Windows Server DHCP Failover & Load Balancing

DHCP Failover KB ID 0001488

Problem

Applicable to: Server 2012/2016/2019/2022

Even though we have had this functionality for a while, I’m still seeing people deploy DHCP scopes (split 80/20) across two servers?

You can deploy multiple DHCP servers to serve the SAME DHCP scopes, in either load balanced, or hot standby deployment.

Solution: DHCP Failover

I’m assuming you already have one DHCP server setup and, with a working DHCP scope. On the new server, install the DHCP server role;

[box]Install-WindowsFeature DHCP -IncludeManagementTools[/box]

You normally have to go to Server Manager and run the configuration wizard, but as were are already in PowerShell lets do that here 🙂 (That’s three commands if the last one wraps!)

[box]

netsh dhcp add securitygroups

Add-DhcpServerInDC -DnsName pnl-mgmt.pnl.com -IPAddress 192.168.100.3

Set-ItemProperty –Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 –Name ConfigurationState –Value 2

[/box]

On the original, (already working,) DHCP server, right click the scope you want to replicate > Configure Failover. Note: If you have multiple scopes you can right click at the IPv4 or IPv6 level, and run the same wizard to replicate multiple scopes at once).

Next.

Browse to, and select the target (new DHCP server) > Next.

Select Load Balancing or Hot Standby (as required) > Enter a shared secret password > Next.

Review the Settings and click Finish.

Hopefully you should see the following.

Configure DHCP Failover via PowerShell

To do the same from PowerShell.

PowerShell DHCP Load Balancing

Note: Where DC-01 is the source DHCP server and PNL-MGMT is the new one.

[box]Add-DhcpServerv4Failover –ComputerName “DC-01” –PartnerServer “PNL-MGMT” –Name “DHCP_DC01_PNLMGMT_LoadBalance” –LoadBalancePercent 50 -MaxClientLeadTime 1:00:00 -StateSwitchInterval 00:45:00 -ScopeId 192.168.200.0 -SharedSecret “Password123“[/box]

PowerShell DHCP Hot Standby

Note: Where DC-01 is the source DHCP server and PNL-MGMT is the new one.

[box]Add-DhcpServerv4Failover -ComputerName “DC-01” –PartnerServer “PNL-MGMT” -Name “DHCP_DC01_PNLMGMT_Hot_standby” -ServerRole Active -ReservePercent 10 -MaxClientLeadTime 1:00:00 -StateSwitchInterval 00:45:00 -ScopeId 192.168.200.0 -SharedSecret “Password123“[/box]

Related Articles, References, Credits, or External Links

NA

Windows – Open a Firewall Port with Group Policy

Define Inbound Port Exceptions

KB ID 0000979 

Problem

For everyone who simply does not disable the Windows firewall, then you need to be able to manage what ports are open on your machines. The simplest way to do this is via group policy. This week I had to open TCP port 9503 on the local firewall of my McAfee Move Offload Servers. Below I will open that port on all my machines, but in production I will only apply the GPO to the OU with my Move Offload servers in it.

Solution

1. On a domain controller or a client running the remote administration tools > Windows Key+R > gpmc.msc {Enter} > The Group Policy Management Console will open.

2. Select the OU that contains the ‘Computers’ you want to enforce this policy on, (or here I’m choosing the entire domain) > Right Click > ‘Create GPO in this domain, and link it here..’.

3. Give the policy a sensible name so you can see what it is doing later.

4. Right click your new policy > Edit.

5. Navigate to;

[box]

Computer configuration > Policies >Administrative Templates > Network > Network Connections >Windows Firewall > Domain Profile > Windows Firewall: Define inbound port exceptions

[/box]

6. Open the policy and enable it > Show.

7. As this is a new policy the list will be empty, (you can return and add multiple entries to this policy later if you require further ports opening). In the example below I’ve opened port 9053, over TCP, the asterisk means ‘from anywhere’, I’ve Enabled the rule, and called it McAfee Move.

Port Exception Syntax

<Port>:<Transport>:<Scope>:<Name>

  • <Port>: Number in decimal from 0 to 65,335
  • <Transport>: TCP or UDP
  • <Scope>: Where the traffic is coming from, i.e 192.168.1.1, or 192.168.1.0/24, or simply ‘localsubnet’ or ‘*’ for everywhere. You can enter multiple values separated with a comma.
  • <Name>: A simple text entry to define what the exception is.

