DHCP Superscope to solve the problem of dwindling IP addresses

If your organization is growing faster than you can supply IP addresses, you don't have to fear that you might soon be running on empty--a superscope can come to the rescue. A superscope is a versatile, cost-effective, and easy-to-use solution when you are running out of IP addresses on a network. This walk-through will show you how to set up a superscope and configure it to assign IP addresses. 

The growth of the young company you work for as network administrator has surpassed all expectations. Everyone--especially the bosses--has every reason to celebrate. But the IT crowd isn't in the same celebratory mood. The reason? They're running on empty (or, more precisely: the DHCP server is).
The problem is that the DHCP server is fast running out of IP addresses to dish out to all the new computers being added to serve your company's growing staff complement. There's an exclamation mark hanging like an ill omen over the DHCP server icon (Figure A), an indication that you're dangerously close to the end of the available address pool.
Figure A
The exclamation mark next to the DHCP server name is a warning that the IP addresses from the scope have nearly been depleted.

When the company started out as a small business with 50 PCs three years ago, the 254 IP addresses a Class C subnet offered seemed more than enough for a long time. But now it's a different story. There are just eight unassigned IP addresses left. As the responsible network admin, what are your options?
You could lobby for another physical LAN (and thus another subnet), but that would mean you'd have to convince the boss to buy a router (or another one if you already have more than one physical LAN) and (maybe) another DHCP server. But suppose there's really no need for a separate physical LAN, apart from your IP address problem?
Changing to another IP address class--maybe Class B, which will provide you with more addresses--is another possibility, but again not a very attractive one. This time you'll have to justify purchasing this address range from your ISP and then face the prospect of migrating from the existing address range (scope) to the new one.

Enter: Superscope

Thankfully, there's a much simpler solution--using a superscope. What's a superscope? A kind of mother of all scopes. It allows you to add more than one scope (called child scopes, or member scopes) under one umbrella.


Microsoft introduced the superscope feature with NT4 SP2.

Let's go ahead and create a superscope for the scenario described above. We'll assume DHCP is set up to use the scope We want to add another scope from the same class (Class C), so let's use But first we need to create a superscope. Here's how:
  1. Open DHCP.
  2. Right-click on the DHCP server.
  3. From the drop-down list, choose New Superscope (Figure B) to launch the New Superscope Wizard.
  4. The wizard prompts you to enter a name for the superscope. We'll just call it MySuperscope.
  5. On the next screen, you'll be asked to select a scope(s) to add to the superscope. You'll see the list of available scopes--in our example, just (Figure C) Select it and click Next.
Figure B
The first step in creating a superscope.
Figure C
Adding scopes to the superscope

The final screen of the wizard informs you that you have successfully completed the New Superscope wizard and gives you the details (Figure D). If you go back into DHCP, you'll see that the new superscope has been created.
Figure D
The last screen of the wizard showing the details of the new superscope.

Adopting another child

Now we're ready to create our brand new child scope that will be watched over by our superscope.
  1. Open DHCP.
  2. Right-click on the DHCP server.
  3. Select New scope (Figure E) to launch the New scope wizard.
  4. Choose a name and description for the new scope. As our first scope in this example was called Scope1, we'll just call this one Scope2.
  5. The wizard will prompt you to add an IP address range. We'll choose a range from the Class C range (We could also have chosen,, etc., but we'll stick to ... 1.0, as it follows logically on our first range). As for start and end address, we'll select all available addresses, starting with and ending with Note that the wizard will automatically complete the Length and Subnet Mask fields (Figure F).
  6. On the next screen, you can choose which range of addresses you want to exclude, if any.
  7. Now, you get to select the duration of IP address leases. The default is eight days.
  8. The wizard then gives you the opportunity to configure DHCP options. You can choose to do it now or wait until later. Note, however, that you have to configure the most common options (like DNS server address and default gateway) before clients can use the scope, so now is as good a time as ever to do it. Just use the same options as your existing scope.
  9. After configuring the DHCP options, you are asked whether you want to activate the scope now or later. Once activated, you're done.
Figure E
The New scope wizard will walk you through the steps of creating a scope.

Figure F
The address details of the new scope, with a little help from the wizard.

Figure G shows our superscope and two child scopes. Notice the red downward pointing arrow to the right of the toolbar. Don't worry--it doesn't mean your superscope is down. You click on the arrow to deactivate a scope or superscope. Warning: Do not deactivate a superscope unless you want to get rid of all its member scopes!
Figure G
The new scope and the two child scopes.

One last step

You now have what is termed a multinet--multiple subnets on a single physical network. But you're not quite there yet. Yes, you have an additional scope; yes, you have a superscope. But your superscope won't assign IP addresses from the new scope. And even if you add a static address from the pool to a client machine, you'll notice that you can't browse the network.
You still need to add the route to your DHCP server's network adaptor, and if you have a router, you'll want to add the IP address to it as well. Here's how to add that new address to your NIC:
  1. Open your Local Area Connection and click on Properties.
  2. Highlight Internet Protocol (TCP/IP) and click on the Properties tab to open the properties screen shown in Figure H.
  3. Click on Advanced which will take you to Advanced TCP/IP settings.
  4. Select Add. A window will open where you have to add the new IP address (Figure I). Enter the address and click Add.
  5. The next window will show both your IP addresses. Click OK, OK again on the next screen, and Close and you're done.
Figure H
The TCP/IP properties screen.

Figure I
Here, you add the address of your new subnet.

Now, if you add an address from the new subnet as a static IP address to a client machine, you should be able to browse the network.
I won't go into the details of adding the new IP address range to a router's Ethernet interface, but if you're Cisco certified, you'll find it to be a simple procedure. (If you don't know your way around a router, though, steer clear.)
The commands to add an IP address to an interface look something like this (depending on the interface and address):
int e 0/0
ip address
But you're adding a second address to the same interface, so you have to add the keyword secondary to the command. So to add the address range from our new child scope, the command would be:
int e 0/0
ip address secondary
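
The wizard steps above can also be scripted. The following is an added example, not part of the original walk-through: it assumes a server with the DhcpServer PowerShell module (Windows Server 2012 and later), and every address in it is a constructed placeholder from the RFC 5737 documentation ranges, since the walk-through's own addresses are not shown. The gateway, server address and NIC name are assumptions.

```powershell
#Requires -Modules DhcpServer
# Constructed sample values (RFC 5737 documentation ranges); replace with your own.
$Superscope = 'MySuperscope'
$OldScopeId = '192.0.2.0'        # network ID of the existing scope (Scope1)
$NewScopeId = '198.51.100.0'     # network ID of the new child scope (Scope2)
$Mask       = '255.255.255.0'
$Gateway    = '198.51.100.1'     # assumed: the router's secondary address
$ServerIp   = '198.51.100.2'     # assumed: extra address for the DHCP server's NIC
$Nic        = 'Local Area Connection'

# Create Scope2 inactive so no client gets a lease before its options exist.
Add-DhcpServerv4Scope -Name 'Scope2' -StartRange '198.51.100.1' -EndRange '198.51.100.254' `
    -SubnetMask $Mask -LeaseDuration (New-TimeSpan -Days 8) -State InActive

# Keep the router and server addresses out of the pool.
Add-DhcpServerv4ExclusionRange -ScopeId $NewScopeId -StartRange $Gateway -EndRange $ServerIp

# Copy Scope1's options, except the router (3) and lease time (51),
# which have to be set per scope.
Get-DhcpServerv4OptionValue -ScopeId $OldScopeId |
    Where-Object { $_.OptionId -notin 3, 51 } |
    ForEach-Object {
        Set-DhcpServerv4OptionValue -ScopeId $NewScopeId -OptionId $_.OptionId -Value $_.Value
    }
Set-DhcpServerv4OptionValue -ScopeId $NewScopeId -Router $Gateway

# Put both scopes under the superscope (it is created if it does not exist yet).
Add-DhcpServerv4Superscope -SuperscopeName $Superscope -ScopeId $OldScopeId, $NewScopeId

# Give the DHCP server an address in the new subnet, then activate the scope.
New-NetIPAddress -InterfaceAlias $Nic -IPAddress $ServerIp -PrefixLength 24
Set-DhcpServerv4Scope -ScopeId $NewScopeId -State Active

# Confirm membership and see how many addresses each member scope has left.
Get-DhcpServerv4ScopeStatistics |
    Where-Object { $_.SuperscopeName -eq $Superscope } |
    Format-Table -AutoSize
```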

Help for remote subnets

So far, we have assumed you have a single physical subnet. But what if you have another one (let's call it physical subnet B) and you're running out of IP addresses there? We're assuming that your DHCP server on subnet A supplies addresses to subnet B. A superscope will also come to your rescue in a scenario like this--with a little help from a relay agent.


A relay agent is a program that relays DHCP/BOOTP messages between clients and servers on different subnets.

Warning: Do not attempt to set up your DHCP server as a relay agent--it won't work as a DHCP server any longer. Instead, try to relay any DHCP requests from clients to "another" DHCP server.
To supply IP addresses from a DHCP server located on subnet A to clients on another physical network--subnet B--you'll set up a superscope on subnet A. To this superscope, you'll add one or more child scopes, which will supply IP addresses to clients on subnet B.
Because you're concerned only with creating additional scopes to support clients on subnet B, you don't need to include the scope for subnet A as part of the superscope.
As most--probably all--modern routers have DHCP/BOOTP relay agent support, as described in RFC 1542, you probably won't need to set up another server as a DHCP relay agent. So all you'll need to do is configure the router (or have it configured) with its relay agent set to point to the IP address of the DHCP server.


Although you could set up an NT server or workstation as a DHCP relay agent, you can do this only on a server with Windows 2000 Server and Windows Server 2003 or later.

Deploying Software Using Group Policy

Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. Group Policy provides the centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment.
Remember: MSI files are application packages that come from manufacturers (or you can create them yourself with 3rd party MSI repackaging tools). Once you have the MSI file in hand, it's not a hard process to get it out there. There is one pitfall, though, and I'll be sure to cover that here.

Part 1: Prepare and Share

The first step in deploying MSI files is in creating the share, and getting that package into the share. In Figure 1, I'm sharing a folder out. In the next step (not shown) I have copied my MSI and any supporting files into the share.

Figure 1: Share out a folder for your software deployment.

Part II: Creating the GPO to perform the work

Next, you're going to create a GPO which performs the actual work. In Figure 2, you can see the GPO I've chosen for the task. Be sure to link it to the users or computers you wish to deploy software to.
In my example, I'm linking a GPO over to my East Sales Users, which contains, as you might expect, user accounts.

Figure 2: Create the GPO and link it over to users or computers

Part III: Match up the correct 'side' of the GPO

In Part II, you created a GPO which was linked either to users or computers. In Figure 2 we linked the GPO to where User accounts are contained. Now, in Figure 3, we need to choose the correct 'side' to implement our instructions.
Since we are deploying to users, that means we should create the directive on the USER side. If we were trying to deploy to Computers, you would choose the Computer side within the GPO.
In Figure 3, you can see both sides contain the Software Settings node, so be sure to put your directives in the right place.

Figure 3: Software Installation settings are on both User and Computer sides

Part IV: Deploy the Software

To deploy the software, right-click on Software Installation then select New | Package as seen in Figure 4. Then select your package and click Advanced (as seen in Figure 5.)

Figure 4: Select New | Package to start your deployment

Figure 5: Choose Advanced when deploying software to see your options.
When deploying your package you have several options available to you as seen in Figure 6. The most important ones are Published / Assigned and Basic/Maximum. Here's what they mean:
  • Published / Assigned:
    • Published means that the application appears in the Add/Remove Programs applet.
    • Assigned means that the application appears on the Start menu.
  • Basic / Maximum:
    • Basic means that the user will see few / no screens when the application installs.
    • Maximum means that the user will have full interaction when the application installs.

Figure 6: Advanced Deployment options in GPSI

Part V: Seeing the software install
Windows cannot install the software while the user is already logged on.
If you log off and log back in, only then will you see the application's icons, as seen in Figure 7.

Figure 7: The deployed application's icons.
Then, selecting the software's icons will perform the actual install, as seen in Figure 8.

Figure 8: The actual install of the software occurs when users select the application.

How to Create Multiple Users in Server 2008 with PowerShell

Creating users through the AD Users and Computers snap-in is a very easy process, but you’ll frequently face the situation where you need to create accounts for a whole group of people at once. There’s no need for this to be a time consuming process for you though, and we’ve done all the heavy lifting so you don’t have to.
Step 1: Create an Excel sheet with the names of the people for whom you want to create user accounts.
Step 2: Save the file as a .csv. To do that, we click on the Office Button and select Save As.
Step 3 : Next we’ll create a new text document on the server where we’ll be doing the user creation.
We’ll then copy the following into our new text document:
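# Read the list of names exported from Excel (columns FirstName and LastName)
$dataSource = Import-Csv "users.csv"
foreach ($dataRecord in $dataSource) {
    $givenName = $dataRecord.FirstName
    $sn = $dataRecord.LastName
    # Build the directory attributes for this person
    $cn = $givenName + " " + $sn
    $sAMAccountName = $givenName + "." + $sn
    $displayName = $sn + ", " + $givenName
    $userPrincipalName = $sAMAccountName + "@techsupportnew.com"
    # The lines that write the account to the directory are not part of this listing
}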
In the first line, make sure that you enter the correct information for your domain and the OU where you are creating the users.

Step 4 : We then want to save the file as a PowerShell script, so we change the Save as type: to All Files (*), and name it PSusersScript.ps1.

Step 5 : Now we need to prep PowerShell to run scripts. You can launch PowerShell by clicking on the shortcut in the taskbar, or by typing PowerShell in the quick search box.

We need to change the Execution Policy to allow scripts to be run remotely, so we type
set-executionpolicy remotesigned
When prompted, type Y and then hit enter to execute.
Step 6: Now that we’ve allowed the script to be run, we need to place both the users.csv and the PSusersScript.ps1 files in our folder for execution. Since the PowerShell prompt naturally comes up to the root user folder, and we are logged on as Administrator, we are going to place them in the C:\Users\Administrator folder. When both files are in the folder, we right-click on the PSusersScript.ps1 file and choose Run with PowerShell.
If we take a look in AD Users and Computers, you will now see all those new users you just created.
The new users will be created in the lastname.firstname format, but the script could easily be altered to your need. Now that you’ve already created the script, all you have to do in the future is to place your list of users in the C:\Users\Administrator folder and run the PowerShell script. Easy!
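
Because the script builds account names straight from the spreadsheet, it pays to check users.csv before any account is created. The following is an added example, not part of the original script: the function name Get-UserImportPlan and the sample rows are constructed for illustration, and only the FirstName and LastName columns and the UPN suffix come from the script above. It runs on PowerShell 2.0 without touching the directory.

```powershell
# Added example: validate rows from users.csv before any directory write.
function Get-UserImportPlan {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Rows,
        [string] $UpnSuffix = 'techsupportnew.com'
    )
    # Characters Active Directory does not accept in a sAMAccountName
    $invalidSam = '["/\\\[\]:;|=,+*?<>@]'
    $seen = @{}
    $line = 1                                   # line 1 of the file is the header
    foreach ($row in $Rows) {
        $line++
        $first = "$($row.FirstName)".Trim()
        $last  = "$($row.LastName)".Trim()
        $sam   = ($first + '.' + $last).ToLower()

        $problems = @()
        if (-not $first -or -not $last) { $problems += 'missing FirstName or LastName' }
        if ($sam.Length -gt 20)         { $problems += 'sAMAccountName longer than 20 characters' }
        if ($sam -match $invalidSam)    { $problems += 'character not allowed in sAMAccountName' }
        if ($seen.ContainsKey($sam)) { $problems += "duplicate of line $($seen[$sam])" } else { $seen[$sam] = $line }

        # The CN becomes part of the distinguished name, so escape the
        # characters that are special there (RFC 4514).
        $cn = ($first + ' ' + $last) -replace '([\\,+"<>;=])', '\$1'
        if ($cn.StartsWith('#')) { $cn = '\' + $cn }

        New-Object PSObject -Property @{
            Line              = $line
            CN                = $cn
            SamAccountName    = $sam
            DisplayName       = $last + ', ' + $first
            UserPrincipalName = $sam + '@' + $UpnSuffix
            Problems          = $problems -join '; '
        }
    }
}

# Constructed sample input standing in for users.csv
$sample = @'
FirstName,LastName
Jane,Doe
jane,doe
Alexandria,Montgomery-Smythe
Sam,"O'Neil, Jr"
,Brown
'@ | ConvertFrom-Csv

$plan = Get-UserImportPlan -Rows $sample
# Rows that must be fixed in the spreadsheet before the import is run
$plan | Where-Object { $_.Problems } | Format-Table Line, SamAccountName, Problems -AutoSize
# Rows that are safe to hand to the account-creation step
$plan | Where-Object { -not $_.Problems } | Format-Table Line, CN, SamAccountName, UserPrincipalName -AutoSize
```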

Failure when restoring Microsoft Windows 7 from the Recovery DVD or installing Windows 7



When the USB 3.0 mode is enabled in the ThinkPad Setup, failure will occur when restoring Microsoft Windows 7 from the Recovery DVD or installing Windows 7.






USB 3.0 mode in the ThinkPad Setup set to Enable (default)


Microsoft Windows 7


Microsoft Windows 7 does not have the Inbox USB 3.0 driver in it. The USB 3.0 mode in the ThinkPad Setup has to be disabled while you are restoring or installing Microsoft Windows 7 via the USB optical drive.


The user should disable the USB 3.0 mode in the ThinkPad Setup while restoring or installing Microsoft Windows 7.

Follow the following instructions to disable the USB 3.0 mode:

      1.  Turn off the system.
      2.  Turn on the system.
      3.  While the "To interrupt normal startup, press Enter" message is
           displayed at the lower-left area or lower-center of the screen, press
           the F1 key.  The ThinkPad Setup menu will be displayed.  If a
           password prompt appears, type the correct password.
      4.  Select “Config” and then select USB.
      5.  Set the USB 3.0 Mode to Disable.
      6.  Press the F10 key to save configuration and exit.
      7.  Select Yes.
      8.  The system will be restarted automatically.

NOTE:  The user should be able to enable the USB 3.0 mode again in Step 5.

Configuring DirectAccess on Windows Server 2012 R2

My setup is as follows: the DirectAccess server has 2 network cards, one that goes to the internet and one for the internal LAN.
The following ports are needed for DirectAccess to work:
                    Protocol 41
                    UDP 3544 Inbound and Outbound
                    TCP 443 Inbound and Outbound
This is running on my Windows Server 2012 R2 Hyper-V host! (Will get to this one later).
Here we Go!!

Go On and Add / Remove Role

Select Remote Access Click Next

Select DirectAccess and VPN (RAS)

Click on Install

Watch the Install Process..

Once Finished, Click on Open the Getting Started Wizard

Click on Deploy Direct Access Only


Wizard Checks a Few Things before starting..


As mentioned my DA Server is on Edge with 2 NICs (technically it’s behind TMG, but I have a few exceptions myself)
Input the Public name or IPv4 address.

Click Finish, we will configure the rest in a bit..

It updates and creates configurations as well as 2 Group Policy objects, namely DirectAccess Client Settings

and DirectAccess Server Settings


Here’s the Dashboard after it has finished configuration and deployment.


Click on DirectAccess and VPN. As you can see here, there are several possibilities here.
Step 1: Allowing Client Access, Which Groups and For whom as well as the DA Connection Name.
Step 2: Is where you select Network Cards and also certificate, and authentication type. (You will see it below)
Step 3: Is a bit like NAP, i.e where you say where your remediation servers are
Step 4: End to End Application
Click Edit on Step 1.


Here we will select DA for Client and Remote Management.


Here enter a support email and the DA Connection name and allow DA Clients to use Local Name Resolution.
Click Finish.

Here is what pops up, and it will go edit the GPO. Isn’t that super cool!!

Now next step before we check if our clients can connect, we must make sure that we run a gpupdate against the client and make sure they pull the policies.

As you can see in the Picture below, which is basically a VM at my house, with an internet connection and the DA Policy. (I have a VPN connection to the server so that it pulls the update, and the vm is joined to the domain).

So there, it says connected!.
That’s it!! You have DA working :)
 Coming back to my DA Server config, here’s what it looks like.

The 2 NIC, one Internet and 1 LAN (IPV6) and the certificate.

That’s the authentication :)