DNS is used to resolve computer names in Active Directory domains and on the Internet. Thanks to the DNS dynamic update protocol, you don’t need to manually register DHCP clients in DNS. The protocol allows the client or the DHCP server to register the forward-lookup and reverse-lookup records in DNS as necessary. When configured by using the default setup for DHCP, current DHCP clients automatically update their own DNS records after receiving an IP address lease. You can modify this behavior globally for each DHCP server or on a per-scope basis.

Name protection is an additional feature in Windows Server 2012 R2. With name protection, the DHCP server registers records on behalf of the client only if no other client with this DNS information is already registered. You can configure name protection for IPv4 and IPv6 at the network adapter level or at the scope level. Name protection settings configured at the scope level take precedence over the settings at the IPv4 or IPv6 level.

Name protection is designed to prevent name squatting. Name squatting occurs when a computer not based on the Windows operating system registers a name in DNS that is already registered to a computer running a Windows operating system. By enabling name protection, you can prevent name squatting by computers not based on the Windows operating system. Although name squatting generally does not present a problem when you use Active Directory to reserve a name for a single user or computer, it usually is a good idea to enable name protection on all Windows networks.

Name protection is based on the Dynamic Host Configuration Identifier (DHCID) and support for the DHCID RR (resource record) in DNS. The DHCID is a resource record stored in DNS that maps names to prevent duplicate registration. DHCP uses the DHCID resource record to store an identifier for a computer along with related information for the name, such as the A and AAAA records of the computer. The DHCP server can request a DHCID record match and then refuse the registration of a computer with a different address attempting to register a name with an existing DHCID record.

You can view and change the global DNS integration settings by following these steps:

1. In the DHCP console, expand the node for the server with which you want to work, press and hold or right-click IPv4 or IPv6, and then tap or click Properties.

2. Tap or click the DNS tab. Figure 8–3 shows the default DNS integration settings for DHCP. Because these settings are configured by default, you usually don’t need to modify the configuration. However, if you only want host (A) records to be dynamically updated instead of both host (A) and pointer (PTR) records, select the Disable Dynamic Updates For DNS PTR Records check box.

IMPORTANT The default configuration, which registers and maintains both A and PTR records, assumes that you’ve configured reverse lookup zones for your organization. If you haven’t, attempts to register and update PTR records will fail. You can prevent repeated failed attempts to register and update PTR records by disabling dynamic updates for PTR records. If you disable this option in the IPv4 properties, you are disabling the option for all IPv4 scopes. Alternatively, you can use scope properties to disable the option on a per scope basis.

FIGURE 8–3 The DNS tab shows the default settings for DNS integration with DHCP.

3. Optionally, you can enable or disable the name protection feature. With name protection, the DHCP server registers records on behalf of the client only if no other client with this DNS information is already registered. To enable or disable name protection, tap or click Configure. In the Name Protection dialog box, select or clear Enable Name Protection, and then tap or click OK.

You can view and change the per-scope DNS integration settings by following these steps:

1. In the DHCP console, expand the node for the server with which you want to work, and then expand IPv4 or IPv6.

2. Press and hold or right-click the scope with which you want to work, and then tap or click Properties.

3. Tap or click the DNS tab. The options available are the same as those shown in Figure 8–3. Because these settings are configured by default, you usually don’t need to modify the configuration.

4. Optionally, you can enable or disable the name-protection feature. Tap or click Configure. In the Name Protection dialog box, select or clear Enable Name Protection, and then tap or click OK.

Network Access Protection (NAP) is designed to protect the network from clients that do not have the appropriate security measures in place. The easiest way to enable NAP with DHCP is to set up the DHCP server as a Network Policy Server. To do this, you need to install the Network Policy And Access Services role, configure a compliant policy for NAP and DHCP integration on the server, and then enable NAP for DHCP. This process enables NAP for network computers that use DHCP, but it does not fully configure NAP for use.

You can create a NAP and DHCP integration policy by following these steps:

1. On the server that you want to designate as the Network Policy Server, use the Add Roles And Features Wizard to install the Network Policy And Access Services role. You should install the Network Policy Server role service at a minimum.

2. In the Network Policy Server Console (Nps.msc), available from the Tools menu in Server Manager, select the NPS (Local) node in the console tree, and then tap or click Configure NAP in the main pane to start the Configure NAP Wizard.

3. In the Network Connection Method list, choose Dynamic Host Configuration Protocol (DHCP) as the connection method you want to deploy on your network for NAP-capable clients. As shown in Figure 8–4, the policy name is set to NAP DHCP by default. Tap or click Next.

FIGURE 8–4 Configure Network Access Protection policy for the local DHCP server.

4. On the Specify NAP Enforcement Servers Running DHCP Server page, you need to identify all remote DHCP servers on your network by doing the following:

■ Tap or click Add. In the New RADIUS Client dialog box, enter a friendly name for the remote server in the Friendly Name text box. Then enter the DNS name of the remote DHCP server in the Address text box. Tap or click Verify to ensure that the DNS name is valid.

■ In the Shared Secret panel, select Generate, and then tap or click the Generate button to create a long shared-secret keyphrase. You need to enter this keyphrase in the NAP DHCP policy on all remote DHCP servers. Be sure to write down this keyphrase, or copy it to Notepad and save it in a file stored in a secure location. Tap or click OK.

5. Tap or click Next. On the Specify DHCP Scopes page, you can identify the DHCP scopes to which this policy should apply. If you do not specify any scopes, the policy applies to all NAP-enabled scopes on the selected DHCP servers. Tap or click Next twice to skip the Configure Machine Groups page.

6. On the Specify A NAP Remediation Server Group And URL page, select a Remediation Server, or tap or click New Group to define a remediation group and specify servers to handle remediation. Remediation servers store software updates for NAP clients that need them. In the text box provided, enter a URL for a webpage that provides users with instructions on how to bring their computers into compliance with NAP health policy. Be sure that all DHCP clients can access this URL. Tap or click Next to continue.