8. OK > Apply > OK > Close the Group Policy Management Editor. If you have a Windows 2012 domain you can force the policy refresh on a particular OU like so.

9. Or simply run gpupdate /force on the target machine, (or you could also wait a couple of hours, or reboot the target machines.)

10. To make sure it has worked on the target machine > Windows Key+R > WF.msc {Enter} > Inbound Rules > Your rule should be visible.

11. If you open the rule you can see its been applied by group policy, and check the correct port has been defined.

 

Related Articles, References, Credits, or External Links

Windows Group Policy – Disable The Local Windows Firewall

PowerShell: Cannot Be Loaded Because Running Scripts is Disabled

KB ID 0001417

Problem

If you’ve arrived here, you are trying to run a script, and you cant;

[box]PS C:\Users\{User-name}> .\{script-name}.ps1
.\{script-name} : File C:\Users\{User-name}\{script-name} cannot be loaded because running scripts is
disabled on this system. For more information, see about_Execution_Policies at
http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ .\{script-name}
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess
PS C:\Users\\{User-name}>[/box]

 

Solution

 Execute the following command;

[box]Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass[/box]

Then run your script.

THIS WILL ONLY WORK: While that PowerShell window is open, so don’t close it if you are running a lot of scripts.

I Want to Always be Able to Run Scripts?

OK you can either change the ‘Scope’ of that last command, from ‘Process’ to to ‘CurrentUser’, or ‘CurrentMachine’.

  • Process: The execution policy affects only the current Windows PowerShell process.
  • CurrentUser: The execution policy affects only the current user.
  • LocalMachine: The execution policy affects all users of the computer.

Or you can simply change the policy ‘Globally’;

[box]Set-ExecutionPolicy {Value}[/box]

Possible values are;

  • Restricted: Does not load configuration files or run scripts. Restricted is the default execution policy.
  • AllSigned: Requires that all scripts and configuration files be signed by a trusted publisher, including scripts that you write on the local computer.
  • RemoteSigned: Requires that all scripts and configuration files downloaded from the Internet be signed by a trusted publisher.
  • Unrestricted: Loads all configuration files and runs all scripts. If you run an unsigned script that was downloaded from the Internet, you are prompted for permission before it runs.
  • Bypass: Nothing is blocked and there are no warnings or prompts.
  • Undefined: Removes the currently assigned execution policy from the current scope. This parameter will not remove an execution policy that is set in a Group Policy scope.

Related Articles, References, Credits, or External Links

NA

Cisco IOS – DHCP Helper (DHCP Relay) – IP-Helper Setup

KB ID 0001168 

Problem

Cisco documentation calls this a ‘DHCP Relay’, and uses the command IP-Helper, and I usually call this DHCP Helper, just to confuse everyone. To be fair the term DHCP Relay is an industry standard, it’s not particular to Cisco (as you will see later when I Wireshark the traffic).

So If you are reading this you have a DHCP server and you want to use it to lease addresses to clients that are on a different network segment (layer 2, or layer3).

To do that you need an agent to be on the same network segment as the client listening for DHCP requests, when it receives one it talks to the DHCP server on the clients behalf and gets the correct address.

Solution

Example 1 Cisco Router

Here we need to lease two different DHCP scopes to two different network segments, R1 will act as the IP-Helper for both of those networks, R2 and R3 will get their IP addresses from the correct DHCP scope.

This works because each (client facing) interface on R1 has an IP-Helper address defined that points to the DHCP server.

So How Does It Know Which Scope To Lease From? This is because the Router supplies the IP address of a RELAY AGENT, which is just the IP address of the physical interface that intercepted the DHCP request. When it asks for an IP address from the DHCP server, the Server leases an address from the same range, (again I’ve tracked all this in Wireshark below).

IP-Helper Router Configuration

[box]

R1 Config

!
interface GigabitEthernet0/0
 description Uplink to DHCP Server
 ip address 10.2.2.254 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2/0
 description Uplink to 192_168_2_0
 ip address 192.168.2.1 255.255.255.0
 ip helper-address 10.2.2.10
 negotiation auto
!
interface GigabitEthernet3/0
 description Uplink to 192_168_3_0
 ip address 192.168.3.1 255.255.255.0
 ip helper-address 10.2.2.10
 negotiation auto
!
ip route 0.0.0.0 0.0.0.0 10.2.2.10
!


