Prestage DHCP scopes before DCPromo
Hi all,
We are looking to replace our W2003 DC site servers with nice new shiny W2012 DCs and are currently thinking of hosting the DHCP role on the DCs. We are going to ensure that there is a standard domain account for DNS registration as per TechNet article cc774797 (currently unable to link to it).
We are looking to prestage as much as possible, including the DHCP role and relevant scopes, beforehand, as we will be running Dcpromo on the night of the migration and, once complete, authorise the server and the scopes.
Is this going to cause any problems? All of the articles I have read say there is no real link between DHCP and AD (apart from authorising the server); however, all seem to suggest installing and configuring the DHCP role after dcpromo.
Hi Gerry,
Yes, it is recommended to move the DHCP server role after the new server has been promoted to a DC and the related roles have been transferred to it.
After you promote the new server to a DC and DC replication has finished, you can export the DHCP configuration and database backup on the old DC, then install the DHCP role and import the database and configuration files on the new DC. Then please stop the service on the old server before you authorize the new DHCP server. After you have tested that all the functionality of the new DC/DNS/DHCP server works fine, you can demote the old DC.
Best regards,
Susie
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]
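The staged move Susie outlines, written out as an added PowerShell walkthrough for the new server (example code, not from the thread or from Microsoft's documentation). Names are assumptions: OLDDC is the Windows 2003 DC/DHCP server at 10.0.0.5, NEWDC (10.0.0.10) the new Windows 2012 DC, and CONTOSO\svc-dhcp-dns the dedicated DNS-registration account the original poster mentions.

```powershell
# Added example (not from the thread). Placeholders: OLDDC = Windows 2003 DC running DHCP
# (10.0.0.5), NEWDC = new Windows 2012 DC (10.0.0.10), CONTOSO\svc-dhcp-dns = dedicated
# DNS dynamic-update account. Run the PowerShell parts on NEWDC as a domain admin.

### Step 1: on OLDDC (Windows 2003), elevated cmd prompt. 2003 has no DhcpServer module, ###
### so the export is done with netsh; "all" covers scopes, options, reservations and leases.
#   netsh dhcp server export C:\dhcp-export.dat all
# Copy C:\dhcp-export.dat to NEWDC.

### Step 2: on NEWDC, only after dcpromo has finished and AD replication has converged ###
Install-WindowsFeature -Name DHCP -IncludeManagementTools

# Windows 2012 netsh imports the 2003 export format, so no intermediate conversion is needed.
netsh dhcp server import C:\dhcp-export.dat all

# Register client DNS records with a dedicated low-privilege account instead of the DC's
# machine account, which holds broad rights over the zone (TechNet cc774797).
$cred = Get-Credential -UserName 'CONTOSO\svc-dhcp-dns' -Message 'DHCP DNS registration account'
Set-DhcpServerDnsCredential -Credential $cred

# A domain-member DHCP server that is not authorized in AD does not answer clients, so all of
# the above can be staged while OLDDC keeps serving. Review what was imported:
Get-DhcpServerv4Scope | Format-Table ScopeId, Name, StartRange, EndRange, LeaseDuration, State

### Step 3: cut-over ###
# Stop and disable the old service first so two servers never offer the same ranges.
sc.exe \\OLDDC stop DHCPServer
sc.exe \\OLDDC config DHCPServer start= disabled

# Authorize the new server, remove the old authorization object, confirm only NEWDC remains.
Add-DhcpServerInDC -DnsName 'NEWDC.contoso.com' -IPAddress 10.0.0.10
Remove-DhcpServerInDC -DnsName 'OLDDC.contoso.com' -IPAddress 10.0.0.5
Get-DhcpServerInDC

# Watch leases move to the new server before OLDDC is demoted.
Get-DhcpServerv4ScopeStatistics | Format-Table ScopeId, InUse, Free, PercentageInUse
```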
Similar Messages
-
DHCP scope full, event ID 1020
Hi, one of our Windows 2008 R2 Domain controllers is returning the following warning message on almost a daily basis:
Log Name: System
Source: Microsoft-Windows-DHCP-Server
Date: 19/11/2014 11:32:41 AM
Event ID: 1020
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: computername.domain.x.x
Description:
Scope, 10.x.x.0, is 83 percent full with only 39 IP addresses remaining.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DHCP-Server" Guid="{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}" EventSourceName="DhcpServer" />
<EventID Qualifiers="0">1020</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-11-19T00:32:41.000000000Z" />
<EventRecordID>12980</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>computer.domain.x.x</Computer>
<Security />
</System>
<EventData>
<Data>10.x.x.x</Data>
<Data>83</Data>
<Data>39</Data>
</EventData>
</Event>
Upon review of Microsoft Support online, I found the following article which illustrates a few options:
http://support.microsoft.com/kb/255999/en-au
What would be the logical choice for us, having the 10.x.x network?
Ideally, it would be good not having to re-subnet anything if possible, or re-create the scope.
Would a scope extension require a reboot of the server? Never done this before, so thought I should ask.
Hi,
According to your description, my understanding is that the DC logs warning event ID 1020, indicating that the DHCP scope is 83% full.
By default, the threshold value for firing event 1020 is 80%. Estimate the number of devices and compare it with the number of IP addresses in this scope; if the percentage is less than 80%, you may try to reduce the lease duration and decrease the cleanup interval. This can help to speed up the reclaiming of expired scope IP addresses.
To reduce the lease duration:
1. At the DHCP server, click Start, point to Administrative Tools, and then click DHCP.
2. In the DHCP console tree, right-click the scope you want to configure, and then click Properties.
3. On the General tab, under Lease duration for DHCP clients, type the new lease duration.
To use a Netsh command to set the cleanup interval time:
1. At the DHCP server, click Start, click Run, type cmd, and then press ENTER.
2. Type netsh dhcp server set databasecleanupinterval <NewInterval> (where "NewInterval" is the amount of time in minutes between DHCP database cleanups).
For an existing DHCP scope, the subnet mask can't be changed. If the Start Address and End Address do not currently include all addresses for your specific subnet, you can increase the number of addresses in the scope by extending the Start Address or End Address in the scope properties. This operation does not require a reboot.
If neither of the above two suggestions is applicable, create a new DHCP scope or refer to KB255999 (resubnetting and superscoping). At the same time, you need to change your network topology.
Best Regards,
Eve Wang -
Hi all,
I have DHCP server High Availability running on Windows Server 2012 R2.
Today, one of my DHCP scopes is 100% in use.
But when I total the IP leases and IP reservations on that scope from the DHCP GUI, the total number of hostnames that get an IP is less than 460.
When I get the IP address usage on that scope using the command Get-DhcpServerv4Lease -ScopeId 10.1.12.0 -AllLeases, there are about 460 hostnames that get an IP address from that scope.
I found that some hostnames are BADADDRESS or the DHCP session is expired; I tried to remove those hostnames from IP leases, but it didn't work. (Remove-DhcpServerv4Lease -IPAddress x.x.x.x)
When I check from the DHCP GUI, that scope is always 100% in use and computers cannot get an IP address from that DHCP scope again.
Can you help me resolve this issue?
Thanks before!
Best Regards,
Henry Stefanus
Hi Henry,
>>I found that some hostname is BADADDRESS or the DHCP session is expired
BADADDRESS means that the IP address is used by another computer. Please check whether any computer has a static IP address configured.
>>Can you help me resolve this issue?
Use scope extension to expand the address range for the current scope.
Reduce the lease duration and decrease the cleanup interval. This can help to speed the reclaiming of expired scope IP addresses.
For detailed information, please refer to the link below:
https://technet.microsoft.com/en-us/library/dd380166(v=ws.10).aspx
Best Regards.
Steven Lee -
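Both the event ID 1020 thread above and Henry's 100%-full scope come down to the same question: how full is each scope really, and how much of the usage is BAD_ADDRESS entries? The following added PowerShell report (not from either thread) answers that for every IPv4 scope on a server, using the 80% default threshold Eve mentions; the server name DHCP01 is a placeholder, and the scope 10.1.12.0 in the usage lines is Henry's.

```powershell
# Added example, not from either thread: capacity report for every IPv4 scope on a
# DHCP server, using the same 80 percent threshold that fires event ID 1020 by default.
# Requires the DhcpServer module (Windows Server 2012 or later management tools).

function Get-DhcpScopeCapacityReport {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [ValidateRange(1,100)][int]$ThresholdPercent = 80   # event 1020 default
    )
    foreach ($scope in Get-DhcpServerv4Scope -ComputerName $ComputerName) {
        $stats = Get-DhcpServerv4ScopeStatistics -ComputerName $ComputerName -ScopeId $scope.ScopeId
        # BAD_ADDRESS entries are leases the server marked after a conflict (the address answered
        # a ping, or a client declined it). They still count as InUse, which is how a scope can
        # read 100 percent full while far fewer real hosts actually hold leases.
        $bad = @(Get-DhcpServerv4Lease -ComputerName $ComputerName -ScopeId $scope.ScopeId -BadLeases)
        [pscustomobject]@{
            ScopeId       = $scope.ScopeId
            Name          = $scope.Name
            State         = $scope.State
            Range         = "$($scope.StartRange)-$($scope.EndRange)"
            LeaseDuration = $scope.LeaseDuration
            InUse         = $stats.InUse
            Free          = $stats.Free
            PercentInUse  = [math]::Round($stats.PercentageInUse, 1)
            BadAddresses  = $bad.Count
            OverThreshold = $stats.PercentageInUse -ge $ThresholdPercent
        }
    }
}

# Report, fullest scopes first; anything OverThreshold is what event 1020 is complaining about.
Get-DhcpScopeCapacityReport -ComputerName 'DHCP01' |
    Sort-Object PercentInUse -Descending |
    Format-Table -AutoSize

# Drill into a full scope: the BAD_ADDRESS entries. The IPAddress column is the useful field;
# something on that subnet is using each of those addresses statically.
Get-DhcpServerv4Lease -ComputerName 'DHCP01' -ScopeId 10.1.12.0 -BadLeases |
    Select-Object IPAddress, ClientId, LeaseExpiryTime

# Once the conflicting static hosts are fixed the entries can be cleared; otherwise they return:
# Get-DhcpServerv4Lease -ComputerName 'DHCP01' -ScopeId 10.1.12.0 -BadLeases | Remove-DhcpServerv4Lease
```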
Hi
I have a Server 2008 R2 DHCP server with one scope for our 10.165.x.x range. We are going to introduce some VLANs on a 172.16.x.x range and want to create a DHCP scope for this on the same DHCP server as the 10.165.x.x range. If I create the scope now before configuring the VLANs, will computers in the 10.165 range get a 172.16 address?
Thanks in advance
Shane
If you create a scope that has a different subnet than the interface on the DHCP server that's connected to the network, then no, it will not affect the current clients on the subnet.
To make it work for your VLAN, in the switch, you must create a DHCP Relay Agent or IP Helper. That's what makes it work to the VLAN subnet. To create the Relay Agent/IP Helper, consult your switch documentation.
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights. -
ASA Migration of DHCP Scope to a Server
Hello All,
We migrated the DHCP scope from the ASA to a MS DHCP server with this configuration:
group-policy BV-SSL1 internal
group-policy BV-SSL1 attributes
no address-pools value remotepool4 remotepool2 remotepool3
no intercept-dhcp enable
dhcp-network-scope 10.180.49.0
exit
tunnel-group BVVPN10 general-attributes
no address-pool remotepool2
no address-pool remotepool3
no address-pool remotepool4
dhcp-server 10.182.14.55
exit
tunnel-group BV-SSL general-attributes
no address-pool remotepool2
no address-pool remotepool3
no address-pool remotepool4
dhcp-server 10.182.14.55
exit
no vpn-addr-assign aaa
no vpn-addr-assign local
vpn-addr-assign dhcp
This was running fine until we used all 254 addresses that were specified in the dhcp-network-scope.
My question is: should I have specified dhcp-network-scope none to allow all 3 scopes to be used to hand out IP addresses for the remote users?
Thanks,
Kimberly
Okay, that's at least a good start. Can you monitor the ULS logs while you attempt to browse to the site to see what form of error(s) you're getting?
Trevor Seward
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs. -
Windows 2008 R2 DHCP scope change - Netsh Exec not working
OK, there seems to be a disconnect between Netsh documentation and how it actually works. We are in the process of re-addressing ALL our DHCP scopes (joys of a buy-out) and, using the steps outlined in numerous MS articles and blogs etc., we should be able to use "Netsh dhcp server scope 192.168.1.0 dump > scope1.cfg", then modify the cfg file with the new scope address (i.e. change all 192.168.1. to, let's say, 10.10.5.), then use netsh exec scope1.cfg (yes, the modified file) to create the new scope, which would contain all the "stuff" the current scope has (reservations, options, etc).
Well, all we get is the response "The following command was not found: |".
Environment is as follows:
Account is a domain admin
working on a RDP session on the DHCP server
Server is Windows 2008 R2 (current functioning DHCP server)
Using administrative CMD (elevated)
have tried changing context into Netsh | DHCP | Server and default CMD - all "no go"
supporting link from MS: http://technet.microsoft.com/en-us/library/cc772372(v=ws.10).aspx#BKMK_1
There's a lot of discussions around this, but I haven't seen any response that says how to actually do it. export/import won't work for us since we have to update the scope info. With almost 100 scopes to update, we really need this functionality!
(or similar method)
Any assistance would be greatly appreciated.
OK... It seems the issue is with the dump file. I actually got exec to run once with a dump file which wasn't modified. The stupid part is it only ran one time; I could not duplicate it. Since I've beaten this thing to death and no one could offer any assistance (Hello MS?), I'm not wasting any more time on it. Luckily, I was able to figure out an alternate method.
Looking at the dump file I realized all the lines are just straight NetSh commands, which means all I needed to do is grab the lines and preface them with NetSh. Like this...
for /f "tokens=*" %a in ('type scope.cfg ^| find /i "dhcp"') do NetSh %a
where scope.cfg is your dump file. This runs perfectly and seems to be the exact thing that exec should be doing. I did flip the "SET STATE 1" to "0" so the scope was deactivated (don't forget to run it in an elevated prompt).
Hope this helps someone else so they aren't spending days for nothing! -
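The for /f loop above works, but it feeds every line containing "dhcp" to NetSh and offers no dry run before the server is changed. As an added PowerShell alternative (not the poster's script), the function below does the same re-addressing, only emits the "Dhcp Server" command lines, and returns the rewritten commands for review unless -Execute is given; the sample dump lines and the server name DHCP01 are constructed.

```powershell
# Added example (not the poster's script): re-address a "netsh dhcp server scope X dump"
# file and feed each command back to netsh, as the for /f loop in the post does.
# Sample dump lines below are constructed for illustration; real dumps carry more lines.

function Convert-DhcpScopeDump {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$DumpLines,   # lines read from the dump file
        [Parameter(Mandatory)][string]$OldPrefix,     # e.g. '192.168.1.'
        [Parameter(Mandatory)][string]$NewPrefix,     # e.g. '10.10.5.'
        [switch]$Deactivate,                          # flip "set state 1" to 0, as in the post
        [switch]$Execute                              # default: only return the commands
    )
    # Match the prefix only where an address begins, so '192.168.1.' never hits the tail of
    # another octet and '192.168.1.' never rewrites a 192.168.10.x address.
    $pattern = '(?<![\d.])' + [regex]::Escape($OldPrefix)
    foreach ($line in $DumpLines) {
        # Only the "Dhcp Server \\name ..." lines are netsh commands; comments and pushd/popd are not.
        if ($line -notmatch '^\s*Dhcp\s+Server\s') { continue }
        $cmd = $line.Trim() -replace $pattern, $NewPrefix
        if ($Deactivate) { $cmd = $cmd -replace '(?i)set\s+state\s+1\b', 'set state 0' }
        if ($Execute -and $PSCmdlet.ShouldProcess($cmd, 'netsh')) {
            # Pass the whole line as one argument string so quoted scope names survive intact.
            $p = Start-Process -FilePath netsh.exe -ArgumentList $cmd -Wait -NoNewWindow -PassThru
            if ($p.ExitCode -ne 0) { Write-Warning "netsh exited $($p.ExitCode): $cmd" }
        }
        $cmd
    }
}

# Constructed sample, shaped like the lines a real dump contains.
$sample = @'
# DHCP Server Configuration
pushd dhcp server
Dhcp Server \\DHCP01 add scope 192.168.1.0 255.255.255.0 "Office" "Scope 1"
Dhcp Server \\DHCP01 Scope 192.168.1.0 set state 1
Dhcp Server \\DHCP01 Scope 192.168.1.0 Add iprange 192.168.1.50 192.168.1.200
Dhcp Server \\DHCP01 Scope 192.168.1.0 Add reservedip 192.168.1.10 001122334455 "printer" "" "BOTH"
Dhcp Server \\DHCP01 Scope 192.168.1.0 set optionvalue 003 IPADDRESS "192.168.1.1"
popd
'@ -split "`r?`n"

# Dry run: review the rewritten commands before touching the server.
Convert-DhcpScopeDump -DumpLines $sample -OldPrefix '192.168.1.' -NewPrefix '10.10.5.' -Deactivate

# Real run, from an elevated prompt on the DHCP server, against an actual dump file:
# Convert-DhcpScopeDump -DumpLines (Get-Content .\scope1.cfg) -OldPrefix '192.168.1.' -NewPrefix '10.10.5.' -Deactivate -Execute
```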
IP source guard feature and DHCP scope exhaustion (client spoofs other clients)
Hi everybody.
A DHCP server assigns IP addresses based on the MAC address carried in the client hardware address field of DHCP packets.
One potential attack is when a rogue host mimics different MAC addresses and causes the DHCP server to assign IP addresses until no IP address is left for legitimate hosts.
For example, a host h1 with mac1 has been assigned an IP address by the DHCP server as:
199.199.199.1 mac1
The DHCP server has the above entry in its database.
Using hacking tools such as Yersinia or Gobbler, one can create DHCP discover messages, each time with a different MAC in the client hardware field, thereby causing the DHCP server to assign IP addresses, because to the DHCP server these are legitimate DHCP discover messages, each carrying a different MAC in the client hardware address.
You might say use DHCP snooping and it will prevent that (DHCP scope exhaustion), and configure the switch to check if the source MAC matches the client hardware address in the DHCP message. But we can still create spoofed discover messages where the source MAC in the Ethernet header matches the client hardware address in the DHCP discover message. We still have not overcome the problem.
You might say use the IP source guard feature, but will it really prevent that problem from happening?
Let me illustrate it :
h1---------f1/1SW---------DHCP server
Let's say we have configured DHCP snooping on SW1 and f1/1 is an untrusted port. The switch has the following DHCP binding:
199.199.199.1 mac1 vlan1 f1/1
Next we configure IP source guard to validate both source MAC and source IP against the DHCP bindings. When we configure IP source guard first, it will allow DHCP communication only, so a host can request an IP address and a DHCP binding can be built. After that, IP source guard will validate source IP, source MAC or both against the DHCP binding, depending upon how we configure IP source guard.
In our case we have configured IP source guard to validate both source MAC and source IP against the DHCP binding.
A DHCP binding is already created as:
199.199.199.1 mac1 vlan 1 f1/1
Now, using the hacking tools Yersinia or Gobbler on h1, we create our first spoofed DHCP discover message where source MAC = mac2 in the Ethernet header and client hardware address = mac2 in the DHCP discover message. Since the switch is configured with the IP source guard feature, it allows the DHCP discover message to pass through. The DHCP server, upon receiving the DHCP message, assigns another IP address from the pool. Now the DHCP server has the following entries:
199.199.199.1 mac1
199.199.199.2 mac2
We can continue to craft spoofed DHCP discover messages as mentioned above and have the DHCP server keep assigning IP addresses until the whole pool is exhausted.
So my question is: how does IP source guard in conjunction with DHCP snooping prevent this particular attack from happening (i.e. DHCP scope exhaustion)?
I really appreciate your input.
Thanks and have a great week.
Thanks Karthikeyan.
First of all, we gather all the information about the locations of legitimate DHCP servers in our network. Once we have this information, we will configure the ports used to reach them as trusted. All the ports where end users will connect will be untrusted and therefore subject to DHCP snooping.
It means if any user connected to that switch/VLAN runs a DHCP service, like VMware for example, snooping will prevent the DHCP/BOOTP servers connected to that port from being able to process requests.
Yes, that is correct, because the DHCP snooping feature will check these ports for the messages usually sent by a DHCP server, such as DHCP offer, etc. If the end user is running a DHCP server in a virtual machine, that port should be configured as trusted if it is determined that the end user is running a legitimate DHCP server using VMware.
When we have DHCP snooping it prevents the 1st level of hacking itself. I don't think it will have any impact on DHCP address releasing.
I am sorry. You lost me here. What is the 1st level of hacking?
DHCP snooping checks DHCP messages such as DHCP release and DHCP decline on untrusted ports against the DHCP bindings.
Here is why;
h1---------SW1-------dhcp server
|
h2
Let's say we don't have DHCP snooping in the above attack and h2 is a legitimate user that has already been assigned IP address 199.199.199.2 by the DHCP server. Thus the DHCP server has an entry:
199.199.199.2 mac2
Next we connect a rogue user and it gets IP address 199.199.199.1; now the DHCP server has entries:
199.199.199.1 mac1
199.199.199.2 mac2
Now, using hacking tools, h1 creates a fake DHCP release message with 199.199.199.2 mac2.
The DHCP server, upon receiving this message, will release the IP address and return it to the pool.
By using DHCP snooping, the switch will peer inside the DHCP release message and check it against the binding. If there is a conflict, it will drop the message.
For example:
If we have DHCP snooping configured, then the switch will have a DHCP binding as:
199.199.199.1 mac1 vlan 1 f1/1 lease time
199.199.199.2 mac2 vlan 2 f1/2 lease time
If h1 tries to send a fake DHCP release with IP address 199.199.199.2 mac2,
the switch will check IP address 199.199.199.2 and mac2 against the binding related to f1/1. The switch will find a conflict and therefore drops the DHCP release packet.
Thanks -
Multiple Lease Duration for one DHCP Scope?
Hi All,
I have an urgent question. I wanted to know if it is possible to have many lease durations for different computer groups getting their addresses from one DHCP scope. I saw somewhere that it is possible to use User Classes or Vendor Classes for setting a lease duration for a group of computers sharing the same class ID?
If it is true, how can I configure it?
Also, I would like to know about the lease duration period: what is the maximum number of days we can have (8 days after)?
Thanks
Atul
Please refer to the following:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/26de79f9-6ad7-4088-9077-006b9dd8c1fb/multiple-lease-durations-for-one-dhcp-scope?forum=winserveripamdhcpdns
You can configure any value as lease duration; however if you want a very big/infinite value; it makes sense to convert the lease(s) to a reservation. -
Hi Team,
I'm currently working on a configuration entailing WLC and ISE where the customer wants a single SSID, and wants his wireless clients to authenticate successfully if they pass a registry key compliance check. Additionally, they want clients to receive a different IP address or get mapped to a different DHCP scope based on the Microsoft AD group they belong to. For example:
Client authenticating with registry key and in AD group ABC that passes authentication gets IP address or subnet for AD group ABC.
Client authenticating with registry key and in AD group XXX that passes authentication gets IP address or subnet for AD group XXX.
Clients---->WLC------>ISE-----> MS AD ( groups ABC, XXXX, YYY )
currently using EAP-PEAP/MSCHAPv2
Does anyone have any idea or pointers, or can refer me somewhere that I can read on how to accomplish this? Not sure how to do the registry compliance check, nor what attributes will allow me to map the client to a DHCP scope based on this AD group membership.
Thanks...
Do check the Cisco how-to guides; you will get step-by-step configuration of the current requirement.
-
Internal DHCP scope for AP on WLC 7.0 (on diff subnet)
hi All,
I would like to know if it is possible to assign dhcp pool on a different subnet to the WLC management interface?
Eg: Management Interface is on 172.16.4.100 /24
I would like to use the WLC internal DHCP to assign IPs to my APs on a different range, 172.16.2.x /24.
Is that possible?
I have tried assigning a DHCP scope for the APs within the same subnet as the management interface and it works. But that is not my requirement.
Apparently I need my APs to be sitting on a different VLAN.
Please advise
No, it's not possible. This works only if the AP and the WLC management interface are in the same subnet!! For your issue we use something called DHCP OPTION 43; Google search "DHCP OPTION 43 + cisco" and the first link that you get will help you!!
Please don't forget to rate the useful posts!!
Regards
Surendra -
Hi Experts ,
Need help with respect to understanding the best practice to place/create the DHCP scope for a remote site Guest SSID which will be connected to the HQ Foreign-Anchor controller set-up.
How about internet traffic for the Guest SSID, which one will be recommended:
1) Guest SSID gets authenticated from HQ ISE and exposed to the local internet
2) Guest SSID gets authenticated from HQ ISE and exposed to the HQ internet
Thanks
Hi George,
Thanks for your reply... So you mean the best design would be to create the DHCP scope in the DMZ for guests and let it get exposed to the HQ internet...
How about if I have another anchor controller in, let's say, another office and I need to anchor the traffic or load balance from the HQ foreign controller? In that case, if I create the DHCP scope on the HQ anchor controller and it's down, I will lose the connectivity; how do I achieve fail-over to another anchor?
Do I need to create a secondary scope on the other anchor controller and let the client get reauthenticated from the other location's ISE and get an IP address as well from the other anchor controller? Is that what you are proposing? -
DHCP scope is configured on a WLC 5508.
I'm checking if there's a way for the WLC to clear the DHCP lease when a user is disconnected from wireless?
Unless the client sends a DHCP Release upon disconnect, which is not mandated in the protocol, the lease will simply remain until it has expired. If you're concerned with running out of leases, you only have 2 options.
1. Reduce the lease time of your DHCP scope.
2. Increase the network size to accommodate more usable addresses.
There isn't a way to force a DHCP address lease to be "cleared" from the WLC simply because the client was disconnected. -
How to check particular DHCP Scope all Details.
How to check particular one DHCP Scope ALL Details. Server is Windows 2003 so Powershell.
Any Command like Netsh or anything? For a particular Scope.
Also How to export & import a particular DHCP Scope?
AliahMurfy
Hi,
With netsh command you can manage your DHCP server.
For more information you can refer to:
Netsh commands for DHCP
http://technet.microsoft.com/en-us/library/cc787375.aspx#BKMK_export
Especially for subtitle Netsh DHCP server
Hope this helps. -
IPAM does not show all the dhcp scopes
Hello,
I have the following strange behavior.
I've installed IPAM on a new server (2012 R2); all the access rules are completed. But when I'm looking at the DHCP scopes, not all of the scopes are included.
For the moment it's not possible to upload screenshots, but only 3 of the 4 scopes are included in IPAM.
Has anyone an idea what the problem can be?
Thank you in advance!
Regards,
Kevin
Hi,
Check the selections you have made for viewing first. To see IPv4 scopes, click DHCP Scopes in the upper navigation pane and IPv4 in the lower navigation pane. To see IPv6 scopes click IPv6 in the lower nav pane, etc.
You can also view scopes by clicking DNS and DHCP Servers and choosing Server Type = DHCP and View = Scope Properties. Again, you must click IPv4 or IPv6 in the lower nav pane. You can't view IPv4 and IPv6 scopes at the same time.
Also check and see if the scopes are shown in IP Address Blocks when you choose the Current View = IP Address Ranges.
If a scope was recently created on a DHCP server, or the server was recently added, then all data might not yet be gathered. Right-click the server in SERVER INVENTORY and then click Retrieve All Server Data, and be sure to refresh the view using the display pane refresh button or F5.
Let me know if this helps.
Thanks,
-Greg -
DHCP scope options: How TO
Hi,
I have a 10.4 server as DHCP for several VLANs. I need to set up DHCP scope options on two VLANs to be able to direct DHCP requests from a specific device (IP phones) to the relevant VLAN for obtaining IP addresses.
I cannot see bootpd.plist in /etc and not much information available online about this.
Found these two relevant posts but not much of help:
http://discussions.apple.com/message.jspa?messageID=7200952
http://discussions.info.apple.com/message.jspa?messageID=5054131
I can export the serveradmin settings out and can see the entries but where and how do I make the scope entries? plist editor won't open the file and if i convert to csv in excel the existing data is there and logical but where do i enter my scope options?
any help in the right direction will be much appreciated.
cheers
Muhammad
You didn't try hard enough... ;). You need to use the Get-DhcpServerv4OptionValue cmdlet (or ...v6...).
Get-DhcpServerv4OptionValue -ComputerName <computername> | Where-Object OptionID -eq 6 | Select-Object Value
Edit: I think it's important that you know how I solved this problem. Perhaps you can put it to use yourself some time. The first thing I did was return all the 'get' DHCP cmdlets using this command: Get-Command -Module dhcp* -Name get-*. I quickly scanned the cmdlets (actually, they're functions) and found the word 'option.' I jumped over to the DHCP MMC snap-in and quickly figured out why that sounded familiar. In the GUI, you right-click Server Options to get to this setting. I then ran the function in my example without piping it to the Where-Object cmdlet, and it returned a Value property. I then added the | Where-Object to filter down what was returned.
In writing this edit, I determined there's actually an -OptionID parameter, which means I could have better written my example. Here's that now:
Get-DhcpServerv4OptionValue -ComputerName <computername> -OptionID 6 | Select-Object Value
Always filter as close to the left as possible. That means we don't want to pipe to something when we can filter with a built-in parameter.