
7. On the Define NAP Health Policy page, use the options provided to determine how NAP health policy works. In many cases, the default settings work fine, though you may want to use the Allow option while you fine-tune policy. With the default settings, NAP-ineligible clients are denied access to the network, and NAP-capable clients are checked for compliance and automatically remediated, which allows them to get needed software updates that you’ve made available. Tap or click Next, and then tap or click Finish.

You can modify NAP settings globally for each DHCP server or on a per-scope basis. To view or change the global NAP settings, follow these steps:

1. In the DHCP console, expand the node for the server with which you want to work, press and hold or right-click IPv4, and then tap or click Properties.

2. On the Network Access Protection tab, shown in Figure 8–5, tap or click Enable On All Scopes or Disable On All Scopes to enable or disable NAP for all scopes on the server.

NOTE When the local DHCP server is also a Network Policy Server, the Network Policy Server should always be reachable. If you haven’t configured the server as a Network Policy Server or the DHCP server is unable to contact the designated Network Policy Server, you’ll get an error stating this on the Network Access Protection tab.

FIGURE 8–5 The Network Access Protection tab controls the protection options for DHCP.

3. Choose one of the following options to specify how the DHCP server behaves if the Network Policy Server is unreachable, and then tap or click OK to save your settings:

■ Full Access Gives DHCP clients full (unrestricted) access to the network. This means clients can perform any permitted actions.

■ Restricted Access Gives DHCP clients restricted access to the network. This means clients can work only with the server to which they are connected.

■ Drop Client Packet Blocks client requests, and prevents the clients from accessing the network. This means clients have no access to resources on the network.

You can view and change the NAP settings for individual scopes by following these steps:

1. In the DHCP console, expand the node for the server with which you want to work, and then expand IPv4.

2. Press and hold or right-click the scope with which you want to work, and then tap or click Properties.

3. On the Network Access Protection tab, tap or click Enable For This Scope or Disable For This Scope to enable or disable NAP for this scope.

4. If you’re enabling NAP and want to use a NAP profile other than the default, tap or click Use Custom Profile on the Network Access Protection tab, and then enter the name of the profile, such as Alternate NAP DHCP.

5. Tap or click OK to save your settings.

Avoiding IP address conflicts

IPv4 address conflicts are a common cause of problems with DHCP. No two computers on the network can have the same unicast IP address. If a computer is assigned the same unicast IPv4 address as another, one or both of the computers might become disconnected from the network. More specifically, the computer already using the IPv4 address can continue using the address and any other computer that tries to use that IPv4 address is blocked from using it.

To better detect and avoid potential conflicts, you can enable IPv4 address conflict detection by following these steps:

1. In the DHCP console, expand the node for the server with which you want to work, press and hold or right-click IPv4, and then tap or click Properties.

2. On the Advanced tab, set Conflict Detection Attempts to a value other than 0. The value you enter determines the number of times the DHCP server checks an IP address before leasing it to a client. The DHCP server checks IP addresses by sending a ping request over the network.

REAL WORLD A unicast IPv4 address is a standard IP address for class A, B, and C networks. When a DHCP client requests a lease, a DHCP server checks its pool of available addresses and assigns the client a lease on an available IPv4 address. By default, the server checks only the list of current leases to determine whether an address is available. It doesn’t actually query the network to determine whether an address is in use. Unfortunately, in a busy network environment, an administrator might have assigned this IPv4 address to another computer or an offline computer might have been brought online with a lease that it believes hasn’t expired, even though the DHCP server believes the lease has expired. Either way, you have an address conflict that will cause problems on the network. To reduce these types of conflicts, set the conflict detection to a value greater than 0.
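The following added example (not from the book) audits the settings described above across every DHCP server authorized in the domain: it flags servers where conflict detection is still 0 and servers where NAP grants Full Access when the Network Policy Server is unreachable. It assumes the DhcpServer PowerShell module on a NAP-capable release (Windows Server 2012 or 2012 R2) and rights to query each server; the target value of 2 attempts is an assumption.

```powershell
# Added example, not the book's code. Run at an elevated Windows PowerShell prompt.
Import-Module DhcpServer

$DesiredAttempts = 2   # assumed target; each attempt is one more ping before a lease is offered

$report = foreach ($server in Get-DhcpServerInDC) {
    try {
        $s = Get-DhcpServerSetting -ComputerName $server.DnsName -ErrorAction Stop
        $findings = @()
        if ($s.ConflictDetectionAttempts -eq 0) {
            $findings += 'conflict detection off'
        }
        # 'Full' is the cmdlet value for the Full Access option on the NAP tab.
        if ($s.NapEnabled -and $s.NpsUnreachableAction -eq 'Full') {
            $findings += 'NAP gives Full Access when NPS is unreachable'
        }
        [pscustomobject]@{
            Server                    = $server.DnsName
            ConflictDetectionAttempts = $s.ConflictDetectionAttempts
            NapEnabled                = $s.NapEnabled
            NpsUnreachableAction      = $s.NpsUnreachableAction
            Findings                  = $findings -join '; '
        }
    }
    catch {
        # Keep unreachable servers in the report instead of silently skipping them.
        [pscustomobject]@{
            Server                    = $server.DnsName
            ConflictDetectionAttempts = $null
            NapEnabled                = $null
            NpsUnreachableAction      = $null
            Findings                  = "query failed: $($_.Exception.Message)"
        }
    }
}

$report | Format-Table -AutoSize

# Preview the fix for servers with conflict detection disabled.
# Remove -WhatIf to apply the change.
$report | Where-Object { $_.ConflictDetectionAttempts -eq 0 } | ForEach-Object {
    Set-DhcpServerSetting -ComputerName $_.Server `
        -ConflictDetectionAttempts $DesiredAttempts -WhatIf
}
```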

Saving and restoring the DHCP configuration

After you configure all the necessary DHCP settings, you might want to save the DHCP configuration so that you can restore it on the DHCP server. To save the configuration, enter the following command at the command prompt:

netsh dump DHCP > dhcpconfig.dmp

In this example, dhcpconfig.dmp is the name of the configuration script you want to create. By default, the script is created in the current working directory. Alternatively, you can specify the full file path in which to save the script. After you create this script, you can restore the configuration by executing the script. If you saved the script in the current working directory, you can enter the following command at the command prompt:

netsh exec dhcpconfig.dmp

If you saved the script in another directory, you can specify the full path to the script, such as:

netsh exec d:\dhcp\scripts\dhcpconfig.dmp

TIP You can also use this technique to set up another DHCP server with the same configuration. Just copy the configuration script to a folder on the destination computer, and then execute it.
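Because netsh exec runs every command in the script file, a dump that is copied between servers should be checked for modification before it is executed. The following added example (not from the book) refuses to run the script unless its SHA-256 hash matches the value recorded on the source server; the function name and paths are hypothetical, and Get-FileHash requires Windows PowerShell 4.0 or later.

```powershell
# Added example, not the book's code.
#
# On the source server, right after creating the dump, record its hash and
# send it to the destination administrator separately from the file itself:
#   (Get-FileHash -LiteralPath .\dhcpconfig.dmp -Algorithm SHA256).Hash

function Invoke-VerifiedDhcpDump {
    # Hypothetical helper: runs the dump only if it is byte-for-byte
    # the file that was hashed on the source server.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Dump file not found: $Path"
    }

    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # PowerShell string comparison is case-insensitive, so hex case does not matter.
    if ($actual -ne $ExpectedSha256.Trim()) {
        throw "Refusing to run ${Path}: SHA-256 $actual does not match the recorded value."
    }

    # Hash matches: hand the script to netsh exactly as the text describes.
    netsh exec $Path
}

# On the destination server (placeholder hash shown):
# Invoke-VerifiedDhcpDump -Path 'D:\dhcp\scripts\dhcpconfig.dmp' `
#     -ExpectedSha256 '<hash recorded on the source server>'
```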

You can save or restore the DHCP configuration by using the DHCP console as well. To save the configuration, press and hold or right-click the DHCP server entry, tap or click Backup, use the dialog box provided to select the folder for the backup, and then tap or click OK. To restore the configuration, press and hold or right-click the DHCP server entry, tap or click Restore, use the dialog box provided to select the backup folder, and then tap or click OK. When prompted to confirm, tap or click Yes.

At an elevated Windows PowerShell prompt, you use Export-DhcpServer to save the configuration settings. The basic syntax is:

Export-DhcpServer -ComputerName ServerID -File SavePath

Here, ServerID is the DNS name or IP address of the DHCP server, and SavePath is the path and name of the file in which you want to store the configuration settings. If you omit the name of the server to work with, the local server is used. If you don’t specify a save path along with the file name, the configuration file is created in the current working directory. In the following example, you store the configuration settings in the d:\dhcp\scripts directory with the name dhcpconfig.dmp: