- Deploying, troubleshooting, and understanding OS X 10.6 DNS server
- Understanding and configuring OS X and OS X Server-based firewalls
- Fixing server- and client-side firewalls
- Configuring and troubleshooting DHCP
- Setting up and troubleshooting a VPN server
If you've been following along in this class from the beginning, you know by now that we went out and purchased a very inexpensive router to host our network. We left NAT on, but turned DHCP off. Now admittedly, this is a rare configuration option, because DHCP is on by default in just about every router for sale today. I say just about because nothing is 100%, but it's probably all of them. Anyway, if you have been doing this title up until now with DHCP on in your router, go ahead and turn it off now. Don't worry. I'll wait. Oh! If you have an AirPort Base Station, and you want to use that as your router, don't. Not for this chapter anyway.
You can't turn on NAT and turn off DHCP at the same time on those devices. So, for the purpose of this chapter, the Apple AirPort Extreme or Express Base Stations, though excellent products overall, just won't work here. Now that we have that out of the way, open Server Admin and go to Services. We have Server Admin right here in the dock and yes, we are actually getting onto this from the client, so all of this is happening remotely. We're going to go to Settings > Services > DHCP and we'll click Save and then come over and click on DHCP in the sidebar.
Configuring DHCP is pretty easy, but you have to know your IP ranges before you start the service. Otherwise, if you get it wrong, you'll just end up coming back in here and doing it all over again. In our planning, we decided that we would have a DHCP range from 192.168.12.64 to 192.168.12.127, and that that would be the range that would be handed out to computers using the DHCP service. Now, I know that I'm also going to be using a VPN later in this title and I want different ranges for those clients to be handed out by the VPN server.
My VPN range will be 192.168.12.12 through 192.168.12.159. So, I can't interfere with those addresses here in the DHCP settings. Since our DHCP range is 192.168.12.64 through 192.168.12.127, but our router is at 192.168.12.1, our server is at 192.168.12.2, and we want our DHCP clients to be able to see the entire 254-node subnet as a local network, we will not be using the CIDR notation that we used in the firewall to configure this.
We start by going into subnets. We click on the name of the default subnet and we delete it. We click Save and we click the Plus button. This gives us a brand-new one. Now this subnet name, I'm just going to call Internal DHCP. The starting IP address, as we said, is going to be 192.168.12.64. Our ending IP address, 192.168.12.127.
Now, this is where this becomes important. Here is the point about the subnet mask: if we were using the CIDR notation from our firewall rule, we would be entering this. And that would be bad, because in this case, if we were to set that up, the only computers that any of our DHCP clients would be able to see would be computers between 64 and 127, which means they wouldn't be able to get to our router. The router is at 192.168.12.1.
That wouldn't work, because these systems wouldn't be able to see the router, because it's outside of the subnet. So, we have to make this the 255.255.255.0 subnet. That would give us full access to that 254-node range. We also want to configure the correct Ethernet interface for the network that will be sending out that DHCP information. So, we're going to go with en0, and for the router, once again, we'll enter 192.168.12.1. A lease time typically is actually close to 4 hours.
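To make the subnet-mask point concrete, here is an added Python check (not part of the course) that walks the chapter's own addresses through both masks. It assumes 255.255.255.192 (/26) is the mask the firewall's CIDR notation for the .64 to .127 range would imply, and 255.255.255.0 (/24) is the one chosen above.

```python
import ipaddress

# Constructed from the chapter's plan: router, server and the DHCP pool .64-.127.
ROUTER = ipaddress.IPv4Address("192.168.12.1")
SERVER = ipaddress.IPv4Address("192.168.12.2")
POOL_START = ipaddress.IPv4Address("192.168.12.64")
POOL_END = ipaddress.IPv4Address("192.168.12.127")


def pool_addresses(start, end):
    """Every address the DHCP server may hand out, inclusive of both ends."""
    return [ipaddress.IPv4Address(a) for a in range(int(start), int(end) + 1)]


def client_network(lease_ip, netmask):
    """The on-link network a client derives from its leased IP and the mask it was handed."""
    return ipaddress.IPv4Network(f"{lease_ip}/{netmask}", strict=False)


def reachable_on_link(lease_ip, netmask, target):
    """True if the client treats `target` as local (ARP) instead of needing a gateway."""
    return target in client_network(lease_ip, netmask)


def check_plan(netmask, pool_start=POOL_START, pool_end=POOL_END,
               router=ROUTER, server=SERVER):
    """Sanity-check a subnet definition before the service is started:
    - router and server must not sit inside the dynamic pool (duplicate-address risk)
    - every pool address must be on-link with the router, or leases have no usable gateway
    """
    pool = pool_addresses(pool_start, pool_end)
    problems = []
    for fixed in (router, server):
        if fixed in pool:
            problems.append(f"{fixed} is inside the dynamic pool")
    unreachable = [str(a) for a in pool if not reachable_on_link(a, netmask, router)]
    if unreachable:
        problems.append(f"{len(unreachable)} pool addresses cannot reach router "
                        f"{router} with mask {netmask}")
    return {"ok": not problems, "problems": problems, "pool_size": len(pool)}


if __name__ == "__main__":
    # /26 (what the firewall's CIDR notation would imply) versus the /24 chosen here
    for mask in ("255.255.255.192", "255.255.255.0"):
        print(mask, check_plan(mask))
```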
Once we have that in place, we can go over here to DNS. DNS is currently configured as the local loopback address. That clearly won't work for our clients though, because they're not hosting DNS servers. So, what we need to do is put in our DNS server as the DNS server that's handed out via DHCP. We can also take this opportunity to put in our network's search domain, which means that this will be handed out into the network settings, and all of the clients will receive an IP address from 64-127 as they come on the network.
With that, we can click Save. Now with your DHCP range configured and assigned to the correct network interface, you can move on to configure the LDAP options that are available here, and you could also configure your WINS options available here. But there are two problems with this. First, as a security best practice, you generally don't want to let your client machines pick up LDAP information for authentication and contacts via DHCP, because they will then do that on every network they connect to, potentially opening the client up to compromise by a rogue DHCP server.
A rogue DHCP server is one that is functioning on a network where it shouldn't exist. A malicious rogue DHCP server could be used to pass out LDAP information to clients to allow a hacker to log in to those client machines, because LDAP has the capability of sending that information out, and then the client system would use that information to look back at a directory of user accounts that are able to log into it. Because that would be a bad thing, generally, you probably want to turn off the ability to receive that kind of auto-configured LDAP information on all of your clients.
If you turn it off on all of your clients, and it's off by default on 10.6, then there is really no point in configuring it in OS X Server's DHCP settings. So, I would leave this blank. If you're on a network where WINS is used, you can add those settings to the WINS tab, and the Windows clients will pick up that autoconfiguration information as well, which will make it easier for them to find network services on your network. We don't have any network services here offered up in the WINS format. We don't in fact have any Windows clients right now, so that's not going to be configured either.
We're going to leave both LDAP and WINS blank. Configure General and DNS, both as we've shown already, and we've already clicked Save, so all we need to do now is click the Enable check box next to Internal DHCP. And that once saved will be an enabled DHCP range that will be served out over the en0 network interface. Before you start DHCP, it can be useful to go to Settings and turn your Log Levels up to High. That way you'll get full logs on everything that's going on with DHCP, which is being handled by the BOOTP service.
I click Save there and I click Start DHCP. We're now handing out DHCP over that network interface. All we need to do now is open up a client and have it attach to the network. We can see if clients have attached to the network by clicking over here on the Clients interface, and as people come on the network, we'll see the computer name, their MAC address, their client ID, the IP address that we've given them, and the lease time remaining on their DHCP lease.
So, we've opened up a laptop, and there we go! Excellent! We just click Refresh a few times and it's popped right up. So, we see the computer's name, we see its MAC address, we see the IP address that it's been handed, and how much lease time now remains. Now the nifty thing about this is that once we've got somebody that's received an IP address, this gives us an opportunity to create a static map. All we have to do is click the Create Static Map button and come up here and click Create Map, flip down the triangle, and here you've got all of the information that the client just received.
If we want to change any of that information, we click the Edit button. Leave the Computer Name exactly as it is unless you want to mess with the client. Leave the MAC Address exactly as it is. But we can change this IP Address. We can say, I don't want this to receive the 64-address. I want this one to always receive the 127-address, and we just do that by coming out here to the end and giving it an IP address that's in the DHCP range. This is a really handy way of using DHCP, but still providing a device with the same address all the time.
It's sort of a mixture between dynamic addressing and static addressing, making it easy to locate the device over and over again. This could be a really cool trick to use with printers, which are configured to pick up a DHCP address when new, without any local configuration, right out of the box. Once the device is in the table, just use that information to get into this interface to set the IP address information you want for that printer and bam! You're done! Click OK and that device will always get that same address every time. Click Save.
It will ask you if you want to restart DHCP, but that's no big deal, and you're done. DHCP is a solid technology that's been around for years, but there are still plenty of things that can go wrong with it. Let's look at ways to troubleshoot DHCP in the next movie.