Automatic syncing of scope configuration changes between 2 DHCP failover servers

DHCP Failover is a new feature in Windows Server 2012 which provides high availability of the DHCP service. Two DHCP servers in a failover relationship synchronize IP address lease information on a continual basis, thereby keeping their respective databases up to date with client information and in sync with each other. However, if the user changes any property or configuration of a failover scope (e.g. adds or removes option values or a reservation), he/she needs to ensure that the change is replicated to the failover server. Windows Server 2012 provides functionality for performing this replication using the DHCP MMC as well as PowerShell, but both require initiation by the user. This requirement to explicitly initiate replication of scope configuration can be avoided by using a tool which automates the task of replicating configuration changes to the DHCP failover server. DHCP Failover Auto Config Sync is a PowerShell-based tool which automates the synchronization of configuration changes. You can download the tool and usage guide from this post on TechNet Script Center.
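
A drift check to complement the replication described above, as an added example (this is not the DHCP Failover Auto Config Sync tool and not code from the DHCP team): it reports each relationship's state and compares scope ranges, lease duration and reservations between the server where changes are made and its failover partner. The function name `Test-DhcpFailoverDrift` and its `-Repair` switch are assumptions made for this example; the `DhcpServer` module cmdlets it calls are the standard ones, and the account running it needs DHCP admin rights on both servers.

```powershell
# Added example. Treats $ComputerName as the source of truth (one-way comparison).
function Test-DhcpFailoverDrift {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # server where changes are made
        [switch]$Repair                             # assumed switch: replicate drifted scopes
    )
    foreach ($rel in Get-DhcpServerv4Failover -ComputerName $ComputerName) {
        # Any state other than Normal should be alerted on before comparing config.
        if ($rel.State -ne 'Normal') {
            Write-Warning "Relationship '$($rel.Name)' is in state $($rel.State)"
        }
        foreach ($scopeId in $rel.ScopeId) {
            $partner = $rel.PartnerServer
            $drift = @()

            # Scope properties, including the address range.
            $local  = Get-DhcpServerv4Scope -ComputerName $ComputerName -ScopeId $scopeId
            $remote = Get-DhcpServerv4Scope -ComputerName $partner      -ScopeId $scopeId
            foreach ($p in 'StartRange', 'EndRange', 'LeaseDuration') {
                if ("$($local.$p)" -ne "$($remote.$p)") { $drift += $p }
            }

            # Reservations, keyed by IP address and client id.
            $lk = @(Get-DhcpServerv4Reservation -ComputerName $ComputerName -ScopeId $scopeId |
                    ForEach-Object { "$($_.IPAddress)|$($_.ClientId)" })
            $rk = @(Get-DhcpServerv4Reservation -ComputerName $partner -ScopeId $scopeId |
                    ForEach-Object { "$($_.IPAddress)|$($_.ClientId)" })
            $missing = @($lk | Where-Object { $rk -notcontains $_ })  # not on partner
            $extra   = @($rk | Where-Object { $lk -notcontains $_ })  # only on partner
            if ($missing.Count -or $extra.Count) { $drift += 'Reservations' }

            # Push configuration from $ComputerName to the partner only when asked to.
            if ($Repair -and $drift.Count -and $rel.State -eq 'Normal') {
                Invoke-DhcpServerv4FailoverReplication -ComputerName $ComputerName `
                    -ScopeId $scopeId -Force
            }

            [pscustomobject]@{
                Relationship        = $rel.Name
                Partner             = $partner
                State               = $rel.State
                ScopeId             = "$scopeId"
                Drift               = $drift -join ','
                MissingOnPartner    = $missing -join ';'
                OnlyOnPartner       = $extra -join ';'
            }
        }
    }
}

# Report only scopes that differ:
Test-DhcpFailoverDrift | Where-Object Drift | Format-Table -AutoSize
```

Because it compares configuration directly rather than reacting to events, a scheduled run of this check also covers changes that produce no event log entry.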

Please let us know your feedback on this tool!

Comments

  • Anonymous
    January 01, 2003
    Thanks for the quick reply... so to be on the safe side, besides monitoring it will be ok to change the MCLT to let's say 8 hours, and enable proper monitor for the relationship "Get-DhcpServerv4Failover | select state" so... while it's on COMMUNICATION INTERRUPTED state we are ok for 8 hours and will give the admins proper time to check issues, but if they stop talking to each other for longer than 8 hours, it will go into PARTNER DOWN and at least the DHCP service on any of the 2 boxes should be DISABLED, to avoid conflicts with IP assignments?

  • Anonymous
    January 01, 2003
    Hi DHCPTeam

    if I'm using the ps tool to do the sync between Server 1 and Server 2
    Server 1 being the one the tool where it runs from
    what happens if the 2 boxes stop talking to each other? but the clients still see the DHCP service?
    meaning the sync between each other will break, but the clients will still see the DHCP servers as available
    I'm guessing they will go as partner down after 1 hour, so they will try to take over each other's IP pool?
    reading this KB http://technet.microsoft.com/en-us/library/dn338983.aspx, it says "If two DHCP servers configured as failover partners are unable to communicate, precautions are taken to avoid the same IP address lease being issued to two different DHCP clients." but I'm not sure how we can prevent or detect this besides adding proper monitoring?

    Thanks
    Martin

  • Anonymous
    January 01, 2003
    Hi Philg, yes - you can use Invoke-DhcpServerv4FailoverReplication cmdlet to sync scope configuration instead of the automatic sync script tool. In fact, the automatic sync script uses the same cmdlet to sync scope configuration whenever there is a scope configuration change.

  • Anonymous
    January 01, 2003
    Error id 5 is ERROR_ACCESS_DENIED. The script needs to run as a user who has admin permissions.

  • Anonymous
    January 01, 2003
    Yes, the tool should sync reservations as well. Can you send the log output of the script to teamdhcp@hotmail.com

  • Anonymous
    January 01, 2003
    Hi Emmnauel, the error you mentioned is an outcome of the PowerShell cmdlet: Invoke-DhcpServerv4FailoverReplication. This error seems to have occurred when periodic sync was called for one of the failover relationships on the server. We verified that this cmdlet works for the super scope. We will add more logging to the tool and publish a new one which will help understand the root cause of the failure. In the interim, could you send details on the superscope configuration that you have - for example number of scopes in the superscope, any disabled scopes etc. Can you please send the same to teamdhcp_at_hotmail.com

  • Anonymous
    January 01, 2003
    Martin, can you bring down the first server and see if second server goes into partner down (after communication interrupted). BTW, in our tests, we block 647 using the windows firewall on the server - it should not make any difference though.

  • Anonymous
    January 01, 2003
    Based on feedback received from customers, the tool provided on TechNet Script Center (link is in the blog above) has been updated on 20 Jun 2013 to include a fix for periodic synchronization of scope configurations. Also while running, in its default mode, it can now automatically include any failover relationships that were created after it was started. A restart of the tool, for including new relationships, is required only if the user is running the tool in selective replication mode.

  • Anonymous
    January 01, 2003
    You can also use IPAM in Windows Server 2012 R2 for DHCP Failover management which will perform any configuration changes including reservations on both the DHCP failover servers.

  • Anonymous
    January 01, 2003
    Tamas, the script can be run on only one of the DHCP failover servers and sync changes made on that server to the other DHCP failover server. So, the configuration changes (option values, reservations) need to be made on only one of the servers - where you are running the script. Currently the script does not support two way synchronization of configuration changes. Thanks for the feedback, we will consider revising the script to support two way sync.

  • Anonymous
    January 01, 2003
    Is automatic state switchover enabled on both the DHCP servers. A server will continue to stay in COMMUNICATION INTERRUPTED state if automatic state switchover is not enabled.

  • Anonymous
    January 01, 2003
    Hi Val,

    Lets say you have created the failover relationship from server 1 to server 2 and now want to decommission server 1. You can do so by deleting the failover relationship from server 2. This will remove the scopes from server 1 and retain the same on server 2. You can later create new failover relationship for the scopes from server 2 to the newly commissioned server.

  • Anonymous
    January 01, 2003
    Hi Lee, can you please clarify under what user account you are running the script.

  • Anonymous
    January 01, 2003
    We tried this again (it's anyway a part of our tests), blocking TCP port 647. This caused both servers to move into Communication Interrupted and on expiry of state switchover interval, to PARTNER DOWN state. What you have observed is not the expected behavior. How are you blocking port 647 - we do this using firewall. Also, if you bring down the first server, does the second server go into communication interrupted and then to partner down?

  • Anonymous
    January 01, 2003
    Saket, I am not sure I understand the question. Can you please elaborate. If primary server is down, secondary will be able to sync the leases to primary after the primary comes up. Was your question related to the auto sync script ?

  • Anonymous
    January 01, 2003
    Hi Philg, the server running in partner down will take over the entire IP address pool but the pool statistics are not reflecting to indicate that change. This is only related to display and does not affect the "failover" behavior of the server.

  • Anonymous
    January 01, 2003
    Hi Martin,

    When the 2 DHCP servers stop talking to each other, they will both transition to COMMUNICATION INTERRUPTED state. It's fine for 2 DHCP failover servers to run in COMMUNICATION INTERRUPTED state since they will be giving new leases from their ownership of the free IP pool. If you have enabled "automatic state switchover", they will automatically transition from COMMUNICATION INTERRUPTED state to PARTNER DOWN state after expiry of state switchover interval (default 1 hour). An admin needs to avoid having both servers operating in PARTNER DOWN state since a server in PARTNER DOWN state will take over the entire free IP pool assuming the other server is down. This takeover of free IP pool occurs after a period of MCLT since moving into PARTNER DOWN.

    If you have enabled automatic state switchover in DHCP failover, you should monitor events on the DHCP server which indicate PARTNER DOWN state transition and take appropriate action.

  • Anonymous
    January 01, 2003
    That would be appropriate. The DHCP server logs failover state change events in the DHCP server admins channel - you can use those events to monitor.

  • Anonymous
    January 01, 2003
    IP reservation does not follow the same sync method as the leases. Once you create an IP reservation on one of the servers, you need to sync it to the other DHCP server using MMC or PowerShell cmdlet. 3300 scopes on two servers with load balancing is not a problem. You can use the script shared at the below location to achieve automatic sync of reservations and other configuration changes- gallery.technet.microsoft.com/.../Auto-syncing-of-configurati-6eb54fb0

  • Anonymous
    January 01, 2003
    Andy, any time the state of an IP address on a DHCP failover server changes, i.e.

      • an IP address is leased to a client,
      • the existing lease on an IP address is renewed
      • an IP address lease is released or expired

    the updated IP address record post this state change is almost immediately communicated to the partner DHCP server using a lease synchronization message (called BINDING UPDATE). This happens almost instantaneously any time the state of any IP address in a DHCP scope changes. The only delay is what may be introduced by the underlying network between the 2 DHCP failover servers.

  • Anonymous
    January 01, 2003
    Hi Lee, this is not the expected behavior unless there are configuration changes happening that quickly. Is that the case ? We will look into this and get back.

  • Anonymous
    January 01, 2003
    That's great - thanks for the heads up!

  • Anonymous
    January 01, 2003
    I have been using this tool for some time now and it's been working perfectly until recently I began to see these errors in the log file. Any ideas on how to fix this? 'VFGHGBVMDHCPW2P' is the hostname of my secondary DHCP Server 'Periodic Sync TimeOut Happened: Syncing Relation:VFGHDHCPCLUSTER01 Error: Failed to get superscope information on DHCP server VFGHGBVMDHCPW2P. -------------------------------------------------------------------------------------------------- Scope not synced.Please sync it manually. If it does not belong to any relation please create a failover relation for it to ensure safety.' --------------------------------------------------------------------------------------------------

  • Anonymous
    July 09, 2013
    You mentioned: "Two DHCP servers in a failover relationship synchronize the IP address lease information on a continual basis" - can you provide me with further info about the time interval at which they are communicating? As an MCT - would be great to hear from you! Andy

  • Anonymous
    August 19, 2013
    @TeamDHCP We find that new and changed IP reservations tend to take a little while to replicate from one server to the other. Can you confirm this is done differently than leases? Usually we have to manually click replicate to get it on the partner server in time when a tech is standing there waiting for it.

  • Anonymous
    August 19, 2013
    @TeamDHCP Will an IP-Reservation follow the same sync method when created on server one and then automatically replicating to server two instantaneously? In reality we find that we need to do a manual replication via the gui or powershell to get the new reservations copied immediately. If left to its own, there replication will occur at some point, but its nowhere instant. Also, could 3300 scopes on two servers with 50/50 load balancing be the problem?

  • Anonymous
    March 21, 2014
    Hi folks,

    I've setup DHCP failover between 2 servers in my environment following this article:
    http://technet.microsoft.com/en-us/library/hh831385.aspx

    However, I need to decommission the initial server from which the scope was initially replicated. How do I go about breaking the sync relationship between them? I'm afraid that if I just unauthorize the server, and take it offline that there will be replication objects left in the background.

    Any ideas?

  • Anonymous
    May 13, 2014
    Is the log file supposed to post entries 3 to 4 times per second? Causing large expansion of the log file. Entries continuously are: Sync process complete at Will automatically sync again when new configuration changes are made. These repeat at least 3 to 4 times per second

  • Anonymous
    May 16, 2014
    Hi, I have two dhcp 2012 r2 servers with loadbalance 50/50, state switchover 60minutes, MCLT 60minutes. When I shutdown the server1, the server 2 shows then partner down, but the ip pool doesn't change from 50% to 100%?
    Why doesn't this change?

  • Anonymous
    May 16, 2014
    Hi, ok thanks for your quick response. For scope replications, is it also possible to start twice a day the "Invoke-DhcpServerv4FailoverReplication -Force" command instead of your tool? What do you mean?

  • Anonymous
    May 23, 2014
    Can someone please explain to me the logic employed for requiring manual synchronization of DHCP reservations and then providing a tool that effectively makes a scheduled task to maintain synchronization? Could you imagine the havoc that would ensue if Active Directory worked the same way? I just lost a few dozen reservations because my DHCP failed over and I had no idea that reservations weren't synchronized.

  • Anonymous
    June 04, 2014
    Hi,

    If primary server is down, and secondary doesn't sync with primary. what could be the issue.

  • Anonymous
    September 05, 2014
    Hi TeamDHCP,

    Thanks for your reply.
    I think it would be really appreciated if you could implement the two way sync into your script.
    It's really helpful stuff now but it could be more powerful with these changes! :)

    Thanks.
    Tamas

  • Anonymous
    September 19, 2014
    hi, am getting this error when I try running the DFACS

    - Get-DhcpServerv4Failover : Failed to enumerate failover relationships on DHCP server OJTDHCP01.
    At C:DhcpFailoverAutoConfigSyncToolDhcpFailoverAutoConfigSyncTool.ps1:165 char:35
    + $script:includeRelations=(Get-DhcpServerv4Failover).Name
    + ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : PermissionDenied: (PS_DhcpServerv4Failover:root/Microsoft/...erverv4Failover) [Get-DhcpS
    erverv4Failover], CimException
    + FullyQualifiedErrorId : WIN32 5,Get-DhcpServerv4Failover

  • Anonymous
    June 17, 2015
    Great article. Thank you!

  • Anonymous
    June 25, 2015
    We have a configuration with clustered DHCP servers. For proper relationship replication I've added serverName (clustered) to the script parameters and all PowerShell DHCP commands. Because we want multimaster synchronization I've added event filtering by event source account. This allows not syncing back deactivate scope changes made by the "Invoke" command. The script also needs a change for verification of the replication partner if synchronization is running. I did not change it because, due to firewall rules in our environment, verification is unsuccessful so all is working. That's why the script needs more improvement. If this kind of functionality could be useful, please could anyone from the DHCP team contact me to verify the changes I made in the script and make the rest of the improvements.

  • Anonymous
    September 19, 2015
    My DHCP lease address are not replicating at all after configuration of DHCP server 2012 R2. Scope details and option has been force replicated but we need the lease to replicate which is not happening.

  • Anonymous
    September 21, 2015
    Subhra, if the DHCP failover relationship has been configured successfully and the failover relationship is in NORMAL state, the leases should replicate automatically. How are you verifying that the lease is not replicated to the second DHCP server.

  • Anonymous
    October 06, 2015
    Hi TeamDHCP,
    It is very informative. Here is my question... I have two DHCP server with hotstandby mode enabled, MCLT:1 hour and automatic failover enabled, and we use IP relay agent therefore the two DHCP servers IP has been added into our switch like primary helper and secondary helper. What if our primary server goes down , will our primary IP helper get the IP from partner server? Thanks.

  • Anonymous
    October 06, 2015
    I just modified a bunch of my DHCP scopes using a small PowerShell script. To my surprise, this created NOT a single event log entry and as a result DFACS did not detect the modifications and sync never happened. Doing the same changes with MMC does create event log entries and all works as expected. I'd expect DHCP scope modifications show up in the event log anyway - if applied in GUI or using PowerShell should not make a difference?

    is this a bug, a feature or just me missing something?

  • Anonymous
    October 06, 2015
    Hello Cornel, the DHCP server events should get logged regardless of whether a scope modification is made through PowerShell or MMC. Could you please share the script or the snippet of the script which performs the scope modification.

  • Anonymous
    October 06, 2015
    Hello RajK, IP helpers in the switch need to be configured with IP addresses of both DHCP servers such that each DHCP request is forwarded to both DHCP servers. I am not sure if the primary/secondary IP helper configuration would do that. I am not an expert on switch configuration but I am inclined to think that you need to have both IP addresses in primary IP helper configuration.

  • Anonymous
    October 07, 2015
    @teamdhcp: the relevant code is pretty simple:

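    # Move an end address ending in .254 down to .239; other scopes keep their range
    $scopes = Get-DhcpServerv4Scope
    foreach ($scope in $scopes) {
        $end = $scope.EndRange.IPAddressToString
        # Escape the dot so it matches a literal "." rather than any character
        $newend = $end -replace '\.254$', '.239'
        Set-DhcpServerv4Scope -EndRange $newend -ScopeId $scope.ScopeId -StartRange $scope.StartRange
    }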

    the above correctly lowers the EndRange on all my maxed scopes, but does not create a single event log entry :-(

    what I just found out: the problem does not seem to be related to GUI vs PowerShell, it's the attribute I'm setting. same code as above but changing LeaseDuration instead of EndRange works as expected. and same results using GUI or PS - my previous message was incorrect about this.

  • Anonymous
    October 07, 2015
    The DHCP server does not log an event for change of IP address range of a scope. All other parameter changes are logged.

  • Anonymous
    October 07, 2015
    oh well - that's pretty close to the worst case I was worried about. any explanation why it got implemented like this?

    any chance to have this fixed - or it's a "documented" feature now?

    thanks a lot for your quick reply

  • Anonymous
    October 16, 2015
    Hi Cornel, please open a support case towards fixing this. By the way, the DHCP server events are documented here: https://technet.microsoft.com/en-us/library/dn800668.aspx

  • Anonymous
    November 19, 2015
    Hello teamdhcp, the documentation for Automatic syncing of scope configuration changes between 2 DHCP failover servers pertains to Server 2012. Does it still apply to Server 2012 R2 or has this functionality been built into the OS now?

    Thanks.

  • Anonymous
    November 19, 2015
    Hello Belpad, you can use IPAM 2012R2 to manage DHCP scopes which are configured for failover. IPAM 2012R2 makes any changes done by admin to failover scopes to both the DHCP servers in the failover relationship.