1
00:00:00,940 --> 00:00:03,370
In this demonstration, we're going to work with DHCP,

2
00:00:03,370 --> 00:00:06,710
Dynamic Host Configuration Protocol, in Windows Server.

3
00:00:06,710 --> 00:00:11,990
I'm on a Windows Server 2022 box named localmem1.contosolocal.int.

4
00:00:11,990 --> 00:00:15,680
You can see it in the upper right corner in my BGInfo output.

5
00:00:15,680 --> 00:00:17,900
We're also going to do DHCP failover.

6
00:00:17,900 --> 00:00:19,250
I don't want to forget about that.

7
00:00:19,250 --> 00:00:22,590
I'm going to do a Get-WindowsFeature dhcp to make sure

8
00:00:22,590 --> 00:00:24,040
that the server role is installed.

9
00:00:24,040 --> 00:00:25,040
Now if it weren't,

10
00:00:25,040 --> 00:00:28,610
we could do an Install-WindowsFeature and then just do an

11
00:00:28,610 --> 00:00:32,740
IncludeManagementTools and throw on a Restart and we're good to go.

12
00:00:32,740 --> 00:00:35,710
I always like to show PowerShell wherever possible.

13
00:00:35,710 --> 00:00:37,840
Let's also do an ipconfig all,

14
00:00:37,840 --> 00:00:44,690
and we can see that my subnet range that my servers are on is 192.168.1/24.

15
00:00:44,690 --> 00:00:48,410
Our default gateway is 254, our DNS server is 1.

16
00:00:48,410 --> 00:00:51,790
We're going to need that as we build out our DHCP scope.

17
00:00:51,790 --> 00:00:52,240
All right,

18
00:00:52,240 --> 00:00:56,770
so let me minimize my PowerShell console and bring up my admin console.

19
00:00:56,770 --> 00:00:59,720
I've got a custom MMC console with a bunch of

20
00:00:59,720 --> 00:01:02,910
snap-ins that I'm going to need here, especially DHCP.

21
00:01:02,910 --> 00:01:05,240
I'm going to right-click the node and Add Server,

22
00:01:05,240 --> 00:01:07,590
and I'm going to bring in localdc1.

23
00:01:07,590 --> 00:01:11,560
Now don't be alarmed by the fact that when you look down in the list,

24
00:01:11,560 --> 00:01:15,100
this authorized, it's showing old IP addresses.
25
00:01:15,100 --> 00:01:18,750
I'm not sure why that update hasn't yet come through,

26
00:01:18,750 --> 00:01:25,290
but I did in fact change localdc1's IP address to 192.168.1.1.

27
00:01:25,290 --> 00:01:29,670
It's just for some reason the MMC console continues to list the

28
00:01:29,670 --> 00:01:32,850
old 10.1.10 address I was using the other day.

29
00:01:32,850 --> 00:01:35,660
All right, so I'm going to expand localdc1.

30
00:01:35,660 --> 00:01:39,150
I'm going to set this up as our primary DHCP server and then

31
00:01:39,150 --> 00:01:42,430
we're going to configure localmem as our standby,

32
00:01:42,430 --> 00:01:43,440
hot standby.

33
00:01:43,440 --> 00:01:45,700
So let me expand IPv4.

34
00:01:45,700 --> 00:01:49,410
Recall that DHCP failover doesn't work with IPv6 anyway,

35
00:01:49,410 --> 00:01:51,540
so we're going to stay with IPv4.

36
00:01:51,540 --> 00:01:53,960
And I'm going to right-click and create a new scope.

37
00:01:53,960 --> 00:01:58,070
I'm going to call the scope by the subnet name; that's how I normally do it.

38
00:01:58,070 --> 00:02:06,710
And then we're going to start this as 192.168.1.100 to 192.168.1.199.

39
00:02:06,710 --> 00:02:11,280
So there will be 100 addresses with a standard 24-bit class C mask.

40
00:02:11,280 --> 00:02:15,590
Now what we could do is add our scope that includes my static addresses,

41
00:02:15,590 --> 00:02:18,520
because my servers are my first few addresses in the block,

42
00:02:18,520 --> 00:02:23,750
so I could have started at 1 and then just added my server IPs as exclusions.

43
00:02:23,750 --> 00:02:25,690
This is a way to account for those.

44
00:02:25,690 --> 00:02:28,800
That's particularly important with IP address management, actually.

45
00:02:28,800 --> 00:02:30,610
But for today, I'll leave that alone.

46
00:02:30,610 --> 00:02:34,960
I've just de facto excluded those static IPs from the scope definition.
47
00:02:34,960 --> 00:02:38,270
The default lease duration in Windows Server is 8 days,

48
00:02:38,270 --> 00:02:41,160
and there's a metric: after 50% of the lease period,

49
00:02:41,160 --> 00:02:44,360
the client will request a renewal, etc., etc.,

50
00:02:44,360 --> 00:02:48,250
and that comes into play even more with the lead time on

51
00:02:48,250 --> 00:02:50,660
DHCP failover that we'll see eventually.

