DHCP and NAP problems in build 6001

  • Question

  • Hello,

    I have set up a Longhorn Server build 6001 (February CTP) as a DC, and installed the NPS and DHCP roles. I have configured the SHV to require only the firewall to be on, and two health policies (for compliant and non-compliant clients). Then, I have configured two network policies for compliant and non-compliant clients. In DHCP, I have configured the NAP DHCP Class options (entered a different router and DNS name, just for test) and enabled NAP on the scope.
    Then, I've installed a Vista client and joined it to the LH domain. In the NAP Client console, I enabled the DHCP enforcement client. The client gets the IP address from the server, and the regular scope options. After that, I manually disabled the firewall on the Vista computer. After that I looked at ipconfig, and the result was the following: the client retains the same IP address and subnet mask, but with no gateway and no DNS name. None of the options from the DHCP NAP Class were applied, and also I didn't get any kind of message that the computer is not compliant.
    After I manually turn the firewall on, the system gets the original IP config back. My questions are:
    Why don't I get the message on the NAP client about non-compliance of the machine after turning off the firewall, and why are the options from the DHCP NAP Class not applied?
    Thank you!

    Friday, March 16, 2007 10:02 PM

Answers

  • Can you tell us the exact build version of the OS? The detailed build version is available at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuildLabEx

    Also make sure you don't have any duplicate Static & CSR routes.

    Can you also send us the NETMON capture of the DHCP transactions and the DHCP Server configuration to ftdhcp@microsoft.com?

    NETMON 3 is available at http://www.microsoft.com/downloads

    Thanks

    Sunday, March 18, 2007 6:48 AM

All replies

  • Hi Damir,

    DHCP enforcement of NAP policies works by preventing the DHCP client from accessing resources outside their subnet. NO DHCP options will be sent to the client except for some "Classless Static Routes". These route options enable the client to get to specific machines on other subnets so they may auto-remediate their health, access troubleshooting URLs etc... So the lack of a gateway and DNS option you see when you disable the firewall on your client is expected. However, if you mean to say that "none of the options from the DHCP NAP Class WERE applied"... then this behavior isn't expected. When you match the NAP policy the DHCP Server should use the DHCP NAP Class options. After disabling the firewall again, can you send the output of "ipconfig /all"? Also, check the event logs on the client to see if there are any events indicating the client was quarantined. Lastly, check the server side event logs and look for events from the NPS and ensure the client is hitting the desired NAP policy.

    If the client is indeed hitting the correct policy, showing as being quarantined, still not getting the DHCP NAP Class options or STILL not getting the napstat.exe popup... we'll have a closer look.


    Saturday, March 17, 2007 5:41 PM
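As an added example (not code from this thread or from Microsoft), the following decodes the kind of restricted lease Richard describes: only RFC 3442 classless static routes (option 121) are present, with no router (option 3) or DNS server (option 6). The DHCP option bytes are constructed for illustration; `looks_nap_restricted` is a hypothetical helper name.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed DHCP options field (not a capture from this thread): a restricted
# lease carrying only subnet mask (1), lease time (51) and RFC 3442 classless
# static routes (121), with no router (3) and no DNS server (6) option.
RESTRICTED_OPTIONS = bytes([
    1, 4, 255, 255, 255, 0,              # option 1: subnet mask 255.255.255.0
    51, 4, 0, 0, 14, 16,                 # option 51: lease time 3600 s
    121, 17,                             # option 121: 17 bytes of routes
    32, 10, 0, 1, 5, 192, 168, 1, 1,     #   10.0.1.5/32 via 192.168.1.1 (e.g. a remediation server)
    24, 10, 0, 2, 192, 168, 1, 1,        #   10.0.2.0/24 via 192.168.1.1
    255,                                 # END
])


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """Split a DHCP options field into {code: value}; stops at END (255), skips PAD (0)."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def decode_csr(value: bytes) -> List[Tuple[str, str]]:
    """Decode RFC 3442 classless static routes into (destination prefix, router)."""
    routes, i = [], 0
    while i < len(value):
        prefix_len = value[i]
        n = (prefix_len + 7) // 8                      # significant destination octets
        dest = ipaddress.ip_address(value[i + 1:i + 1 + n] + bytes(4 - n))
        router = ipaddress.ip_address(value[i + 1 + n:i + 5 + n])
        net = ipaddress.ip_network(f"{dest}/{prefix_len}", strict=False)
        routes.append((str(net), str(router)))
        i += 5 + n
    return routes


def looks_nap_restricted(opts: Dict[int, bytes]) -> bool:
    """The restricted-lease shape described above: CSR present, router and DNS absent."""
    return 121 in opts and 3 not in opts and 6 not in opts
```

Running `decode_csr` over option 121 from a NETMON capture of the DHCP ACK shows exactly which remediation hosts a quarantined client can reach, which is what the ipconfig output alone does not tell you.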
  • Hello Richard,

    Thank you for your reply. I have configured the NAP DHCP Class options to send a client a few static routes and a different domain name (just for test). However, disabling the firewall doesn't apply these options, and the NAP popup never shows up for a client. In previous versions of Longhorn (prior to 6001) this was working OK, with the same settings.

    Saturday, March 17, 2007 11:47 PM