNS Domain Name 015 Domain suffix for clients
WINS Servers 044 NetBIOS name servers (legacy)
NTP Servers 042 Time synchronization servers
Options ride along with the lease003Router (default gateway)006DNS Servers015DNS Domain Suffix042NTP servers044WINS / NetBIOS servers051Lease time066TFTP server (PXE)067Bootfile name (PXE)Where they apply:Server levelall scopes inheritScope leveloverride per subnetReservation leveloverride per host (most specific wins)

Option Levels

  • Server Options - Apply to all scopes on the server
  • Scope Options - Apply to a specific scope
  • Reservation Options - Apply to a single reservation

Configure the essential scope options so clients get DNS, gateway, and domain suffix.

# Push DNS, gateway, and domain name to all clients in this scope PS C:\> Set-DhcpServerv4OptionValue -ScopeId 192.168.1.0 ` -DnsServer 192.168.1.10,192.168.1.11 ` -Router 192.168.1.1 ` -DnsDomain "hexworth.local"
Options ride along with the lease003Router (default gateway)006DNS Servers015DNS Domain Suffix042NTP servers044WINS / NetBIOS servers051Lease time066TFTP server (PXE)067Bootfile name (PXE)Where they apply:Server levelall scopes inheritScope leveloverride per subnetReservation leveloverride per host (most specific wins)

DHCP Policies

Policies conditionally assign options by MAC, vendor class, or user class. Use cases: VLAN per device type · VoIP phones (specific TFTP) · guest devices · BYOD vs corp.

# VoIP policy: match MAC prefix, push TFTP server option PS> Add-DhcpServerv4Policy -Name "VoIP" -ScopeId 192.168.1.0 -MacAddress "EQ","00:1E:BE:*" PS> Set-DhcpServerv4OptionValue -PolicyName "VoIP" -ScopeId 192.168.1.0 -OptionId 66 -Value "tftp.hexworth.local"

Order matters: first match wins, like firewall rules.

DHCP Policies: per-vendor / per-MAC rulesPolicy: PrinterFleetifVendorClass starts with "Lexmark"thengive lease from 10.0.0.220 - 10.0.0.240andset lease time to 30 days (printers do not move)andpush DNS option pointing at print-mgmt.corp.localConditions: VendorClass, UserClass, MAC address prefix, ClientIDActions: assign from sub-range, override options, set lease lengthUse cases: VoIP phones, IoT, BYOD vs corp laptopsAdd-DhcpServerv4Policy + Add-DhcpServerv4Condition

DHCP Failover

DHCP failover lets two servers share scope responsibility. Hot Standby = primary leads, secondary takes over on failure (branch/HQ). Load Balance = both serve 50/50 (same-site HA).

# Create a 50/50 load-balance failover relationship with DC2 PS C:\> Add-DhcpServerv4Failover -Name "DC1-DC2-Failover" ` -PartnerServer "DC2.hexworth.local" ` -ScopeId 192.168.1.0 ` -LoadBalancePercent 50 ` -SharedSecret "SecurePassword123" ` -MaxClientLeadTime 1:00:00

MCLT = how long a server can extend a lease past partner's knowledge. Default 1h. Longer = more resilient, slower failback.

Two servers share one scope's leasesDHCP01 (primary)52% of leasesDHCP02 (partner)48% of leaseslease syncTwo modes:Load balanceboth serve, weighted (default 50/50)Hot standbyprimary leads, partner kicks inAdd-DhcpServerv4Failover-Name "Corp" -ScopeId 10.0.0.0 -PartnerServer dhcp02 -SharedSecret ***No need for the scope to live on a cluster

DHCP and DNS Integration

DHCP can register client A + PTR records in DNS automatically. Modes: client-only (A), server-only (PTR), or Always (both).

# Enable full DNS registration and auto-cleanup on lease expiry PS C:\> Set-DhcpServerv4DnsSetting -ScopeId 192.168.1.0 ` -DynamicUpdates "Always" ` -DeleteDnsRROnLeaseExpiry $true
# Check what DNS update behavior is configured for this scope PS C:\> Get-DhcpServerv4DnsSetting -ScopeId 192.168.1.0

Credential: use a dedicated service account for DDNS to avoid orphans on DHCP server change.

DHCP can register client records in DNSPC01requests leaseDHCP Serverassigns 10.0.0.78DNSPC01 A 10.0.0.78Who registers the records?A record (forward): client OR serverPTR record (reverse): serverDnsCredential = service accountDHCP impersonates this account when calling DDNSCritical for secure dynamic updates in AD zonesSet-DhcpServerv4DnsSetting -DynamicUpdates Always

Troubleshooting DHCP

Common DHCP issues: APIPA (169.254.x.x), scope exhaustion, rogue server, wrong options, lease conflicts.

Diagnostic tools: ipconfig /all · /release + /renew · Event Viewer DHCP logs · DHCP audit logs · Wireshark DORA capture.

DDNS update modes from DHCPNever✗ A record✗ PTR recordmanual DNS onlyFor: closed labsdeliberateIf requestedif asked: A recordalways: PTRclient opts inFor: mixed clientshonors client wishAlways✓ A record✓ PTR recordDHCP enforcesFor: AD domainsconsistent recordsModes set per scope, default for AD environments is Always

Troubleshooting DHCP, Configuration

Check scope utilization, list active leases, search by MAC.

# Pool stats: free, in-use, reserved PS C:\> Get-DhcpServerv4ScopeStatistics -ScopeId 192.168.1.0 # All active leases in this scope PS C:\> Get-DhcpServerv4Lease -ScopeId 192.168.1.0 # Search by partial MAC PS C:\> Get-DhcpServerv4Lease -ScopeId 192.168.1.0 | Where-Object { $_.ClientId -like "*1A-2B-3C*" }
DDNS update modes from DHCPNever✗ A record✗ PTR recordmanual DNS onlyFor: closed labsdeliberateIf requestedif asked: A recordalways: PTRclient opts inFor: mixed clientshonors client wishAlways✓ A record✓ PTR recordDHCP enforcesFor: AD domainsconsistent recordsModes set per scope, default for AD environments is Always

Advanced: Superscopes & Multicast

Superscope: groups scopes sharing one physical network (multi-subnet segment, gradual IP expansion, migrations).

PS> Add-DhcpServerv4Superscope -SuperscopeName "Corp" -ScopeId 192.168.1.0,192.168.2.0

Multicast Scopes (MADCAP): assigns multicast addresses (224.0.0.0–239.255.255.255) for streaming, conferencing, WDS deployment.

Troubleshoot DHCP from client + serverclient side first, then server sidePS> ipconfig /release ; ipconfig /renew drop the lease, start DORA againPS> ipconfig /all shows lease times, DHCP server, DNS, gatewayPS> Get-DhcpServerv4Lease -ScopeId 10.0.0.0 list active leases (server side)PS> Get-DhcpServerv4ScopeStatistics -ScopeId 10.0.0.0 pool utilization, free, in-use, availablePS> Get-WinEvent -LogName "Microsoft-Windows-DHCP-Server/Operational"

Lab Preview: DHCP Management

Practice via GUI Lab (scopes, reservations, failover) + PowerShell Lab (cmdlet scope mgmt, lease queries, options).

Start GUI Lab Start PowerShell Lab
Module 9 takeawaysDORA4-step handshakeScopeone per subnetReservationpinned by MACOptionsrouter, DNS, NTPPoliciesVendorClass rulesFailoverload balance + hot standbyDDNSDHCP registers in DNSReady for DHCP labs and quiz