lordimpaq (m)

Hello all,
I need help with something. I want to restrict non-domain computers from obtaining IP addresses on my network. I use Cisco 2950 switches with a 2800 series ISR router.
I really need this, can someone help?

Maleeq (m)

For a computer to successfully join a domain, it means it has a valid IP address. A system without a valid IP or no IP configuration cannot be joined into a domain. Thus, DHCP servers issue IP configuration to any system that sends an "IP configuration request" on the network segment where the server is located. Thus, you can't restrict which system receives an IP or not. The only "un-realistic" approach is to create reservations for all the systems you want to have on your network and then take out unused IPs. This would prevent unwanted systems picking up IPs, but this would require a physical visit to all the systems you want on your network to retrieve their MAC addresses! (Imagine how crazy this would be when you have 100+ systems.)

wormedup (m)

If you use static IP addressing then you could disable DHCP, I think.

lordimpaq (m)

"For a computer to successfully join a domain, it means it has a valid IP address. A system without a valid IP or no IP configuration cannot be joined into a domain."
First of all, what is a valid IP address? An address request would be made if the network card of the system is configured to automatically obtain valid IP addresses.
"Thus, you can't restrict which system receives an IP or not."
I believe there is a way.
"The only "un-realistic" approach is to create reservations for all the systems you want to have on your network and then take out unused IPs. This would prevent unwanted systems picking up IPs, but this would require a physical visit to all the systems you want on your network to retrieve their MAC addresses! (Imagine how crazy this would be when you have 100+ systems.)"
Something close to that was considered, but we have 200+ systems. What we wanted to do was to get the MAC addresses of all the systems and put them into the MAC address table for all the switches we have on the domain, so the switches allow DHCP requests against the MAC address table in the switch; this has to be done on like 5 switches as we do not VTP. Please note we run MS Active Directory and the domain controller is the DHCP server, so it has to be an Active Directory thing; hardware is out of it already.

lordimpaq (m)

"If you use static IP addressing then you could disable DHCP, I think."
That is totally out of line: static addresses for 200-plus systems? Then what the hell do we have a DHCP server for???

Maleeq (m)

"First of all, what is a valid IP address? An address request would be made if the network card of the system is configured to automatically obtain valid IP addresses."
What I meant by "valid IP address" is that the IP address on the system matches your network's scheme, and thus they can communicate. Check this: 192.168.1.0/24 could be considered invalid on a 192.168.2.0/24 network scheme.
"I believe there is a way."
Please, let us know when you find a way around this, if you find a way!
"Something close to that was considered, but we have 200+ systems. What we wanted to do was to get the MAC addresses of all the systems and put them into the MAC address table for all the switches we have on the domain, so the switches allow DHCP requests against the MAC address table in the switch; this has to be done on like 5 switches as we do not VTP. Please note we run MS Active Directory and the domain controller is the DHCP server, so it has to be an Active Directory thing; hardware is out of it already."
It is technically the same thing if you create reservations on the DHCP server or you use the MAC address table on the switches approach. Bottom line is that YOU WILL NEED TO GET THE PHYSICAL (MAC) ADDRESSES OF ALL THE SYSTEMS. Though not efficient, if you feel comfortable with this approach, carry on. It would be easier to maintain than the switches' MAC address table approach. It's only logical; follow these questions/answers (you provide answers too) to see why it's not feasible (with current technology at least):
Q: Why does a system request an IP config?
A: It does not have configuration already set and it's set to AUTO config.
Q: To join a domain, the system MUST be able to contact the Domain Controller (DC). How does it do this?
A: It must have a valid IP to get to the DC.
Q: How does it pick up a valid IP?
A: Either manually configured or assigned by the DHCP server.

kayodus (m)

Set up an ARP server. That helps to obtain the hardware address of the system requesting an IP. Also try naming the systems in your network; it helps a great deal in handling unwarranted connections to your domain.

lordimpaq (m)

"Set up an ARP server. That helps to obtain the hardware address of the system requesting an IP. Also try naming the systems in your network; it helps a great deal in handling unwarranted connections to your domain."
I'm assuming the ARP server would have to be a member of the domain. And sorry, but I am asking: I never knew there was an ARP server. Now that I know, I'll check up on it. My understanding of ARP is that it is being handled by the router, on which you can check address resolutions. Anyway, thanks. Is there any software I can use?

lordimpaq (m)

Guys, can anyone help me with how I can get an ARP server up and running?

Kpop-Ham (m)

"The only "un-realistic" approach is to create reservations for all the systems you want to have on your network and then take out unused IPs. This would prevent unwanted systems picking up IPs, but this would require a physical visit to all the systems you want on your network to retrieve their MAC addresses! (Imagine how crazy this would be when you have 100+ systems.)"
Have you considered scripting?

Maleeq (m)

"Have you considered scripting?"
Wow, I never knew scripts could make "PHYSICAL" visits to systems to be joined into a domain! Scripting would only work when the systems are connected and assigned IPs, but then it would be unnecessary because you can simply query the ARP table to get the IP-to-MAC resolutions.

Maleeq (m)

An ARP server is used to intercept and reply to hosts on a physical network segment's requests for other hosts' MAC addresses, mostly on ATM (Asynchronous Transfer Mode) networks. It would still be irrelevant to your cause here because the ARP server must already have the IP-to-MAC resolutions in its tables; plus, your network is TCP/IP, not ATM, and we don't have any IP yet. ARP servers are used to implement IP over ATM. Check this link out for a full description of the ARP server: ARP Server Patents Description

Kpop-Ham (m)

Maleeq, welcome to scripting technologies; you could write a script that retrieves all your computer names from Active Directory and then methodically connects to each of those computers, checking to see if that MAC address can be found. Two kobo. Better still, here's a network tool, 'CC Get MAC Address', which you can download from http://www.youngzsoft.net. Good luck.

Maleeq (m)

"Maleeq, welcome to scripting technologies; you could write a script that retrieves all your computer names from Active Directory and then methodically connects to each of those computers, checking to see if that MAC address can be found. Two kobo."
I have been a Systems Administrator for about 2 years now. I know the power of scripting. Obviously, you know it too, but you seem not to understand what the poster needs here. Tell me, o scripting lord:
- How would you query the AD to retrieve information about a system not yet on that domain?
- How would you "methodically connect" to a system without a valid IP assigned to it yet?
- How would you retrieve a MAC address without being able to reach the system via an IP address?
Try this: if you have a network, take one system out and clear its IP config. Purge the ARP cache. Then use your CC Get MAC or write any script to retrieve the MAC address or system name. Let me know when you succeed.
Excerpt from the link you gave: "CC Get MAC Address is a handy tool for finding MAC address and computer name from IP address." For your "CC Get MAC Address" software tool to work, the systems MUST already have an IP address! The poster here does not want to assign IPs to unauthorized systems. How then would your tool/script work?

Kpop-Ham (m)

Maleeq, this is beginning to sound like 'phone tag'. Okay; you had mentioned previously: "The only 'un-realistic' approach is to create reservations for all the systems you want to have on your network and then take out unused IPs. This would prevent unwanted systems picking up IPs, but this would require a physical visit to all the systems you want on your network to retrieve their MAC addresses! (Imagine how crazy this would be when you have 100+ systems.)" And so, I'm inclined to think that this dude has pretty much solved this puzzle except for his problem of having to go round 100 network cards (that are already on the network with valid IP addresses) to get their MAC addresses, so that he can implement his well thought out solution of creating reservations and taking out unused IPs. See? I know what the poster is looking for, and you have already started solving it. I'm only enabling you to help the poster, DIG? Speaking of which, if the technology weren't available to find those MAC addresses and it meant physically visiting those 100+ systems to get the darn MAC addresses, then so be it.

Maleeq (m)

@Kpop-Ham Okay, maybe I didn't state completely what I meant in that quote.
@poster Yes, scripting would work if all the systems currently on your network are those you want (those on your domain). You could retrieve their MAC addresses via scripts and then create reservations via scripts. Remove unused IPs afterwards.
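The approach the thread settles on (enumerate the domain's computers, read each one's MAC address while it is still reachable, create a DHCP reservation per MAC, then shrink the pool) can be automated from the DHCP server. The script below is an added example written for this page; it is not a script posted in the thread and not Microsoft's own tooling. It assumes a Windows DHCP server with the DhcpServer and ActiveDirectory PowerShell modules, WMI/CIM access to the client machines, and placeholder values for the server name and scope.

```powershell
# Added example, not from this thread: turn Active Directory computer objects
# into DHCP reservations so that only machines already in the domain keep a
# lease after the free pool is removed.
# Assumptions: DhcpServer + ActiveDirectory modules are installed, clients
# accept remote CIM/WMI queries, and the two values below are placeholders.
param(
    [string]$DhcpServer = 'dc01.example.local',   # placeholder: your DC / DHCP server
    [string]$ScopeId    = '192.168.1.0',           # placeholder: your DHCP scope
    [switch]$Commit                                # without -Commit the script only reports
)

Import-Module ActiveDirectory
Import-Module DhcpServer

# 1. Every computer object in the domain: these are the machines to keep.
$domainComputers = Get-ADComputer -Filter * -Properties DNSHostName |
    Where-Object { $_.DNSHostName }

# 2. Reservations that already exist, keyed by client ID, to avoid duplicates.
$reservedMacs = @{}
Get-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId $ScopeId |
    ForEach-Object { $reservedMacs[$_.ClientId] = $true }

$results = foreach ($c in $domainComputers) {
    try {
        # 3. Ask the client for its IP-enabled, DHCP-configured adapters.
        #    This only works while the machine is up and reachable, which is
        #    exactly the "already on the network" case discussed above.
        $nics = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration `
            -ComputerName $c.DNSHostName -Filter 'IPEnabled = TRUE' -ErrorAction Stop |
            Where-Object { $_.DHCPEnabled -and $_.MACAddress }
    } catch {
        # Powered-off or firewalled hosts land here; rerun later to pick them up.
        [pscustomobject]@{ Host = $c.DNSHostName; Mac = $null; IP = $null
                           Status = "unreachable: $($_.Exception.Message)" }
        continue
    }

    foreach ($nic in $nics) {
        # WMI reports 00:11:22:33:44:55; the DhcpServer cmdlets use 00-11-22-33-44-55.
        $mac = $nic.MACAddress -replace ':', '-'
        $ip  = @($nic.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })[0]

        if (-not $ip) {
            $status = 'no IPv4 address on adapter'
        } elseif ($reservedMacs.ContainsKey($mac)) {
            $status = 'already reserved'
        } elseif (-not $Commit) {
            $status = 'would reserve (rerun with -Commit)'
        } else {
            # 4. Pin the address the client currently holds to its MAC address.
            Add-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId $ScopeId `
                -IPAddress $ip -ClientId $mac -Name $c.Name `
                -Description 'domain member (scripted reservation)'
            $reservedMacs[$mac] = $true
            $status = 'reserved'
        }
        [pscustomobject]@{ Host = $c.DNSHostName; Mac = $mac; IP = $ip; Status = $status }
    }
}

$results | Format-Table -AutoSize
```

Run it once without -Commit to review the table, then with -Commit to create the reservations. Only after every domain machine shows "reserved" should the free pool be taken away (for example with Add-DhcpServerv4ExclusionRange over the unreserved part of the scope), because hosts that were switched off during the run are reported as unreachable and still need a lease. Two caveats a practitioner should keep in mind: a reservation ties an address to a MAC, and MAC addresses can be changed by the device owner, so this controls inventory rather than authenticating machines; and the reservation list must be updated every time a NIC or workstation is replaced, which is the maintenance cost Maleeq describes.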

Kpop-Ham (m)

All Correct. 

lordimpaq (m)

If there is a script to do this, can someone please send it to me?

Maleeq (m)

Let me write one out for ya.

2old4that (m)

How can I recover my Cisco 3845 router, having enabled NO PASSWORD RECOVERY MODE...?
NOTE: The problem is the router is not accepting break keys during the boot process.