Server 2012 NPS NAP DHCP

I've set up a server with DHCP and NPS and configured NAP.
DHCP has 1 scope and the default scope options 003 router, 005 DNS server and 015 Domain Name (domain.com).
NPS/NAP DHCP is working (all is set up: health, SHV, GPO etc.), so when I connect a client with firewall I get a normal IP, and when I disable the firewall I get an IP but no gateway and subnet 255.255.255.255, so all works well.
Now in DHCP I created a DHCP policy so I can assign a different DNS server and Domain Name (restricted.domain.com) to non-compliant clients.
The policy I created is as per --> http://social.technet.microsoft.com/Forums/getfile/257005 (because the User Class option on the advanced tab in scope options is not available in 2012).
But when I connect a non-compliant client I still get the DNS Domain Name domain.com instead of restricted.domain.com.
ipconfig /all shows it's restricted, but I don't get the DHCP policy I set up for it.

Indeed the 255.255.255.255 subnet mask is expected for non-compliant clients.
But my issue is that non-compliant clients get an IP address from the entire subnet, and I want to assign only a specific range in my entire subnet/scope to non-compliant clients.
It's funny you can specify an IP Address Range in the DHCP policy, but then it doesn't work.
On the other hand you have a valid point there, Greg, about DNS/DHCP flooding.
Still hope to hear why this setup will not work and if it is supported or can work though :-)
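The scope-level policy described above, as an added PowerShell example that is not from the thread or from Microsoft: the scope 192.168.1.0/24, the DNS server 192.168.1.20 and the .200-.220 range are assumed values; the user class name is the built-in NAP class and the cmdlets are from the Server 2012 DhcpServer module.

```powershell
# Added example: DHCP policy for NAP-restricted clients (Windows Server 2012 DhcpServer module).
# Assumed values: scope 192.168.1.0/24, restricted DNS server 192.168.1.20, range .200-.220.
Import-Module DhcpServer

$ScopeId    = '192.168.1.0'
$PolicyName = 'NAP-Restricted'
# User class the DHCP server applies to clients that NPS evaluated as non-compliant.
$NapClass   = 'Default Network Access Protection Class'

# 1. Policy whose single condition is "user class equals the NAP class".
Add-DhcpServerv4Policy -ScopeId $ScopeId -Name $PolicyName -Enabled $true `
    -Condition OR -UserClass 'EQ', $NapClass

# 2. Option values that override the scope options (restricted DNS server and
#    DNS suffix) for requests that match the policy.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -PolicyName $PolicyName `
    -DnsServer '192.168.1.20' -DnsDomain 'restricted.domain.com'

# 3. Confine policy matches to a sub-range of the scope.
Add-DhcpServerv4PolicyIPRange -ScopeId $ScopeId -Name $PolicyName `
    -StartRange '192.168.1.200' -EndRange '192.168.1.220'

# 4. Verification: the policy as stored, then which leases are NAP-restricted
#    and which policy (if any) each lease matched.
Get-DhcpServerv4Policy -ScopeId $ScopeId |
    Format-List Name, Enabled, Condition, UserClass
Get-DhcpServerv4Lease -ScopeId $ScopeId |
    Select-Object IPAddress, HostName, NapCapable, NapStatus, PolicyName |
    Format-Table -AutoSize
```

If a lease shows NapStatus as restricted but an empty PolicyName, the client's request did not carry the user class the policy condition expects, which is the first thing to check before suspecting the option values or the range.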

Similar Messages

  • Server 2012 NPS NAP DHCP for VPN

    I have set up a server with DHCP and NPS and configured NAP DHCP.
    DHCP has 1 scope and the default scope options 003 router, 005 DNS server and 015 Domain Name (domain.com).
    Further, in DHCP I created a DHCP policy so it assigns a different 005 DNS server and 015 Domain Name (restricted.domain.com) to non-compliant clients. NPS/NAP DHCP is working (all is set up: health, SHV, GPO etc.; the Health Validator is only checking if the firewall is running), so when I connect a client with firewall I get a normal IP from the scope with the scope options and domain suffix domain.com. When I disable the firewall I get an IP from the DHCP scope, no gateway, subnet 255.255.255.255 and domain suffix restricted.domain.com, so all works well and as NAP DHCP should work.
    Now I have a separate RRAS server configured as VPN server and configured my DHCP/NPS server as a RADIUS Authentication Provider. Also a DHCP relay agent is configured in RRAS.
    On my DHCP/NPS server I configured my RRAS server as a RADIUS Client (NAP-capable).
    My questions:
    Q1. Can I use NAP DHCP for VPN clients, as VPN clients get an IP address from my DHCP server? I know there is a NAP VPN option, but I want to use NAP DHCP because NAP DHCP and NAP VPN don't work together and I want NAP DHCP for internal clients.
    My problem:
    P1. With the setup above I cannot set up a VPN connection from an external client; I get an error "Error 812: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error".
    I can resolve my problem P1 by running "configure VPN for Dial-Up" with the option "Radius server for Dial-Up or VPN connections." This creates 1 Connection Request Policy and 1 Network Policy; in the policy I set authorized to the Windows group domain admins.
    But then I have an issue with NAP DHCP...
    When I have a non-domain-joined external client, where I have enabled the NAP client in services.msc and DHCP Enforcement in local policy, I can set up a VPN connection, and from the DHCP server I get an IP address from the subnet/scope and domain suffix domain.com, so this is working OK. But when I disconnect the VPN client, disable and stop the firewall and connect the VPN again, it's not getting restricted: running ipconfig /all shows it's not restricted, and also Netsh nap client show state shows it's not restricted.
    BUT it SHOULD be restricted as the firewall is off.
    What could be wrong?

    Hi,
    After discussing with so many people, I think this will not work.
    First we need to know how DHCP enforcement works.
    1. The DHCP client sends a DHCP request message to the DHCP server. If the DHCP client has an SoH, the DHCP request message includes it. The SoH contains information about the health of the client. The DHCP server passes the SoH to the NPS server. The NPS server communicates with the policy server to determine whether the SoH is valid.
    2. If the SoH is valid, the DHCP server assigns the DHCP client a complete IP address configuration. The DHCP client has unlimited access to the network, as defined by policy.
    3. If the SoH is not valid, the DHCP server limits the access of the DHCP client to the restricted network and assigns it a limited access subnet mask and static routes, as defined by policy.
    But VPN clients get IPs in a different way. They use the IP Control Protocol (IPCP) as part of the Point-to-Point Protocol (PPP) connection setup. Everything is done in the VPN tunnel.
    Hope this helps.

  • Server 2012 NPS Server not authenticating IKEv2 requests

    Hello Experts, I am having a weird problem regarding NPS Server when I upgraded my VPN servers from Server 2008 R2 to Server 2012 R2. Actually in my infrastructure I have a Windows 2008 R2 based AD, and in its domain I have an NPS server joined as member server. This NPS server is based on Server 2012 R2. When I upgraded my VPN servers from Server 2008 R2 to Server 2012 R2, IKEv2 stopped working; every other protocol works. On Windows 7, when I try to connect using IKEv2 it hangs at verifying username and password, and when I tested IKEv2 in Win 8 it says IKE authentication credentials are unacceptable, in spite of my server certificate being valid and EKU compatible. When I connected IKEv2 via my other server, which is a Server 2008 R2 based VPN Server, IKEv2 works like a charm without any issues, successfully authenticating. The problem seems to...
    This topic first appeared in the Spiceworks Community

  • Test question on NPS in Server 2012

    Hello!
    "There's a domain member server with NPS and DHCP. You need to log all DHCP clients that have their firewalls disabled.
    Which three actions and in what sequence should you perform?
    a) Create a connection request policy
    b) Create a network policy
    c) Create WSHV
    d) Create a server remediation group
    e) Create a health policy"
    Having read a number of MSDN documents on NPS I can't answer this question: to make an NPS server work an administrator must complete all the aforementioned tasks.
    Moreover, I don't know based on what I should choose that I must "Create a server remediation group" - why is creating this group prior to creating a WSHV correct but after is wrong?
    (The answer: d-b-c).
    Thank you in advance,
    Michael

    Hi,
    Based on my understanding, a remediation server hosts the updates that NAP agent can use to bring noncompliant client computers into compliance with health policy. However, whether or not a client computer that is noncompliant with WSHV is ultimately noncompliant with NAP health policy. Maybe that is why you need to create a remediation server group before creating WSHV.
    More information:
    Network Access Protection in NPS
    http://technet.microsoft.com/en-us/library/cc754378.aspx
    Windows Security Health Validator
    http://technet.microsoft.com/en-us/library/cc731260.aspx
    Network Access Protection with DHCP Step-By-Step Guide
    http://esihere.wordpress.com/2011/04/18/network-access-protection-with-dhcp-step-by-step-guide/
    Best regards,
    Susie

  • Server 2012 r2 essentials...urgent help needed...Two separate DHCP servers, one for lan and one for wifi...design picture attached

    hello
    S2012 R2 Essentials is in the office... Want to have functional 2012 DHCP, DNS, AD, WDS roles for the 1 Gbps wired LAN and a separate Wi-Fi for temporary visitors for internet access (GSM phones etc.)... Need functional Anywhere Access to the office server and computers for administering... When a worker with a laptop goes out of the office they must have a fully functional Wi-Fi.
    Here is a picture of what I have in my mind with all components in the network.
    How to configure the L3 switch, router and server? Many thanks

    Hi,
    Based on your description, I understand that you want to prepare the network for Windows Server 2012 R2 Essentials, then run a DHCP Server on Windows Server 2012 R2 Essentials and correctly configure the router. Please refer to the following article and check if it can help you.
    Before You Install Windows Server 2012 Essentials
    For DHCP, please refer to the following article.
    Running DHCP Server on Windows Server 2012 Essentials
    For router configuration, please refer to the following article.
    Configure a Router - Windows Server Essentials
    If anything I misunderstand or any update, please feel free to let me know.
    Hope this helps.
    Best regards,
    Justin Gu
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • SNMP OID for DHCP on Server 2012

    We recently installed Server 2012 Standard on one of our servers and were trying to keep a graph of DHCP lease use. Anyway, the OIDs for DHCP in Server 2008 R2 started with "1.3.6.1.4.1.311.1.3.2.1.1". If I try to snmpwalk these same OIDs on the new Server 2012 (we have the DHCP server configured and active), I get:
    Error in packet.
    Reason: (genError) A general failure occured
    Failed object: SNMPv2-SMI::enterprises.311.1.3.2.1.1
    I'm using snmpwalk and I've never had a problem with this before. Any idea what would cause this? Thanks!

    I'm having the same issue. OIDs just don't work against a 2012 DHCP server. I can snmpwalk other OIDs, just not DHCP :(
    Firewall has been disabled (and there were already adequate snmp rules allowing the traffic). Since I can query other OIDs, I'm ruling out firewall.
    Has this info been removed in 2012?

  • Step by step guide to setup NAP DHCP Enforcement on a separate DHCP server & NPServer?

    Hi,
    Anyone has a link or instructions on how to set up NAP DHCP Enforcement with a separate DHCP & NPS (Network Policy Server)?
    Regards,
    Mon

    Hi,
    The video on the web page below demonstrates how to set up DHCP enforcement for NAP:
    Network Access Protection using DHCP in Windows Server 2008 R2
    http://social.technet.microsoft.com/wiki/contents/articles/network-access-protection-using-dhcp-in-windows-server-2008-r2.aspx
    you can also reference the link below:
    Checklist: Configure NAP Enforcement for DHCP
    http://technet.microsoft.com/en-us/library/cc772356(v=WS.10).aspx
    Best Regards,           
    Eve Wang

  • DHCP Problems in Server 2012

    Hello everyone,
    Please Help or Point me in a good direction!!!
    I am working with Server 2012 DHCP. Under DHCP I have an IP address, not a server name. The IP is 169.254.99.88 and the host server is not showing up (this IP is not in my subnet and the server is set to static IP 176.16.x.x).
    I have removed the DHCP role, and when I go back and add the role the info comes back, including the scope that I have set up. All is green but it will not work.
    I have pic but can not post them until they are able to verify your account.
    Links of pics
    http://i297.photobucket.com/albums/mm207/Dooane/server2012dhcp_zps78bb0de4.png
    http://i297.photobucket.com/albums/mm207/Dooane/server2012_zps4ac8b222.png
    Thanks
    Duane

    I'm not clear on your explanations, but I will try to answer some things.
    "Under DHCP i have an ip address not a server name"  Not sure what you mean by this.
    "ip  is 169.254.99.88 and host server not showing up ( This IP is Not In My Subnet and server is set to static ip 176.16.x.x)"  Again, not sure what you mean.  I assume you are talking about a client machine that you want to receive an IP address.  The 169.254/16 address is what is known as an APIPA address.  It is an automatic assignment of a special range (169.254/16) for networks that do not have a DHCP available.  By default, all Windows NICs are initially configured for DHCP, and if they cannot find a DHCP server, they receive an APIPA address.  It allows two (or more) systems on the same network segment to communicate via IP without any additional configuration.  But it is not something that you want to rely on in a managed network.  As for the fact that your server is set to 176.16/16, are you saying that is the address of the server you are trying to set up for DHCP, or that the server that is showing the APIPA address is configured to have a 176.16/16 address?
    If you are saying that your DHCP server has a 176.16/16 address, and that is its only address, then you will have an issue with your DHCP configuration.  In your pictures, you show that you have defined your address pool for the 192.168.1/24 subnet.  The DHCP server needs to have a NIC on the subnet for which it is going to provide addresses.  If you want your host to be managed through the 176.16/16 address, you still need to have another NIC defined on the 192.168.1/24 subnet in order to be able to talk to machines requesting DHCP from that subnet.
    If I have misinterpreted your explanation, please correct me.
    tim

  • Server 2012 R2 DHCP authentication error (1046-DHCP)

    Hello all, here is my story, hope someone can help me solve it.
    Goal :
    Getting the DHCP running on windows server 2012 R2
    Current situation :
    We have two different domains in one forest (domain-A & domain-B).
    Domain-A has several w2k8r2 servers. In Domain-A we have two Server 2008 R2 domain controllers (serverA1 & serverA2). On both servers the DHCP role is installed and running.
    Domain-B has several w2k8r2 servers. In Domain-B we have two Server 2008 R2 domain controllers. Both servers don't have the DHCP server role!
    We installed 2 w2k12R2 servers (server-b1 & server-b2) in domain-B and promoted them to domain controllers. We installed the DHCP server role on server-b1 & server-b2 and configured the failover. The domain functional level is still w2k8r2.
    The change :
    In domain-A we unauthorized the DHCP server-A1 & server-A2 and deleted the DHCP server role.
    Restarted server–A1 & server-A2 and checked if the DHCP server role is removed.
    In domain-B we restarted server-B1 & server-B2. We authorized the DHCP on server-B1 & server-B2.
    The error :
    The DHCP didn’t go online, it gives the following error message in the event viewer (this is the only error message about the DHCP server)
    Eventid 1046, DHCP-Server
    The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain Domain-B, has determined that it is not authorized to start. 
    It has stopped servicing clients.  The following are some possible reasons for this:
    This machine is part of a directory service enterprise and is not authorized in the same domain. 
    (See help on the DHCP Service Management Tool for additional information).
    This machine cannot reach its directory service enterprise and it has encountered another DHCP service on the network belonging to
    a directory service enterprise on which the local machine is not authorized.
    Some unexpected network error occurred.
    Tried solutions :
    1) Checked the local network settings; the DNS server is the one in the old forest (domain-A). This is correct!
    2) Checked with adsiedit.msc if there was still an entry that was looking at server-A1 & server-A2. Nothing found.
    3) I unauthorized the 2 new servers (server-b1 and server-b2). I installed a new w2k12R2 server in domain-A1 and installed the DHCP server role only. Tried to authorize the DHCP server, but the exact same error.
    Looking forward to all the ideas, and the solution.
    J
    Design is the Technology

    Hi,
    According to your description, when you installed a new Windows Server 2012 R2 in domain A and only installed the DHCP role, the authorization was still not successful. So please check if the unauthorize and authorize process was successful. To verify if the DHCP servers have been authorized, please try to run the netsh dhcp show server command; then we can see which DHCP servers are authorized. And you mentioned that you have checked with ADSIEdit to see if there was an entry. Yes, we can make full use of ADSIEdit. If a DHCP server was authorized successfully, there must be an entry about the DHCP server in ADSIEdit. So please check if there are some entries in ADSIEdit on all your DCs in the domain. Ensure that there is only one entry about this new Windows Server 2012 R2 in ADSIEdit.
    If there are differences among the several DCs, please try to use AD replication to make the data consistent.
    And we must log on to the server as an administrator to complete this operation.
    To check the entry, please follow steps below,
    1. Start adsiedit.msc.
    2. Open the Configuration container.
    3. Expand Services.
    4. Expand Net Services.
    Best Regards,
    Tina

  • Unable to boot Windows Server 2012 after adding features (AD, DNS, DHCP)

    Hi,
    I'm installing a VM with Server 2012 and it installs without any problems. I am able to boot it and log in; I change the name of the server and restart it. Still no problem.
    Now I want to add some features: Active Directory, DHCP and DNS, promoting to Domain Controller, creating a new forest and so on. When this is configured and installed the server wants to restart. It restarts but boots into a loop and ends up in System Recovery/Troubleshoot. I have tried repairing the boot with bcdedit in the cmd prompt but am not able to fix it. Same issue in VMware and Hyper-V Manager on different hosts. I'm thinking that the image is at fault, but it's strange that everything works at the beginning.
    Am I missing something? The image I'm using is from MSDN, Server 2012 debug checked with updates.  I'll try another image today, but why shouldn't that one work?

    Hi Presaro,
    I’m glad to hear that everything is OK. Thank you for posting here.
    Best Regards,
    Tina

  • Cannot create Failover Relationship between two Server 2012 DHCP Servers

    Hello all!
    I am trying to create failover relationships for several scopes on a Server 2012 DHCP server.  This all worked in my test environment, but the production environment keeps giving me errors saying that the scope cannot be added on the target server.
    Does anyone know what Error: 20010 in this case means?
    Thanks.

    Hope this helps
    http://blog.rolpdog.com/2012/11/dhcp-failover-breaks-with-custom-options.html
    http://popravak.wordpress.com/2014/05/31/windows-server-2012-dhcp-failover-with-or-without-custom-dhcp-attributes/
    Rgds
    Milos
    PS: List of errors
    http://msdn.microsoft.com/en-us/library/windows/desktop/aa363378(v=vs.85).aspx

  • Windows Server 2012 R2 NIC Teaming and DHCP Issue

    Came across a weird issue today during a server deployment. I was doing a physical server deployment, got Windows installed and was getting ready to connect it to our network. Before connecting the Ethernet cables to the network adapters, I created a NIC Team using the Windows Server 2012 R2 built-in software with a static IP address (we'll say it's 192.168.1.56). Once I plugged in the Ethernet cables, I got network access but was unable to join our domain. At this time, I deleted the NIC team and the two network adapters got their own IP addresses issued from DHCP (192.168.1.57 and 192.168.1.58), and at this point I was able to join our domain. I recreated the NIC team and set a new static IP (192.168.1.57) and everything was working great as intended.
    My issue is that when I went into DHCP I noticed a random entry that was using the IP address I used for the first NIC teaming attempt (192.168.1.56), before I joined it to the domain. I call this a random entry because it is using the last 8 characters of the MAC address as the hostname instead of the server's hostname.
    It seems when I deleted the first NIC team I created (192.168.1.56), a random MAC address Server 2012 R2 generated for the team has remained embedded in the system. The IP address is still pingable even though an ipconfig /all shows the current NIC team with the IP 192.168.1.57. There is no IP address of 192.168.1.56 configured on the current server and I have static IPs set, yet it is still pingable and registering with DHCP.
    I know this is slightly confusing, but I am hoping someone else has encountered this issue and may be able to tell me how to fix this. Simply deleting the DHCP entry does not do the trick; it comes back.

    Hi,
    Please confirm you have chosen the right NIC team type. If you've previously configured NIC teaming, you're aware NIC teams usually require the assistance of network-side protocols. Prior to Windows 2012, using a NIC team on a server also meant enabling protocols like EtherChannel or LACP (also known as 802.1ax or 802.3ad) on network ports.
    More information:
    NIC teaming configure in Server 2012
    http://technet.microsoft.com/en-us/magazine/jj149029.aspx
    Hope this helps.

  • Windows Server 2012 DHCP Event ID: 20291

    Hi,
    We have a DHCP failover set up with the default settings.
    We have always noticed numerous Event ID: 20291 errors in the Event Log. After following the instructions installing patches KB2919355 and KB2955135, deleting the failover relationship, and recreating it, we're still getting numerous errors with different
    scopes, and the error repeats repeatedly for the same IP. Sometimes users would get duplicate IP address error.
    When we click on "Display Statistics" on various scopes for each partner, they show different numbers as far as how many IPs are leased by each.
    Any ideas on what this could mean? We're ready to just remove the failover relationship completely and go back to split scope.
    http://blogs.technet.com/b/teamdhcp/archive/2014/02/26/dhcp-failover-patch-to-address-a-reservation-issue-and-another-issue-related-to-failover-partner-not-accepting-state-transition-from-bad-address-gt-active-has-been-released.aspx?pi47623=2
    http://support.microsoft.com/en-us/kb/2955135
    Source: Microsoft-Windows-DHCP-Server
    Date: date/time
    Event ID: 20291
    Task Category: DHCP Failover
    Level: Error
    User: NETWORK SERVICE
    Computer: DHCP-NODE
    Description: A BINDING-ACK message with transaction id: Transaction_Number was sent for IP address: IP_Address with reject reason: (Reject Reason Unknown) to partner server: DHCP_Partner_Server for failover relationship: DHCP_Failover_Relationship_Name.

    Hi,
    According to your description, my understanding is that DHCP failover with load sharing mode, Event Log displays numerous Event ID: 20291, and the error repeats repeatedly for the same IP.
    As KB 2955135 mentioned that Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. If both servers are Windows Server 2012 R2, please install KB3000850(November 2014 update rollup
    for Windows Server 2012 R2), download link:
    http://www.microsoft.com/en-us/download/details.aspx?id=44975
    Note:
    Before you install this update, you have to first remove the failover relationship, install the update to both DHCP nodes and restart them, and then reestablish the failover relationship.
    Best Regards,
    Eve Wang

  • Migration DHCP from server 2012 R2 to 2012

    Hi,
    How to do a DHCP role transfer from a Windows Server 2012 R2 server to a 2012 server? Tried to export and import the DB; while importing the DB I get the error "TLS configured but not supported".
    Thanks,
    Shamal 

    Hi,
    In addition, you can install Windows Server Migration Tools on the destination and source servers and then use Windows PowerShell cmdlets to perform migration. For more detailed information, please refer to the links below:
    DHCP Server Migration: Preparing to Migrate
    Install, Use, and Remove Windows Server Migration Tools
    DHCP Server Migration: Migrating the DHCP Server Role
    Best regards,
    Susie

  • Static [Public] IP vs. DHCP Assigned IP [Router IP Allocation] on Server 2012 R2 Setup

    I am deploying a new server specifically for creating and managing VMs with Hyper-V. My testing environment includes a Dell T620 server with 3 each 1 TB drives configured for RAID 5. My server has 2 NICs. I am installing Server 2012 R2 along with AD & Hyper-V roles. I have a block of public IPs from my provider. My first question is related to how I configure a NIC to use a public IP. One option is to use DHCP to have an internal IP assigned and then, once the IP is assigned, I log into my router and configure IP Address Allocation to assign the public IP network details to the DHCP-assigned IP. I have used this method on a T610 testing server that uses the VMware ESXi hypervisor with success. Option 2 is to actually input the public IP network details.
    I also have to ask the same question as to which method is better when it comes to the switch. If any of the experienced engineers want to throw in additional advice or tips, that would be appreciated. My initial deployment has gone well but I feel like I can make it easier and more secure. Thanks in advance for the support.
    Gregory Woodruff
    St. Louis, Missouri
    LuckyWoody.com

    1. For servers, static IP addresses are used.
    2. It is a good habit to use one NIC for communication and one for management.
    3. A DC should be a single-homed server (otherwise you may have problems).
    4. Use a split-brain configuration for DNS if you really need it. Otherwise a private subnet is used.
    5. Use a firewall to prevent bad guys from entering your infrastructure.
    6. Use the DHCP server for client computers only.
    7. DHCP on the router is not used for AD clients, because these clients need information on resource records (to find the DC).
    HTH
    Milos
