Sunday, December 2, 2018

DHCP Fail-over Implementation Windows Server 2012R2






This article is about DHCP failover implementation on Windows Server 2012 R2. By the time I publish this post Microsoft has already launched Windows Server 2016 and the Windows Server 2019 technical preview, but I would like to share this for those who are still on 2012 R2 and planning a DHCP failover implementation.


Microsoft introduced this feature in Windows Server 2012 to make the DHCP service reliable and redundant.

I will take you through the best practices to follow and a detailed implementation plan. I would also like to flag the limitation of scope option replication in W2K12 DHCP failover and the solution provided by Microsoft.

The limitation we are going to talk about is rectified in the Windows Server 2016 release.


Document Scope


This document focuses mainly on the limitation of DHCP failover replication and its solution on the Windows Server 2012 platform; however, an overview of the failover feature and its installation and configuration, as performed on a demo site, is covered in the first half of this document.

It is recommended to read the reference links provided in this document before installing in a production environment, as Microsoft may amend the content from time to time.


Introduction


DHCP is one of the critical components of an IT environment today, and ensuring its continuous availability is a top priority for any IT administration. In Windows Server 2012, the DHCP server can be configured for high availability by pairing two DHCP servers in a failover relationship. The two servers synchronize IP address lease information continually, keeping their respective databases up to date with client information and in sync with each other.

DHCP Server Failover Feature

The DHCP failover feature can be used in two relationship modes:

Load Balance (Active-Active): Two independent DHCP servers share the responsibility for servicing clients in a scope or set of scopes according to a configured load balance ratio. If either server fails, the other assumes full responsibility for servicing the clients.

Load balancing in a single site with a single subnet




Load balancing in a single site with multiple subnets





Hot Standby (Active-Passive): A DHCP server is designated as the standby for a primary DHCP server. The standby assumes the load if the primary goes down.



Hot Standby in a multi-Site infrastructure




Hot Standby in a single site infrastructure



Both modes increase the redundancy of the DHCP service in the network and make it more fault tolerant. The failover feature can be used in different topologies, such as hub-and-spoke or ring.



Note: Only lease data is synchronized automatically. If the user makes any change to a property or configuration of a failover scope (for example, adding or removing option values or reservations), he or she needs to ensure that the change is replicated to the failover partner.

Because of this limitation in DHCP failover replication, hot standby mode is preferred in both single-site and multi-site environments.

Solution: DHCP Failover Auto Config Sync (DFACS) which will be explained later in this document.

The DHCP failover feature is explained in greater detail at http://technet.microsoft.com/en-us/library/hh831385.aspx
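The note above is the practical problem with 2012/2012 R2 failover: options and reservations changed on one partner silently diverge from the other until someone runs Replicate Scope or Replicate Relationship. The following is an added example (not code from the original post or from Microsoft's DFACS tool) that compares the scope-level options and reservations of every scope in a failover relationship on both partners, reports any drift, and then pushes the primary's configuration to the partner with the DhcpServer module's own replication cmdlet. The server names and the relationship name are hypothetical.

```powershell
# Added example (not from the original post): detect configuration drift between failover
# partners and push the primary's scope configuration to the partner. Server and
# relationship names are hypothetical. Run as a DHCP administrator with the DhcpServer module.
$Primary      = 'DHCP01'
$Partner      = 'DHCP02'
$Relationship = 'DHCP01 - DHCP02 Failover'

# Scope-level option values and reservations of one scope, flattened to comparable strings
function Get-ScopeConfigLines {
    param([string]$Server, [ipaddress]$ScopeId)
    $opts = Get-DhcpServerv4OptionValue -ComputerName $Server -ScopeId $ScopeId |
        ForEach-Object { 'option {0}={1}' -f $_.OptionId, ($_.Value -join ',') }
    $res = Get-DhcpServerv4Reservation -ComputerName $Server -ScopeId $ScopeId -ErrorAction SilentlyContinue |
        ForEach-Object { 'reservation {0}={1}' -f $_.IPAddress, $_.ClientId }
    @($opts) + @($res) | Sort-Object
}

$relation = Get-DhcpServerv4Failover -ComputerName $Primary -Name $Relationship
$drift = foreach ($scopeId in $relation.ScopeId) {
    $onPrimary = @(Get-ScopeConfigLines -Server $Primary -ScopeId $scopeId)
    $onPartner = @(Get-ScopeConfigLines -Server $Partner -ScopeId $scopeId)
    if ($onPrimary.Count -eq 0 -and $onPartner.Count -eq 0) { continue }
    $diff = Compare-Object -ReferenceObject $onPrimary -DifferenceObject $onPartner
    foreach ($d in $diff) {
        # '<=' means the setting exists only on the primary, '=>' only on the partner
        [pscustomobject]@{ ScopeId = $scopeId; Side = $d.SideIndicator; Setting = $d.InputObject }
    }
}

if (-not $drift) {
    "All $($relation.ScopeId.Count) failover scopes have identical options and reservations on both servers."
} else {
    $drift | Format-Table -AutoSize
    # Replicate every scope in the relationship from this server to the partner. This is the
    # cmdlet behind the 'Replicate Relationship' action in the DHCP console; it overwrites
    # the partner's copy, so run it from the side that holds the intended configuration.
    Invoke-DhcpServerv4FailoverReplication -ComputerName $Primary -Name $Relationship -Force
}
```

Run this from a scheduled task after change windows, or by hand after editing options or reservations, and always from the server you edited: replication is one-directional and will clobber whatever the other side has.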



DHCP Fail-over Implementation




Pre-requisites




1)  Ensure that a valid, recent full backup of the existing DHCP server is available.

2)  Take a backup of the DHCP configuration on the existing server.

3)  Identify a server to act as the DHCP standby partner.

4)  Check whether the WDS role is installed on the proposed standby server. If it is, make sure that "Do not listen on DHCP ports" is checked on the DHCP tab of the WDS server properties, so that WDS does not bind UDP port 67 alongside the DHCP Server service.

5)  Ensure that TCP port 647 is open in the firewall of both servers in the failover relationship.

If TCP port 647 is blocked, create inbound and outbound firewall rules to allow the connection. (In a multi-site environment make sure that TCP port 647 is also permitted on the layer 3 devices and firewalls between the sites.)

6)  Ensure that the clocks on both servers are synchronized to within one minute (check the NTP/time source configuration).

7)  Check whether the existing DHCP server updates dynamic DNS records on behalf of clients; if so, the new and existing servers should use the same credentials.

           Example: service account "DHCPConfig" (verify the password).

8)  If the failover partner is configured in hot standby mode, ensure that each scope has enough free addresses to reserve 5-10% for the partner server.

Open DHCP Manager -> expand IPv4 -> right-click each scope that will be added to the failover relationship -> click "Display Statistics".

The output is similar to the following:

a) Scope - Example scope 1
   IP range:        10.20.0.0/22 (255.255.252.0)
   Total addresses: 819
   In use:          479 (58%)
   Available:       340 (41%)

b) Scope - Example scope 2
   IP range:        10.20.4.0/24 (255.255.255.0)
   Total addresses: 244
   In use:          42 (17%)
   Available:       202 (82%)

The Configure Failover wizard also performs the following checks and refuses to continue with these errors:

9)  The maximum number of failover relationships for either DHCP server (31 per server):
   "The local/partner server already has 31 (maximum allowed) failover relationships. A server cannot have more than 31 failover relationships."

10) The operating system on the failover partner server:
   "The version of specified DHCP server does not support failover."

11) Scopes already present on the failover partner server:
   "Following scopes already exist on the specified partner server. These scope(s) will need to be deleted on the partner server before configuring failover."

For detailed considerations and prerequisites, please refer to the link below:

 https://sjohnonline.blogspot.com/2018/12/in-this-article-i-am-sharing-detailed.html
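The prerequisites above are all checkable from PowerShell before the wizard is started. The following is an added example (not from the original post) that runs on the existing DHCP server and covers items 2 and 4 to 11: it backs up the DHCP database, checks WDS on the partner, makes sure TCP 647 is allowed inbound on both hosts, measures clock skew, shows the dynamic DNS account, sizes a 10% hot-standby reserve per scope, and checks the relationship limit, the partner OS and scope overlap. DHCP01, DHCP02 and the backup path are hypothetical.

```powershell
# Added example (not from the original post): pre-flight checks for prerequisites 2 and
# 4-11 above. Run on the existing (primary) DHCP server as a DHCP administrator.
# DHCP01, DHCP02 and the backup path are hypothetical.
$Primary    = 'DHCP01'
$Partner    = 'DHCP02'
$BackupPath = Join-Path 'C:\DhcpBackup' (Get-Date -Format 'yyyyMMdd-HHmm')

# 2) Backup of the DHCP database and configuration (restorable with Restore-DhcpServer)
#    plus a portable XML export of configuration and leases.
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
Backup-DhcpServer -ComputerName $Primary -Path $BackupPath
Export-DhcpServer -ComputerName $Primary -File (Join-Path $BackupPath 'dhcp-export.xml') -Leases -Force

# 4) WDS on the partner must not bind UDP 67, otherwise it answers DHCP requests itself
if ((Get-WindowsFeature -ComputerName $Partner -Name WDS-Deployment).Installed) {
    Write-Warning "WDS is installed on $Partner; tick 'Do not listen on DHCP ports' in the WDS properties"
}

# 5) TCP 647 (failover protocol) must be allowed inbound on both hosts. The DHCP role ships
#    a predefined rule; add one only if no enabled Allow rule for TCP 647 exists.
foreach ($srv in $Primary, $Partner) {
    Invoke-Command -ComputerName $srv -ScriptBlock {
        $open = Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '647' } |
            Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
        if (-not $open) {
            New-NetFirewallRule -DisplayName 'DHCP Failover (TCP-In 647)' -Direction Inbound `
                -Protocol TCP -LocalPort 647 -Action Allow -Profile Domain | Out-Null
        }
    }
}

# 6) Clock skew must be under one minute or the failover wizard refuses to continue
$remoteUtc = Invoke-Command -ComputerName $Partner -ScriptBlock { (Get-Date).ToUniversalTime() }
$skew = [math]::Abs(((Get-Date).ToUniversalTime() - $remoteUtc).TotalSeconds)
if ($skew -gt 60) { Write-Warning "Clock skew to $Partner is $([int]$skew) s; fix time sync first" }

# 7) Dynamic DNS update account on the existing server; the partner must use the same one
Get-DhcpServerDnsCredential -ComputerName $Primary

# 8) Free addresses per scope against a 10 % reserve for a hot-standby partner
Get-DhcpServerv4ScopeStatistics -ComputerName $Primary | ForEach-Object {
    $total   = $_.AddressesFree + $_.AddressesInUse
    $reserve = [math]::Ceiling($total * 0.10)
    [pscustomobject]@{
        ScopeId     = $_.ScopeId
        Total       = $total
        InUse       = $_.AddressesInUse
        Free        = $_.AddressesFree
        Reserve10   = $reserve
        FitsReserve = ($_.AddressesFree -ge $reserve)
    }
} | Format-Table -AutoSize

# 9) At most 31 failover relationships per server
$count = @(Get-DhcpServerv4Failover -ComputerName $Primary -ErrorAction SilentlyContinue).Count
if ($count -ge 31) { Write-Warning "$Primary already has $count failover relationships" }

# 10) Partner operating system (must be Windows Server 2012 or later)
(Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $Partner).Caption

# 11) Scope IDs already present on the partner make the initial replication fail
$partnerScopes = @(Get-DhcpServerv4Scope -ComputerName $Partner -ErrorAction SilentlyContinue |
    ForEach-Object { $_.ScopeId.ToString() })
if ($partnerScopes.Count -gt 0) {
    $primaryScopes = Get-DhcpServerv4Scope -ComputerName $Primary | ForEach-Object { $_.ScopeId.ToString() }
    $overlap = Compare-Object $primaryScopes $partnerScopes -IncludeEqual -ExcludeDifferent
    if ($overlap) {
        Write-Warning "Already on $($Partner): $($overlap.InputObject -join ', ') - delete before configuring failover"
    }
}
```

The scope check in item 11 only runs once the partner has the DHCP role; before that the cmdlet errors and the check is skipped, which is the expected result for a freshly built standby.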







Implementation Plan


DHCP Role installation on partner server

1) Log in to the proposed DHCP standby server with domain admin credentials.

2) Install the DHCP Server role on the proposed standby server. Prefer a server that does not also host the WDS role.

3) In Server Manager -> under Configure this local server -> click Add Roles and Features.

4) In the Add Roles and Features Wizard, click Next three times, then on the Select server roles page select the DHCP Server check box.

When you are prompted to add required features, click Add Features.

5) Click Next three times, then click Install.

6) Wait for the installation to complete.

7) On the Authorization page of the DHCP Post-Install Configuration wizard, select credentials with domain admin rights; these are required to authorize the server in Active Directory. Click Commit.
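The same role installation and post-install configuration, as an added example (not from the original post) run from the existing DHCP server as a domain admin. It installs the role remotely, performs what the post-install wizard does (local DHCP security groups, AD authorization, clearing the Server Manager flag), sets the same dynamic DNS update account as the primary (prerequisite 7), and confirms that TCP 647 is reachable on the partner. DHCP01, DHCP02 and corp.example are hypothetical.

```powershell
# Added example (not from the original post): install and authorize the DHCP Server role on
# the proposed standby server. Run on the existing DHCP server as a domain admin.
# DHCP01, DHCP02 and corp.example are hypothetical.
$Primary     = 'DHCP01'
$Partner     = 'DHCP02'
$PartnerFqdn = "$Partner.corp.example"

# Steps 3-6: the role plus the DHCP console and the DhcpServer PowerShell module
Install-WindowsFeature -ComputerName $Partner -Name DHCP -IncludeManagementTools

# Step 7, what the post-install wizard does behind the scenes:
#  - create the local DHCP Administrators / DHCP Users groups and restart the service
#  - authorize the server in Active Directory (unauthorized domain DHCP servers do not lease)
#  - clear the "Complete DHCP configuration" flag shown in Server Manager
Add-DhcpServerSecurityGroup -ComputerName $Partner
Get-Service -ComputerName $Partner -Name DHCPServer | Restart-Service
$partnerIp = (Resolve-DnsName -Name $PartnerFqdn -Type A).IPAddress | Select-Object -First 1
Add-DhcpServerInDC -DnsName $PartnerFqdn -IPAddress $partnerIp
Invoke-Command -ComputerName $Partner -ScriptBlock {
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12' `
        -Name ConfigurationState -Value 2
}

# The partner must use the same dynamic DNS update account as the existing server.
# The stored password cannot be read back, so it is re-entered interactively here.
$dns = Get-DhcpServerDnsCredential -ComputerName $Primary
Set-DhcpServerDnsCredential -ComputerName $Partner `
    -Credential (Get-Credential "$($dns.DomainName)\$($dns.UserName)")

# Confirm the authorization and that nothing on the path blocks the failover port
Get-DhcpServerInDC | Where-Object { $_.DnsName -eq $PartnerFqdn }
Test-NetConnection -ComputerName $Partner -Port 647 -InformationLevel Quiet
```

If the last line returns False, fix the host firewalls or the path between the sites before running the failover wizard; the wizard's own error at that point ("The specified DHCP server is not reachable") does not say which side is blocking.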

Configure DHCP failover

1)  Open the DHCP console on the existing DHCP server.

Expand IPv4.
Right-click IPv4 in the left pane and select Configure Failover.
Select all scopes.

2)  Click Add Server, select the proposed standby server as the partner server, then click Next.

3)  Give the relationship a descriptive name, for example "servername1 - servername2 Failover".

4)  Leave Maximum Client Lead Time at 1 hour (default).

5)  Select the failover mode "Hot Standby", then set the role of the partner server to "Standby".

6)  Enter the percentage of addresses reserved for the standby server (based on the free addresses in each scope, see prerequisite 8).

7)  Leave the state switchover interval at 60 minutes (default).

8)  Enable message authentication and enter the shared secret, then click Next and Finish.

9)  Check that all the listed tasks completed successfully.
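Steps 1 to 9 as PowerShell, an added example that is not from the original post. It creates the hot standby relationship from the existing (active) server with the same settings the wizard steps describe and then reads the relationship back from both partners. Server names are hypothetical, and the shared secret is prompted for rather than written into the script.

```powershell
# Added example (not from the original post): create the hot-standby relationship from the
# existing (active) DHCP server and verify it on both partners. Names are hypothetical.
$Primary      = 'DHCP01'
$Partner      = 'DHCP02'
$Relationship = "$Primary - $Partner Failover"

# Prompt for the shared secret; Add-DhcpServerv4Failover needs it as a plain string
$secure = Read-Host -Prompt 'Failover shared secret' -AsSecureString
$Secret = (New-Object System.Net.NetworkCredential('', $secure)).Password

# Step 1: every IPv4 scope on the existing server joins the relationship
$scopes = Get-DhcpServerv4Scope -ComputerName $Primary

# Steps 2-8: -ServerRole is the role of the LOCAL server (Active), which makes the partner
# the Standby. ReservePercent is the share of each scope held back for the standby, MCLT is
# 1 h, automatic transition to Partner Down happens 60 min after communication is lost, and
# -SharedSecret switches on message authentication for the TCP 647 channel.
Add-DhcpServerv4Failover -ComputerName $Primary `
    -Name $Relationship `
    -PartnerServer $Partner `
    -ScopeId $scopes.ScopeId `
    -ServerRole Active `
    -ReservePercent 10 `
    -MaxClientLeadTime (New-TimeSpan -Hours 1) `
    -AutoStateTransition $true `
    -StateSwitchoverInterval (New-TimeSpan -Minutes 60) `
    -SharedSecret $Secret `
    -Force

# Step 9: both partners report the relationship (State settles at Normal) and the partner
# now holds a copy of every scope
foreach ($srv in $Primary, $Partner) {
    Get-DhcpServerv4Failover -ComputerName $srv -Name $Relationship |
        Select-Object @{ n = 'Server'; e = { $srv } }, Mode, ServerRole, State, ReservePercent,
                      @{ n = 'Scopes'; e = { $_.ScopeId.Count } }
}
Get-DhcpServerv4Scope -ComputerName $Partner | Select-Object ScopeId, Name, State
```

Generate the shared secret as a long random string and keep it in your password vault; it is the only thing authenticating the partner that will be allowed to take over every scope, so it should not live in a script or a ticket.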


Configure IP Helper (On a Layer 3 device)

Routers do not forward broadcasts by default, and DHCP relies on broadcast for the lease exchange. If your infrastructure has multiple subnets, every subnet without its own DHCP server needs an IP helper address on its router or layer 3 device: the relay forwards the client's broadcast as unicast to each helper address and sets the giaddr field, which is how the server picks the right scope for that subnet.



1)  Log in to the core switch (<IP address>) with admin credentials.

2)  Back up the switch configuration.

3)  Add the standby DHCP server's IP address as a second IP helper address on every VLAN that already has one.

For HP ProCurve layer 3 switches (10.20.0.10 is the primary and 10.20.0.11 the standby DHCP server):

vlan 105
   name "example1"
   untagged A12
   tagged A1,A3,A5,A24,B18-B20,C1-C2,C4,C6,C13-C24,D1,D13-D24
   ip address 10.20.4.1 255.255.255.0
   ip helper-address 10.20.0.10
   ip helper-address 10.20.0.11
   ip igmp
   exit


For Cisco IOS switches:

interface Vlan123
 description SVI for VLAN 123, DHCP relay example
 ip address 10.20.4.1 255.255.255.0
 ip helper-address 10.20.0.10
 ip helper-address 10.20.0.11

4)  Repeat step 3 for all the other VLANs, for example:

vlan 110 - name "example2"
vlan 115 - name "example3"
vlan 160 - name "example4"

5)  Save the running configuration to the startup configuration (HP: write memory; Cisco: copy running-config startup-config).

6)  Back up the running and startup configuration and store them in a secure location. On HP ProCurve:

copy running-config tftp <tftp-server-ip> <switch-name>-running.cfg
copy startup-config tftp <tftp-server-ip> <switch-name>-startup.cfg

TFTP is unauthenticated and unencrypted, so restrict the TFTP server to the management network and prefer SFTP/SCP where the switch supports it.

If you are using any other layer 3 device, check your vendor guide for how to configure the IP helper.

Post Implementation Checks

1)  On the existing server, right-click a scope in the left pane, select Properties and open the Failover tab.

Review the failover configuration status: the role of this server should be "Active".

2)  Repeat on the partner server.

Review the failover configuration status: the role of this server should be "Standby".

3)  Fail over the servers outside office hours and check that clients still obtain IP addresses.
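The failover test in step 3, as an added example that is not from the original post. It confirms both partners are in the Normal state, stops the DHCP Server service on the active server, waits for the standby to notice, renews a lease on a test client and reports which server issued it, then restarts the active server and waits for both sides to return to Normal. DHCP01, DHCP02, the relationship name and WKS-TEST01 are hypothetical.

```powershell
# Added example (not from the original post): controlled failover test for the
# post-implementation checks. Run out of hours from a management host.
# DHCP01, DHCP02, the relationship name and the test client are hypothetical.
$Primary      = 'DHCP01'
$Partner      = 'DHCP02'
$Relationship = "$Primary - $Partner Failover"
$TestClient   = 'WKS-TEST01'

# Poll the relationship state on one server until it reaches one of the expected states
function Wait-FailoverState {
    param([string]$Server, [string]$Name, [string[]]$Expected, [int]$TimeoutSec = 120)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $state = "$((Get-DhcpServerv4Failover -ComputerName $Server -Name $Name).State)"
        if ($Expected -contains $state) { return $state }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    throw "$Server did not reach $($Expected -join '/') within $TimeoutSec s (last state: $state)"
}

# Baseline: both partners must be Normal before the test means anything
Wait-FailoverState -Server $Primary -Name $Relationship -Expected 'Normal'
Wait-FailoverState -Server $Partner -Name $Relationship -Expected 'Normal'

# Simulate loss of the active server by stopping its DHCP Server service
Get-Service -ComputerName $Primary -Name DHCPServer | Stop-Service
# The standby first goes to CommunicationInterrupted, where it renews existing leases and
# hands out new ones only from its reserved share. With automatic state transition it moves
# to PartnerDown after the switchover interval and then uses the whole pool.
$state = Wait-FailoverState -Server $Partner -Name $Relationship -Expected 'CommunicationInterrupted', 'PartnerDown'
"Standby state after stopping the active server: $state"

# Renew from a test client and report which server issued the lease
Invoke-Command -ComputerName $TestClient -ScriptBlock {
    ipconfig /renew | Out-Null
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'DHCPEnabled=TRUE AND IPEnabled=TRUE' |
        Select-Object IPAddress, DHCPServer, DHCPLeaseObtained
}

# Bring the active server back and confirm both partners return to Normal. If the standby
# had already gone to PartnerDown, the returning server sits in RecoverWait for one MCLT
# (1 h here) before it becomes Normal again, so allow for that when sizing the timeout.
Get-Service -ComputerName $Primary -Name DHCPServer | Start-Service
Wait-FailoverState -Server $Primary -Name $Relationship -Expected 'Normal' -TimeoutSec 300
Wait-FailoverState -Server $Partner -Name $Relationship -Expected 'Normal' -TimeoutSec 300
```

The DHCPServer value returned from the client should be the standby's address while the active server is down; if it still shows the old server, the client renewed against a cached lease rather than the relay, so release first (ipconfig /release) on a test client that can afford to lose connectivity briefly.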

Rollback Plan


1) On the primary server:

Right-click IPv4 and select Properties.
Open the Failover tab.
Select the relationship and click Delete.

2) Remove the DHCP role from the replica server.

3) Revert the IP helper configuration.

Microsoft DHCP Server Fail-over Requirements


DHCP Failover Requirements


In this article I am sharing the detailed prerequisites and plans needed for a DHCP failover implementation.

An upcoming article will detail how to set up DHCP failover in your infrastructure.

Updated: July 31, 2013
Applies To: Windows Server 2012 R2, Windows Server 2012
Requirements to deploy DHCP failover are the following:

Item: Operating system
Requirement: Windows Server 2012, or a later operating system, is required.
Details: Both DHCP servers in a DHCP failover relationship must be running Windows Server 2012 or a later operating system. The servers do not need to both be running the same operating system, but this is recommended to ensure consistent replication of settings.

Item: Role services
Requirement: The DHCP Server role service is required.
Details: Both computers participating in a DHCP failover relationship must have the DHCP Server role installed and running. The DHCP Server service can be paused, but must not be stopped. Additional roles, role services, and features are optional.

Item: Network
Requirement: DHCP servers can be on the same network or on different networks. The network connection between DHCP failover partners must be uninterrupted.
Details: Both DHCP servers must be able to communicate with each other, and with all DHCP clients that will receive DHCP leases from failover-enabled scopes. Both servers must also be time synchronized to within one minute of each other. DHCP servers can communicate with each other directly, or through IP routing. DHCP servers can communicate with DHCP clients either directly or using DHCP relay. For more information about configuring DHCP relay agents for a DHCP failover deployment, see DHCP Failover Architecture.

Item: IP addresses
Requirement: DHCP servers should be configured with static IP addresses.
Details: To ensure that a persistent TCP connection between DHCP failover partners is maintained, it is important to use a static IP address on all DHCP server network interfaces. If the static IP address of a DHCP server needs to be changed, for example during DHCP migration, you must first delete all DHCP failover relationships that exist on that server, and then recreate the relationships when the new IP address is active. For more information about communication between DHCP failover partners, see DHCP Failover Communications.

Item: DHCP scopes
Requirement: At least one IPv4 DHCP scope must be configured on the primary DHCP server. The same DHCP scope ID, or an overlapping scope, must not be configured on the failover partner.
Details: Other DHCP scopes that are not overlapping can be configured on the failover partner, but are not required. Scopes that are not configured for DHCP failover are not affected. The DHCP scope does not need to be active. An inactive DHCP scope that is replicated to a DHCP failover partner server will also be inactive on the failover partner. You cannot configure DHCP failover using two DHCP servers that are already configured for a split-scope DHCP deployment, because the same DHCP scope ID is present on both servers. Initial replication of a DHCP scope to the failover partner will fail if the scope ID already exists on the destination server.

Item: Domain membership
Requirement: Not required.
Details: DHCP servers can be workgroup computers or domain member computers. However, workgroup computers cannot be authorized in Active Directory. For more information, see Authorizing DHCP servers.

Prerequisite checks

The following prerequisite checks are made before enabling DHCP failover:

Check performed: DNS name resolution for the failover partner server
Error message displayed: Unable to resolve the specified DNS name.

Check performed: Valid IP address specified for the failover partner server
Error message displayed: The specified IP address <x.x.x.x> is invalid.

Check performed: The server has a network connection to the failover partner server
Error message displayed: The specified DHCP server is not reachable. Please provide a DHCP server that is reachable.

Check performed: The operating system on the failover partner server
Error message displayed: The version of specified DHCP server does not support failover.

Check performed: The user is a member of the DHCP Administrators group, or equivalent, on the failover partner server
Error message displayed: You do not have permissions to perform this operation on the remote DHCP server.

Check performed: The maximum number of failover relationships for either DHCP server
Error message displayed: The local/partner server already has 31 (maximum allowed) failover relationships. A server cannot have more than 31 failover relationships.

Check performed: The DHCP Server service is running on the failover partner server
Error message displayed: DHCP server is not running on the specified server. Please ensure that DHCP server is running on the specified server.

Check performed: Time is synchronized between both servers
Error message displayed: The time difference between this server and the specified partner server is greater than the permissible value of x minutes. It is recommended to ensure that both servers are time synchronized before configuring failover. You could set up the Network Time Protocol (NTP) service on both servers to ensure time synchronization.
Note: A maximum permissible time difference can be configured in the Windows Registry. The registry value is read from both servers and the minimum of the two values is used to perform this check. If the registry value has not been configured, the default value is used.

Check performed: Are scopes already present on the failover partner server
Error message displayed: Following scopes already exist on the specified partner server. These scope(s) will need to be deleted on the partner server before configuring failover.


Checklist: Deploy DHCP Failover


Updated: July 31, 2013
Applies To: Windows Server 2012 R2, Windows Server 2012
This checklist includes cross-reference links to important concepts about deploying DHCP failover. It also contains links to procedures you can use to configure DHCP failover.

Complete the tasks in this checklist in order. When a reference link takes you to a conceptual topic or to a subordinate checklist, return to this topic after you review the conceptual topic or complete the steps in a procedure, so that you can continue with the remaining tasks in this checklist.

Tasks:

1) Review DHCP failover concepts and components; identify your design goals.
2) Review DHCP failover requirements and specifications; decide on a deployment topology; identify pilot sites; document deployment decisions and processes.
3) Configure DHCP failover.
4) Replicate DHCP failover settings (optional).
5) Migrate to DHCP failover (optional).