In This Topic

Configuring DHCP Options

The booting client and the server communicate using Dynamic Host Control Protocol (DHCP) packets. The Windows Deployment Services solution for booting over the network works well in many configurations. It works well when Windows Deployment Services is located on the same physical computer or on a different physical computer from the DHCP server. However, the default installation is that Windows Deployment Services and a DCHP server (Microsoft or non-Microsoft) are located on different physical computers. In this scenario, no additional configuration steps are required for interoperability between Windows Deployment Services and the DHCP server.

However, if you are running Windows Deployment Services and DHCP on the same computer, in addition to configuring the server to not listen on port 67, you will need to use your DHCP tools to add Option 60 to their DHCP scopes. This allows booting clients to learn about the Windows Deployment Services PXE server from the DHCP response that is generated by the DHCP server. Setting DHCP option tag 60 has one side-effect: clients booting from the network are always notified that the PXE server is available, even if the server is not operational or has stopped. For instructions on configuring these options, see the "DHCP section" in How to Manage Your Server.


There are some scenarios (particularly those that require running a DHCP server) that do not support adding custom DHCP option 60 on the same physical computer as the Windows Deployment Services server. In these circumstances, it is possible to configure the server to bind to UDP Port 67 in nonexclusive mode by passing the SO_REUSEADDR option. For more information, see Using SO_REUSEADDR and SO_EXCLUSIVEADDRUSE (

If DHCP is installed on a server that is located in a different subnet, you will need to do one of the following: configure your IP Helper tables (recommended) or add DHCP options 66 and 67. For more information about these settings, see Managing Network Boot Programs.

Enabling DHCP Authorization

By default, the PXE server for Windows Deployment Services does not need to be authorized to service client computers. However, you can enable DHCP authorization (which is also known as rogue detection). You may want to enable this authorization for the following reasons:

  • To help prevent an improperly configured PXE server on the network. You can do this by requiring that only those servers that you authorize can service clients. This is not a security protection mechanism, but it can help ensure that a PXE server that is not approved does not service clients. Furthermore, DHCP authorization applies only to computers that are joined to the Active Directory Domain Services (AD DS) structure of the corporate network. For example, if a corporation had a forest, a malicious user could plug a computer into the corporate network, install Windows Server® 2008, run Dcpromo, create a forest, install Windows Deployment Services, and then authorize it.

  • Your IT department has a policy that only authorized servers should be both PXE servers and DHCP listeners.

Authorization checks occur only if authorization checking is enabled and the PXE server is configured to listen on port 67. This means that authorization checks take place only in scenarios where Windows Deployment Services is running on a computer without DHCP. If Windows Deployment Services and DHCP are running on the same physical computer, then the DHCP server is listening on port 67, and it is responsible for making sure that it is authorized properly. Note that the PXE server will not perform any additional checks. You can enable this authorization using the following methods:

  • Using the Windows Deployment Services MMC snap-in. To do this, right click the server, click Properties and on the Advanced tab, select Yes, Windows Deployment Server should be authorized in DHCP before servicing clients.

  • Using WDSUTIL by running WDSUTIL /Set-Server /RogueDetection:Yes.

  • Using the DHCP MMC snap-in. To do this, on the DHCP server, click Start, point to Administrative Tools, and then click DHCP.

Authorizing a Server

You can authorize a Windows Deployment Services server using the Advanced tab of the server’s properties. However, you must be a domain administrator in the root domain of the forest or be an enterprise administrator. Alternatively, you may delegate permissions by using the following procedure.

To delegate permissions to authorize the server
  1. Open the Active Directory Sites and Services MMC snap-in.

  2. On the View menu, click Show Services Node.

  3. Click Services.

  4. Right-click NetServices, and then click Properties.

  5. On the Security tab, assign the following permissions to the users or groups for which you want to authorize these servers: Read, Write, and Create all child objects.

  6. Click Advanced. Click the user or group you just added, and then click Edit.

  7. In the Apply to box, click This object and all descendant objects.

The environment that the Windows Deployment Services server is in influences the authorization behavior:

  • NT4 domain. If the PXE server is part of an NT4 domain, no authorization is performed and the PXE server will service requests. This mode is supported only if the PXE server is running with a custom non-Microsoft PXE provider. Windows Deployment Services requires AD DS; therefore, it cannot operate if joined only to an NT4 domain.

  • Windows Server 2000 or later domain. If the PXE server is part of a Windows Server 2000 or later domain (meaning that AD DS is present), it queries AD DS to determine its authorization state.

  • Workgroup. If the PXE server is part of a workgroup, it can service client requests as long as other DHCP servers on the same subnet are not part of a domain. If a DHCP server that is part of a domain comes online, the PXE server will stop servicing requests.

  • Windows Small Business Server 2003. If the PXE server is part of a Small Business Server 2003 domain, it must be the only DHCP server on the network. If another DHCP server exists or comes online, the PXE server stops servicing requests.