Are there any security issues with having short lease times on a WINS/DHCP server, i.e. 1 day or even shorter? The default is 3 days (I think) but this value causes some issues for us and we are planning to lower this value to 1 day. Well, this will cause more network traffic and DHCP communication, but are there other issues this change can cause?
June 21st, 2006, 09:30 PM
Nope, no security issues but what business need would make you shorten your lease time? Limited IPs in your scope?
June 21st, 2006, 09:36 PM
No, but when a user moves from an "office connection" to a VPN connection their computer name is still pointing to the previous IP, which is renewed/released at 50% of the lease time. This causes issues with some applications since the data is sent to the "old" address registered in WINS and not their newly given VPN address. We suspect that the issue is the lease time and will change it, but need to investigate if a shorter lease time can cause any problems.
June 21st, 2006, 09:42 PM
Windows hosts will use the last DHCP address pulled as long as it's available. It's odd to me that you're seeing a 50% turnover unless I'm totally missing the story here. When you see Windows hosts turning over DHCP addresses frequently it's a sign that the scope is limited and a bunch of hosts are using it.
Anyway, what VPN solution are you using?
June 21st, 2006, 09:55 PM
The issue is when a user leaves the office and connects a couple of hours later to the network via VPN and receives a new IP address: WINS still thinks that the user's host name has the IP that was given earlier and not the newly given one. This causes issues with some applications and can be solved by forcing a release of the registered address in WINS/DHCP.
With "50%" I meant that a "client renew address request" is sent after 50% of the lease time, i.e. if the lease time is set to 72 hours a new request will usually be sent after 36 hours. We are using Check Point VPN.
Basically I'm wondering if a shorter lease time can cause issues from a security or other perspective, which seems not to be the case. So, thanks for your answer, and if an increase of the network traffic is the only result then a try shouldn't cause any harm. ;)
June 21st, 2006, 11:26 PM
Do you have any DNS servers on your domain? This shouldn't really happen. You may have a more deep rooted problem somewhere?
When the user leaves the office, is he turning his machine off or just logging off / locking the work station?
When someone connects via VPN are they using the same DHCP server or one on a firewall/router etc?
June 22nd, 2006, 06:14 AM
This behavior is quite normal, but it's not DHCP causing your problem, it's WINS. Windows clients that receive an IP address from a DHCP offer can also receive a WINS server address from the DHCP server. WINS works much like DDNS, in that once the client gets its IP it will then attempt to register its (NetBIOS) name with its WINS server. The WINS server maintains a database like DNS and then resolves names to IPs. Machines shut down cleanly will actually 'release' their names, but if it's a laptop, the user often just suspends and disconnects from the network. This will leave the name registered. The default period for it to hold the name (the 'release interval') is 6 days. So once the host appears elsewhere on the network, WINS will still resolve to the old location. The new name may be refused by the WINS server (the host will retry every 10 minutes); of course the name may also be accepted by another WINS server on the network, but then you get WINS replication playing havoc (some have the new address, some don't) and all sorts of silliness. Basically, you need to reconfigure the 'release interval' for WINS on the WINS server(s), under intervals in the WINS admin snap.
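The suspended-laptop sequence described in the post above, as an added toy model that is not part of the thread and not Microsoft's WINS code. It follows the simplified behaviour the post describes: a name stays registered until its release interval elapses or the owner releases it, and a registration for the same name from a different address is refused while the old record is active (a real WINS server additionally challenges the old owner before deciding). The host name, the two addresses, the hour values and the 4-hour comparison interval are constructed; the 144-hour default is the 6 days the post cites.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class Record:
    ip: str
    expires_at: float  # hour at which the release interval runs out


class WinsServer:
    """Minimal name-registration table keyed by NetBIOS name (toy model)."""

    def __init__(self, release_interval_hours: float) -> None:
        self.release_interval = release_interval_hours
        self.records: dict[str, Record] = {}

    def _scavenge(self, now: float) -> None:
        # Drop every record whose release interval has already elapsed.
        self.records = {n: r for n, r in self.records.items() if r.expires_at > now}

    def register(self, name: str, ip: str, now: float) -> bool:
        """Return True if the registration is accepted."""
        self._scavenge(now)
        current = self.records.get(name)
        if current is not None and current.ip != ip:
            return False  # name still held by another address: refused
        self.records[name] = Record(ip, now + self.release_interval)
        return True

    def release(self, name: str, ip: str, now: float) -> bool:
        """Explicit release, as sent by a host that shuts down cleanly."""
        rec = self.records.get(name)
        if rec is None or rec.ip != ip:
            return False
        del self.records[name]
        return True

    def resolve(self, name: str, now: float) -> Optional[str]:
        self._scavenge(now)
        rec = self.records.get(name)
        return rec.ip if rec else None


def laptop_scenario(release_interval_hours: float, clean_shutdown: bool = False):
    """Constructed timeline: office registration at hour 0, the laptop leaves at
    hour 8 (suspended, or cleanly shut down), VPN connection at hour 11.
    Returns (vpn_registration_accepted, ip_that_WINS_resolves_at_hour_11)."""
    wins = WinsServer(release_interval_hours)
    wins.register("LAPTOP01", "10.1.1.50", now=0)  # office DHCP address (constructed)
    if clean_shutdown:
        wins.release("LAPTOP01", "10.1.1.50", now=8)
    accepted = wins.register("LAPTOP01", "10.9.0.7", now=11)  # VPN address (constructed)
    return accepted, wins.resolve("LAPTOP01", now=11)


if __name__ == "__main__":
    print("6-day interval, suspended laptop :", laptop_scenario(144))
    print("4-hour interval, suspended laptop:", laptop_scenario(4))
    print("6-day interval, clean shutdown   :", laptop_scenario(144, clean_shutdown=True))
```

With the 6-day interval and a suspended laptop the VPN registration is refused and queries keep returning the office address, which is the symptom in the thread; a clean shutdown (explicit release) or an interval that has elapsed by the time the VPN client registers lets the new address through. Shortening the DHCP lease changes nothing in this model, because the stale entry lives in the WINS table, not in the DHCP scope.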
June 22nd, 2006, 07:06 AM
I'm with Maestr0 on this one ... Seems to me to be more a WINS/DNS related problem.
How is your VPN configured? Does your VPN server/box have a DHCP relay, and does it have the same settings as the inside DHCP (except for the gateway)? Or are you using other settings on the VPN server/box itself?
Like TH13 said ... even if you reboot your computer and it "asks" for an IP address, it will normally get the same one as before the reboot (as long as it's available). So shortening the lease will not fix that problem.
Automatic scavenging of the WINS database takes place at defined intervals, between the Renewal and the Extinct intervals you defined ... So maybe you need to check those intervals??
Basically again ... I'm with Maestr0 on this one, and I'm not telling anything new or anything my fellow AO'ers mentioned.
June 22nd, 2006, 07:34 AM
Thanks for the answer. Maestr0 is right; the issue lies within the WINS release time, which we will look over. Again, thanks for the answers.