52
00:02:50,660 --> 00:02:52,400
I'm not going to configure options here.

53
00:02:52,400 --> 00:02:54,000
I'm going to click Next and Finish.

54
00:02:54,000 --> 00:02:57,430
And we can set up options at the server or scope level

55
00:02:57,430 --> 00:02:59,630
depending upon how global the option is.

56
00:02:59,630 --> 00:03:00,640
For the server option,

57
00:03:00,640 --> 00:03:04,370
why don't we right-click and we'll add in a reference to our DNS server.

58
00:03:04,370 --> 00:03:07,100
This would be applicable to all scopes, it seems to me.

59
00:03:07,100 --> 00:03:13,490
So, I'm going to do it by IP address; I'm going to resolve my 192.168.1.1.

60
00:03:13,490 --> 00:03:17,170
Let's click Add and have the console tap out to my network

61
00:03:17,170 --> 00:03:18,900
and see if we can find it, which it did.

62
00:03:18,900 --> 00:03:21,250
So that option is going to pertain to all scopes.

63
00:03:21,250 --> 00:03:23,570
Then for our scope-specific option,

64
00:03:23,570 --> 00:03:27,180
let's add in our default gateway, and we'll do that via IP address

65
00:03:27,180 --> 00:03:33,540
192.168.1.254. We'll click Add. And you can get more granular yet. If we

66
00:03:33,540 --> 00:03:38,580
right-click the IPv4 node, we have user classes and vendor classes. Vendor

67
00:03:38,580 --> 00:03:43,480
classes in particular might be useful if you want to deliver TCP/IP

68
00:03:43,480 --> 00:03:48,420
options to devices from a particular vendor or servers or client machines

69
00:03:48,420 --> 00:03:49,960
that match a certain query.
70
00:03:49,960 --> 00:03:52,320
We don't need to get into the weeds here, just know that

71
00:03:52,320 --> 00:03:56,400
those classes are the most granular way to assign a TCP/IP

72
00:03:56,400 --> 00:03:58,010
configuration. And lastly,

73
00:03:58,010 --> 00:04:01,820
this notion of policies, DHCP policies, this is just

74
00:04:01,820 --> 00:04:05,620
essentially, I describe it as an overlay that makes it easier to

75
00:04:05,620 --> 00:04:08,000
create those different class definitions,

76
00:04:08,000 --> 00:04:09,480
etc. That's all that is.

77
00:04:09,480 --> 00:04:10,010
All right,

78
00:04:10,010 --> 00:04:12,910
let's see. Reservations, just so you can see how that

79
00:04:12,910 --> 00:04:15,190
works, let's create a static reservation.

80
00:04:15,190 --> 00:04:19,310
And this, again, is a case where Windows Server IPAM can really help.

81
00:04:19,310 --> 00:04:23,320
Let's say we needed to create a reservation for a network printer and

82
00:04:23,320 --> 00:04:26,330
we want it to have 150 as its IP address.

83
00:04:26,330 --> 00:04:30,460
We're going to need a media access control hardware address for the NIC,

84
00:04:30,460 --> 00:04:32,840
the network interface, on that machine, and then we

85
00:04:32,840 --> 00:04:35,380
can support BOOTP, DHCP, or both.

86
00:04:35,380 --> 00:04:38,320
But, of course, the question that you would have as an administrator is

87
00:04:38,320 --> 00:04:41,780
how do I know that 150 is not used? Now I know in the real world you do

88
00:04:41,780 --> 00:04:44,010
ping if you're allowing ping on your LAN.

89
00:04:44,010 --> 00:04:47,620
IPAM can be really helpful, as you saw with that find

90
00:04:47,620 --> 00:04:49,620
and allocate an IP address wizard.

91
00:04:49,620 --> 00:04:50,380
Really useful.

92
00:04:50,380 --> 00:04:54,160
So let's click Add and then Close. So now we've got a reservation.
93
00:04:54,160 --> 00:04:57,890
All right, now the scope is coming in as it normally does by

94
00:04:57,890 --> 00:05:00,670
default in an un-activated state, and that's good.

95
00:05:00,670 --> 00:05:05,010
It's up to us to activate the scope to actually put it into effect.

96
00:05:05,010 --> 00:05:07,240
Now let's switch over to my client machine.

97
00:05:07,240 --> 00:05:11,540
This is a Windows 10 domain workstation, and I just did some work up here.

98
00:05:11,540 --> 00:05:15,110
You can see the workstation was configured for a static

99
00:05:15,110 --> 00:05:20,350
address, so I switched it over to DHCP, ran an ipconfig renew, and had a problem.

100
00:05:20,350 --> 00:05:24,750
Let me do a cls and see if we got a configuration yet. Yeah, looks like we did.

101
00:05:24,750 --> 00:05:27,950
So we were distributed the first address in that range, and

102
00:05:27,950 --> 00:05:31,120
we can see that our DHCP server is 1.

