Document: Windows Server 2008 Inside Out - P16

IPAddress is the IP address for the lease you want to remove, such as 192.168.1.8.
To activate or deactivate a scope, type the following:
netsh dhcp server ServerID scope NetworkID state StateVal
where the following is true:

ServerID is the UNC name or IP address of the DHCP server on which you want to
create the scope, such as \\CORPSVR03 or \\192.168.1.1.

NetworkID is the network ID of the scope, such as 192.168.1.0.

StateVal is set to 0 to deactivate the scope and 1 to activate it. If you are using a
switched network where multiple logical networks are hosted on a single physical
network, use 2 to deactivate the scope and 3 to activate the scope.
Configuring TCP/IP Options
The messages clients and servers broadcast to each other allow you to set TCP/IP
options that clients can obtain by default when they obtain a lease or can request if they
need additional information. It is important to note, however, that the types of information
you can add to DHCP messages are limited in several ways:

DHCP messages are transmitted using User Datagram Protocol (UDP), and the
entire DHCP message must fit into the UDP datagram. On Ethernet with 1500-byte
datagrams, this leaves 1236 bytes for the body of the message (which contains
the TCP/IP options).

BOOTP messages have a fixed size of 300 bytes as set by the original BOOTP
standard. Any clients using BOOTP are likely to have their TCP/IP options
truncated.

Although there are many options that you can set, clients understand only certain
TCP/IP options. Thus, the set of options available to you is dependent upon the
client’s implementation of DHCP.

With that in mind, let’s look at the levels at which options can be assigned and the
options that Windows clients understand.
Levels of Options and Their Uses
Each individual TCP/IP option such as a default gateway is configured separately.
There are different scope options for IPv4 and IPv6. DHCP administrators can manage
options at five levels within the DHCP server configuration:

Predefined options
Allow DHCP administrators to specify the way in which
options are used and to create new option types for use on a server. In the DHCP
console, you can view and set predefined options by right-clicking the IPv4 or
IPv6 node in the console tree and selecting Set Predefined Options.
Configuring TCP/IP Options 717
Chapter 22
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.

Server options
Allow DHCP administrators to configure options that are
assigned to all scopes created on the DHCP server. Think of server options as
global options that would be assigned to all clients. Server options can be
overridden by scope, class, and client-assigned options. In the DHCP console, you
can view and set server options by expanding the entry for the server you want to
work with, right-clicking Server Options, and then choosing Configure Options.

Scope options
Allow DHCP administrators to configure options that are assigned
to all clients that use a particular scope. Scope options are assigned only to normal
scopes and can be overridden by class and client-assigned options. In the
DHCP console, you can view and set scope options by expanding the scope you
want to work with, right-clicking Scope Options, and then choosing Configure
Options.

Class options
Allow DHCP administrators to configure options that are assigned
to all clients of a particular class. Client classes can be user-defined or
vendor-defined. Two classes included with the DHCP Server service are Windows 98,
which is used to assign specific options to clients running Windows 98, and
Windows 2000, which is used to assign specific options to clients running
Windows 2000 or later. Class options can be overridden by client-assigned
options. You define new user and vendor classes by right-clicking the IPv4 or
IPv6 entry and selecting either Define User Classes or Define Vendor Classes as
appropriate. When defined, class options can be configured on the Advanced tab
of the Server Options, Scope Options, and Reservation Options dialog boxes.

Reservation options
Allow administrators to set options for an individual client
that uses a reservation. Also referred to as client-specific options. After you create
a reservation for a client, you can configure reservation options by expanding the
scope, expanding Reservations, right-clicking the reservation, and selecting
Configure Options. Only TCP/IP options manually configured on a client can
override client-assigned options.
Options Used by Windows Clients
RFC 3442 defines many TCP/IP options that you can set in DHCP messages. Although
you can set all of these options on a DHCP server, the set of options available is
dependent upon the client’s implementation of DHCP.
Table 22-1 shows the options that can be configured by administrators and used by
Windows computers running the DHCP Client service. Each option has an associated
option code, which is used to identify it in a DHCP message, and a data entry, which
contains the value setting of the option. These options are requested by clients to set
their TCP/IP configuration.
Table 22-1 Standard TCP/IP Options That Administrators Can Configure

Option Name | Option Code | Description
Router | 003 | Sets a list of IP addresses for the default gateways that should be used by the client. IP addresses are listed in order of preference.
DNS Servers | 006 | Sets a list of IP addresses for the DNS servers that should be used by the client. IP addresses are listed in order of preference.
DNS Domain Name | 015 | Sets the DNS domain name that clients should use when resolving host names using DNS.
WINS/NBNS Servers | 044 | Sets a list of IP addresses for the WINS servers that should be used by the client. IP addresses are listed in order of preference.
WINS/NBT Node Type | 046 | Sets the method to use when resolving NetBIOS names. The acceptable values are: 0x1 for B-node (broadcast), 0x2 for P-node (peer-to-peer), 0x4 for M-node (mixed), and 0x8 for H-node (hybrid). See “NetBIOS Node Types” on page 824.
NetBIOS Scope ID | 047 | Sets the NetBIOS scope for the client.
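As an added example (not code from the book), the following Python encodes the Table 22-1 options as the type-length-value fields DHCP actually carries, then checks the result against the two limits described under "Configuring TCP/IP Options": the 1236-byte options budget on Ethernet and the 300-byte BOOTP message. The IPv4, UDP and fixed DHCP header sizes are assumed from RFC 2131, and the sample scope values are constructed.

```python
"""Encode the Table 22-1 options as DHCP type-length-value fields and check
them against the datagram limits the text describes. Added example, not code
from the book; header sizes are assumed from RFC 2131 (see comments)."""
import ipaddress
import struct

ETHERNET_MTU = 1500
IPV4_HEADER = 20               # assumed: IPv4 header without options
UDP_HEADER = 8                 # assumed: UDP header
DHCP_FIXED_HEADER = 236        # assumed: fixed fields (op .. file) before the options area
BOOTP_MESSAGE_SIZE = 300       # fixed total size of a classic BOOTP message (from the text)
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of DHCP-style options

# Option codes from Table 22-1
OPT_ROUTER = 3
OPT_DNS_SERVERS = 6
OPT_DNS_DOMAIN_NAME = 15
OPT_WINS_SERVERS = 44
OPT_NBT_NODE_TYPE = 46
OPT_NETBIOS_SCOPE_ID = 47
OPT_PAD = 0
OPT_END = 255

# WINS/NBT node type values from Table 22-1
NODE_TYPES = {"B": 0x1, "P": 0x2, "M": 0x4, "H": 0x8}


def max_options_bytes(mtu=ETHERNET_MTU):
    """Bytes left for the options area in one datagram.
    On Ethernet: 1500 - 20 - 8 - 236 = 1236, the figure quoted in the text."""
    return mtu - IPV4_HEADER - UDP_HEADER - DHCP_FIXED_HEADER


def encode_option(code, value):
    """Build one TLV field: code, length, data. Address lists become 4 bytes
    per address, strings become ASCII, small integers become a single byte."""
    if isinstance(value, (list, tuple)):
        data = b"".join(ipaddress.IPv4Address(a).packed for a in value)
    elif isinstance(value, str):
        data = value.encode("ascii")
    elif isinstance(value, int):
        data = struct.pack("!B", value)
    else:
        raise TypeError(f"unsupported value type for option {code}")
    if len(data) > 255:
        # The length field is one byte, so one Router or DNS Servers option
        # can carry at most 63 addresses (63 * 4 = 252 bytes).
        raise ValueError(f"option {code}: {len(data)} bytes exceeds 255")
    return struct.pack("!BB", code, len(data)) + data


def encode_options(options):
    """Return the whole options area: magic cookie, the TLV fields, then END."""
    body = b"".join(encode_option(code, value) for code, value in options)
    return MAGIC_COOKIE + body + bytes([OPT_END])


def check_fit(options_area):
    """Return (fits_dhcp_on_ethernet, fits_bootp): whether the options area
    fits the 1236-byte DHCP budget and the 300-byte BOOTP message. A BOOTP
    client sees anything past the 300-byte mark truncated, as the text warns."""
    fits_dhcp = len(options_area) <= max_options_bytes()
    fits_bootp = DHCP_FIXED_HEADER + len(options_area) <= BOOTP_MESSAGE_SIZE
    return fits_dhcp, fits_bootp


def decode_options(options_area):
    """Parse an options area back into {code: raw bytes}. PAD is skipped, END
    stops the walk, and a length that runs past the buffer is rejected."""
    if options_area[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    decoded, i = {}, 4
    while i < len(options_area):
        code = options_area[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options_area):
            raise ValueError("truncated option header")
        end = i + 2 + options_area[i + 1]
        if end > len(options_area):
            raise ValueError(f"option {code} runs past the end of the buffer")
        decoded[code] = bytes(options_area[i + 2:end])
        i = end
    return decoded


# Constructed sample scope options (hypothetical values, not from the book)
SAMPLE_OPTIONS = [
    (OPT_ROUTER, ["192.168.1.1"]),
    (OPT_DNS_SERVERS, ["192.168.1.1", "192.168.1.2"]),
    (OPT_DNS_DOMAIN_NAME, "cpandl.com"),
    (OPT_WINS_SERVERS, ["192.168.1.5"]),
    (OPT_NBT_NODE_TYPE, NODE_TYPES["H"]),
]
```

Running `check_fit(encode_options(SAMPLE_OPTIONS))` returns `(True, True)`; a single DNS Servers option listing sixteen servers still fits DHCP but already pushes a BOOTP message past 300 bytes.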
Using User-Specific and Vendor-Specific TCP/IP Options
DHCP uses classes to determine which options are sent to clients. The user classes let
you assign TCP/IP options according to the type of user the client represents on the
network. The default user classes include the following:


Default User Class
An all-inclusive class that includes clients that don’t fit into the
other user classes, such as computers running Windows NT 4.0. Any computer
running a version of the Windows operating system earlier than Windows 2000
is in this class.

Default BOOTP Class
Any computer running Windows 2000 or later has this user
class if it is connected to the local network directly. This means Windows 2000,
Windows XP, and Windows Server 2008 computers connected with a wired net-
work interface have this class.

Default Routing And Remote Access Class
Any computer that connects to the
network using RRAS has this class. Any settings applied to this class are used by
dial-in and VPN users, which allows you to set different TCP/IP options for these
users.

Default Network Access Protection Class
Any computer that connects to the net-
work and is subject to Network Access Protection (NAP) policy has this class. Any
settings applied to this class are used by restricted access clients, which allows
you to set different TCP/IP options for these users.
Clients can be a member of multiple user classes, and you can view the user class
memberships for each network interface by typing ipconfig /showclassid * at the
command prompt. (The asterisk tells the command that you want to see all the network
interfaces.) The output you’ll see on a computer running Windows 2000 or later will be
similar to the following:
Windows IP Configuration
DHCP Classes for Adapter "Local Area Connection":
DHCP ClassID Name : Default Routing and Remote Access Class
DHCP ClassID Description : User class for remote access clients
DHCP ClassID Name : Default BOOTP Class
DHCP ClassID Description : User class for BOOTP Clients
Here, the client is a member of the Default Routing And Remote Access Class and the
Default BOOTP Class. The client doesn’t, however, get its options from both classes.
Rather, the class from which the client gets its options depends on its connection state.
If the client is connected directly to the network, it uses the Default BOOTP Class. If
the client is connected by Routing and Remote Access, it uses the Default Routing And
Remote Access Class.
Vendor classes work a bit differently because they define the set of options available
to and used by the various user classes. The default vendor class, DHCP Standard
Options, is used to set the standard TCP/IP options, and the various user classes all
have access to these options so that they can be implemented in a user-specific way.
Additional vendor classes beyond the default define extensions or additional options
that can be implemented in a user-specific way. This means that the vendor class
defines the options and makes them available, while the user class settings determine
which of these additional options (if any) are used by clients.
The default vendor classes that provide additional (add-on) options are as follows:

Microsoft Options
Add-on options available to any client running any version of
Windows

Microsoft Windows 98 Options
Add-on options available to any client running
Windows 98 or later

Microsoft Windows 2000 Options
Add-on options available to any client running
Windows 2000 or later
When it comes to these classes, a client applies the options from the most specific
add-on vendor class. Thus, a Windows 98 client would apply the Microsoft Windows 98
Options vendor class, and a Windows 2000 or later client would apply the Microsoft
Windows 2000 Options vendor class. Again, these options are in addition to the
standard options provided through the DHCP Standard Options vendor class and can be
implemented in a manner specific to a user class. This means you can have one set of
add-on options for directly connected clients (Default BOOTP Class) and one set for
remotely connected clients (Default Routing And Remote Access Class).
The add-on options that can be set for a client running Windows 2000 or later are listed
in Table 22-2.
Table 22-2 Additional TCP/IP Options That Administrators Can Configure

Option Name | Option Code | Description
Microsoft Disable NetBIOS Option | 001 | Disables NetBIOS if selected as an option with a value of 0x1.
Microsoft Release DHCP Lease On Shutdown Option | 002 | Specifies that a client should release its DHCP lease on shutdown if selected as an option with a value of 0x1.
Microsoft Default Router Metric Base | 003 | Specifies that the default router metric base should be used if selected as an option with a value of 0x1.
Setting Options for All Clients
On the DHCP server, you can set TCP/IP options at several levels. You can set options
for the following components:

All scopes on a server
In the DHCP console, expand the entry for the server and
IP protocol you want to work with, right-click Server Options, and then choose
Configure Options.

A specific scope
In the DHCP console, expand the scope you want to work with,
right-click Scope Options, and then choose Configure Options.

A single reserved IP address
In the DHCP console, expand the scope, expand
Reservations, right-click the reservation you want to work with, and select
Configure Options.
Regardless of the level at which you are setting TCP/IP options, the dialog box
displayed has the exact same set of choices as that shown in Figure 22-21. You can now
select each standard TCP/IP option you want to use in turn, such as Router, DNS
Servers, DNS Domain Name, WINS/NBNS Servers, and WINS/NBT Node Type, and
configure the appropriate values. Click OK when you are finished.
Figure 22-21 Set class-specific options using the General tab.

Setting Options for RRAS and NAP Clients
On the DHCP server, you can set TCP/IP options for RRAS and NAP clients at several
levels. You can set options for the following components:

All scopes on a server
In the DHCP console, expand the entry for the server and
IP protocol you want to work with, right-click Server Options, and then choose
Configure Options.

A specific scope
In the DHCP console, expand the scope you want to work with,
right-click Scope Options, and then choose Configure Options.

A single reserved IP address
In the DHCP console, expand the scope, expand
Reservations, right-click the reservation you want to work with, and select
Configure Options.
Regardless of the level at which you are setting TCP/IP options, the dialog box
displayed has the exact same set of choices. You can now complete the following steps:
1. Click the Advanced tab, as shown in Figure 22-22. From the Vendor Class drop-
down list, select DHCP Standard Options. As appropriate, from the User Class
drop-down list, choose either Default Routing And Remote Access Class or
Default Network Access Protection Class.
Figure 22-22 Set the DHCP Standard Options.
2. Select the check box for each standard TCP/IP option you want to use in turn,
such as Router, DNS Servers, DNS Domain Name, WINS/NBNS Servers, and
WINS/NBT Node Type, and configure the appropriate values.

3. Select each add-on TCP/IP option you want to use in turn, such as Microsoft
Disable NetBIOS Option and Microsoft Release DHCP Lease On Shutdown
Option, and accept the default value (0x1) to turn on the option.
4. Click OK.
Setting Add-On Options for Directly Connected Clients
You can set add-on options for directly connected clients that are different from those
of remote access clients. Access the TCP/IP Options dialog box at the appropriate level,
and then click the Advanced tab. For Windows 2000 or later clients, select Microsoft
Windows 2000 Options as the vendor class and Default BOOTP Class as the user class,
as shown in Figure 22-23. Now select each add-on TCP/IP option you want to use in
turn, such as Microsoft Disable NetBIOS Option and Microsoft Release DHCP Lease On
Shutdown Option, and accept the default value (0x1) to turn on the option. Then click
OK when you are finished.
Figure 22-23 Set the add-on options for directly connected clients.
Defining Classes to Get Different Option Sets
If you want a group of DHCP clients to use a set of options different than other computers,
you can use classes to do this. It is a two-part process. First, create your own
user-defined class on each DHCP server to which the clients might connect. Then configure
the network interfaces on the clients to use the new class.
Creating the Class
In the DHCP console, you can define the new user class by right-clicking the IP protocol
you want to work with and selecting Define User Classes. In the DHCP User Classes
dialog box, shown in Figure 22-24, the existing classes are listed, except for the Default
User Class because it is the base user class.
Click Add to display the New Class dialog box shown in Figure 22-25. In the Display
Name box, type the name of the class you are defining. The name is arbitrary and
should be short but descriptive enough so that you know what that class is used for
by seeing its name. You can also type a description in the Description box. Afterward,
click in the empty area below the word ASCII. In this space, type the class identifier,
which is used by DHCP to identify the class. The class identifier cannot have spaces.
Click OK to close the New Class dialog box, and then click Close to return to the DHCP
console.
Figure 22-24 User classes in addition to the base class.
Figure 22-25 Set the class name, description, and class ID.
Next, you must configure the TCP/IP options that should be used by this class. In
the DHCP console, expand the entry for the server you want to work with, right-click
Server Options, and then choose Configure Options. In the Server Options dialog box,
click the Advanced tab. Select DHCP Standard Options as the vendor class and the
class you created as the user class.
Select each standard TCP/IP option you want to use in turn, such as Router, DNS
Servers, DNS Domain Name, WINS/NBNS Servers, and WINS/NBT Node Type, and
configure the appropriate values. If you want to set Windows options, select Microsoft
Windows 2000 Options as the vendor class. Don’t change the user class. Then select
each add-on TCP/IP option you want to use in turn, such as Microsoft Disable
NetBIOS Option and Microsoft Release DHCP Lease On Shutdown Option, and accept the
default value (0x1) to turn on the option. Click OK to complete the configuration of the
new class.
Configuring Clients to Use the Class
Now you must configure the network interfaces on the clients to use the new class.
Assuming “Local Area Connection” is the name of the network interface on the client,
you would type the following command to do this:
ipconfig /setclassid "Local Area Connection" ClassID
where ClassID is the ID of the user class to use. For example, if the class ID is
Engineering, you would type
ipconfig /setclassid "Local Area Connection" Engineering
In these examples, I use “Local Area Connection” as the network interface name
because that is the default connection created by Windows. If a client has multiple
network interfaces or a user has changed the name of the default network interface, you
must use the name of the appropriate interface. You can get a list of all network
interfaces on a client by typing ipconfig /all at the command prompt.
After you set the class ID, type ipconfig /renew at the command prompt. This tells the
client to renew the lease and because the client has a new class ID it also forces the
client to request new TCP/IP options. The output should be similar to the following:
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix :
IP Address : 192.168.1.22
Subnet Mask : 255.255.255.0
Default Gateway : 192.168.1.1
DHCP Class ID : Engineering
That’s it. Because the class ID is persistent, you need to set it only once. So, if the client
is restarted, the class ID will remain. To remove the class ID and use the defaults again,
type the following command:
ipconfig /setclassid "Local Area Connection"
TROUBLESHOOTING
Class ID problems
Sometimes the network interface won’t report that it has the new class ID. If this
happens, try releasing the DHCP lease first by typing ipconfig /release and then obtaining a
new lease by typing ipconfig /renew.
Advanced DHCP Configuration and Maintenance
When you install the DHCP Server service, many advanced features are configured for
you automatically, including audit logging, network bindings, integration with DNS,
integration with NAP, and DHCP database backups. All of these features can be
fine-tuned to optimize performance, and many of these features, such as auditing, logging,
and backups, should be periodically monitored.
Configuring DHCP Audit Logging
Audit logging is enabled by default for the DHCP Server service and is used to track
DHCP processes and requests in log files. Although you can enable and configure logging
separately for IPv4 and IPv6, by default, the two protocols use the same log files.
The DHCP logs are stored in the %SystemRoot%\System32\Dhcp folder by default. In
this folder you’ll find a different log file for each day of the week. For example, the log
file for Monday is named DhcpSrvLog-Mon.log. When you start the DHCP Server service
or a new day arrives, a header message is written to the log file. As shown in Listing
22-1, the header provides a summary of DHCP events and their meanings. The header
is followed by the actual events logged by the DHCP Server service. The event IDs and
descriptions are entered because different versions of the DHCP Server service can have
different events.
Listing 22-1 DHCP Server Log File
Microsoft DHCP Service Activity Log
Event ID Meaning
00 The log was started.
01 The log was stopped.
02 The log was temporarily paused due to low disk space.
10 A new IP address was leased to a client.
11 A lease was renewed by a client.
12 A lease was released by a client.
13 An IP address was found to be in use on the network.
14 A lease request could not be satisfied because the scope's address pool was exhausted.
15 A lease was denied.
16 A lease was deleted.
17 A lease was expired.
24 IP address cleanup operation has began.
25 IP address cleanup statistics.
30 DNS update request to the named DNS server
31 DNS update failed
32 DNS update successful
50+ Codes above 50 are used for Rogue Server Detection information.
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,04/27/09,11:30:26,Started,,,,
55,04/27/09,11:30:27,Authorized(servicing),,cpandl.com,,
10,04/27/09,11:56:03,Assign,192.168.1.1,corpserver03.cpandl.com,2324AE67B4E8,
12,04/27/09,11:56:32,Release,192.168.1.1,corpserver03.cpandl.com,2324AE67B4E8,
10,04/27/09,12:01:45,Assign,192.168.1.20,corpserver03.cpandl.com,2324AE67B4E8,
15,04/27/09,12:03:41,NACK,192.168.0.100,,2324AE67B4E8,
11,04/27/09,12:03:42,Renew,192.168.1.20,becka.,2324AE67B4E8,
24,04/27/09,12:30:30,Database Cleanup Begin,,,,
25,04/27/09,12:30:30,0 leases expired and 0 leases deleted,,,,
25,04/27/09,12:30:30,0 leases expired and 0 leases deleted,,,,
24,04/27/09,13:30:35,Database Cleanup Begin,,,,
25,04/27/09,13:30:35,0 leases expired and 0 leases deleted,,,,
25,04/27/09,13:30:35,0 leases expired and 0 leases deleted,,,,
01,04/27/09,14:10:23,Stopped,,,,
00,04/27/09,14:10:37,Started,,,,
55,04/27/09,14:10:37,Authorized(servicing),,cpandl.com,,
01,04/27t/09,20:15:50,Stopped,,,,
The events in the audit logs can help you troubleshoot problems with a DHCP server.
As you examine Listing 22-1, the first event entry with ID 00 tells you the DHCP Server
service was started. The second event entry with ID 55 tells you the DHCP server is
authorized to service the cpandl.com domain. Every hour that the service is running, it
also performs cleanup operations. Database cleanup is used to check for expired leases
and leases that no longer apply.
The audit logs also serve as a record of all DHCP connection requests by clients on the
network. Events related to lease assignment, renewal, and release are recorded accord-
ing to the IP address assigned, the client’s FQDN, and the client’s MAC address.
Declined leases are listed with the event ID 13 and the description of the event is
DECLINE. A DHCP client can decline a lease if it detects that the IP address is already
in use. The primary reason this happens is that a system somewhere on the network is
using a static IP address in the DHCP range or has leased it from another DHCP server
during a network glitch. When the server receives the decline, it marks the address as
bad in the DHCP database. See “Enabling Conflict Detection on DHCP Servers” on page
734 for details on how IP address conflicts can be avoided.
Denied leases are listed with the event ID 15 and the description of the event is NACK.
DHCP can deny a lease to a client that is requesting an address that cannot be pro-
vided. This could happen if an administrator terminated the lease or if the client moved
to a different subnet where the original IP address held is no longer valid. When a client
receives a NACK, the client releases the denied IP address and requests a new one.
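The following Python is an added example, not code from the book: it parses the DhcpSrvLog format shown in Listing 22-1 (skipping the legend the service writes at the top of each file) and pulls out the NACK (ID 15) and DECLINE (ID 13) events the text describes, plus the per-MAC lease history that makes a client bouncing between subnets easy to spot. The sample log is constructed in that format; the ID 13 row is hypothetical, the other rows mirror the listing.

```python
"""Parse a Windows DHCP Server audit log (DhcpSrvLog-*.log) and pick out the
events worth a closer look: denied leases (ID 15, NACK), declined leases
(ID 13, DECLINE) and an exhausted address pool (ID 14). Added example, not
code from the book. The sample below is constructed in the Listing 22-1
format; the ID 13 row is hypothetical, the others mirror the listing."""
import csv
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Microsoft DHCP Service Activity Log
Event ID Meaning
00 The log was started.
10 A new IP address was leased to a client.
13 An IP address was found to be in use on the network.
15 A lease was denied.
50+ Codes above 50 are used for Rogue Server Detection information.
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,04/27/09,11:30:26,Started,,,,
55,04/27/09,11:30:27,Authorized(servicing),,cpandl.com,,
10,04/27/09,11:56:03,Assign,192.168.1.1,corpserver03.cpandl.com,2324AE67B4E8,
12,04/27/09,11:56:32,Release,192.168.1.1,corpserver03.cpandl.com,2324AE67B4E8,
10,04/27/09,12:01:45,Assign,192.168.1.20,corpserver03.cpandl.com,2324AE67B4E8,
15,04/27/09,12:03:41,NACK,192.168.0.100,,2324AE67B4E8,
11,04/27/09,12:03:42,Renew,192.168.1.20,becka.,2324AE67B4E8,
13,04/27/09,12:05:10,DECLINE,192.168.1.30,,00155D0A1B2C,
24,04/27/09,12:30:30,Database Cleanup Begin,,,,
25,04/27/09,12:30:30,0 leases expired and 0 leases deleted,,,,
01,04/27/09,14:10:23,Stopped,,,,
"""

# Column names from the header row the service writes before the events
COLUMNS = ["ID", "Date", "Time", "Description", "IP Address", "Host Name", "MAC Address"]

# Event IDs worth a closer look, with the reason the text gives for each
ALERT_IDS = {
    "13": "lease declined: address already in use (static host or second DHCP server?)",
    "14": "lease request could not be satisfied: address pool exhausted",
    "15": "lease denied (NACK): client asked for an address the server cannot provide",
}


def parse_audit_log(text):
    """Return one dict per event row. The legend the service writes when it
    starts or a new day begins, and the column header itself, are skipped by
    keeping only rows whose first field is a numeric event ID."""
    events = []
    for row in csv.reader(text.splitlines()):
        # Legend lines have no commas and the header starts with 'ID', so
        # both fail this test; every event row ends with a trailing comma,
        # which csv returns as an extra empty field that zip() drops.
        if len(row) < len(COLUMNS) or not row[0].strip().isdigit():
            continue
        events.append(dict(zip(COLUMNS, (field.strip() for field in row))))
    return events


def find_alerts(events):
    """Rows with an ID in ALERT_IDS, each annotated with the reason."""
    return [dict(e, reason=ALERT_IDS[e["ID"]]) for e in events if e["ID"] in ALERT_IDS]


def leases_by_mac(events):
    """Lease lifecycle (Assign 10, Renew 11, Release 12) per client MAC, in log
    order, so one MAC bouncing between addresses or subnets stands out."""
    history = defaultdict(list)
    for e in events:
        if e["ID"] in ("10", "11", "12") and e["MAC Address"]:
            history[e["MAC Address"]].append((e["ID"], e["IP Address"]))
    return dict(history)


def declined_addresses(events):
    """Addresses a client declined (ID 13): candidates for a static-IP clash
    that the server will have marked bad in its database."""
    return {e["IP Address"] for e in events if e["ID"] == "13"}


def count_by_id(events):
    """Event counts per ID, a quick health summary of one day's log."""
    return Counter(e["ID"] for e in events)
```

On the sample, `find_alerts` returns the NACK for 192.168.0.100 and the DECLINE for 192.168.1.30, and `leases_by_mac` shows 2324AE67B4E8 releasing 192.168.1.1 before being assigned and renewing 192.168.1.20.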
As discussed previously, audit logging is enabled by default. If you want to check or
change the logging setting, you can do this in the DHCP console. Expand the node for
the server you want to work with, right-click IPv4 or IPv6 as appropriate for the type of
binding you want to work with, and then select Properties. This displays the dialog box
shown in Figure 22-26.
On the General tab, select or clear the Enable DHCP Audit Logging check box as necessary.
Afterward, select the Advanced tab. The Audit Log File Path box shows the current
folder location for log files. Enter a new folder location or click Browse to find a new
location. Click OK. If you change the audit log location, Windows Server 2008 will
need to restart the DHCP Server service. When prompted to confirm that this is OK,
click Yes.
Figure 22-26 Audit logging is enabled by default.
Binding the DHCP Server Service to a Network Interface
The DHCP Server service should bind automatically to the first NIC on the server. This
means that the DHCP Server service should use the IP address and TCP/IP configuration
of this network interface to communicate with clients. In some instances, the
DHCP Server service might not bind to any available network interface or it might bind
to a network interface that you don’t want it to use. To resolve this problem, you must
bind the DHCP Server service to a specific network interface by following these steps:
1. In the DHCP console, expand the node for the server you want to work with,
right-click IPv4 or IPv6 as appropriate for the type of binding you want to work
with, and then select Properties.
2. On the Advanced tab of the IPv4 or IPv6 Properties dialog box, click Bindings
to display the Bindings dialog box. This dialog box displays a list of available
network connections for the DHCP server.
3. If you want the DHCP Server service to use a connection to service clients, select
the option for the connection. If you don’t want the service to use a connection,
clear the related option.
4. Click OK twice when you are finished.
Integrating DHCP and DNS
Using the DNS Dynamic Update protocol, DHCP clients running Windows 2000 or
later can automatically update their forward (A) and reverse lookup (PTR) records in
DNS or request that the DHCP server do this for them. Clients running versions of the
Windows operating system earlier than Windows 2000 can’t dynamically update any
of their records, so DHCP must do this for them. In either case, when the DHCP server
is required to update DNS records, this requires integration between DHCP and DNS.
In the default configuration of DHCP, a DHCP server will update DNS records for
clients only if requested but will not update records for clients running versions of the
Windows operating system earlier than Windows 2000. You can modify this behavior
globally for each DHCP server or on a per scope basis.
To change the global DNS integration settings, start the DHCP console, expand the
node for the server you want to work with, right-click IPv4, and then select Properties.
Click the DNS tab, as shown in Figure 22-27, and then select the Dynamically Update
DNS A And PTR Records For DHCP Clients That Do Not Request Updates check box.
Don’t change the other settings. These settings are configured by default, and you don’t
need to modify the configuration in most cases.
Figure 22-27 DHCP and DNS integration.
To change scope-specific settings, expand the node for the server you want to work
with and then expand IPv4. Right-click the scope you want to work with and then
select Properties. Click the DNS tab. The options available are the same as those shown
in Figure 22-27. Because these settings are configured by default, you usually don’t need
to modify the configuration.
Integrating DHCP and NAP
Network Access Protection (NAP) is designed to protect the network from clients that
do not have the appropriate security measures in place. The easiest way to enable NAP
with DHCP is to set up the DHCP server as a Network Policy Server. To do this, you’ll
need to install the Network Policy console, configure a compliant policy for NAP and
DHCP integration on the server, and then enable NAP for DHCP. This process enables
NAP for network computers that use DHCP; it does not fully configure NAP for use.
You can create a NAP and DHCP integration policy by completing the following steps:
1. On the server that you want to act as the Network Policy Server, install the
Network Policy console as an additional remote server administration tool using
the Add Features Wizard.
2. In the Network Policy console, select the NPS (Local) node in the console tree
and then click Configure NAP in the main pane. This starts the Configure NAP
wizard.
3. In the Network Connection Method list, choose Dynamic Host Configuration
Protocol (DHCP) as the connection method that you want to deploy on your
network for NAP-capable clients. As shown in Figure 22-28, the policy name is set
to NAP DHCP by default. Click Next.
Figure 22-28 Configure Network Access Protection policy for the local DHCP server.
4. On the Specify NAP Enforcement Servers Running DHCP Server page, you need
to identify all remote DHCP servers on your network by doing the following and
then click Next:
• Click Add. In the Add RADIUS Client dialog box, type a friendly name for
the remote server in the Friendly Name text box. Then type the DNS name
or IP address of the remote DHCP server in the Address text box. Click
Verify to ensure that the address is valid.
• In the Shared Secret panel, select Generate and then click Generate to create
a long shared secret keyphrase. You’ll need to enter this keyphrase in the
NAP DHCP policy on all remote DHCP servers. Be sure to write down this
keyphrase. Alternatively, copy the keyphrase to Notepad and then save it in
a file stored in a secure location. Click OK.
5. On the Specify DHCP Scopes page, you can identify the DHCP scopes to which
this policy should apply. If you do not specify any scopes, the policy applies to all
NAP-enabled scopes on the selected DHCP servers. Click Next twice to skip the
Configure Groups page.
6. On the Specify A NAP Remediation Server Group And URL page, select a
Remediation Server or click New Group to define a remediation group and specify
servers to handle remediation. Remediation servers store software updates for
NAP clients that need them. In the text box provided, type a URL to a Web
page that provides users with instructions on how to bring their computers into
compliance with NAP health policy. Ensure that all DHCP clients can access this
URL. Click Next.
7. On the Define NAP Health Policy page, use the options provided to determine
how NAP health policy works. In most cases, the default settings work fine. With
the default settings, NAP ineligible clients are denied access to the network; NAP-
capable clients are checked for compliance and automatically remediated, which
allows them to get needed software updates that you’ve made available. Click
Next and then click Finish.
You can modify NAP settings globally for each DHCP server or on a per-scope basis. To
view or change the global NAP settings, complete the following steps:
1. In the DHCP console, expand the node for the server you want to work with,
right-click IPv4, and then select Properties.
2. On the Network Access Protection tab, shown in Figure 22-29, click Enable On
All Scopes or Disable On All Scopes to enable or disable NAP for all scopes on the
server.
Note
When the local DHCP server is also a Network Policy Server, the Network Policy Server
should always be reachable. If you haven’t configured the server as a Network Policy
Server or the DHCP server is unable to contact the designated Network Policy Server,
you’ll see an error stating this on the Network Access Protection tab.
Figure 22-29 The Network Access Protection tab controls the protection options for DHCP.
3. Choose one of the following options to specify how the DHCP server behaves if
the Network Policy Server is unreachable, and then click OK to save your settings:
• Full Access  Gives DHCP clients full (unrestricted) access to the network.
This means clients can perform any permitted actions.
• Restricted Access  Gives DHCP clients restricted access to the network. This
means clients can work with resources only on the server to which they are
connected.
• Drop Client Packet  Blocks client requests and prevents the clients from
accessing the network. This means clients have no access to resources on
the network.
You can view and change the NAP settings for individual scopes by completing the fol-
lowing steps:
1. In the DHCP console, expand the node for the server you want to work with and
then expand IPv4.
2. Right-click the scope you want to work with and then select Properties.
3. On the Network Access Protection tab, click Enable For This Scope or Disable For
This Scope to enable or disable NAP for this scope.
4. If you’re enabling NAP and want to use a NAP profile other than the default,
click Use Custom Profile and then type the name of the profile, such as Alternate
NAP DHCP.
5. Click OK to save your settings.
Enabling Conflict Detection on DHCP Servers
No two computers on the network can have the same unicast IP address. If a computer
is assigned the same unicast IP address as another, one or both of the computers might
become disconnected from the network. To prevent this from happening, DHCP has
built-in conflict detection that enables clients to check the IP address they’ve been
assigned by pinging the address on the network. If a client detects that an IP address
it has been assigned is in use, it sends the DHCP server a Decline message telling the
server that it is declining the lease because the IP address is in use. When this hap-
pens, the server marks the IP address as bad in the DHCP database, and then the cli-
ent requests a new lease. This process works fairly well but requires additional time
because the client is responsible for checking the IP address, declining a lease, and
requesting a new one.
To speed up the process, you can configure DHCP servers to check for conflicts before
assigning an IP address to a client. When conflict detection is enabled, the process
works in much the same way as before, except the server checks the IP address to see if
it is in use and, if so, marks it as bad without interaction with the client. You can
configure conflict detection on a DHCP server by specifying the number of conflict
detection attempts that the DHCP server will make before it leases an IP address to a
client. The DHCP server checks IP addresses by sending a ping request over the network.
You can configure conflict detection in the DHCP console by expanding the node for
the server you want to work with, right-clicking IPv4, and then selecting Properties.
On the Advanced tab, set Conflict Detection Attempts to a value other than zero. At the
command line, type the following command:
netsh dhcp server ServerID set detectconflictretry Attempts
where ServerID is the name or IP address of the DHCP server and Attempts is the
number of conflict detection attempts the server should use. You can confirm the
setting by typing the following:
netsh dhcp server ServerID show detectconflictretry
Saving and Restoring the DHCP Configuration
After you finish configuring a DHCP server, you should save the configuration settings
so that you can easily restore the server to a known state or use the same settings on
another server. To do this, type the following command at the command prompt:
netsh dhcp server dump ServerID > SaveFile
where ServerID is the name or IP address of the DHCP server and SaveFile is the name of
the file in which you want to store the configuration settings. When you are logged on
locally, you can omit the server name or IP address, as shown in the following example:
netsh dhcp server dump > dhcpconfig.dmp
If you examine the file Netsh creates, you’ll find that it is a Netsh configuration script.
To restore the configuration, run the script by typing the following command:
netsh exec SaveFile
where SaveFile is the name of the file in which you stored the configuration settings.
Here is an example:
netsh exec dhcpconfig.dmp
Copy to a New DHCP Server
You can run the script on a different DHCP server to configure it the same as the original
DHCP server whose configuration you saved. Copy the configuration script to a folder on
the destination computer, and then run it. The DHCP server will be configured like the
original server.
Managing and Maintaining the DHCP Database
Information about leases and reservations used by clients is stored in database files on
the DHCP server. Like any other data set, the DHCP database has properties that you
can set and techniques you can use to maintain it.
Setting DHCP Database Properties
In the default configuration, these files are stored in the %SystemRoot%\System32\Dhcp
folder, and automatically created backups of the files are stored in
%SystemRoot%\System32\Dhcp\Backup. The DHCP Server service performs two routine
actions to maintain the database:
• Database cleanup during which the DHCP Server service checks for expired
leases and leases that no longer apply
• Database backup during which the DHCP Server service backs up the database
files
By default, both maintenance tasks are performed every 60 minutes, and you can
confirm this as well as the current DHCP folders being used by typing the following
command at the command prompt:
netsh dhcp server ServerID show dbproperties
where ServerID is the name or IP address of the DHCP server, such as
netsh dhcp server 192.168.1.50 show dbproperties
The output of this command shows you the current database properties for the DHCP
server:
Server Database Properties:
DatabaseName = dhcp.mdb
DatabasePath = C:\WINDOWS\System32\dhcp
DatabaseBackupPath = C:\WINDOWS\System32\dhcp\backup
DatabaseBackupInterval = 60 mins.
DatabaseLoggingFlag = 1
DatabaseRestoreFlag = 0
DatabaseCleanupInterval = 60 mins.
Note the DatabaseLoggingFlag and DatabaseRestoreFlag properties. DatabaseLoggingFlag
tracks whether audit logging is enabled. If the flag is set to 0, audit logging is disabled.
If the flag is set to 1, audit logging is enabled. DatabaseRestoreFlag is a special flag
that tracks whether the DHCP Server service should restore the DHCP database from
backup the next time it starts. If the flag is set to 0, the main database is used. If the
flag is set to 1, the DHCP Server service restores the database from backup, overwriting
the existing database.
You can use the following commands to set these properties:
• Netsh dhcp server ServerID set databasename NewFileName—Sets the new file
name for the database, such as Dhcp1.mdb.
• Netsh dhcp server ServerID set databasepath NewPath—Sets the new path for
the database files, such as C:\Dhcp\Dbfiles.
• Netsh dhcp server ServerID set databasebackupinterval NewIntervalMinutes—
Sets the database backup interval in minutes, such as 120.
• Netsh dhcp server ServerID set databasebackuppathname NewPath—Sets the
new path for the database backup files, such as C:\Dhcp\Dbbackup.
• Netsh dhcp server ServerID set databaseloggingflag FlagValue—Enables or
disables audit logging. Set to 0 to disable or 1 to enable.
• Netsh dhcp server ServerID set databaserestoreflag FlagValue—Forces DHCP to
restore the database from backup when it is started. Set to 1 to restore.
• Netsh dhcp server ServerID set databasecleanupinterval NewIntervalMinutes—
Sets the database cleanup interval in minutes, such as 120.
Note
If you change the database name or folder locations, you must stop the DHCP server and
then start it again for the changes to take effect. To do this, type net stop "dhcp server"
to stop the server and then type net start "dhcp server" to start the server again.
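An added example, not from the book: a PowerShell script that parses the show dbproperties output in the format shown above and flags the settings a defender would want to check, namely audit logging turned off, a DatabaseRestoreFlag of 1 (the backup overwrites the live database on the next service start), and a backup interval longer than the 60-minute default. The function names and the sample text are constructed; on a live server, pass the real output with ConvertFrom-DhcpDbProperties -Lines (netsh dhcp server show dbproperties).

```powershell
# Added example, not from the book: parse "netsh dhcp server show dbproperties"
# output and flag database settings worth a second look.
function ConvertFrom-DhcpDbProperties {
    param([string[]]$Lines)
    $props = @{}
    foreach ($line in $Lines) {
        # Property lines look like "DatabaseBackupInterval = 60 mins."
        if ($line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
            $name  = $Matches[1]
            $value = $Matches[2]
            # Intervals carry a "mins." suffix; store plain integers for comparison
            if ($value -match '^(\d+)\s*mins\.?$') { $value = [int]$Matches[1] }
            elseif ($value -match '^\d+$')         { $value = [int]$value }
            $props[$name] = $value
        }
    }
    return $props
}

function Test-DhcpDbProperties {
    param([hashtable]$Props)
    $findings = @()
    if ($Props.DatabaseLoggingFlag -ne 1) {
        $findings += 'DatabaseLoggingFlag is not 1: DHCP audit logging is disabled.'
    }
    if ($Props.DatabaseRestoreFlag -eq 1) {
        $findings += 'DatabaseRestoreFlag is 1: the backup overwrites the live database on the next service start.'
    }
    if ($Props.DatabaseBackupInterval -gt 60) {
        $findings += "DatabaseBackupInterval is $($Props.DatabaseBackupInterval) mins (default is 60)."
    }
    return $findings
}

# Constructed sample in the format the book shows (not output from a real server)
$sample = @'
Server Database Properties:
DatabaseName = dhcp.mdb
DatabasePath = C:\WINDOWS\System32\dhcp
DatabaseBackupPath = C:\WINDOWS\System32\dhcp\backup
DatabaseBackupInterval = 120 mins.
DatabaseLoggingFlag = 0
DatabaseRestoreFlag = 1
DatabaseCleanupInterval = 60 mins.
'@ -split "`r?`n"

$props = ConvertFrom-DhcpDbProperties -Lines $sample
Test-DhcpDbProperties -Props $props
```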