How to verify Win DHCP Server is pushing Option 252

We have a Windows Server 2003 DHCP server with Option 252 set for multiple DHCP scopes.

What I want to verify is that the DHCP server is actually pushing Option 252 to client computers (Windows XP SP2).

Was told that Win DHCP, by default, pushes all DHCP options to all PC's. Therefore, once we set Option 252 assumed it was being pushed to all computers. But we are finding that is not the case.

More details:
1. Multiple domain environment with multiple WPAD addresses, one per domain (yes this stinks, but that is the environment currently and we need to work with it.)
2. We are trying to push WPAD settings through DHCP (Unable to do this through GPO due to infrastructure configuration, otherwise we would.)
3. Have a PC which should be receiving Option 252 via DHCP but IE does not get the WPAD settings. (i.e. user cannot get to Internet with Automatically detect settings checked in IE. PC is getting lease from correct DHCP server)
4. IE should pick up WPAD setting from DNS after checking DHCP but it is not. PC's are in Domain2 and WPAD setting is in Domain1. Unfortunately WPAD settings exist in both domains, WPAD.Domain1.com and WPAD.Domain2.com.
5. Same PC has Firefox and that is getting the correct WPAD settings (i.e. user can get to the Internet using Automatically detect settings option)
6. Advised that Firefox does not use DHCP for WPAD and instead uses DNS, which makes sense as to why Firefox works but IE does not.
7. Not sure why Firefox resolves WPAD correctly via DNS but IE does not.
8. Best guess on the IE vs Firefox difference is that IE is appending the PC domain suffix to WPAD and thus goes to WPAD.Domain2.com, which is wrong. And Firefox is using the DNS suffix search list to append to WPAD and gets WPAD.Domain1.com because we have forced Domain1.com to be at the top of the DNS suffix list.
9. Used Wireshark to capture DHCP REQ and ACK packets. In the DHCP ACK it shows the options being pushed by DHCP server and no Option 252 shows up.

Thanks
lrnr94Asked:
 
lrnr94Author Commented:
I think I have gotten an answer to my original question:

How to verify that DHCP Option 252 is being passed from the DHCP server to a client?
(Windows Server 2003 DHCP server and Windows XP client)

1. The request for DHCP Option 252 is initiated at the client when Internet Explorer is opened and proxy settings are set to "Automatically detect settings" under LAN settings in IE. A DHCP release/renew will not request option 252.

2. The client sends a DHCP Inform packet via broadcast. In this packet you can see, via Wireshark, under the Bootstrap Protocol section of the packet, under  Option 55 (Parameter Request List), 252 = Private/Proxy autodiscovery

3. The DHCP server receives this DHCP Inform packet and sends back a DHCP ACK packet containing the Option 252 information. You can see this in the ACK packet under the Bootstrap Protocol section of the packet, under  Option (t=252, l=37) Private/Proxy autodiscovery = "http://wpad.domain.com/wpad.dat"

4. You can verify the wpad setting being cached on the client by checking the following reg entries:
DefaultConnectionSettings and SavedLegacySettings under HKCU\Software\Microsoft\CurrentVersion\Internet Settings\Connections per http://technet.microsoft.com/en-us/library/cc302643.aspx
If you double click the DefaultConnectionSettings entry you will see the wpad settings which IE is using when Automatically detect settings is checked. The other entry, SavedLegacySettings is the backup to the first entry. All of that is in the Technet article.

Thanks for all of the time and effort from everyone on this forum, all of your help was much appreciated.

Now that we know how it works we are moving on to why it is working and was not before!
0
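The check described in steps 2 and 3 of the answer above can also be done programmatically. The following Python is an added example, not part of the original post or of any Microsoft tool: it parses the DHCP options out of a message's UDP payload and reports whether Option 252 is requested (in Option 55) or delivered. The function names are hypothetical, the sample messages are constructed, and it assumes you have exported the DHCP payload bytes from your capture.

```python
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 8: "INFORM"}

def parse_options(payload: bytes) -> dict:
    """Return {option_code: value_bytes} from the UDP payload of a DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message (too short or no magic cookie)")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:      # 255 = End
        code = payload[i]
        if code == 0:                                  # 0 = Pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError(f"option {code} has no length byte")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        opts[code] = opts.get(code, b"") + value       # split options concatenate (RFC 3396)
        i += 2 + length
    return opts

def wpad_status(payload: bytes) -> dict:
    """Summarise what a message says about Option 252 (WPAD)."""
    opts = parse_options(payload)
    url = opts.get(252)
    return {
        "type": MSG_TYPES.get((opts.get(53) or b"\x00")[0], "UNKNOWN"),
        "requests_252": 252 in opts.get(55, b""),      # Option 55 = Parameter Request List
        # tolerate a trailing NUL terminator on the URL string
        "wpad_url": None if url is None else url.rstrip(b"\x00").decode("ascii", "replace"),
    }

def build_sample(op: int, msg_type: int, extra: bytes) -> bytes:
    """Constructed test message: zeroed BOOTP header plus the given options."""
    return bytes([op, 1, 6, 0]) + bytes(232) + MAGIC + bytes([53, 1, msg_type]) + extra + b"\xff"

URL = b"http://wpad.domain.com/wpad.dat"               # placeholder URL from the post
# Constructed samples: a lease REQUEST with the parameter list quoted in this thread
# (no 252), the INFORM that IE triggers, and the server's ACK to that INFORM.
LEASE_REQUEST = build_sample(1, 3, bytes([55, 11, 1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43]))
INFORM = build_sample(1, 8, bytes([55, 3, 1, 15, 252]))
ACK = build_sample(2, 5, bytes([252, len(URL)]) + URL)

if __name__ == "__main__":
    for name, pkt in (("REQUEST", LEASE_REQUEST), ("INFORM", INFORM), ("ACK", ACK)):
        print(name, wpad_status(pkt))
```

Comparing the reported `wpad_url` against the URL you configured on the scope also shows whether the answer came from your server's settings or from another responder on the segment.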
 
Jason WatkinsIT Project LeaderCommented:
Have you seen this KB article? http://support.microsoft.com/kb/307502
0
 
ChiefITCommented:
There are some dos and don'ts on this article:
http://technet.microsoft.com/en-us/library/cc713344.aspx

One is using upper case letters to configure wpad.dat.

0
 
lrnr94Author Commented:
Thanks for the responses.

I have seen both of those articles though.

We have it working on several other Win DHCP servers but this one is the problem child.

Besides using a packet sniffer I was looking for other ways to verify the option 252 either being received by the client or sent by the server.

Am going to check powershell to see if there are any commands to expose DHCP information.
0
 
ChiefITCommented:
You don't have a rogue DHCP server that is providing DHCP, without your 252 option, on the same scope and address pool, do you?
0
 
lrnr94Author Commented:
Good thought.

Computers not getting setting are getting DHCP from just one server and we have double checked DHCP server info per computer to make sure it is the correct DHCP server.

Unless there is a way that a rogue DHCP server would not show in a computer's IPCONFIG /ALL listing.
0
 
ChiefITCommented:
You can use DHCPloc.exe to track down rogue DHCP servers.

Go to the DC's command prompt to use it. DHCPloc.exe is a part of the 2003 server support tools. That utility will show you all DHCP servers responding to a DHCPREQ packet
0
 
ChiefITCommented:
By the way:

Most rogue DHCP servers are your router, or a Network accessible storage device that provides DHCP.
0
 
lrnr94Author Commented:
Verified DHCP server using wireshark. The DHCP REQ and ACK packets are going to and coming from the correct DHCP server, respectively.
0
 
Dan ArseneauCommented:
ISA is case sensitive.  Must be http://server:8080/wpad.dat not http://server:8080/Wpad.dat.
0
 
lrnr94Author Commented:
Verified that wpad settings are all lower case.
0
 
Dan ArseneauCommented:
I found the following...give it a try: (always do a Registry backup before trying anything in there)

Change the value of the entry "DhcpConnForceBroadcastFlag" under the following registry key from 1 to 0 (default value is 1).
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID of your NIC}
This key should already exist. If not create it as REG_DWORD (32 Bit)

Then delete the entry "DefaultConnectionSettings" from the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

Then reboot your computer
0
 
lrnr94Author Commented:
Thanks for the info.

Tried deleting the "DefaultConnectionSettings" entry, no luck.

Looked into the "DhcpConnForceBroadcastFlag" setting, but that appears to focus on routers and non-Microsoft DHCP servers. We are using a Microsoft DHCP server. So we did not change that reg setting.

0
 
giltjrCommented:
When you ran the wireshark capture, did you see DHCP option 252 flow?
0
 
Donald StewartNetwork AdministratorCommented:
0
 
Donald StewartNetwork AdministratorCommented:
0
 
lrnr94Author Commented:
Using Wireshark we did not see Option 252 listed in the ACK packet coming from the DHCP server.

Have gone through Troubleshooting Automatic Detection, no luck.

Looking into the KB911072 article to verify our set up does or does not match this.

Thanks.
0
 
giltjrCommented:
I just did a quick wireshark, and I did not see my XP machine requesting option 252.

Now, I may be wrong, but I thought that the DHCP client requested what options it wanted in the DHCP Request and the server responded with them in the DHCP ACK.

So I would assume you need to update all clients to ask for option 252:

     http://support.microsoft.com/kb/312468
0
 
lrnr94Author Commented:
From what we have been told and have experienced at other locations with similar configurations Microsoft DHCP servers, by default, push all options to all clients. If there is nothing configured for an option it obviously will not get pushed.

Going by this assumption we have configured the Option 252 settings at other locations on Microsoft DHCP servers and have had it automatically pushed to all clients. Unfortunately, at one site we have set Option 252 on the Microsoft DHCP server but do not see Option 252 show up in the ACK packet being sent to the clients.

If you put something in Option 252 or some other option, you should be able to see it getting passed in the ACK packet through Wireshark.

I did check KB312468, it applies to NT 4 & 2000, but I do appreciate the additional info and if we had to make a change to each client this will be useful. But, for now we do not intend to make any change to clients.

Our clients: Windows XP SP2
Our DHCP server: Windows 2003 SP2

Thanks.
0
 
lrnr94Author Commented:
Some more information.
I looked at the REQ & ACK packets in Wireshark to compare the options listed in each.

I could be wrong where I am looking in wireshark for confirmation that Option 252 is being passed, please correct me if I am.

First the DHCP REQ packet.
I see 5 sections listed in the capture. I am looking under the last section of the packet, "Bootstrap Protocol" to see the DHCP options listed.
Each option shows up like this example of the first option in the list:
+ Option: (t=53, l=1) DHCP Message Type = DHCP Request
The full list of options in this REQ packet are as follows:
Option 53
Option 61
Option 12
Option 81
Option 60
Option 55 (Parameter Request list)
If I expand Option 55 I see a list of parameters, they are as follows:
1 = Subnet Mask
15 = Domain Name
3 = Router
6 = Domain Name Server
44 = NetBIOS over TCP/IP Name Server
46 = NetBIOS over TCP/IP Node Type
47 = NetBIOS over TCP/IP Scope
31 = Perform Router Discover
33 = Static Route
249 = Private/Classless Static Route (Microsoft)
43 = Vendor-specific information

When I look at the ACK packet I see the following:
Again looking under the last section of the packet, "Bootstrap Protocol"
Option 53
Option 58
Option 59
Option 51
Option 54
Option 1
Option 81
Option 15
Option 3
Option 6
Option 44
Option 46

So, from this I see 4 options in the ACK packet which the REQ packet did not ask for, those are:
Option 58
Option 59
Option 51
Option 54

To me this would confirm that Microsoft DHCP servers do push options which are not requested.

Thanks.
0
 
giltjrCommented:
Well, don't go so quick on that. Unfortunately "options" are not always optional. I will have to check, but I believe those options are not requested because they are required:

51 - Lease Time
54 - Server identifier
58 - Renewal Time
59 - Rebind Time


0
 
lrnr94Author Commented:
No problem. That is why I posted!

And to answer a previous question regarding http://technet.microsoft.com/en-us/library/cc302643.aspx, verified that this does not apply to our configuration.

Thanks.
0
 
giltjrCommented:
Um, well, if Windows is supposed to just send this option out, then I would say that there is either something wrong with your config that you are just missing (something I do quite often) or there is a bug with DHCP.

You mentioned that you have a few DHCP scopes.  Does the DHCP server have an IP address on each scope (assuming they are different IP subnets)?  If the scopes are different IP subnets and the DHCP server does not have an address on each subnet, what is doing the bootp forwarding?
0
 
lrnr94Author Commented:
Regarding the last question, we do have multiple subnets and the DHCP server is on a separate one from all of them. My understanding is that an IP helper address is configured on each switch for each subnet. I think that answers the question, I hope.
0