R2 Config

!
interface GigabitEthernet2/0
 description Uplink to R1
 ip address dhcp
 negotiation auto
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet2/0
!

R3 Config

!
interface GigabitEthernet3/0
 description Uplink to R1
 ip address dhcp
 negotiation auto
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet3/0
!

[/box]

You can see this works because the DHCP server has matching scopes for both network segments. (Yes one of my test servers is 2003, you’re going to see some Windows XP in a minute!

Well that’s fine for routers, but what about machines? They send a DHCP Discover just like any other client. I’ve replaced one of the routers with an actual machine.

With its network card set to DHCP you will again get a lease from the correct scope, because the Router brokered it for us.

Back on the DHCP server you can see the lease to the windows XP machine entered in the current scope leases, It knows the name of the client because (as you will see below) the relay agent (Router) passed that information (along with the MAC address of the client) to the DHCP server.

Example 2 Cisco Switches

OK, I did the routers first because I find it easier to explain things at layer 3. Not that you can’t create sub interfaces on the router, add those sub interfaces to VLANs, and run DHCP relays from them. But in most cases you will be setting up DHCP helpers on switches. Here the principle is the same but you define the ip-helper on the VLAN, (unless it’s routed port then treat it the same as a router interface). Let’s modern things up a bit, and use a 2012 R2 DHCP server, and some Windows 8 clients.

I need to lease addresses from my second scope to clients in VLAN 200, (the other client and server are in the same VLAN, so that will just work. (Remember a VLAN is a broadcast domain, and DHCP is using broadcasts).

Here’s the two scopes setup on the 2012 server;

And my client, (DHCP Client in VLAN 200) gets the correct IP.

IP-Helper Switch Configuration (VLANS)

[box]

SW1 Config

interface FastEthernet1/0/1
 description Uplink to DHCP Server
 switchport access vlan 100
 switchport mode access
 spanning-tree pordtfast
!
interface FastEthernet1/0/4
 description Uplink 192_168_200_0
 switchport access vlan 200
 switchport mode access
 spanning-tree pordtfast
!
interface FastEthernet1/0/5
 description Uplink 192_168_100_0
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
!
interface Vlan200
 ip address 192.168.200.1 255.255.255.0
 ip helper-address 192.168.100.10
!

IF YOU HAVE MULTIPLE/FAILOVER IP-HELPERS OR SPLIT SCOPES YOU CAN ADD A SECOND 
ADDRESS LIKE SO;

!
interface Vlan200
 ip address 192.168.200.1 255.255.255.0
 ip helper-address 192.168.100.10
 ip helper-address 192.168.100.15
!

[/box]

Analysing (Packet-Sniffing) DHCP Relay Sequence with Wireshark

Other packet sniffers are available, but I’ve got a soft spot for Wireshark. To filter DHCP traffic you can use the following ‘filter’.

bootp.option.type == 53

DHCP works by using four messages, (which I remember using the acronym DORA: Discover, Offer, Request, Acknowledge). If you sniff the traffic on the DHCP server, you can watch this process being brokered by your DHCP Relay Agent.

Discover

Offer

Request

Acknowledge

And just to prove it’s not all ‘smoke and mirrors’, here’s the client with the leased address, showing a matching MAC address, and hostname.

Related Articles, References, Credits, or External Links

NA

Cisco IOS – Setting Up DHCP Scopes

KB ID 0001112 

I usually only have to do this on very small sites, or occasionally on the test bench. Most of the time we will have a server sat doing DHCP. The procedure below was carried out on a router, but the procedure is the same for a catalyst switch.

By default DHCP is disabled, you have to turn it on, then create a ‘dhcp pool.’

[box]

Petes-Router(config)#service dhcp
Petes-Router(config)#ip dhcp pool DATA-VLAN-10

[/box]

Then set the range of addresses and scope options.

[box]

Petes-Router(dhcp-config)#network 172.16.1.0 255.255.255.0
Petes-Router(dhcp-config)#default-router 172.16.1.1
Petes-Router(dhcp-config)#dns-server 8.8.8.8 8.8.4.4
Petes-Router(dhcp-config)#domain-name petenetlive.com
Petes-Router(dhcp-config)#exit

[/box]

Don’t forget to EXCLUDE the ip address of the router/switch from the DHCP scope, and any other static IP’s you have.

[box]

Petes-Router(config)#ip dhcp excluded-address 172.16.1.1

[/box]

There’s nothing to stop you running multiple scopes either, below I add another scope for my voice VLAN, and exclude the router IP on that VLAN, and my PBX.

