Wednesday, May 30, 2012

Automating a Backup DHCP Server in Windows Server 2003 and Windows Server 2008

Something that many companies take for granted is their DHCP server. You set one up, and away you go. Even if you make full use of it with reservations, static blocks, extended DNS options, etc., what happens if it crashes? Do you have a backup? Is that backup up to date, with all those reservations and such?

Windows domain computers can still log in a few times if your domain controller is unavailable, but they'll still need an IP address to get online and perform most of their duties while you deal with why the primary DHCP server is down.

The following discusses creating backups of your Windows Server DHCP server, transferring them to a second server and even automatically enabling the backup if the primary goes down.


Requirements:

Assuming:
  • 192.168.0.101 = server IP you're exporting from (Primary DHCP Server)
  • 192.168.0.102 = server IP you're exporting to (Secondary DHCP Server)
  • Batch files are run from c:\tools\
  • While the SCOPE on the backup server may be disabled (or non-existent) the DHCP server SERVICE must be installed AND AUTHORIZED.
    • In other words, these commands can take a working DHCP server and update it / turn it on and off... but it's up to you to ensure the DHCP server is in working condition.

Export DHCP Server Settings from Windows Server 2008 to 2003 or 2003 to 2003

These commands don't directly copy the server; instead they export and import all the settings. It's still pretty close, though. (You'll lose information on current leases, but keep reservations.) This is pretty straightforward when transferring data from one Server 2003 machine to another.

When downgrading from 2008 to 2003, you can't do a straight database migration, because there are some incompatibilities. This method copies most of the info over, but you'll lose anything that's only supported by Server 2008, like IPv6.

In theory, this should also work to transfer DHCP settings from 2003 to 2008... I just haven't tried it.

Export from primary server:

echo Export the DHCP server settings
netsh dhcp server 192.168.0.101 dump > \\192.168.0.102\C$\tools\dhcpout.txt


Import to backup server:


echo Convert entries for the old server's IP address to the new server's IP address
powershell.exe "Get-Content dhcpout.txt | ForEach-Object { $_ -replace 'SERVER \\\\192.168.0.101', 'SERVER \\192.168.0.102' } | Set-Content dhcpin.txt"

echo Import the DHCP server to this computer
netsh exec c:\tools\dhcpin.txt

echo Ensure that this backup DHCP server is currently disabled
netsh dhcp server 192.168.0.102 scope 192.168.0.0 set state 0

del dhcpout.txt
del dhcpin.txt



If the server you exported from was a 2003 server, you'll need to omit the \'s from the PowerShell replace command. (The netsh dump command works a little differently on Server 2008 and Server 2003.) Basically, just check your dhcpout/in.txt files and make sure the "SERVER \\192.168.0.101" lines now have the IP of the other server.

When using the backslashes, the PowerShell command needs four \'s in the search string because -replace treats the search string as a regular expression, in which "\" is the escape character that gives the next character a special meaning. So "\\" in the pattern matches a single "\", and "\\\\" matches "\\". The replacement string is not a pattern, so it keeps its two backslashes as written.

I like to delete the in/out text files, so if it doesn't run on the source server, say, because it's down, you won't accidentally wipe out your DHCP settings if the backup is currently in use.
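One way to script the manual check described above (every SERVER line must point at the backup) and to refuse a missing or unexpected file before netsh exec runs it. This is an added example, not code from the original post; it goes beyond the one-line replace by handling the server reference with or without the leading backslashes. The variable names and the expectation that dump commands start with "Dhcp Server" are assumptions of this example.

```powershell
# Added example (not from the original post). IPs and paths follow the post's assumptions.
$oldIp  = '192.168.0.101'          # primary DHCP server
$newIp  = '192.168.0.102'          # backup DHCP server (this machine)
$dump   = 'c:\tools\dhcpout.txt'   # written by the primary's export batch file
$import = 'c:\tools\dhcpin.txt'    # file later passed to "netsh exec"

# Never leave an old import file where a later "netsh exec" could pick it up.
if (Test-Path $import) { Remove-Item $import }

# If the primary did not deliver a dump (for example because it is down), stop.
if (-not (Test-Path $dump)) { throw "No dump at $dump; nothing imported." }
$lines = @(Get-Content $dump)

# "netsh exec" runs every line as a netsh command, so accept only what a DHCP
# dump should contain. Assumption: apart from blank lines and "#" comments,
# every line of the dump starts with "Dhcp Server".
$foreign = @($lines | Where-Object { $_.Trim() -ne '' -and $_ -notmatch '^\s*(#|Dhcp\s+Server\s)' })
if ($foreign.Count -gt 0) {
    throw "Unexpected line in dump, refusing to import: $($foreign[0])"
}

# Match the server reference with or without the leading "\\" (the 2008 vs 2003
# difference described above). [regex]::Escape makes the dots in the IP literal,
# and (?!\d) keeps a longer address from matching.
$pattern = '(Server\s+(?:\\\\)?)' + [regex]::Escape($oldIp) + '(?!\d)'
$hits = @($lines | Where-Object { $_ -match $pattern })
if ($hits.Count -eq 0) { throw "No reference to $oldIp found; is this the right dump?" }

# '${1}' puts back the matched prefix (including any backslashes) unchanged.
$rewritten = @($lines | ForEach-Object { $_ -replace $pattern, ('${1}' + $newIp) })

# Repeat the check the post says to do by hand: no line may still point at
# the old server.
$left = @($rewritten | Where-Object { $_ -match $pattern })
if ($left.Count -gt 0) { throw "$($left.Count) line(s) still reference $oldIp." }

$rewritten | Set-Content $import
"Rewrote $($hits.Count) line(s); $import is ready for netsh exec."
```

Because the script deletes any earlier dhcpin.txt and only writes a new one when every check passes, the batch file can guard the import with `if exist c:\tools\dhcpin.txt` before calling netsh exec.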




Transfer a DHCP Server between the same version of Windows Server
ex: 2003 to 2003 or 2008 to 2008

This method actually takes the DHCP server database and copies everything to a new server, INCLUDING leases. Great if you want to just move everything to a new server if you're replacing the old one.

This DOES NOT work when migrating between different versions of Windows Server. There are just too many differences. Use the above method instead.

Export from old server:


echo Export the current database
netsh dhcp server export \\192.168.0.102\C$\tools\dhcpout.txt all



Import to new server:


echo Delete the current DHCP server settings.
netsh dhcp server delete scope 192.168.0.0 dhcpfullforce

echo Import the new server settings
netsh dhcp server import c:\tools\dhcpout.txt all

echo Ensure that this backup DHCP server is currently disabled
netsh dhcp server 192.168.0.102 scope 192.168.0.0 set state 0

del dhcpout.txt


Use "dhcpfullforce" to force the scope deletion because otherwise, if there are leased entries in your DHCP server, they will prevent the deletion.




Automatically Test and Swap to Backup DHCP Server

If you want to take all this another step further, you can configure a script on the backup DHCP server to check if the primary DHCP server is handling requests. This script can then enable the backup DHCP server, and disable it when the primary one starts working again.

For this to work cleanly, you'll need to enable "Conflict Detection" in your DHCP server properties. Do this on your primary DHCP server, because this setting is overwritten on the backup when importing settings. Basically, this checks whether an IP is already in use before handing it out; it only causes a slight delay in DHCP response times.

On the backup DHCP server, you'll need a tool to check if the primary DHCP server is handling requests. I found this handy one from KS-Soft.
http://www.ks-soft.net/download/utils/dhcpcheck.zip
Found in thread: http://ks-soft.net/cgi-bin/phpBB/viewtopic.php?t=4231

Then, create the following batch file and schedule it to run on the backup server throughout the day:

@setlocal enableextensions enabledelayedexpansion
@echo off

echo create a variable to test with
set state=down

echo check if DHCP is running on the host
for /f "tokens=2" %%a in ('dhcpcheck.exe -host:192.168.0.101 -clientIP:192.168.0.102') do (
if "%%a"=="is" set state=up
)

echo. %date% %time% --- DHCP Server is !state!

if !state!==down (
netsh dhcp server 192.168.0.102 scope 192.168.0.0 set state 1
)

if !state!==up (
netsh dhcp server 192.168.0.102 scope 192.168.0.0 set state 0
)



I'm going to talk about email notifications in another post, but it couldn't hurt to put one in the "down" IF statement.

5 comments:

  1. I'm trying to implement this but dhcpcheck gets no response from the primary dhcp server. Any suggestion what might be stopping it? We're in a production environment so I'm a bit edgy about testing it by dropping the firewalls.


  2. It shouldn't be a firewall problem on the server side, because a DHCP server should be able to acknowledge DHCP requests. But it could be a firewall on the computer running dhcpcheck... or antivirus.

    You could try running dhcpcheck from a regular desktop (where you can drop the firewall and any antivirus) to your dhcp server.

  3. Yeah, that worked fine on the client even with firewall and virus scan running, though the firewall prompted for permission. I've given dhcpcheck passage through the firewall, specifically.

    Could it be because the ip of the server that I'm running it from doesn't fall inside the dhcp scope?

  4. Alright, I figured out what I was doing wrong. It was a combination of firewall and then needing to use the substitute clientIP address.

  5. Glad you figured it out. DHCP is such a backbone of our network and yet there aren't many options for having a backup ready to go.
