Windows Server 2008 Inside Out, Part 16 (Chapter 22: Managing DHCP)


IPAddress is the IP address for the lease you want to remove, such as 192.168.1.8.
To activate or deactivate a scope, type the following:
netsh dhcp server ServerID scope NetworkID state StateVal
where the following is true:

ServerID is the UNC name or IP address of the DHCP server that hosts the scope,
such as \\CORPSVR03 or \\192.168.1.1.

NetworkID is the network ID of the scope, such as 192.168.1.0.

StateVal is set to 0 to deactivate the scope and 1 to activate it. If you are using a
switched network where multiple logical networks are hosted on a single physical
network, use 2 to deactivate the scope and 3 to activate the scope.
Configuring TCP/IP Options
The messages clients and servers broadcast to each other allow you to set TCP/IP
options that clients can obtain by default when they obtain a lease or can request if they
need additional information. It is important to note, however, that the types of information
you can add to DHCP messages are limited in several ways:

DHCP messages are transmitted using User Datagram Protocol (UDP), and the
entire DHCP message must fit into the UDP datagram. On Ethernet with 1500-byte
datagrams, this leaves 1236 bytes for the body of the message (which contains
the TCP/IP options).

BOOTP messages have a fixed size of 300 bytes as set by the original BOOTP
standard. Any clients using BOOTP are likely to have their TCP/IP options
truncated.

Although there are many options that you can set, clients understand only certain
TCP/IP options. Thus, the set of options available to you is dependent upon the

want to work with, right-clicking Scope Options, and then choosing Configure
Options.

Class options
Allow DHCP administrators to configure options that are assigned
to all clients of a particular class. Client classes can be user-defined or vendor-defined.
Two classes included with the DHCP Server service are Windows 98,
which is used to assign specific options to clients running Windows 98, and
Windows 2000, which is used to assign specific options to clients running
Windows 2000 or later. Class options can be overridden by client-assigned
options. You define new user and vendor classes by right-clicking the IPv4 or
IPv6 entry and selecting either Define User Classes or Define Vendor Classes as
appropriate. When defined, class options can be configured on the Advanced tab
of the Server Options, Scope Options, and Reservation Options dialog boxes.

Reservation options
Allow administrators to set options for an individual client
that uses a reservation. Also referred to as client-specific options. After you create
a reservation for a client, you can configure reservation options by expanding the
scope, expanding Reservations, right-clicking the reservation, and selecting
Configure Options. Only TCP/IP options manually configured on a client can
override client-assigned options.
Options Used by Windows Clients
RFC 2132 defines the standard TCP/IP options that you can set in DHCP messages. Although
you can set all of these options on a DHCP server, the set of options available is dependent
upon the client's implementation of DHCP.
Table 22-1 shows the options that can be configured by administrators and used by
Windows computers running the DHCP Client service. Each option has an associated
option code, which is used to identify it in a DHCP message, and a data entry, which
contains the value setting of the option. These options are requested by clients to set


Default User Class
An all-inclusive class that includes clients that don't fit into the
other user classes, such as computers running Windows NT 4.0. Any computer
running a version of the Windows operating system earlier than Windows 2000
is in this class.

Default BOOTP Class
Any computer running Windows 2000 or later has this user
class if it is connected to the local network directly. This means Windows 2000,
Windows XP, and Windows Server 2008 computers connected with a wired
network interface have this class.

Default Routing And Remote Access Class
Any computer that connects to the
network using RRAS has this class. Any settings applied to this class are used by
dial-in and VPN users, which allows you to set different TCP/IP options for these
users.

Default Network Access Protection Class
Any computer that connects to the network
and is subject to Network Access Protection (NAP) policy has this class. Any
settings applied to this class are used by restricted access clients, which allows
you to set different TCP/IP options for these users.
Configuring TCP/IP Options 719
Chapter 22
Clients can be a member of multiple user classes, and you can view the user class
memberships for each network interface by typing ipconfig /showclassid * at the
command prompt. (The asterisk tells the command that you want to see all the network

Windows 98 or later

Microsoft Windows 2000 Options
Add-on options available to any client running Windows 2000 or later

When it comes to these classes, a client applies the options from the most specific
add-on vendor class. Thus, a Windows 98 client would apply the Microsoft Windows 98
Options vendor class, and a Windows 2000 or later client would apply the Microsoft
Windows 2000 Options vendor class. Again, these options are in addition to the standard
options provided through the DHCP Standard Options vendor class and can be
implemented in a manner specific to a user class. This means you can have one set of
add-on options for directly connected clients (Default BOOTP Class) and one set for
remotely connected clients (Default Routing And Remote Access Class).
The add-on options that can be set for a client running Windows 2000 or later are listed
in Table 22-2.
Table 22-2 Additional TCP/IP Options That Administrators Can Configure
Option Name                                       Option Code  Description
Microsoft Disable NetBIOS Option                  001          Disables NetBIOS if selected as an option with a value of 0x1.
Microsoft Release DHCP Lease On Shutdown Option   002          Specifies that a client should release its DHCP lease on shutdown if selected as an option with a value of 0x1.
Microsoft Default Router

Settings Options for RRAS and NAP Clients
On the DHCP server, you can set TCP/IP options for RRAS and NAP clients at several
levels. You can set options for the following components:

All scopes on a server
In the DHCP console, expand the entry for the server and
IP protocol you want to work with, right-click Server Options, and then choose
Configure Options.

A specific scope
In the DHCP console, expand the scope you want to work with,
right-click Scope Options, and then choose Configure Options.

A single reserved IP address
In the DHCP console, expand the scope, expand
Reservations, right-click the reservation you want to work with, and select
Configure Options.
Regardless of the level at which you are setting TCP/IP options, the dialog box
displayed has the exact same set of choices. You can now complete the following steps:
1. Click the Advanced tab, as shown in Figure 22-22. From the Vendor Class
drop-down list, select DHCP Standard Options. As appropriate, from the User Class
drop-down list, choose either Default Routing And Remote Access Class or
Default Network Access Protection Class.
Figure 22-22 Set the DHCP Standard Options.
2. Select the check box for each standard TCP/IP option you want to use in turn,
such as Router, DNS Servers, DNS Domain Name, WINS/NBNS Servers, and
WINS/NBT Node Type, and configure the appropriate values.

by seeing its name. You can also type a description in the Description box. Afterward,
click in the empty area below the word ASCII. In this space, type the class identifier,
which is used by DHCP to identify the class. The class identifier cannot have spaces.
Click OK to close the New Class dialog box, and then click Close to return to the DHCP
console.
Figure 22-24 User classes in addition to the base class.
Figure 22-25 Set the class name, description, and class ID.
Next, you must configure the TCP/IP options that should be used by this class. In
the DHCP console, expand the entry for the server you want to work with, right-click
Server Options, and then choose Configure Options. In the Server Options dialog box,
click the Advanced tab. Select DHCP Standard Options as the vendor class and the
class you created as the user class.
Select each standard TCP/IP option you want to use in turn, such as Router, DNS
Servers, DNS Domain Name, WINS/NBNS Servers, and WINS/NBT Node Type, and
configure the appropriate values. If you want to set Windows options, select Microsoft
Windows 2000 Options as the vendor class. Don't change the user class. Then select
each add-on TCP/IP option you want to use in turn, such as Microsoft Disable NetBIOS
Option and Microsoft Release DHCP Lease On Shutdown Option, and accept the
default value (0x1) to turn on the option. Click OK to complete the configuration of the
new class.
Configuring Clients to Use the Class
Now you must configure the network interfaces on the clients to use the new class.
Assuming "Local Area Connection" is the name of the network interface on the client,
you would type the following command to do this:
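The client-side step above, as an added PowerShell example that is not part of the book. It uses ipconfig /setclassid to assign the class to the interface and ipconfig /showclassid to check the result. The class identifier RemoteAccessClients and the interface name are assumptions for the example; substitute the class ID you typed in the New Class dialog box.

```powershell
# Added example (not from the book): assign a DHCP user class to a client
# interface and confirm the assignment.
# Assumptions: the class ID "RemoteAccessClients" is a hypothetical name that
# was defined on the DHCP server; "Local Area Connection" is the interface name.
param(
    [string]$InterfaceName = "Local Area Connection",
    [string]$ClassId       = "RemoteAccessClients"
)

# DHCP class identifiers cannot contain spaces; reject bad input before
# handing it to ipconfig, which would otherwise treat it as extra arguments.
if ($ClassId -match '\s') {
    throw "Class ID '$ClassId' contains whitespace, which DHCP class IDs do not allow."
}

# Assign the user class. The interface name is passed as a single argument, so
# names with spaces are quoted correctly by PowerShell. Renew afterwards so the
# server applies the class-specific options to the new lease.
$setOutput = & ipconfig /setclassid $InterfaceName $ClassId 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) {
    throw "ipconfig /setclassid failed for '$InterfaceName': $setOutput"
}
& ipconfig /renew $InterfaceName 2>&1 | Out-Null

# Verify: /showclassid lists the DHCP class IDs for the interface; the class
# just assigned should be among them.
$shown = & ipconfig /showclassid $InterfaceName 2>&1 | Out-String
if ($shown -match [regex]::Escape($ClassId)) {
    Write-Host "Interface '$InterfaceName' reports DHCP class '$ClassId'."
} else {
    Write-Warning "Class '$ClassId' not reported for '$InterfaceName'. Output:`n$shown"
}

# To return the interface to the default class, run /setclassid with no class:
#   ipconfig /setclassid "Local Area Connection"
```

Because the class ID is sent by the client in its DHCP requests, any client can claim any class; treat class-based options as a convenience for grouping configuration, not as an access control, and keep anything sensitive out of class-specific options.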

Advanced DHCP Configuration and Maintenance
When you install the DHCP Server service, many advanced features are configured for
you automatically, including audit logging, network bindings, integration with DNS,
integration with NAP, and DHCP database backups. All of these features can be
fine-tuned to optimize performance, and many of these features, such as auditing, logging,
and backups, should be periodically monitored.
Configuring DHCP Audit Logging
Audit logging is enabled by default for the DHCP Server service and is used to track
DHCP processes and requests in log files. Although you can enable and configure logging
separately for IPv4 and IPv6, by default, the two protocols use the same log files.
The DHCP logs are stored in the %SystemRoot%\System32\Dhcp folder by default. In
this folder you'll find a different log file for each day of the week. For example, the log
file for Monday is named DhcpSrvLog-Mon.log. Because each weekday's file is reused
the following week, copy the logs to a central location if you need more than seven days
of history for troubleshooting or investigation. When you start the DHCP Server service
or a new day arrives, a header message is written to the log file. As shown in Listing
22-1, the header provides a summary of DHCP events and their meanings. The header
is followed by the actual events logged by the DHCP Server service. The event IDs and
descriptions are entered because different versions of the DHCP Server service can have
different events.
Listing 22-1 DHCP Server Log File
Microsoft DHCP Service Activity Log
Event ID Meaning
00 The log was started.
01 The log was stopped.
02 The log was temporarily paused due to low disk space.
10 A new IP address was leased to a client.
11 A lease was renewed by a client.
12 A lease was released by a client.
13 An IP address was found to be in use on the network.

25 IP address cleanup statistics.
30 DNS update request to the named DNS server
31 DNS update failed
32 DNS update successful
50+ Codes above 50 are used for Rogue Server Detection information.
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,04/27/09,11:30:26,Started,,,,
55,04/27/09,11:30:27,Authorized(servicing),,cpandl.com,,
10,04/27/09,11:56:03,Assign,192.168.1.1,corpserver03.cpandl.com,2324AE67B4E8,
12,04/27/09,11:56:32,Release,192.168.1.1,corpserver03.cpandl.com,2324AE67B4E8,
10,04/27/09,12:01:45,Assign,192.168.1.20,corpserver03.cpandl.com,2324AE67B4E8,
15,04/27/09,12:03:41,NACK,192.168.0.100,,2324AE67B4E8,
11,04/27/09,12:03:42,Renew,192.168.1.20,becka.,2324AE67B4E8,
24,04/27/09,12:30:30,Database Cleanup Begin,,,,
25,04/27/09,12:30:30,0 leases expired and 0 leases deleted,,,,
25,04/27/09,12:30:30,0 leases expired and 0 leases deleted,,,,
24,04/27/09,13:30:35,Database Cleanup Begin,,,,
25,04/27/09,13:30:35,0 leases expired and 0 leases deleted,,,,
25,04/27/09,13:30:35,0 leases expired and 0 leases deleted,,,,
01,04/27/09,14:10:23,Stopped,,,,
00,04/27/09,14:10:37,Started,,,,
55,04/27/09,14:10:37,Authorized(servicing),,cpandl.com,,
01,04/27/09,20:15:50,Stopped,,,,
The events in the audit logs can help you troubleshoot problems with a DHCP server.
As you examine Listing 22-1, the first event entry with ID 00 tells you the DHCP Server
service was started. The second event entry with ID 55 tells you the DHCP server is
authorized to service the cpandl.com domain. Every hour that the service is running, it

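Reading the audit log by hand works for a single day; for routine review it is worth scripting. The following PowerShell script is an added example, not from the book: it parses a DhcpSrvLog-*.log file (skipping the free-text header until the ID,Date,Time row), summarizes events by ID, and flags the entries a security operator would want to review: address conflicts (13), NACKs (15), logging paused for low disk space (02), rogue-server detection events other than 55 (authorized, servicing), and any MAC address that collects several different leases. The embedded sample is constructed from the listing above, with one conflict line added to exercise the check.

```powershell
# Added example (not from the book): review a DHCP audit log for events that
# merit a second look. Run with -LogPath to read a real file, for example
# $env:SystemRoot\System32\Dhcp\DhcpSrvLog-Mon.log; without it the constructed
# sample below is used.
param(
    [string]$LogPath,
    [int]$AddressThreshold = 2   # flag a MAC assigned this many distinct addresses
)

# Constructed sample based on the listing in the chapter; the ID 13 line was
# added so the conflict check has something to find.
$sample = @'
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,04/27/09,11:30:26,Started,,,,
55,04/27/09,11:30:27,Authorized(servicing),,cpandl.com,,
10,04/27/09,11:56:03,Assign,192.168.1.1,corpserver03.cpandl.com,2324AE67B4E8,
12,04/27/09,11:56:32,Release,192.168.1.1,corpserver03.cpandl.com,2324AE67B4E8,
10,04/27/09,12:01:45,Assign,192.168.1.20,corpserver03.cpandl.com,2324AE67B4E8,
15,04/27/09,12:03:41,NACK,192.168.0.100,,2324AE67B4E8,
11,04/27/09,12:03:42,Renew,192.168.1.20,becka.,2324AE67B4E8,
13,04/27/09,12:05:10,Conflict,192.168.1.21,,,
24,04/27/09,12:30:30,Database Cleanup Begin,,,,
25,04/27/09,12:30:30,0 leases expired and 0 leases deleted,,,,
01,04/27/09,14:10:23,Stopped,,,,
'@

$lines = if ($LogPath) { Get-Content -Path $LogPath } else { $sample -split "`r?`n" }

# The file opens with a free-text legend; data rows start after the
# "ID,Date,Time,..." header line.
$headerIndex = -1
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -like 'ID,Date,Time*') { $headerIndex = $i; break }
}
if ($headerIndex -lt 0) { throw 'No "ID,Date,Time" header row found; is this a DHCP audit log?' }
if ($headerIndex -ge $lines.Count - 1) { throw 'The log contains a header but no events.' }

$dataLines = $lines[($headerIndex + 1)..($lines.Count - 1)] | Where-Object { $_.Trim() -ne '' }
# Every row ends with a trailing comma, so name eight columns (the last is empty).
$rows = $dataLines | ConvertFrom-Csv -Header ID,Date,Time,Description,IPAddress,HostName,MACAddress,Unused

# Baseline: how many of each event ID.
Write-Host 'Event counts:'
$rows | Group-Object -Property ID | Sort-Object -Property Name | ForEach-Object {
    Write-Host ('  {0,3}  {1,-40} {2}' -f $_.Name, $_.Group[0].Description, $_.Count)
}

# Events worth reviewing: 02 (log paused, logging gap), 13 (conflict: a rogue
# device or static-address overlap), 15 (NACK: the client asked for an address
# this server will not grant, 192.168.0.100 is outside the scope here), and any
# rogue-server detection code (50+) other than 55.
$reviewIds = @('02', '13', '15')
$flagged = $rows | Where-Object {
    $reviewIds -contains $_.ID -or ([int]$_.ID -ge 50 -and $_.ID -ne '55')
}
foreach ($r in $flagged) {
    Write-Warning ('{0} {1} event {2} {3} ip={4} mac={5}' -f $r.Date, $r.Time, $r.ID, $r.Description, $r.IPAddress, $r.MACAddress)
}

# One MAC address collecting several different leases can be a misbehaving
# client or an attempt to exhaust the scope.
$busyMacs = $rows | Where-Object { $_.ID -eq '10' -and $_.MACAddress } |
    Group-Object -Property MACAddress |
    Where-Object { @($_.Group | Select-Object -ExpandProperty IPAddress -Unique).Count -ge $AddressThreshold }
foreach ($m in $busyMacs) {
    $addresses = @($m.Group | Select-Object -ExpandProperty IPAddress -Unique)
    Write-Warning ('MAC {0} was assigned {1} different addresses: {2}' -f $m.Name, $addresses.Count, ($addresses -join ', '))
}
```

On the sample, the script warns about the NACK for 192.168.0.100, the conflict on 192.168.1.21, and the MAC 2324AE67B4E8 receiving both 192.168.1.1 and 192.168.1.20. Raise -AddressThreshold on real logs, where a client that releases and renews a few times is normal, and run the script against each weekday file before it is overwritten.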
location. Click OK. If you change the audit log location, Windows Server 2008 will
need to restart the DHCP Server service. When prompted to confirm that this is OK,
click Yes.
Figure 22-26 Audit logging is enabled by default.
Binding the DHCP Server Service to a Network Interface
The DHCP Server service binds automatically to network interfaces that have a
statically assigned IP address; by default this is the first NIC on the server. This
means that the DHCP Server service uses the IP address and TCP/IP configuration
of this network interface to communicate with clients. In some instances, the
DHCP Server service might not bind to any available network interface (for example,
when every interface obtains its address dynamically) or it might bind to a network
interface that you don't want it to use, such as one that faces an untrusted network.
To resolve this problem, you must bind the DHCP Server service to a specific network
interface by following these steps:
1. In the DHCP console, expand the node for the server you want to work with,
right-click IPv4 or IPv6 as appropriate for the type of binding you want to work
with, and then select Properties.
2. On the Advanced tab of the IPv4 or IPv6 Properties dialog box, click Bindings
to display the Bindings dialog box. This dialog box displays a list of available
network connections for the DHCP server.
3. If you want the DHCP Server service to use a connection to service clients, select

Integrating DHCP and NAP
Network Access Protection (NAP) is designed to protect the network from clients that
do not have the appropriate security measures in place. The easiest way to enable NAP
with DHCP is to set up the DHCP server as a Network Policy Server. To do this, you'll
need to install the Network Policy console, configure a compliant policy for NAP and
DHCP integration on the server, and then enable NAP for DHCP. This process enables
NAP for network computers that use DHCP; it does not fully configure NAP for use.
You can create a NAP and DHCP integration policy by completing the following steps:
1. On the server that you want to act as the Network Policy Server, install the
Network Policy console as an additional remote server administration tool using
the Add Features Wizard.
2. In the Network Policy console, select the NPS (Local) node in the console tree
and then click Configure NAP in the main pane. This starts the Configure NAP
wizard.
3. In the Network Connection Method list, choose Dynamic Host Configuration
Protocol (DHCP) as the connection method that you want to deploy on your
network for NAP-capable clients. As shown in Figure 22-28, the policy name is set
to NAP DHCP by default. Click Next.
Figure 22-28 Configure Network Access Protection policy for the local DHCP server.
4. On the Specify NAP Enforcement Servers Running DHCP Server page, you need
to identify all remote DHCP servers on your network by doing the following and
then click Next:

Click Add. In the Add RADIUS Client dialog box, type a friendly name for
the remote server in the Friendly Name text box. Then type the DNS name

All Scopes or Disable On All Scopes to enable or disable NAP for all scopes on the
server.
Note
When the local DHCP server is also a Network Policy Server, the Network Policy Server
should always be reachable. If you haven't configured the server as a Network Policy
Server or the DHCP server is unable to contact the designated Network Policy Server,
you'll see an error stating this on the Network Access Protection tab.
Figure 22-29 The Network Access Protection tab controls the protection options for DHCP.
3. Choose one of the following options to specify how the DHCP server behaves if
the Network Policy Server is unreachable, and then click OK to save your settings:

Full Access
Gives DHCP clients full (unrestricted) access to the network.
This means clients can perform any permitted actions.

Restricted Access
Gives DHCP clients restricted access to the network. This
means clients can work with resources only on the server to which they are
connected.

Drop Client Packet
Blocks client requests and prevents the clients from

works in much the same way as before, except the server checks the IP address to see if
it is in use and, if so, marks it as bad without interaction with the client. You can configure
conflict detection on a DHCP server by specifying the number of conflict detection
attempts that the DHCP server will make before it leases an IP address to a client. The
DHCP server checks IP addresses by sending a ping request over the network. Each
attempt adds a ping timeout to every lease offer, so keep the value small, and remember
that a host that blocks ICMP echo requests is not detected by this check.
You can configure conflict detection in the DHCP console by expanding the node for
the server you want to work with, right-clicking IPv4, and then selecting Properties.
On the Advanced tab, set Conflict Detection Attempts to a value other than zero. At the
command line, type the following command:
netsh dhcp server ServerID set detectconflictretry Attempts
where ServerID is the name or IP address of the DHCP server and Attempts is the number
of conflict detection attempts the server should use. You can confirm the setting by
typing the following:
netsh dhcp server ServerID show detectconflictretry
Saving and Restoring the DHCP Configuration
After you finish configuring a DHCP server, you should save the configuration settings
so that you can easily restore the server to a known state or use the same settings on
another server. To do this, type the following command at the command prompt:
netsh dhcp server ServerID dump > SaveFile
where ServerID is the name or IP address of the DHCP server and SaveFile is the name of
the file in which you want to store the configuration settings. When you are logged on
locally, you can omit the server name or IP address, as shown in the following example:
netsh dhcp server dump > dhcpconfig.dmp
If you examine the file Netsh creates, you'll find that it is a Netsh configuration script.
To restore the configuration, run the script by typing the following command:
netsh exec SaveFile
where SaveFile is the name of the file in which you stored the configuration settings.

DHCP server whose configuration you saved. Copy the configuration script to a folder on
the destination computer, and then run it. The DHCP server will be configured like the
original server.
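The conflict detection and save-and-restore procedures above, combined into one added PowerShell example that is not from the book: it sets the number of conflict detection attempts, confirms the value with show detectconflictretry, writes the configuration dump to a dated file, restricts the file's ACL (the dump is a script netsh exec will run, so anyone who can edit it can reconfigure the server), and lists the scopes the dump contains. The server name \\CORPSVR03 comes from the chapter; the backup folder C:\DhcpBackup is an assumption, and the check for scopes assumes the dump describes each scope with an "add scope" line.

```powershell
# Added example (not from the book): enable conflict detection, confirm it,
# and save the DHCP server configuration with netsh dump.
# Assumptions: \\CORPSVR03 is the DHCP server; C:\DhcpBackup is a hypothetical
# backup folder; dump lines for scopes contain "add scope <NetworkID>".
param(
    [string]$Server  = '\\CORPSVR03',
    [int]$Attempts   = 2,
    [string]$DumpDir = 'C:\DhcpBackup'
)

# The console accepts 0 through 5 attempts; each attempt delays every lease
# offer by one ping timeout, so refuse anything outside that range.
if ($Attempts -lt 0 -or $Attempts -gt 5) {
    throw "Conflict detection attempts must be between 0 and 5 (requested $Attempts)."
}

# Set the value, then read it back rather than trusting the exit code alone.
& netsh dhcp server $Server set detectconflictretry $Attempts | Out-Null
$reported = & netsh dhcp server $Server show detectconflictretry | Out-String
if ($reported -notmatch "\b$Attempts\b") {
    throw "Expected $Attempts conflict detection attempts; netsh reported:`n$reported"
}
Write-Host "Conflict detection attempts on $Server set to $Attempts."

# Save the configuration script. -Encoding Default writes the system ANSI code
# page, matching what cmd.exe redirection (the book's '>' form) would produce,
# so netsh exec can read it back.
New-Item -ItemType Directory -Path $DumpDir -Force | Out-Null
$dumpFile = Join-Path $DumpDir ('dhcpconfig-{0}.dmp' -f (Get-Date -Format 'yyyyMMdd-HHmm'))
& netsh dhcp server $Server dump | Set-Content -Path $dumpFile -Encoding Default

# The dump is executable configuration: limit write access to Administrators
# and SYSTEM (well-known SIDs, so the command is not tied to a display language).
& icacls $dumpFile /inheritance:r /grant:r '*S-1-5-32-544:F' '*S-1-5-18:F' | Out-Null

# Sanity check: list the scopes captured in the dump.
$scopes = Select-String -Path $dumpFile -Pattern 'add scope (\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }
if (@($scopes).Count -eq 0) {
    Write-Warning "No 'add scope' lines found in $dumpFile; check that the dump succeeded."
} else {
    Write-Host ('Saved configuration to {0} ({1} scope(s): {2})' -f $dumpFile, @($scopes).Count, ($scopes -join ', '))
}

# To restore, run the saved script:
#   netsh exec C:\DhcpBackup\dhcpconfig-<date>.dmp
```

Two caveats when restoring: the dump captures configuration (scopes, options, reservations, settings), not the lease database, which is backed up separately through the DatabaseBackupPath mechanism described below; and if the dump's lines name the original server, edit that name before running the script on a different destination computer, or the commands will target the original server over the network.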
The output of this command shows you the current database properties for the DHCP
server:
Server Database Properties:
DatabaseName = dhcp.mdb
DatabasePath = C:\WINDOWS\System32\dhcp
DatabaseBackupPath = C:\WINDOWS\System32\dhcp\backup
DatabaseBackupInterval = 60 mins.
DatabaseLoggingFlag = 1
DatabaseRestoreFlag = 0
DatabaseCleanupInterval = 60 mins.
Note the DatabaseLoggingFlag and DatabaseRestoreFlag properties. DatabaseLoggingFlag
controls transaction logging for the DHCP database itself (the database engine's log
files in the database folder), not the audit log; audit logging is turned on and off with
the Enable DHCP Audit Logging option described earlier. If the flag is set to 0, database
logging is disabled. If the flag is set to 1, database logging is enabled, which is the
default and should stay on so the database can be recovered after an unclean shutdown.
DatabaseRestoreFlag is a special flag that tracks whether the DHCP Server service
should restore the DHCP database from backup the next time it starts. If the flag is set
to 0, the main database is used. If the flag is set to 1, the DHCP Server service restores
the database from backup, overwriting the existing database.
You can use the following commands to set these properties:

Netsh dhcp server ServerID set databasename NewFileName—Sets the new file
name for the database, such as Dhcp1.mdb.

Netsh dhcp server ServerID set databasepath NewPath—Sets the new path for
the database files, such as C:\Dhcp\Dbfiles.