[box]

Petes-Router(config)#ip dhcp pool VOICE-VLAN-11
Petes-Router(dhcp-config)#network 172.16.2.0 255.255.255.0
Petes-Router(dhcp-config)#default-router 172.16.2.1
Petes-Router(dhcp-config)#dns-server 8.8.8.8 8.8.4.4
Petes-Router(dhcp-config)#exit
Petes-Router(config)#ip dhcp excluded-address 172.16.2.1
Petes-Router(config)#ip dhcp excluded-address 172.16.2.250

[/box]

Related Articles, References, Credits, or External Links

NA

GFI MailArchiver

Deploying GFI MailArchiver with Exchange 2010, Using the Outlook Connector, Importing and Exporting Data.

KB ID 0000666

Problem

I’ve been involved with Exchange for a long time, either being directly responsible for it, or supporting others that do. And like all systems it would run a lot smoother if you kept users away from it! But unfortunately you can’t, so your system is probably full of users “Deleted Items” and “Sent Items” and a copy of every email that some users have ever received “Because I might need them”. And for years I’ve been saying “It’s a messaging system not a file storage system” and lecturing users about tidying up their inbox. Yes you can setup retention policies but most people don’t.

Even if you do have conscientious users, some of them click “Yes” when Outlook asks them “Would you like to Auto-Archive your old messages now?” Then you have PST files all over the place getting corrupted and not getting backed up.

In addition, just as techs like me are shouting at users to delete things, businesses are now finding that they need to keep ALL their digital messaging for things like Sarbanes-Oxley and Freedom of Information enquiries. Yes I’m sure you back up your Exchange server but what if you needed to produce a message thread about a particular project that was two years ago in the middle of a month?

Archiving

Is the process of taking a copy of mail messages as they pass through Exchange and copying them off to an external location, in this case a database. The advantage of doing this is that database can be on cheaper midline storage and (potentially) keeps the Exchange database sizes down. With Exchange this is done by setting up Journaling (that’s the process of sending a copy of all [or specified] mail to a journal users mailbox). MailArchiver then takes this mail and put it into its database.

Advantages

1. Performance: Getting all the ‘Old’ Data out of the exchange databases makes them smaller, and more efficient.

2. Elimination of PST files: There’s a big list of reasons why I don’t like PST files. If you’ve ever had a user lose email because of them, then as far as they’re concerned its YOUR fault. There are tools to import PST file into the database, (and to export as well).

3. Disaster Recovery: How nice would it be, the next time users email message ‘disappears’ (Users never delete emails they just disappear), they could restore it themselves, from within Outlook. the Outlook Mail Connector software will do this. Also your backup window for Exchange will be a lot smaller.

4. Compliance: Saving a copy of all messages in a database has the advantage, that it’s searchable, and you can export the data you find in a format that you can import straight back into Exchange or send to someone.

5. Investigation: MailArchiver provides some powerful search and reporting tools. If your HR department needed to see who said what to who about projectXYZ then using conventional methods would be a nightmare.

Solution

GFI MailArchiver 2012 Installation and Configuration

Enabling Journaling in Exchange 2010

Note: GFI Mail Archive setup can do this for you but I prefer to do things manually.

1. Launch the Exchange System Management Console > Recipient Configuration > Mailbox > New Mailbox.

2. User Mailbox > Give it a name and set the password > Don’t create an archive > New > Finish.

3. Option 1: Standard Journaling can be enabled on a mailbox store > Organisational Configuration > Mailbox > Locate the store> Properties.

4. Maintenance tab > Tick Journal recipient then browse for the user you created > Apply OK.

5. Option 2: (Note: Requires an Exchange Enterprise CAL) This is set up using a Journaling rule > Organizational Configuration > Hub Transport > Journal Rules > New Journal Rule.

6. Give the rule a name > Browse for the user you created earlier > Set the scope (in most cases you will want global) > New > Finish.

7. To test it’s working send and email then log on as your ‘Journal’ user and make sure you have a copy in the inbox.

Installing GFI MailArchiver 2012

8. Before installing the GFI MailArchiver server needs the Exchange MAPI Client and Collaboration Data Objects 1.2.1 (Unless you are installing it on the Exchanges server).

9. Also (though not essential) I prefer to disable IE Enhanced Security Configuration, so IE wont get upset with the management console.

