DHCP Enforcement Design
Updated: February 29, 2012
Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista
Using DHCP enforcement, you can enforce health policy when a computer attempts to lease or renew an Internet Protocol version 4 (IPv4) address. The DHCP server limits the client's network access to the restricted network by providing a limited IPv4 address configuration. If client computers are configured with a static IP address, DHCP enforcement is not effective.
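Because statically addressed computers never request a lease, one way to monitor that gap is to compare the hosts seen on a segment with the DHCP server's active leases. The following Python code is an added example, not part of the original documentation; the scope, lease list, observed-host list, allow list and function names are all constructed or hypothetical.

```python
import ipaddress

# Constructed sample data (not from the original page).
SCOPE = "192.168.10.0/24"
# Active DHCP leases as (ip, mac), e.g. exported from the DHCP server.
LEASES = [
    ("192.168.10.21", "00-15-5D-0A-01-21"),
    ("192.168.10.22", "00-15-5D-0A-01-22"),
]
# Hosts actually seen on the segment as (ip, mac), e.g. from a router ARP table.
OBSERVED = [
    ("192.168.10.21", "00:15:5d:0a:01:21"),   # matches its lease
    ("192.168.10.22", "00:15:5d:0a:01:99"),   # leased IP used by another MAC
    ("192.168.10.50", "00:15:5d:0a:01:50"),   # no lease at all
    ("10.0.0.5", "00:15:5d:0a:01:05"),        # outside the NAP scope, ignored
]
# Infrastructure that is expected to be static (gateway, DHCP/NPS server).
ALLOWED_STATIC = {"192.168.10.1", "192.168.10.2"}


def norm_mac(mac):
    """Normalize a MAC to 12 lowercase hex digits so formats compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


def find_unleased_hosts(scope, leases, observed, allowed_static=frozenset()):
    """Return [(ip, mac, reason)] for in-scope hosts not backed by a lease."""
    net = ipaddress.ip_network(scope)
    lease_by_ip = {ipaddress.ip_address(ip): norm_mac(mac) for ip, mac in leases}
    findings = []
    for ip_text, mac in observed:
        ip = ipaddress.ip_address(ip_text)
        if ip not in net or ip_text in allowed_static:
            continue
        leased_mac = lease_by_ip.get(ip)
        if leased_mac is None:
            findings.append((ip_text, mac, "no DHCP lease"))
        elif leased_mac != norm_mac(mac):
            findings.append((ip_text, mac, "lease held by different MAC"))
    return findings


if __name__ == "__main__":
    for ip, mac, reason in find_unleased_hosts(SCOPE, LEASES, OBSERVED, ALLOWED_STATIC):
        print(f"{ip}  {mac}  {reason}")
```

Hosts flagged here obtained their address without passing through the NAP DHCP server, so their health state was never evaluated.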
The following are the benefits of the DHCP enforcement design.
Simple to implement: Does not require that you configure additional hardware on your network and is the easiest to implement of all the NAP enforcement methods in a small deployment scenario.
Uses existing network design: If you have already deployed Microsoft DHCP servers on your network, these servers can be upgraded to support NAP with DHCP enforcement.
NAP with DHCP enforcement requires that the following components be deployed on your network:
A NAP health policy server running Windows Server 2008 R2 or Windows Server 2008 with the Network Policy Server (NPS) role service installed.
A NAP DHCP enforcement server running Windows Server 2008 R2 or Windows Server 2008 with the DHCP service and NPS role service installed.
DHCP NAP-enabled client computers running Windows 7, Windows Vista, Windows Vista with Service Pack 1 (SP1), Windows XP with SP3, Windows Server 2008, or Windows Server 2008 R2.
All of the server components can be installed on the same computer. Depending on the needs of your organization, additional servers might also be required. For more information, see Appendix B: Reviewing Key NAP Concepts.
The following diagram shows a typical NAP with DHCP deployment design:
A NAP-enabled DHCP server provides NAP client computers with an IPv4 configuration that limits their access if they are noncompliant with network health requirements.