Use PowerShell Functions to Authorize DHCP Servers

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using functions from Windows 8 and Windows Server 2012 to authorize DHCP servers in AD DS.

Microsoft Scripting Guy, Ed Wilson, is here. Well, today it is sunny and about 70 degrees in Charlotte, North Carolina. This is a good thing because I head to Redmond, Washington, next week for a series of meetings, and I do not believe it will be sunny and warm there. In fact, according to my Get-InternationalWeather function I wrote a couple of years ago, it is 37.0 degrees F (2.0 degrees C) in Seattle right now—but at least it is not raining.

Yesterday, I talked about using Windows PowerShell to query Active Directory Domain Services (AD DS) for authorized DHCP servers. I used the Get-ADObject cmdlet from the ActiveDirectory module that is available from the Remote Server Admin Tools (RSAT)—this can be the Windows 7 RSAT or the Windows 8 RSAT. Today, I want to look at using a few cmdlets from the DHCPServer module that is in the RSAT for Windows 8 and Windows Server 2012.

Note: Today’s post is a continuation of the Use PowerShell to Query AD DS for DHCP Servers post. As such, you should probably read that article before getting into today’s article. If you do not, you miss part of the plot.

One problem with querying from ADSI

When I began to query for DHCP servers by using the Get-DhcpServerInDC function, the output appeared to be a bit strange.

(Yesterday, I obtained the name of the DHCP server from AD DS through the ADSI Edit utility, and therefore, I queried using DNS.)

I did not recognize both IP addresses that it returned. When I used the Resolve-DnsName cmdlet for the DHCP server, I found the following IP addresses registered in DNS.

PS C:\> Resolve-DnsName wds1

Name                                           Type   TTL   Section    IPAddress
----                                           ----   ---   -------    ---------
                                               A      1200  Answer
                                               A      1200  Answer

However, when I navigated to the Configuration / Services / NetServices node in ADSI Edit, I found the DHCPServers attribute on the server. I opened up the string editor for it in ADSI Edit and found that the attribute contained two IP addresses. These addresses are seen here.

Image of Multi-valued String Editor dialog box

Hmm, this is strange because these are not the IP addresses used on my network. Next, I open the Manage Authorized Servers tool in the DHCP management console, and sure enough, the WDS1 server appears twice with two different addresses. This appears in the following image.

Image of Manage Authorized Servers dialog box

I, once again, returned to the Get-DhcpServerInDC function and typed the command again. The output was still the same (I had done nothing to change it). The output is shown here.

Image of command output

Next, I attempted to use the Test-WSMan cmdlet to check for connectivity to the remote machines. I did this because at times Ping is blocked via the Windows Firewall, but the DHCP server functions all use CIM, and that relies upon the WinRM protocol. As shown here, neither of the IP addresses listed in ADSI Edit accepts connections.

Image of command output

Finally, I decided to use Test-WSMan to make the connection via DNS name resolution. The response came immediately back. As appears here, the connection was successful.

Image of command output

Therefore, I decided to unauthorize the server. I ran the Remove-DhcpServerInDC function twice, and I specified the IPAddress parameter both times. This is because, if I run the command with only the DNSName parameter filled out, DNS name resolution is used to resolve the name, and all IP addresses are filled in. But because I had bogus IP addresses registered, I felt the need to specify the IP address. Nothing returns from these commands.

Remove-DhcpServerInDC -DnsName -IPAddress

Remove-DhcpServerInDC -DnsName -IPAddress

Now I need to add the correct server so it will register in Active Directory. To register the DHCP server in AD DS, I use the Add-DhcpServerInDC function, as shown here.

Add-DhcpServerInDC -DnsName -IPAddress

I check it by using the Get-DhcpServerInDC function. This is shown here.

PS C:\> Get-DhcpServerInDC

IPAddress            DnsName
---------            -------

If I run the Add-DhcpServerInDC function a second time for a server that is already authorized in AD DS, a warning message appears—but the command also kicks off an authorization check. The command and its output are shown here.

16:03 C:\> Add-DhcpServerInDC -DnsName -IPAddress

WARNING: The DHCP server with IP address is already

authorized in Active Directory. The authorization check on the DHCP server has been initiated.

Keep in mind, when viewing the action in the DHCP tool, things move really slowly, and it can take several minutes before the arrows change from red (unauthorized) to green. Also, it may take running the Add-DhcpServerInDC function a second time—to kick off the second authorization check (at least that was my experience). Of course, first do this in a test environment before you get too carried away on a live network.
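The manual comparison walked through above (authorized addresses in AD DS versus what DNS returns for the server name) can be scripted as an audit. This is an added example, not code from the original post; the function name Find-StaleDhcpAuthorization, the -Resolver parameter, the status values, and the sample names and addresses are all hypothetical.

```powershell
function Find-StaleDhcpAuthorization {
    [CmdletBinding()]
    param(
        # Objects with IPAddress and DnsName, as returned by Get-DhcpServerInDC.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Authorized,

        # Returns the IPv4 addresses for a name; the default does a live DNS lookup.
        [scriptblock]$Resolver = {
            param($Name)
            Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'A' } |
                ForEach-Object { $_.IPAddress }
        }
    )
    process {
        foreach ($entry in $Authorized) {
            # Drop $null results so an unresolvable name yields an empty array.
            $dnsIPs = @(& $Resolver $entry.DnsName | Where-Object { $_ })
            $ip     = [string]($entry.IPAddress)

            if ($dnsIPs.Count -eq 0)        { $status = 'NameDoesNotResolve' }
            elseif ($dnsIPs -contains $ip)  { $status = 'OK' }
            else                            { $status = 'NotInDns' }

            [pscustomobject]@{
                DnsName    = $entry.DnsName
                Authorized = $ip
                InDns      = $dnsIPs -join ', '
                Status     = $status
            }
        }
    }
}

# Constructed sample data: documentation address ranges and hypothetical names.
$sampleAuthorized = @(
    [pscustomobject]@{ IPAddress = '192.0.2.10';   DnsName = 'dhcp1.example.test' }
    [pscustomobject]@{ IPAddress = '198.51.100.7'; DnsName = 'dhcp1.example.test' }
    [pscustomobject]@{ IPAddress = '203.0.113.5';  DnsName = 'old.example.test' }
)
$sampleDns      = @{ 'dhcp1.example.test' = @('192.0.2.10') }
$sampleResolver = { param($Name) $sampleDns[$Name] }

$sampleAuthorized | Find-StaleDhcpAuthorization -Resolver $sampleResolver

# Live use (requires the DhcpServer module); -WhatIf previews the removals:
#   Get-DhcpServerInDC | Find-StaleDhcpAuthorization | Where-Object Status -ne 'OK' |
#     ForEach-Object { Remove-DhcpServerInDC -DnsName $_.DnsName -IPAddress $_.Authorized -WhatIf }
```

A multihomed DHCP server can legitimately be authorized on an address that is not registered in DNS, so treat NotInDns as a prompt to verify (for example with Test-WSMan, as in the post) rather than as proof that the entry is bogus.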

Join me tomorrow when I will talk about cool Windows PowerShell stuff.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy

Comments (2)

  1. Anonymous says:

    Thanks… great info.