10. You can add the URL to trusted sites if you want, but I’m not a fan of IE ESC anyway so I simply disable it.

11. Now run the GFI MailArchiver installer.

12. Now this I DO LIKE, why can’t Exchange do this! These are the server pre-requisites, rather than just falling over and giving you an error (I’m looking at you Windows Exchange Developers!) It offers to do the hard work for you. It takes a while though, best go for a coffee at this point > Next > Select whether you want to check for a newer version > Accept the EULA > Set the destination folder > Next.

13. Here the default setting, WARNING if you already have web services on this server (or even UPS software using port 80), have a common sense check.

Note: If you are not sure, the following command will tell you if port 80 (http) is in use;

[box]netstat -aon | find “:80″[/box]

14. Select Install > Finish.

Configuring MailArchiver 2012

15. The GFI MailArchiver management console will launch > Configure.

16. Next.

17. Enter your licence key and select verify licence key > Next.

18. Next.

19. In this example I’m using the Firebird database, in a production environment you should be using SQL server > Next.

20. Change the paths if required > Enter some domain credentials> Next.

21. Next

22. Next

23. Next

24. I’m selecting Auto > Next

25. As I set the user up myself I’m choosing Manual > Next.

26. Exchange Web Services seems to be less problematic > Enter your Journal user account > Next.

27. Next.

28. Finish.

29. We are now up and configured.

GFI MailArchiver – Outlook Connector, Import and Export

GFI MailArchiver – Using the Outlook Connector

30. Firstly you need to enable ‘Mailbox Folder Structure Retrieval’ on the GFI server > Launch the MailArchiver Management console.

31. Mailbox Folder Structure Retrieval.

32. Change Settings.

33. Enter a user account to connect to Exchange Web Services with, here I’m using my domain admin, whichever account you use needs to have administrative access on the Exchange and the GFI server. It also (domain admin included) needs the following Powershell commands running on the Exchange server before it will work, (change the user name to match your own);

[box]New-ManagementScope -name “MAUMPolling” -recipientrestrictionfilter {recipienttype -eq “UserMailbox”}</p> <p>New-ManagementRoleAssignment -name “MAUMPollingRA” -role:applicationimpersonation -user “administrator@petenetlive.net” -customrecipientwritescope “MAUMpolling”[/box]

34. Next.

35. Finish.

Installing the Outlook Connector on a Client

36. I’ve already got a client PC setup with Outlook 2010.

37. I’m just connecting to the GFI servers management URL from the client and downloading the Outlook Connector.

Note: The versions are for Outlook 32 bit and Outlook 64 bit, even if your Windows client is 64 bit you may still be running 32 bit Outlook/Office. If you get it wrong it will tell you your version of Office is not supported.

38. Install the client software, accept the defaults, all you need to specify is the URL of the GFI MailArchiver server.

39. Now when your user opens Outlook, they get an additional mailbox called “GFI MailArchiver Mailbox” that carries a copy of ALL the users mail (Note: Not the mail from before the product was installed, to import that see the import section below, and choose ‘Import for Exchange mailbox’. In addition each user now has a MailArchiver tool bar from which they can search for their mails.

Note: If a user ‘loses’ a mail they can simply drag a copy from their GFI mailbox to their live inbox.

GFI MailArchiver – Importing Data from PST Files

Note: To do this the machine needs to have Outlook installed on it (and NOT Outlook 64 bit!)

40. Launch the GFI MailArchiver Import and Export Tool.

41. Import from .pst files.

42. Add PST file > Browse to your PST file > Open.

43. Select the folder(s) required > Next

44. Select a date range > Select the user that will own the imported data > Next.

Note: I’d rather have an “Import Everything” option!

45. When complete > Finish.

46. Now that user will have the imported mail as well (Note: The default view is “Emails in last 30 days” so don’t panic if you don’t see it all).

GFI MailArchiver – Exporting Data to PST File

47. Launch the GFI MailArchiver Import and Export Tool.

48. Enter the URL of the GFI server > Verify > Ensure it says OK > Next.

49. Select what you want to export (I’m going to search for email containing particular words) > Next.

50. Type in your search text > Find > Next.

51. Here you can restore the mail to a mailbox, export it to .msg or .eml format, or my old nemesis .pst files, I’ll choose the latter > Next.

52. And there’s my .pst file, ready to be sent out to satisfy my freedom of Information enquiry.

 

Related Articles, References, Credits, or External Links

NA