Overview Of Solution - Alcatel-Lucent VitalQIP Technology White Paper

Integration with Microsoft Windows 2003 Networking/Active Directory
client.example.com" to find the IP address (or enter "client1.example.com" into the web browser or FTP or elsewhere). If "example.com" is in the DNS search suffix, just the shortname "client1" would be enough. But once "client1" is moved to "dhcp.example.com", the lookup needs to be performed using the longer full name "client1.dhcp.example.com" or else the search suffix needs to be changed.
Authorizing a DHCP server for Active Directory
Microsoft DHCP for Windows 2003 has a feature whereby the DHCP Service queries the LDAP data store (that is, Active Directory) to see whether it has been authorized, and it will fail to start if it is not. The purpose of this is to prevent "rogue" DHCP servers. Any network user who has a Windows CD-ROM can install a DHCP server with a few mouse clicks, even by accident, and that server could hand out IP addresses that conflict with the real DHCP server or with static IP addresses. But only an administrator with the proper permissions can authorize a DHCP server in the LDAP database. Therefore, unauthorized Windows 2003 DHCP servers will not start and become rogue servers. (The mechanism is a little different for MS-DHCP servers that are only in a Workgroup and not part of a domain, but some protection from rogue servers is still provided.)
Alcatel-Lucent DHCP has no need to be authorized in LDAP because it never accesses
LDAP. Alcatel-Lucent DHCP is designed to be configured and managed by VitalQIP, and
is not designed to be a stand-alone DHCP server. VitalQIP ensures that DHCP servers
with overlapping scopes will not be deployed in the network. VitalQIP, however, does
create the authorization record in Active Directory when it performs a DHCP Generation
to a Remote server that is running MS-DHCP.
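The authorization check above only stops DHCP servers that consult Active Directory; a server that never queries LDAP (Alcatel-Lucent DHCP, a workgroup server, or any non-Windows server) starts regardless, so the complementary defender check is to watch DHCPOFFER traffic for Server Identifiers that are absent from the authorized list. The following Python is an added example, not code from this white paper or from VitalQIP; the authorized-server set and the DHCPOFFER payloads are constructed sample data.

```python
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2132 magic cookie, follows the 236-byte BOOTP header
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
DHCPOFFER = 2                              # DHCP Message Type value for an OFFER


def parse_dhcp(packet: bytes) -> dict:
    """Return the offered address (yiaddr) and a {code: value} map of DHCP options."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:                # single-byte pad option carries no length
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"yiaddr": str(IPv4Address(packet[16:20])), "options": options}


def find_rogue_offers(packets, authorized):
    """Server Identifiers (option 54) of DHCPOFFERs sent by servers not in the authorized set."""
    rogue = set()
    for pkt in packets:
        msg = parse_dhcp(pkt)
        if msg["options"].get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
            continue                       # only OFFERs reveal a server handing out leases
        sid = msg["options"].get(OPT_SERVER_ID)
        if sid is None or len(sid) != 4:
            continue                       # malformed or missing Server Identifier
        server = str(IPv4Address(sid))
        if server not in authorized:
            rogue.add(server)
    return sorted(rogue)


def build_offer(server_ip: str, yiaddr: str) -> bytes:
    """Construct a minimal DHCPOFFER payload (test data, not a real capture)."""
    hdr = bytearray(236)
    hdr[0] = 2                             # op = BOOTREPLY
    hdr[16:20] = IPv4Address(yiaddr).packed
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
    return bytes(hdr) + DHCP_MAGIC + opts + bytes([OPT_END])


AUTHORIZED = {"10.0.0.5"}                  # constructed: the servers listed as authorized in AD
SAMPLE = [build_offer("10.0.0.5", "10.0.0.50"), build_offer("10.0.0.99", "10.0.0.51")]
```

Running find_rogue_offers(SAMPLE, AUTHORIZED) on the constructed capture reports 10.0.0.99, the server that is answering clients without an authorization record.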
Overview of Solutions
To see how VitalQIP can be integrated with Windows 2003 networking and Active Directory, we will look at two different cases. Solution 1 examines the case of an existing, typical VitalQIP installation which already has Alcatel-Lucent DNS and Alcatel-Lucent DHCP but which now needs to support Windows 2003 Domain Controllers, Active Directory, and other Microsoft networking functionality. Solution 2 examines the case of a typical "Microsoft shop" which is committed to using MS-DNS, MS-DHCP, and all the deployment options recommended by Microsoft, but which wants to add VitalQIP to make the management of these resources easier. Each solution contains a discussion of the design goals, the configuration options being used, some design considerations, and a brief overview of the procedures for implementing it. Your own organization may not match either of these situations exactly and may need a solution that has elements of both. The second solution, especially, is intended as an example rather than as an exact design for a production system.
Solution 3 comprises a small modification of Solution 2 that uses Alcatel-Lucent DNS
rather than MS-DNS, but still uses MS-DHCP and GSS-TSIG secure updates. Like
Solution 2, it is intended for an organization that is new to VitalQIP but is already using
Microsoft networking.
The above solutions assume the use of VitalQIP 6.1SP1, although some minor changes
may be necessary to support an earlier or later version of VitalQIP. This paper also
briefly presents Solution 4, which is similar to Solution 2 but incorporates some new
functionality that is included in VitalQIP 6.2.
Alcatel-Lucent | Integration of VitalQIP® with Microsoft Windows 2003 Networking/Active Directory