DHCP Server on Windows 2000

Hi all ..
I have two servers with Windows 2000 and Active Directory, the first with DHCP and Remote access for the dialup user and it is working ok. The second one is for the mail server and the proxy, and I am working with it to make a VPN by Routing and Remote Access, but I face some problems.
1- How can I install the DHCP server? I want it to serve the VPN only. When I installed the DHCP, all the VPN clients take an IP from the dialup IPs (from the first DHCP).
2- How can I give an IP, subnet mask, and gateway for the Routing and Remote Access server only? There is no place to enter a gateway for the client in Routing and Remote Access like there is in DHCP.

I need help

I know it is hard to understand my English ... but I need help.

Note: I have DHCP installed on the first server. How can I use one of the two scopes for the second server?

CyberStretch Commented:
My suggestion, as well, included the information for Static Addressing. In fact, I even suggested using it if the user population was relatively small.

However, the reason DHCP was implemented (to prevent having to make static assignments to multiple systems) still holds its benefits in this scenario as well.

If the available IP pool is too small to assign an IP per person, and the intended usage patterns of the users will allow, DHCP can be used to effectively manage the IP allocations for the users based off a "first come, first served" model.

In addition, DHCP has the least amount of administrative overhead since if something changes, you change the DHCP configuration and *nothing* on all the clients (except perhaps the IP they dial into) nor the individual User Accounts.

Therefore, depending upon the size of the user population and available IP space, either method would be acceptable.
Setting up the DHCP and VPN servers on W2K will allow you to set up the DHCP scope (IP range) for VPN connections.


1) Right Click the Server Name (ie, VPNSERVER)
3) Click the IP tab

You can specify DHCP or Static Addressing and the scope. If your DHCP server is on a different system, make sure you have the DHCP Relay Agent installed and configured.

If you have a small number of people who need to dial in, you may want to use Static Addressing and the User Profile and the Dial In tab to set a static IP for each user. This way, you will know from your various logs which IP address is assigned to which person and it makes tracking their activity - and any potential hacking with that account - a lot easier from viewing your log files.

Also, make sure you choose an IP scope that will *not* be used for any other purposes. This will help to avoid IP conflicts.
It's been a while since I have set up RRAS on a Windows box, but can't you set up a pool of addresses directly on the RAS box without having to use DHCP?  Maybe you can't but I thought you could.  Seems like this would make more sense than setting up DHCP just for dialup.

As to your question about a gateway - a dialup client sends all of its traffic to its peer (the RAS server).  From there the traffic is sent like any other traffic from the RAS server, using its gateway etc.

Scraig84 is correct. In Windows 2K, if you go into RRAS and right click on the server name and choose properties, click on the IP tab and then click on the assign from static pool radio button and input your IP address scheme. This is how it should be done when using a different scope than what is normally on the network in RRAS.
moty66 (Author) Commented:
So what about the gateway? I want to assign a gateway to the VPN dial-in users.
I don't want to take it from the DHCP.
Is it impossible to do it from RRAS?
Like I said, a dialin client does not have the option for a gateway - it is only connected to one device.  Therefore, it has no option but to forward all of its traffic to its peer (the RAS server).  From the RAS server, it just uses the gateway of the server.  I believe there is a checkbox in the RAS server settings of whether or not to allow clients to use this.  If you don't, the clients will not be able to forward traffic off of the RAS server's segment.  Typically though, you want the client to behave as if it were sitting on the network, so you allow this use.
Cyberstretch - I think you are misunderstanding my point, unless I am misunderstanding yours.  My point is that you can still provide dynamic address assignment without setting up a DHCP server.  A RAS server has the ability to store its own local pool for the use of handing addresses to its clients.  This provides all of the benefits of DHCP without actually having to set up a DHCP server.

It could be possible that there is a misunderstanding.

However, I took the original post to mean that there already *is* a DHCP server on the network ("the first with DHCP and Remote access for the dialup user and it is working ok."). If there is an existing DHCP server that has an IP pool large enough to accommodate the RAS/VPN clients, I figure that it would be more beneficial to use the DHCP server than configuring RAS with an IP block out of the existing allocation to avoid any possible IP conflicts.

By having multiple IP blocks/allocations/scopes, etc, in multiple configurations (ie, DHCP, RRAS settings, etc) you increase the complexity and the potential for error when assigning IP addresses.

The main point I am trying to get across is that centralized IP management usually works out better than decentralizing it by allowing multiple sources to control blocks of IPs. It helps a heck of a lot when things go wrong too.

In the end, I think we are basically saying the same thing, just different methods of achieving the same result.
I have to disagree with that to a point. We assign IPs via DHCP from the RRAS server rather than using the regular DHCP server. We give the dialin users a different scope as this makes it easier for us to figure out who is doing what from where whenever something happens. I know whether a dialin user is doing something or a regular joe blow from the LAN. Centralized management may be beneficial in some cases, but not all.
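
Added example, not part of any participant's post: a small Python check that the VPN pool does not overlap the LAN DHCP scope, and that tags log source addresses as VPN user, VPN pool, or LAN, as the comments on static per-user IPs and separate dial-in scopes describe. All ranges, user names, and log lines are constructed for illustration.

```python
import ipaddress

# Constructed addressing plan (assumptions, not values from the thread).
LAN_DHCP_SCOPE = ("192.168.1.100", "192.168.1.200")    # scope on the existing DHCP server
VPN_POOL = ("192.168.50.10", "192.168.50.50")          # pool handed out by the RRAS server
STATIC_USER_IPS = {"192.168.50.10": "alice", "192.168.50.11": "bob"}  # per-user Dial-in tab IPs

def to_range(pair):
    """Parse a (start, end) pair and reject inverted ranges."""
    start, end = (ipaddress.IPv4Address(a) for a in pair)
    if start > end:
        raise ValueError(f"range start {start} is above end {end}")
    return start, end

def overlaps(a, b):
    """True if two inclusive address ranges share at least one address."""
    (a_lo, a_hi), (b_lo, b_hi) = to_range(a), to_range(b)
    return a_lo <= b_hi and b_lo <= a_hi

def classify(ip):
    """Map a source address to the pool (or named user) it belongs to."""
    addr = ipaddress.IPv4Address(ip)
    if str(addr) in STATIC_USER_IPS:
        return "vpn-user:" + STATIC_USER_IPS[str(addr)]
    for label, pool in (("vpn-pool", VPN_POOL), ("lan-dhcp", LAN_DHCP_SCOPE)):
        lo, hi = to_range(pool)
        if lo <= addr <= hi:
            return label
    return "unknown"

# Constructed log lines in the form "<timestamp> <source-ip> <event>".
SAMPLE_LOG = """\
2003-01-10T09:12:01 192.168.50.10 logon-failure
2003-01-10T09:12:07 192.168.1.150 file-access
2003-01-10T09:13:40 192.168.50.23 logon-failure
2003-01-10T09:14:02 10.9.9.9 logon-failure
"""

def attribute(log_text):
    """Return (timestamp, ip, event, origin) for each well-formed log line."""
    rows = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) == 3:
            ts, ip, event = parts
            rows.append((ts, ip, event, classify(ip)))
    return rows

if __name__ == "__main__":
    print("pools overlap:", overlaps(LAN_DHCP_SCOPE, VPN_POOL))
    for row in attribute(SAMPLE_LOG):
        print(*row)
```

An address tagged only as `vpn-pool` identifies the connection type but not the person; the RRAS connection records for that time are still needed to name the account.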
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
Post your closing recommendations!  No comment means you don't care.