Windows Server 2008 Inside Out- P16

Shared by: Thanh Cong | Date: | File type: PDF | Pages: 50


Chapter 22 Managing DHCP

IPAddress is the IP address for the lease you want to remove, such as 192.168.1.8.

To activate or deactivate a scope, type the following:

    netsh dhcp server ServerID scope NetworkID state StateVal

where the following is true:

- ServerID is the UNC name or IP address of the DHCP server that hosts the scope, such as \\CORPSVR03 or \\192.168.1.1.
- NetworkID is the network ID of the scope, such as 192.168.1.0.
- StateVal is set to 0 to deactivate the scope and 1 to activate it. If you are using a switched network where multiple logical networks are hosted on a single physical network, use 2 to deactivate the scope and 3 to activate the scope.

Configuring TCP/IP Options

The messages clients and servers broadcast to each other allow you to set TCP/IP options that clients can obtain by default when they obtain a lease or can request if they need additional information. It is important to note, however, that the types of information you can add to DHCP messages are limited in several ways:

- DHCP messages are transmitted using User Datagram Protocol (UDP), and the entire DHCP message must fit into the UDP datagram. On Ethernet with 1500-byte datagrams, this leaves 1236 bytes for the body of the message (which contains the TCP/IP options).
- BOOTP messages have a fixed size of 300 bytes as set by the original BOOTP standard. Any clients using BOOTP are likely to have their TCP/IP options truncated.
- Although there are many options that you can set, clients understand only certain TCP/IP options. Thus, the set of options available to you is dependent upon the client's implementation of DHCP.

With that in mind, let's look at the levels at which options can be assigned and the options that Windows clients understand.

Levels of Options and Their Uses

Each individual TCP/IP option, such as a default gateway, is configured separately. There are different scope options for IPv4 and IPv6. DHCP administrators can manage options at five levels within the DHCP server configuration:

- Predefined options: Allow DHCP administrators to specify the way in which options are used and to create new option types for use on a server. In the DHCP console, you can view and set predefined options by right-clicking the IPv4 or IPv6 node in the console tree and selecting Set Predefined Options.
- Server options: Allow DHCP administrators to configure options that are assigned to all scopes created on the DHCP server. Think of server options as global options that would be assigned to all clients. Server options can be overridden by scope, class, and client-assigned options. In the DHCP console, you can view and set server options by expanding the entry for the server you want to work with, right-clicking Server Options, and then choosing Configure Options.
- Scope options: Allow DHCP administrators to configure options that are assigned to all clients that use a particular scope. Scope options are assigned only to normal scopes and can be overridden by class and client-assigned options. In the DHCP console, you can view and set scope options by expanding the scope you want to work with, right-clicking Scope Options, and then choosing Configure Options.
- Class options: Allow DHCP administrators to configure options that are assigned to all clients of a particular class. Client classes can be user-defined or vendor-defined. Two classes included with the DHCP Server service are Windows 98, which is used to assign specific options to clients running Windows 98, and Windows 2000, which is used to assign specific options to clients running Windows 2000 or later. Class options can be overridden by client-assigned options. You define new user and vendor classes by right-clicking the IPv4 or IPv6 entry and selecting either Define User Classes or Define Vendor Classes as appropriate. When defined, class options can be configured on the Advanced tab of the Server Options, Scope Options, and Reservation Options dialog boxes.
- Reservation options: Allow administrators to set options for an individual client that uses a reservation. Also referred to as client-specific options. After you create a reservation for a client, you can configure reservation options by expanding the scope, expanding Reservations, right-clicking the reservation, and selecting Configure Options. Only TCP/IP options manually configured on a client can override client-assigned options.

Options Used by Windows Clients

RFC 3442 defines many TCP/IP options that you can set in DHCP messages. Although you can set all of these options on a DHCP server, the set of options available is dependent upon the client's implementation of DHCP. Table 22-1 shows the options that can be configured by administrators and used by Windows computers running the DHCP Client service. Each option has an associated option code, which is used to identify it in a DHCP message, and a data entry, which contains the value setting of the option. These options are requested by clients to set their TCP/IP configuration.
Table 22-1 Standard TCP/IP Options That Administrators Can Configure

- Router, option code 003: Sets a list of IP addresses for the default gateways that should be used by the client. IP addresses are listed in order of preference.
- DNS Servers, option code 006: Sets a list of IP addresses for the DNS servers that should be used by the client. IP addresses are listed in order of preference.
- DNS Domain Name, option code 015: Sets the DNS domain name that clients should use when resolving host names using DNS.
- WINS/NBNS Servers, option code 044: Sets a list of IP addresses for the WINS servers that should be used by the client. IP addresses are listed in order of preference.
- WINS/NBT Node Type, option code 046: Sets the method to use when resolving NetBIOS names. The acceptable values are: 0x1 for B-node (broadcast), 0x2 for P-node (peer-to-peer), 0x4 for M-node (mixed), and 0x8 for H-node (hybrid). See "NetBIOS Node Types" on page 824.
- NetBIOS Scope ID, option code 047: Sets the NetBIOS scope for the client.

Using User-Specific and Vendor-Specific TCP/IP Options

DHCP uses classes to determine which options are sent to clients. The user classes let you assign TCP/IP options according to the type of user the client represents on the network. The default user classes include the following:

- Default User Class: An all-inclusive class that includes clients that don't fit into the other user classes, such as computers running Windows NT 4.0. Any computer running a version of the Windows operating system earlier than Windows 2000 is in this class.
- Default BOOTP Class: Any computer running Windows 2000 or later has this user class if it is connected to the local network directly. This means Windows 2000, Windows XP, and Windows Server 2008 computers connected with a wired network interface have this class.
- Default Routing And Remote Access Class: Any computer that connects to the network using RRAS has this class. Any settings applied to this class are used by dial-in and VPN users, which allows you to set different TCP/IP options for these users.
- Default Network Access Protection Class: Any computer that connects to the network and is subject to Network Access Protection (NAP) policy has this class. Any settings applied to this class are used by restricted access clients, which allows you to set different TCP/IP options for these users.
Clients can be a member of multiple user classes, and you can view the user class memberships for each network interface by typing ipconfig /showclassid * at the command prompt. (The asterisk tells the command that you want to see all the network interfaces.) The output you'll see on a computer running Windows 2000 or later will be similar to the following:

    Windows IP Configuration

    DHCP Classes for Adapter "Local Area Connection":

        DHCP ClassID Name         : Default Routing and Remote Access Class
        DHCP ClassID Description  : User class for remote access clients

        DHCP ClassID Name         : Default BOOTP Class
        DHCP ClassID Description  : User class for BOOTP Clients

Here, the client is a member of the Default Routing And Remote Access Class and the Default BOOTP Class. The client doesn't, however, get its options from both classes. Rather, the class from which the client gets its options depends on its connection state. If the client is connected directly to the network, it uses the Default BOOTP Class. If the client is connected by Routing and Remote Access, it uses the Default Routing And Remote Access Class.

Vendor classes work a bit differently because they define the set of options available to and used by the various user classes. The default vendor class, DHCP Standard Options, is used to set the standard TCP/IP options, and the various user classes all have access to these options so that they can be implemented in a user-specific way. Additional vendor classes beyond the default define extensions or additional options that can be implemented in a user-specific way. This means that the vendor class defines the options and makes them available, while the user class settings determine which of these additional options (if any) are used by clients.

The default vendor classes that provide additional (add-on) options are as follows:

- Microsoft Options: Add-on options available to any client running any version of Windows
- Microsoft Windows 98 Options: Add-on options available to any client running Windows 98 or later
- Microsoft Windows 2000 Options: Add-on options available to any client running Windows 2000 or later

When it comes to these classes, a client applies the options from the most specific add-on vendor class. Thus, a Windows 98 client would apply the Microsoft Windows 98 Options vendor class, and a Windows 2000 or later client would apply the Microsoft Windows 2000 Options vendor class. Again, these options are in addition to the standard options provided through the DHCP Standard Options vendor class and can be implemented in a manner specific to a user class. This means you can have one set of add-on options for directly connected clients (Default BOOTP Class) and one set for remotely connected clients (Default Routing And Remote Access Class). The add-on options that can be set for a client running Windows 2000 or later are listed in Table 22-2.

Table 22-2 Additional TCP/IP Options That Administrators Can Configure

- Microsoft Disable NetBIOS Option, option code 001: Disables NetBIOS if selected as an option with a value of 0x1.
- Microsoft Release DHCP Lease On Shutdown Option, option code 002: Specifies that a client should release its DHCP lease on shutdown if selected as an option with a value of 0x1.
- Microsoft Default Router Metric Base, option code 003: Specifies that the default router metric base should be used if selected as an option with a value of 0x1.

Setting Options for All Clients

On the DHCP server, you can set TCP/IP options at several levels. You can set options for the following components:

- All scopes on a server: In the DHCP console, expand the entry for the server and IP protocol you want to work with, right-click Server Options, and then choose Configure Options.
- A specific scope: In the DHCP console, expand the scope you want to work with, right-click Scope Options, and then choose Configure Options.
- A single reserved IP address: In the DHCP console, expand the scope, expand Reservations, right-click the reservation you want to work with, and select Configure Options.

Regardless of the level at which you are setting TCP/IP options, the dialog box displayed has the exact same set of choices as that shown in Figure 22-21. You can now select each standard TCP/IP option you want to use in turn, such as Router, DNS Servers, DNS Domain Name, WINS/NBNS Servers, and WINS/NBT Node Type, and configure the appropriate values. Click OK when you are finished.
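To make the option precedence and the message size limits described above concrete, here is an added Python example (not the book's code) that merges options from the server, scope, class and reservation levels, encodes the result as DHCP option TLVs using the option codes from Table 22-1, and checks the result against the 1236-byte Ethernet budget the chapter quotes and the 64-byte vendor area of a 300-byte BOOTP message. The option values, the "Engineering" user class and the addresses used are constructed sample data.

```python
"""Added example (not the book's code): resolve a client's effective option set
from the server, scope, class and reservation levels (each level overrides the
one before it, as described above), encode it as DHCP option TLVs using the
codes from Table 22-1, and check it against the byte budgets: the 1236 bytes of
option space the chapter quotes for a 1500-byte Ethernet frame, and the 64-byte
vendor area of a fixed-size 300-byte BOOTP message (RFC 951)."""
import ipaddress
import struct

# Option codes from Table 22-1 (values are the DHCP option numbers).
ROUTER, DNS_SERVERS, DNS_DOMAIN_NAME = 3, 6, 15
WINS_SERVERS, WINS_NODE_TYPE, NETBIOS_SCOPE_ID = 44, 46, 47
END = 255

ETHERNET_OPTION_BUDGET = 1236   # figure quoted in the chapter for 1500-byte frames
BOOTP_OPTION_BUDGET = 300 - 236  # 64-byte vendor area; the magic cookie counts too
MAGIC_COOKIE_LEN = 4


def resolve_options(server=None, scope=None, class_opts=None, reservation=None):
    """Merge option dicts in precedence order; later levels override earlier ones."""
    effective = {}
    for level in (server, scope, class_opts, reservation):
        if level:
            effective.update(level)
    return effective


def _encode_value(code, value):
    """Encode one option value into its on-the-wire bytes."""
    if code in (ROUTER, DNS_SERVERS, WINS_SERVERS):
        # Ordered list of IPv4 addresses, 4 bytes each; preference order is kept.
        return b"".join(ipaddress.IPv4Address(a).packed for a in value)
    if code in (DNS_DOMAIN_NAME, NETBIOS_SCOPE_ID):
        return value.encode("ascii")
    if code == WINS_NODE_TYPE:
        if value not in (0x1, 0x2, 0x4, 0x8):  # B, P, M and H node types
            raise ValueError("node type must be 0x1, 0x2, 0x4 or 0x8")
        return bytes([value])
    raise ValueError(f"unsupported option code {code}")


def encode_options(options):
    """Encode {code: value} as (code, length, data) TLVs followed by the END option."""
    out = bytearray()
    for code in sorted(options):
        data = _encode_value(code, options[code])
        if len(data) > 255:
            raise ValueError(f"option {code} exceeds 255 bytes")
        out += struct.pack("BB", code, len(data)) + data
    out.append(END)
    return bytes(out)


def decode_options(encoded):
    """Parse TLVs back into {code: raw bytes}; stops at the END option."""
    result, i = {}, 0
    while i < len(encoded) and encoded[i] != END:
        code, length = encoded[i], encoded[i + 1]
        result[code] = encoded[i + 2:i + 2 + length]
        i += 2 + length
    return result


def fits(encoded, budget):
    """True if the magic cookie plus the encoded options fit within the budget."""
    return MAGIC_COOKIE_LEN + len(encoded) <= budget


# Constructed sample configuration (not from the book): server-level defaults,
# overridden by a scope, then by an "Engineering" user class, then by a reservation.
SERVER_OPTIONS = {DNS_SERVERS: ["192.168.1.50", "192.168.1.51"],
                  DNS_DOMAIN_NAME: "cpandl.com", WINS_NODE_TYPE: 0x8}
SCOPE_OPTIONS = {ROUTER: ["192.168.1.1"]}
ENGINEERING_CLASS_OPTIONS = {DNS_SERVERS: ["192.168.1.60"]}
RESERVATION_OPTIONS = {ROUTER: ["192.168.1.254"]}

if __name__ == "__main__":
    effective = resolve_options(SERVER_OPTIONS, SCOPE_OPTIONS,
                                ENGINEERING_CLASS_OPTIONS, RESERVATION_OPTIONS)
    blob = encode_options(effective)
    print(effective)
    print(blob.hex(), "fits Ethernet:", fits(blob, ETHERNET_OPTION_BUDGET),
          "fits BOOTP:", fits(blob, BOOTP_OPTION_BUDGET))
```

The reservation's router wins over the scope's, and the class's DNS server list wins over the server's, which is exactly the override order the levels list gives.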
Figure 22-21 Set class-specific options using the General tab.

Setting Options for RRAS and NAP Clients

On the DHCP server, you can set TCP/IP options for RRAS and NAP clients at several levels. You can set options for the following components:

- All scopes on a server: In the DHCP console, expand the entry for the server and IP protocol you want to work with, right-click Server Options, and then choose Configure Options.
- A specific scope: In the DHCP console, expand the scope you want to work with, right-click Scope Options, and then choose Configure Options.
- A single reserved IP address: In the DHCP console, expand the scope, expand Reservations, right-click the reservation you want to work with, and select Configure Options.

Regardless of the level at which you are setting TCP/IP options, the dialog box displayed has the exact same set of choices. You can now complete the following steps:

1. Click the Advanced tab, as shown in Figure 22-22. From the Vendor Class drop-down list, select DHCP Standard Options. As appropriate, from the User Class drop-down list, choose either Default Routing And Remote Access Class or Default Network Access Protection Class.
Figure 22-22 Set the DHCP Standard Options.

2. Select the check box for each standard TCP/IP option you want to use in turn, such as Router, DNS Servers, DNS Domain Name, WINS/NBNS Servers, and WINS/NBT Node Type, and configure the appropriate values.
3. Select each add-on TCP/IP option you want to use in turn, such as Microsoft Disable NetBIOS Option and Microsoft Release DHCP Lease On Shutdown Option, and accept the default value (0x1) to turn on the option.
4. Click OK.

Setting Add-On Options for Directly Connected Clients

You can set add-on options for directly connected clients that are different from those of remote access clients. Access the TCP/IP Options dialog box at the appropriate level, and then click the Advanced tab. For Windows 2000 or later clients, select Microsoft Windows 2000 Options as the vendor class and Default BOOTP Class as the user class, as shown in Figure 22-23. Now select each add-on TCP/IP option you want to use in turn, such as Microsoft Disable NetBIOS Option and Microsoft Release DHCP Lease On Shutdown Option, and accept the default value (0x1) to turn on the option. Then click OK when you are finished.
Figure 22-23 Set the add-on options for directly connected clients.

Defining Classes to Get Different Option Sets

If you want a group of DHCP clients to use a set of options different from other computers, you can use classes to do this. It is a two-part process. First, create your own user-defined class on each DHCP server to which the clients might connect. Then configure the network interfaces on the clients to use the new class.

Creating the Class

In the DHCP console, you can define the new user class by right-clicking the IP protocol you want to work with and selecting Define User Classes. In the DHCP User Classes dialog box, shown in Figure 22-24, the existing classes are listed, except for the Default User Class because it is the base user class. Click Add to display the New Class dialog box shown in Figure 22-25. In the Display Name box, type the name of the class you are defining. The name is arbitrary and should be short but descriptive enough so that you know what that class is used for by seeing its name. You can also type a description in the Description box. Afterward, click in the empty area below the word ASCII. In this space, type the class identifier, which is used by DHCP to identify the class. The class identifier cannot have spaces. Click OK to close the New Class dialog box, and then click Close to return to the DHCP console.
Figure 22-24 User classes in addition to the base class.

Figure 22-25 Set the class name, description, and class ID.

Next, you must configure the TCP/IP options that should be used by this class. In the DHCP console, expand the entry for the server you want to work with, right-click Server Options, and then choose Configure Options. In the Server Options dialog box, click the Advanced tab. Select DHCP Standard Options as the vendor class and the class you created as the user class. Select each standard TCP/IP option you want to use in turn, such as Router, DNS Servers, DNS Domain Name, WINS/NBNS Servers, and WINS/NBT Node Type, and configure the appropriate values. If you want to set Windows options, select Microsoft Windows 2000 Options as the vendor class. Don't change the user class. Then select each add-on TCP/IP option you want to use in turn, such as Microsoft Disable NetBIOS Option and Microsoft Release DHCP Lease On Shutdown Option, and accept the default value (0x1) to turn on the option. Click OK to complete the configuration of the new class.
Configuring Clients to Use the Class

Now you must configure the network interfaces on the clients to use the new class. Assuming "Local Area Connection" is the name of the network interface on the client, you would type the following command to do this:

    ipconfig /setclassid "Local Area Connection" ClassID

where ClassID is the ID of the user class to use. For example, if the class ID is Engineering, you would type

    ipconfig /setclassid "Local Area Connection" Engineering

In these examples, I use "Local Area Connection" as the network interface name because that is the default connection created by Windows. If a client has multiple network interfaces or a user has changed the name of the default network interface, you must use the name of the appropriate interface. You can get a list of all network interfaces on a client by typing ipconfig /all at the command prompt.

After you set the class ID, type ipconfig /renew at the command prompt. This tells the client to renew the lease, and because the client has a new class ID it also forces the client to request new TCP/IP options. The output should be similar to the following:

    Windows IP Configuration

    Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  :
        IP Address                      : 192.168.1.22
        Subnet Mask                     : 255.255.255.0
        Default Gateway                 : 192.168.1.1
        DHCP Class ID                   : Engineering

That's it. Because the class ID is persistent, you need to set it only once. So, if the client is restarted, the class ID will remain. To remove the class ID and use the defaults again, type the following command:

    ipconfig /setclassid "Local Area Connection"

TROUBLESHOOTING: Class ID problems

Sometimes the network interface won't report that it has the new class ID. If this happens, try releasing the DHCP lease first by typing ipconfig /release and then obtaining a new lease by typing ipconfig /renew.
Advanced DHCP Configuration and Maintenance

When you install the DHCP Server service, many advanced features are configured for you automatically, including audit logging, network bindings, integration with DNS, integration with NAP, and DHCP database backups. All of these features can be fine-tuned to optimize performance, and many of these features, such as auditing, logging, and backups, should be periodically monitored.

Configuring DHCP Audit Logging

Audit logging is enabled by default for the DHCP Server service and is used to track DHCP processes and requests in log files. Although you can enable and configure logging separately for IPv4 and IPv6, by default, the two protocols use the same log files. The DHCP logs are stored in the %SystemRoot%\System32\Dhcp folder by default. In this folder you'll find a different log file for each day of the week. For example, the log file for Monday is named DhcpSrvLog-Mon.log. When you start the DHCP Server service or a new day arrives, a header message is written to the log file. As shown in Listing 22-1, the header provides a summary of DHCP events and their meanings. The header is followed by the actual events logged by the DHCP Server service. The event IDs and descriptions are entered because different versions of the DHCP Server service can have different events.

Listing 22-1 DHCP Server Log File

    Microsoft DHCP Service Activity Log

    Event ID  Meaning
    00 The log was started.
    01 The log was stopped.
    02 The log was temporarily paused due to low disk space.
    10 A new IP address was leased to a client.
    11 A lease was renewed by a client.
    12 A lease was released by a client.
    13 An IP address was found to be in use on the network.
    14 A lease request could not be satisfied because the scope's address pool was exhausted.
    15 A lease was denied.
    16 A lease was deleted.
    17 A lease was expired.
    24 IP address cleanup operation has began.
    25 IP address cleanup statistics.
    30 DNS update request to the named DNS server
    31 DNS update failed
    32 DNS update successful
    50+ Codes above 50 are used for Rogue Server Detection information.

    ID,Date,Time,Description,IP Address,Host Name,MAC Address
    00,04/27/09,11:30:26,Started,,,,
    55,04/27/09,11:30:27,Authorized(servicing),,cpandl.com,,
    10,04/27/09,11:56:03,Assign,192.168.1.1,corpserver03.cpandl.com,2324AE67B4E8,
    12,04/27/09,11:56:32,Release,192.168.1.1,corpserver03.cpandl.com,2324AE67B4E8,
    10,04/27/09,12:01:45,Assign,192.168.1.20,corpserver03.cpandl.com,2324AE67B4E8,
    15,04/27/09,12:03:41,NACK,192.168.0.100,,2324AE67B4E8,
    11,04/27/09,12:03:42,Renew,192.168.1.20,becka.,2324AE67B4E8,
    24,04/27/09,12:30:30,Database Cleanup Begin,,,,
    25,04/27/09,12:30:30,0 leases expired and 0 leases deleted,,,,
    25,04/27/09,12:30:30,0 leases expired and 0 leases deleted,,,,
    24,04/27/09,13:30:35,Database Cleanup Begin,,,,
    25,04/27/09,13:30:35,0 leases expired and 0 leases deleted,,,,
    25,04/27/09,13:30:35,0 leases expired and 0 leases deleted,,,,
    01,04/27/09,14:10:23,Stopped,,,,
    00,04/27/09,14:10:37,Started,,,,
    55,04/27/09,14:10:37,Authorized(servicing),,cpandl.com,,
    01,04/27t/09,20:15:50,Stopped,,,,

The events in the audit logs can help you troubleshoot problems with a DHCP server. As you examine Listing 22-1, the first event entry with ID 00 tells you the DHCP Server service was started. The second event entry with ID 55 tells you the DHCP server is authorized to service the cpandl.com domain. Every hour that the service is running, it also performs cleanup operations. Database cleanup is used to check for expired leases and leases that no longer apply.

The audit logs also serve as a record of all DHCP connection requests by clients on the network. Events related to lease assignment, renewal, and release are recorded according to the IP address assigned, the client's FQDN, and the client's MAC address. Declined leases are listed with the event ID 13, and the description of the event is DECLINE. A DHCP client can decline a lease if it detects that the IP address is already in use. The primary reason this happens is that a system somewhere on the network is using a static IP address in the DHCP range or has leased it from another DHCP server during a network glitch.
When the server receives the decline, it marks the address as bad in the DHCP database. See "Enabling Conflict Detection on DHCP Servers" on page 734 for details on how IP address conflicts can be avoided.

Denied leases are listed with the event ID 15, and the description of the event is NACK. DHCP can deny a lease to a client that is requesting an address that cannot be provided. This could happen if an administrator terminated the lease or if the client moved to a different subnet where the original IP address held is no longer valid. When a client receives a NACK, the client releases the denied IP address and requests a new one.

As discussed previously, audit logging is enabled by default. If you want to check or change the logging setting, you can do this in the DHCP console. Expand the node for the server you want to work with, right-click IPv4 or IPv6 as appropriate for the type of binding you want to work with, and then select Properties. This displays the dialog box shown in Figure 22-26. On the General tab, select or clear the Enable DHCP Audit Logging check box as necessary. Afterward, select the Advanced tab. The Audit Log File Path box shows the current folder location for log files. Enter a new folder location or click Browse to find a new location. Click OK. If you change the audit log location, Windows Server 2008 will need to restart the DHCP Server service. When prompted to confirm that this is OK, click Yes.

Figure 22-26 Audit logging is enabled by default.

Binding the DHCP Server Service to a Network Interface

The DHCP Server service should bind automatically to the first NIC on the server. This means that the DHCP Server service should use the IP address and TCP/IP configuration of this network interface to communicate with clients. In some instances, the DHCP Server service might not bind to any available network interface or it might bind to a network interface that you don't want it to use. To resolve this problem, you must bind the DHCP Server service to a specific network interface by following these steps:

1. In the DHCP console, expand the node for the server you want to work with, right-click IPv4 or IPv6 as appropriate for the type of binding you want to work with, and then select Properties.
2. On the Advanced tab of the IPv4 or IPv6 Properties dialog box, click Bindings to display the Bindings dialog box. This dialog box displays a list of available network connections for the DHCP server.
3. If you want the DHCP Server service to use a connection to service clients, select the option for the connection. If you don't want the service to use a connection, clear the related option.
4. Click OK twice when you are finished.
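As an added example (not the book's code), the following Python parses audit log lines in the DhcpSrvLog layout of Listing 22-1 and pulls out the events the discussion above singles out: DECLINE (13), NACK (15), an exhausted address pool (14) and the rogue server detection range (50+). The embedded log lines are constructed sample data in that layout; the description text for event 14 is constructed, since Listing 22-1 does not show one.

```python
"""Added example (not the book's code): parse DHCP Server audit log lines in the
DhcpSrvLog-<day>.log layout of Listing 22-1 and pull out the events that call
for follow-up: DECLINE (13), NACK (15), exhausted address pool (14) and the
rogue server detection range (50+). SAMPLE_LOG is constructed sample data."""
import csv
from collections import Counter, defaultdict
from datetime import datetime
from io import StringIO

# Event IDs and meanings taken from the log header in Listing 22-1.
EVENT_MEANING = {
    0: "log started", 1: "log stopped", 2: "log paused (low disk space)",
    10: "new lease", 11: "lease renewed", 12: "lease released",
    13: "address found in use (DECLINE)", 14: "address pool exhausted",
    15: "lease denied (NACK)", 16: "lease deleted", 17: "lease expired",
    24: "cleanup began", 25: "cleanup statistics", 30: "DNS update request",
    31: "DNS update failed", 32: "DNS update successful",
}
ROGUE_DETECTION_BASE = 50  # codes from 50 up carry rogue server detection information
EVENT_AUTHORIZED = 55      # shown in Listing 22-1 as Authorized(servicing)


def parse_audit_log(text):
    """Yield one dict per data row; header lines and the column row are skipped."""
    for row in csv.reader(StringIO(text)):
        if len(row) < 7 or not row[0].isdigit():
            continue  # blank lines, the "Event ID  Meaning" block, the column header
        try:
            when = datetime.strptime(f"{row[1]} {row[2]}", "%m/%d/%y %H:%M:%S")
        except ValueError:
            continue  # malformed date/time field; skip rather than abort the review
        yield {"id": int(row[0]), "time": when, "description": row[3],
               "ip": row[4], "host": row[5], "mac": row[6].upper()}


def summarize(records):
    """Count events by ID and collect the ones worth a second look."""
    summary = {"counts": Counter(), "declines": [], "nacks_by_mac": defaultdict(int),
               "pool_exhausted": 0, "rogue_detection": [], "unknown_ids": set()}
    for r in records:
        summary["counts"][r["id"]] += 1
        if r["id"] == 13:
            summary["declines"].append((r["ip"], r["mac"]))
        elif r["id"] == 15:
            summary["nacks_by_mac"][r["mac"]] += 1
        elif r["id"] == 14:
            summary["pool_exhausted"] += 1
        elif r["id"] >= ROGUE_DETECTION_BASE:
            summary["rogue_detection"].append((r["id"], r["description"], r["host"]))
        elif r["id"] not in EVENT_MEANING:
            summary["unknown_ids"].add(r["id"])
    return summary


def findings(summary, nack_threshold=3):
    """Turn the summary into the findings a reviewer would act on."""
    out = []
    for ip, mac in summary["declines"]:
        out.append(f"DECLINE for {ip} from {mac}: address already in use; look for a "
                   "static host in the DHCP range or a second DHCP server")
    for mac, n in summary["nacks_by_mac"].items():
        if n >= nack_threshold:
            out.append(f"{n} NACKs for {mac}: client keeps requesting an address the "
                       "server cannot provide (moved subnet or terminated lease)")
    if summary["pool_exhausted"]:
        out.append(f"address pool exhausted {summary['pool_exhausted']} time(s): "
                   "enlarge the scope or shorten lease durations")
    for code, desc, host in summary["rogue_detection"]:
        if code != EVENT_AUTHORIZED:
            out.append(f"rogue detection event {code} ({desc}, {host}): verify the "
                       "server's authorization status")
    return out


# Constructed sample log in the Listing 22-1 layout: header block, column row, data rows.
SAMPLE_LOG = """\
Microsoft DHCP Service Activity Log

Event ID  Meaning
00 The log was started.
13 An IP address was found to be in use on the network.

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,04/27/09,11:30:26,Started,,,,
55,04/27/09,11:30:27,Authorized(servicing),,cpandl.com,,
10,04/27/09,11:56:03,Assign,192.168.1.20,corpserver03.cpandl.com,2324AE67B4E8,
13,04/27/09,11:57:10,DECLINE,192.168.1.20,corpserver03.cpandl.com,2324AE67B4E8,
15,04/27/09,12:03:41,NACK,192.168.0.100,,2324AE67B4E8,
15,04/27/09,12:03:52,NACK,192.168.0.100,,2324AE67B4E8,
15,04/27/09,12:04:03,NACK,192.168.0.100,,2324AE67B4E8,
14,04/27/09,12:10:00,Pool exhausted,,,,
24,04/27/09,12:30:30,Database Cleanup Begin,,,,
01,04/27/09,14:10:23,Stopped,,,,
"""

if __name__ == "__main__":
    for line in findings(summarize(parse_audit_log(SAMPLE_LOG))):
        print(line)
```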
Integrating DHCP and DNS

Using the DNS Dynamic Update protocol, DHCP clients running Windows 2000 or later can automatically update their forward (A) and reverse lookup (PTR) records in DNS or request that the DHCP server do this for them. Clients running versions of the Windows operating system earlier than Windows 2000 can't dynamically update any of their records, so DHCP must do this for them. In either case, when the DHCP server is required to update DNS records, this requires integration between DHCP and DNS.

In the default configuration of DHCP, a DHCP server will update DNS records for clients only if requested but will not update records for clients running versions of the Windows operating system earlier than Windows 2000. You can modify this behavior globally for each DHCP server or on a per-scope basis.

To change the global DNS integration settings, start the DHCP console, expand the node for the server you want to work with, right-click IPv4, and then select Properties. Click the DNS tab, as shown in Figure 22-27, and then select the Dynamically Update DNS A And PTR Records For DHCP Clients That Do Not Request Updates check box. Don't change the other settings. These settings are configured by default, and you don't need to modify the configuration in most cases.

Figure 22-27 DHCP and DNS integration.

To change scope-specific settings, expand the node for the server you want to work with and then expand IPv4. Right-click the scope you want to work with and then select Properties. Click the DNS tab. The options available are the same as those shown in Figure 22-27. Because these settings are configured by default, you usually don't need to modify the configuration.
Integrating DHCP and NAP

Network Access Protection (NAP) is designed to protect the network from clients that do not have the appropriate security measures in place. The easiest way to enable NAP with DHCP is to set up the DHCP server as a Network Policy Server. To do this, you'll need to install the Network Policy console, configure a compliant policy for NAP and DHCP integration on the server, and then enable NAP for DHCP. This process enables NAP for network computers that use DHCP; it does not fully configure NAP for use.

You can create an NAP and DHCP integration policy by completing the following steps:

1. On the server that you want to act as the Network Policy Server, install the Network Policy console as an additional remote server administration tool using the Add Features Wizard.
2. In the Network Policy console, select the NPS (Local) node in the console tree and then click Configure NAP in the main pane. This starts the Configure NAP wizard.
3. In the Network Connection Method list, choose Dynamic Host Configuration Protocol (DHCP) as the connection method that you want to deploy on your network for NAP-capable clients. As shown in Figure 22-28, the policy name is set to NAP DHCP by default. Click Next.

   Figure 22-28 Configure Network Access Protection policy for the local DHCP server.

4. On the Specify NAP Enforcement Servers Running DHCP Server page, you need to identify all remote DHCP servers on your network by doing the following and then click Next:
   - Click Add. In the Add RADIUS Client dialog box, type a friendly name for the remote server in the Friendly Name text box. Then type the DNS name or IP address of the remote DHCP server in the Address text box. Click Verify to ensure that the address is valid.
   - In the Shared Secret panel, select Generate and then click Generate to create a long shared secret keyphrase. You'll need to enter this keyphrase in the NAP DHCP policy on all remote DHCP servers. Be sure to write down this keyphrase. Alternatively, copy the keyphrase to Notepad and then save it in a file stored in a secure location. Click OK.
5. On the Specify DHCP Scopes page, you can identify the DHCP scopes to which this policy should apply. If you do not specify any scopes, the policy applies to all NAP-enabled scopes on the selected DHCP servers. Click Next twice to skip the Configure Groups page.
6. On the Specify A NAP Remediation Server Group And URL page, select a Remediation Server or click New Group to define a remediation group and specify servers to handle remediation. Remediation servers store software updates for NAP clients that need them. In the text box provided, type a URL to a Web page that provides users with instructions on how to bring their computers into compliance with NAP health policy. Ensure that all DHCP clients can access this URL. Click Next.
7. On the Define NAP Health Policy page, use the options provided to determine how NAP health policy works. In most cases, the default settings work fine. With the default settings, NAP ineligible clients are denied access to the network; NAP-capable clients are checked for compliance and automatically remediated, which allows them to get needed software updates that you've made available. Click Next and then click Finish.

You can modify NAP settings globally for each DHCP server or on a per-scope basis. To view or change the global NAP settings, complete the following steps:

1. In the DHCP console, expand the node for the server you want to work with, right-click IPv4, and then select Properties.
2. On the Network Access Protection tab, shown in Figure 22-29, click Enable On All Scopes or Disable On All Scopes to enable or disable NAP for all scopes on the server.

   Note: When the local DHCP server is also a Network Policy Server, the Network Policy Server should always be reachable. If you haven't configured the server as a Network Policy Server or the DHCP server is unable to contact the designated Network Policy Server, you'll see an error stating this on the Network Access Protection tab.

   Figure 22-29 The Network Access Protection tab controls the protection options for DHCP.

3. Choose one of the following options to specify how the DHCP server behaves if the Network Policy Server is unreachable, and then click OK to save your settings:
   - Full Access: Gives DHCP clients full (unrestricted) access to the network. This means clients can perform any permitted actions.
   - Restricted Access: Gives DHCP clients restricted access to the network. This means clients can work with resources only on the server to which they are connected.
   - Drop Client Packet: Blocks client requests and prevents the clients from accessing the network. This means clients have no access to resources on the network.

You can view and change the NAP settings for individual scopes by completing the following steps:

1. In the DHCP console, expand the node for the server you want to work with and then expand IPv4.
2. Right-click the scope you want to work with and then select Properties.
3. On the Network Access Protection tab, click Enable For This Scope or Disable For This Scope to enable or disable NAP for this scope.
4. If you're enabling NAP and want to use an NAP profile other than the default, click Use Custom Profile and then type the name of the profile, such as Alternate NAP DHCP.
5. Click OK to save your settings.
Enabling Conflict Detection on DHCP Servers

No two computers on the network can have the same unicast IP address. If a computer is assigned the same unicast IP address as another, one or both of the computers might become disconnected from the network. To prevent this from happening, DHCP has built-in conflict detection that enables clients to check the IP address they’ve been assigned by pinging the address on the network. If a client detects that an IP address it has been assigned is in use, it sends the DHCP server a Decline message telling the server that it is declining the lease because the IP address is in use. When this happens, the server marks the IP address as bad in the DHCP database, and then the client requests a new lease.

This process works fairly well but requires additional time because the client is responsible for checking the IP address, declining a lease, and requesting a new one. To speed up the process, you can configure DHCP servers to check for conflicts before assigning an IP address to a client. When conflict detection is enabled, the process works in much the same way as before, except the server checks the IP address to see if it is in use and, if so, marks it as bad without interaction with the client. You can configure conflict detection on a DHCP server by specifying the number of conflict detection attempts that the DHCP server will make before it leases an IP address to a client. The DHCP server checks IP addresses by sending a ping request over the network.

You can configure conflict detection in the DHCP console by expanding the node for the server you want to work with, right-clicking IPv4, and then selecting Properties. On the Advanced tab, set Conflict Detection Attempts to a value other than zero.

At the command line, type the following command:

netsh dhcp server ServerID set detectconflictretry Attempts

where ServerID is the name or IP address of the DHCP server and Attempts is the number of conflict detection attempts the server should use. You can confirm the setting by typing the following:

netsh dhcp server ServerID show detectconflictretry

Saving and Restoring the DHCP Configuration

After you finish configuring a DHCP server, you should save the configuration settings so that you can easily restore the server to a known state or use the same settings on another server. To do this, type the following command at the command prompt:

netsh dhcp server dump ServerID > SaveFile

where ServerID is the name or IP address of the DHCP server and SaveFile is the name of the file in which you want to store the configuration settings. When you are logged on locally, you can omit the server name or IP address, as shown in the following example:

netsh dhcp server dump > dhcpconfig.dmp
If you examine the file Netsh creates, you’ll find that it is a Netsh configuration script. To restore the configuration, run the script by typing the following command:

netsh exec SaveFile

where SaveFile is the name of the file in which you stored the configuration settings. Here is an example:

netsh exec dhcpconfig.dmp

Copy to a New DHCP Server

You can run the script on a different DHCP server to configure it the same as the original DHCP server whose configuration you saved. Copy the configuration script to a folder on the destination computer, and then run it. The DHCP server will be configured like the original server.

Managing and Maintaining the DHCP Database

Information about leases and reservations used by clients is stored in database files on the DHCP server. Like any other data set, the DHCP database has properties that you can set and techniques you can use to maintain it.

Setting DHCP Database Properties

In the default configuration, these files are stored in the %SystemRoot%\System32\Dhcp folder, and automatically created backups of the files are stored in %SystemRoot%\System32\Dhcp\Backup. The DHCP Server service performs two routine actions to maintain the database:

- Database cleanup, during which the DHCP Server service checks for expired leases and leases that no longer apply
- Database backup, during which the DHCP Server service backs up the database files

By default, both maintenance tasks are performed every 60 minutes, and you can confirm this as well as the current DHCP folders being used by typing the following command at the command prompt:

netsh dhcp server ServerID show dbproperties

where ServerID is the name or IP address of the DHCP server, such as

netsh dhcp server 192.168.1.50 show dbproperties
The output of this command shows you the current database properties for the DHCP server:

Server Database Properties:
DatabaseName = dhcp.mdb
DatabasePath = C:\WINDOWS\System32\dhcp
DatabaseBackupPath = C:\WINDOWS\System32\dhcp\backup
DatabaseBackupInterval = 60 mins.
DatabaseLoggingFlag = 1
DatabaseRestoreFlag = 0
DatabaseCleanupInterval = 60 mins.

Note the DatabaseLoggingFlag and DatabaseRestoreFlag properties. DatabaseLoggingFlag tracks whether audit logging is enabled. If the flag is set to 0, audit logging is disabled. If the flag is set to 1, audit logging is enabled. DatabaseRestoreFlag is a special flag that tracks whether the DHCP Server service should restore the DHCP database from backup the next time it starts. If the flag is set to 0, the main database is used. If the flag is set to 1, the DHCP Server service restores the database from backup, overwriting the existing database.

You can use the following commands to set these properties:

- Netsh dhcp server ServerID set databasename NewFileName—Sets the new file name for the database, such as Dhcp1.mdb.
- Netsh dhcp server ServerID set databasepath NewPath—Sets the new path for the database files, such as C:\Dhcp\Dbfiles.
- Netsh dhcp server ServerID set databasebackupinterval NewIntervalMinutes—Sets the database backup interval in minutes, such as 120.
- Netsh dhcp server ServerID set databasebackuppathname NewPath—Sets the new path for the database backup files, such as C:\Dhcp\Dbbackup.
- Netsh dhcp server ServerID set databaseloggingflag FlagValue—Enables or disables audit logging. Set to 0 to disable or 1 to enable.
- Netsh dhcp server ServerID set databaserestoreflag FlagValue—Forces DHCP to restore the database from backup when it is started. Set to 1 to restore.
- Netsh dhcp server ServerID set databasecleanupinterval NewIntervalMinutes—Sets the database cleanup interval in minutes, such as 120.

Note
If you change the database name or folder locations, you must stop the DHCP server and then start it again for the changes to take effect. To do this, type net stop "dhcp server" to stop the server and then type net start "dhcp server" to start the server again.
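The following PowerShell script ties together the two procedures above: it reads the database properties with netsh dhcp server show dbproperties and flags a disabled audit log or a pending restore, then saves the configuration with netsh dhcp server dump. It is an added example, not code from the book; it assumes netsh.exe on a Windows DHCP server, and the $ServerID and $BackupDir parameters (and the C:\DhcpConfigBackups folder) are assumptions of the example.

```powershell
# Added example (not from the book): audit the database properties described above
# and save the server configuration with 'netsh dhcp server dump'. Assumes netsh.exe
# on a Windows DHCP server; $ServerID and $BackupDir are assumed parameters.
param(
    [string]$ServerID = '',                      # '' = local server, or e.g. 192.168.1.50
    [string]$BackupDir = 'C:\DhcpConfigBackups'  # assumed folder for the dump files
)

# Turn the "Name = Value" lines of 'show dbproperties' into a hashtable.
function ConvertFrom-DhcpDbProperties {
    param([string[]]$Lines)
    $props = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $props[$Matches[1]] = $Matches[2] }
    }
    return $props
}

# Return the names of settings an administrator would want to revisit (empty = fine).
function Test-DhcpDbProperties {
    param([hashtable]$Props)
    $findings = @()
    if ($Props['DatabaseLoggingFlag'] -ne '1') { $findings += 'AuditLoggingDisabled' }
    if ($Props['DatabaseRestoreFlag'] -eq '1') { $findings += 'RestoreFromBackupPending' }
    # Interval values look like "60 mins."; keep only the digits before comparing.
    $backup = [int]($Props['DatabaseBackupInterval'] -replace '\D', '')
    if ($backup -gt 60) { $findings += 'BackupIntervalLongerThanDefault' }
    return ,$findings
}

# Build the netsh argument list; the server ID is omitted when logged on locally.
function Get-NetshDhcpArgs {
    param([string[]]$Command)
    $netshArgs = @('dhcp', 'server')
    if ($ServerID) { $netshArgs += $ServerID }
    return $netshArgs + $Command
}

$dbArgs = Get-NetshDhcpArgs -Command @('show', 'dbproperties')
$props = ConvertFrom-DhcpDbProperties -Lines (& netsh @dbArgs)
$findings = Test-DhcpDbProperties -Props $props
if ($findings.Count -gt 0) { Write-Warning ('DHCP database findings: ' + ($findings -join ', ')) }

# Save the configuration script; netsh exec needs a plain-text (not UTF-16) file.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$dumpFile = Join-Path $BackupDir ('dhcpconfig-{0:yyyyMMdd-HHmmss}.dmp' -f (Get-Date))
$dumpArgs = Get-NetshDhcpArgs -Command @('dump')
& netsh @dumpArgs | Out-File -FilePath $dumpFile -Encoding ascii
Write-Output "Configuration saved to $dumpFile; restore it with: netsh exec $dumpFile"
```

The dump file describes the whole server configuration (scopes, reservations, options), so keep the backup folder readable only by administrators, as the chapter advises for the NAP shared secret.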