Introduction to DHCP Server Authorisation on Windows Server 2019

DHCP Server Authorisation is an Active Directory feature that prevents rogue DHCP servers from operating in a domain environment. In a Windows domain, before a DHCP server will respond to client requests, it must verify that it is authorised in Active Directory. An unauthorised DHCP server — whether accidentally deployed or maliciously installed — can assign incorrect IP configurations, redirect traffic, and cause widespread network disruption. Authorisation is the primary defence against this threat. This guide covers the authorisation mechanism, how to authorise and unauthorise servers, troubleshooting authorisation failures, and workgroup server considerations.

How DHCP Authorisation Works

When the Windows DHCP Server service starts, it queries Active Directory to check whether its own IP address appears in the list of authorised DHCP servers stored in the AD configuration partition. If it finds itself authorised, it begins responding to client requests. If it is not authorised, it logs Event ID 1046 (“This server is not an authorized DHCP server”) and enters a passive state in which it does not respond to any DHCP requests. The check runs at service start and is repeated every few minutes while the service is running, so a server whose authorisation is removed (or whose IP address changes) stops serving shortly afterwards.

The authorised DHCP server list is stored in AD under CN=NetServices,CN=Services,CN=Configuration,DC=domain,DC=com. By default only members of the Enterprise Admins group can modify this list; keeping the privilege at the forest level means a domain administrator cannot accidentally authorise a rogue server.

Prerequisites

# Verify the DHCP Server role is installed
Get-WindowsFeature -Name DHCP

# Check the current authorisation status from the System log
# Event ID 1046 = not authorised, 1063 = authorised
# (provider name is "DhcpServer" on older builds and "Microsoft-Windows-DHCP-Server" on newer ones)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1046, 1063 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'DHCP-?Server' } |
    Select-Object TimeCreated, Id, ProviderName, Message | Format-List

Authorise a DHCP Server in Active Directory

Authorisation requires Enterprise Admin credentials (or delegation of that specific right). You can authorise from the DHCP console or via PowerShell:

# Authorise a DHCP server by DNS name and IP address
# Must be run with Enterprise Admin credentials
Add-DhcpServerInDC -DnsName "dhcp1.corp.example.com" -IPAddress "192.168.1.10"

# Verify the server is authorised
Get-DhcpServerInDC

# Output example:
# IPAddress          DnsName
# ---------          -------
# 192.168.1.10       dhcp1.corp.example.com
# 192.168.1.11       dhcp2.corp.example.com

After authorisation, restart the DHCP Server service on the target machine to trigger an immediate re-check:

# Restart the DHCP service on the newly authorised server
# (Restart-Service has no -ComputerName parameter, so run it remotely over WinRM)
Invoke-Command -ComputerName "dhcp1.corp.example.com" -ScriptBlock { Restart-Service -Name DHCPServer }

# Check the DHCP service status (Get-Service -ComputerName is available in Windows PowerShell 5.1)
Get-Service -Name DHCPServer -ComputerName "dhcp1.corp.example.com"

Unauthorise a DHCP Server

To decommission a DHCP server or remove a rogue server from the authorised list:

# Remove a DHCP server from the authorised list in AD
Remove-DhcpServerInDC -DnsName "rogue-dhcp.corp.example.com" -IPAddress "192.168.1.99"

# Confirm removal
Get-DhcpServerInDC

# Stop the DHCP service on the unauthorised server immediately
# (Stop-Service has no -ComputerName parameter, so run it remotely over WinRM)
Invoke-Command -ComputerName "rogue-dhcp.corp.example.com" -ScriptBlock { Stop-Service -Name DHCPServer -Force }
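A reconciliation check, added here as an example and not part of the original guide, that walks the AD authorised list and flags entries whose DNS name no longer resolves to the recorded IP, or whose host no longer has a running DHCPServer service. Because authorisation is matched on the IP address, a server whose address changed after Add-DhcpServerInDC shows up as IPMismatch and will have stopped serving clients. It assumes the DhcpServer and DnsClient modules are present and that the caller may query services on the listed hosts.

```powershell
# Added example: reconcile the AD authorised-server list against DNS and the live service.
# Assumes the DhcpServer and DnsClient modules and rights to query services remotely.
function Get-DhcpAuthorisationDrift {
    [CmdletBinding()]
    param()

    foreach ($entry in Get-DhcpServerInDC) {
        $recordedIP = $entry.IPAddress.IPAddressToString
        $resolved = @()
        try {
            $resolved = @((Resolve-DnsName -Name $entry.DnsName -Type A -ErrorAction Stop).IPAddress |
                          Where-Object { $_ })
        } catch { }

        # Is the DHCPServer service still present (and running) on that host?
        $svc = Get-Service -Name DHCPServer -ComputerName $entry.DnsName -ErrorAction SilentlyContinue

        # Authorisation is matched on the IP address, so an address change after
        # Add-DhcpServerInDC silently unauthorises the server: that shows up as IPMismatch
        $finding = if ($resolved.Count -eq 0)            { 'DnsNameNotResolvable' }
                   elseif ($recordedIP -notin $resolved) { 'IPMismatch' }
                   elseif (-not $svc)                    { 'ServiceMissingOrUnreachable' }
                   elseif ($svc.Status -ne 'Running')    { 'ServiceNotRunning' }
                   else                                  { 'OK' }

        [pscustomobject]@{
            DnsName       = $entry.DnsName
            AuthorisedIP  = $recordedIP
            ResolvedIPs   = ($resolved -join ', ')
            ServiceStatus = if ($svc) { [string]$svc.Status } else { 'n/a' }
            Finding       = $finding
        }
    }
}

# Decommissioned hosts: Remove-DhcpServerInDC; moved servers: Add-DhcpServerInDC with the new IP
Get-DhcpAuthorisationDrift | Where-Object Finding -ne 'OK' | Format-Table -AutoSize
```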

Delegate DHCP Authorisation Rights

By default, only Enterprise Admins can authorise DHCP servers. In large organisations, you may want to delegate this right to a specific AD group without granting full Enterprise Admin privileges. This delegation is done on the AD object that stores the authorised server list:

# Find the NetServices object in the AD Configuration partition
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$netServicesPath = "CN=NetServices,CN=Services,$configNC"
$netServices = Get-ADObject -Identity $netServicesPath

# View the current ACL on the NetServices container (the AD: drive comes with the ActiveDirectory module)
$acl = Get-Acl -Path "AD:\$netServicesPath"
$acl.Access | Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType

# Delegate to a specific group. Authorising a server creates and updates child objects
# under NetServices, so grant create/delete child plus write property, inherited to descendants
$group = [System.Security.Principal.NTAccount]"corp\DHCPAdmins"   # DOMAIN\group placeholder
$rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty'
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$netServicesPath" -AclObject $acl
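Once delegation is in place, the NetServices ACL is the control that decides who can authorise a DHCP server, so it is worth auditing. The function below is an added example (not part of the original guide) that lists every principal holding an allow ACE with a right that can add, remove or re-permission entries under the container; compare the output with the set you expect (Enterprise Admins, SYSTEM and the group you delegated to).

```powershell
# Added example: list every principal that can effectively authorise a DHCP server,
# i.e. holds a write-capable allow ACE on CN=NetServices. Assumes the ActiveDirectory module.
function Get-DhcpAuthorisationWriters {
    [CmdletBinding()]
    param()
    Import-Module ActiveDirectory -ErrorAction Stop
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $path = "AD:\CN=NetServices,CN=Services,$configNC"

    # Rights that grant write, not just read, over the container and its child objects;
    # WriteDacl/WriteOwner are included because they let a holder grant the others to themselves
    $writeRights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty, GenericWrite, GenericAll, WriteDacl, WriteOwner'

    (Get-Acl -Path $path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]($_.ActiveDirectoryRights -band $writeRights)) -ne 0
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited
}

# Anything outside the expected set (Enterprise Admins, SYSTEM, the delegated group) is a finding
Get-DhcpAuthorisationWriters | Format-Table -AutoSize
```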

Workgroup DHCP Servers — Authorisation Bypass

Windows DHCP servers that are not domain members (workgroup servers) cannot query Active Directory for authorisation. Their behaviour depends on whether a domain controller is detectable on the network:

– If the workgroup DHCP server can detect a domain controller on the network, it will NOT respond to DHCP requests (it detects that it is in a domain but is not authorised).

– If the workgroup DHCP server cannot detect any domain controller, it will start responding (it assumes it is in a workgroup environment where authorisation doesn’t apply).

This means workgroup DHCP servers cannot be authorised in AD — they should only be used in isolated workgroup networks with no domain controllers present. If you need a DHCP server in a domain environment, it must be domain-joined.

# On a workgroup DHCP server, check the service status and recent DHCP Server events
# If DCs are detectable, the service stays in a stopped/passive state
Get-Service -Name DHCPServer
Get-WinEvent -LogName System |
    Where-Object { $_.ProviderName -match 'DHCP-?Server' } |
    Select-Object -First 10 TimeCreated, Id, Message

Detect Rogue DHCP Servers on the Network

Even with authorisation enforcement, it is good practice to actively scan for unauthorised DHCP servers on your network. A rogue DHCP server might be a domain-joined server that was accidentally configured, or a non-Windows device (wireless router, virtual machine) that is not subject to AD authorisation checks:

# The built-in check only covers Windows DHCP servers that consult AD: a server that is
# no longer on the authorised list stops serving and logs an event on its own host

# List the servers currently authorised in AD (same data as Get-DhcpServerInDC;
# the netsh dhcp context needs the DHCP Server tools from RSAT)
netsh dhcp show server

# To find anything else answering DHCP on a segment (non-Windows devices, appliances,
# VMs), broadcast a DHCPDISCOVER and record every server that replies
# (Wireshark, or a small UDP socket script)

# Check the System event log for rogue DHCP detection events
Get-WinEvent -LogName System |
    Where-Object { $_.ProviderName -match 'DHCP-?Server' -and $_.Id -eq 1055 } |
    Select-Object TimeCreated, Message | Format-List
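The DHCPDISCOVER probe mentioned above, written out as an added example (not from the original guide): it sends one broadcast DHCPDISCOVER from a constructed MAC, collects every DHCPOFFER/BOOTREPLY that echoes its transaction id, and marks each responding server as authorised or not against Get-DhcpServerInDC. It assumes the DhcpServer RSAT module is installed on the probing host and that a second socket may share UDP port 68 with the DHCP client (ReuseAddress); run it from a host on the segment you want to check.

```powershell
# Added example: broadcast one DHCPDISCOVER and report every server that answers,
# flagging responders that are not in the AD authorised list. Assumes the DhcpServer
# RSAT module is present and that a second socket may share UDP port 68 (ReuseAddress).
function Find-RogueDhcpServer {
    param([int]$TimeoutSeconds = 5)

    $authorised = @((Get-DhcpServerInDC).IPAddress.IPAddressToString)
    $xid = [byte[]](Get-Random -Count 4 -InputObject (0..255))     # transaction id
    $mac = [byte[]](0x02,0x00,0x5E,0x00,0x00,0x01)                 # constructed locally administered MAC

    # RFC 2131 fixed header: op=1 BOOTREQUEST, htype=1, hlen=6, hops=0, xid, secs=0, flags=0x8000 (broadcast)
    $pkt = New-Object System.Collections.Generic.List[byte]
    $pkt.AddRange([byte[]](1,1,6,0)); $pkt.AddRange($xid); $pkt.AddRange([byte[]](0,0,0x80,0))
    $pkt.AddRange([byte[]]::new(16))                 # ciaddr, yiaddr, siaddr, giaddr all zero
    $chaddr = [byte[]]::new(16); [Array]::Copy($mac, $chaddr, 6); $pkt.AddRange($chaddr)
    $pkt.AddRange([byte[]]::new(192))                # sname (64) + file (128)
    $pkt.AddRange([byte[]](0x63,0x82,0x53,0x63))     # magic cookie
    $pkt.AddRange([byte[]](53,1,1,255))              # option 53 = DHCPDISCOVER, then END

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.SetSocketOption('Socket', 'ReuseAddress', $true)
    $udp.Client.Bind([System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 68))
    $udp.EnableBroadcast = $true
    $udp.Client.ReceiveTimeout = 1000
    $bytes = $pkt.ToArray()
    [void]$udp.Send($bytes, $bytes.Length, '255.255.255.255', 67)

    $seen = @{}
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        $from = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        try { $reply = $udp.Receive([ref]$from) } catch { continue }     # receive timeout: keep waiting
        # Keep only BOOTREPLY (op=2) packets that echo our transaction id
        if ($reply.Length -lt 240 -or $reply[0] -ne 2) { continue }
        if (($reply[4..7] -join ',') -ne ($xid -join ',')) { continue }
        $seen[$from.Address.IPAddressToString] = $true
    }
    $udp.Close()

    foreach ($ip in $seen.Keys) {
        [pscustomobject]@{ Server = $ip; AuthorisedInAD = ($ip -in $authorised) }
    }
}

Find-RogueDhcpServer | Format-Table -AutoSize
```

Any row with AuthorisedInAD = False is a server handing out leases that AD never approved; the probe sees only the broadcast domain it runs in, so repeat it per VLAN.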

Post-Authorisation DHCP Server Configuration Checklist

After authorising a new DHCP server, complete these steps before it goes into production:

# 1. Create and activate scopes
Get-DhcpServerv4Scope | Select-Object ScopeId, Name, State | Format-Table

# 2. Configure scope options (DNS servers, gateway, domain name)
Set-DhcpServerv4OptionValue -ScopeId "192.168.100.0" `
    -DnsServer "192.168.1.10","192.168.1.11" `
    -Router "192.168.100.1" `
    -DnsDomain "corp.example.com"

# 3. Enable and configure audit logging
Set-DhcpServerAuditLog -Enable $true -Path "D:\DHCPLogs"

# 4. Configure DNS dynamic updates
Set-DhcpServerv4DnsSetting -DynamicUpdates Always -DeleteDnsRROnLeaseExpiry $true

# 5. Configure failover (if applicable)
Get-DhcpServerv4Failover

# 6. Verify DHCP statistics
Get-DhcpServerv4Statistics | Format-List

Summary

DHCP Server Authorisation in Windows Server 2019 and Active Directory provides an important security control against rogue DHCP servers by requiring Enterprise Admin approval before any DHCP server can respond to client requests. The process involves registering the server’s IP and DNS name in the AD configuration partition via Add-DhcpServerInDC. Workgroup servers in domains cannot be authorised and are automatically suppressed when domain controllers are detectable. Delegating the authorisation right to a dedicated DHCP admin group reduces the need for Enterprise Admin involvement in day-to-day DHCP server management while maintaining the security boundary.