103
00:05:31,120 --> 00:05:35,020
We also picked up our DNS server and gateway, if I didn't already say

104
00:05:35,020 --> 00:05:38,090
that. Back to localmem1. Let's get back to work here.

105
00:05:38,090 --> 00:05:42,130
I think we're ready to configure failover, so why don't we go to -- well,

106
00:05:42,130 --> 00:05:44,720
actually, there's a couple other things I wanted to drive by.

107
00:05:44,720 --> 00:05:46,610
Sorry about interrupting myself there.

108
00:05:46,610 --> 00:05:50,790
If we right-click the DHCP node, besides adding multiple servers to the

109
00:05:50,790 --> 00:05:54,740
console, this is a convenient place to manage authorized servers.

110
00:05:54,740 --> 00:05:58,920
So this is where you can authorize unauthorized Windows Server

111
00:05:58,920 --> 00:06:03,060
DHCP servers to make sure that you've got no rogue servers and

112
00:06:03,060 --> 00:06:05,200
only authorized ones in your environment.
113
00:06:05,200 --> 00:06:09,290
We can set up the failover here at the IPv4 node or

114
00:06:09,290 --> 00:06:11,250
we can come to a particular scope.

115
00:06:11,250 --> 00:06:14,360
Actually, I'm going to right-click the server and go to Configure

116
00:06:14,360 --> 00:06:18,370
Failover, and this will open up a step-by-step wizard interface

117
00:06:18,370 --> 00:06:20,170
in which we're asked, first of all,

118
00:06:20,170 --> 00:06:23,880
which scopes do we want to fail over. Now I just have the one, and

119
00:06:23,880 --> 00:06:27,730
notice that the check is set to Select all, but you can be specific in

120
00:06:27,730 --> 00:06:30,720
terms of creating your failover relationships.

121
00:06:30,720 --> 00:06:33,780
There are limits to how many failover relationship

122
00:06:33,780 --> 00:06:35,150
servers you can have, and so on.

123
00:06:35,150 --> 00:06:37,660
You can check the Microsoft Docs for that.

124
00:06:37,660 --> 00:06:38,750
Let me click Next.

125
00:06:38,750 --> 00:06:43,310
So if we're starting with localdc, we're going to add localmem1 as our partner.

126
00:06:43,310 --> 00:06:46,590
I'm not going to reuse an existing one, so we'll click Next. We give

127
00:06:46,590 --> 00:06:50,000
the relationship a name, and it defaults to the server name, so

128
00:06:50,000 --> 00:06:52,740
in my case localdc1, localmem1.

129
00:06:52,740 --> 00:06:56,230
Now we're going to want to be really careful in how we set up our options.

130
00:06:56,230 --> 00:06:57,880
I'm going to set for Mode,

131
00:06:57,880 --> 00:07:01,390
not Load balance, where we could do, say, a 50/50 split, but I'm going

132
00:07:01,390 --> 00:07:04,900
to do a Hot standby because I want everybody in my environment to

133
00:07:04,900 --> 00:07:08,150
use localdc1 unless it's unavailable.
134
00:07:08,150 --> 00:07:12,590
So when we set Hot standby, then the role of the Partner Server is Standby

135
00:07:12,590 --> 00:07:16,820
and you specify a percentage of IP addresses in the scope that you want to

136
00:07:16,820 --> 00:07:21,280
reserve on the primary. So the standby definitely will have some available to

137
00:07:21,280 --> 00:07:23,490
distribute in the event of a failover.

138
00:07:23,490 --> 00:07:26,800
You can do some simple pre-shared key authentication between your

139
00:07:26,800 --> 00:07:31,080
replication partners using this Enable Message Authentication and putting in

140
00:07:31,080 --> 00:07:34,870
a shared secret. I'm going to disable that. And that brings us to State

141
00:07:34,870 --> 00:07:37,630
Switchover Interval and Maximum Client Lead Time.

142
00:07:37,630 --> 00:07:40,810
Now, if I leave State Switchover Interval unchecked,

143
00:07:40,810 --> 00:07:44,630
then I'm going to have to manually fail over the primary server and put it

144
00:07:44,630 --> 00:07:48,710
in a partner down status. A way to automate that is to set your state

145
00:07:48,710 --> 00:07:51,070
switchover interval. And it defaults to 60.

146
00:07:51,070 --> 00:07:53,610
I'm going to put it down to 1 minute to make it easier

147
00:07:53,610 --> 00:07:55,390
in this demo so I don't have to wait.

148
00:07:55,390 --> 00:08:00,150
And what switchover interval does is, after this duration, that failed server,

149
00:08:00,150 --> 00:08:05,550
the server that's lost contact, will be marked as down. And then we can layer

150
00:08:05,550 --> 00:08:10,560
in the maximum client lead time, and this is going to be the duration on top of

151
00:08:10,560 --> 00:08:14,800
the state switchover interval where the secondary server waits before it

152
00:08:14,800 --> 00:08:17,440
formally takes over handing out addresses.
153
00:08:17,440 --> 00:08:21,260
Now, you're going to see that when we take localdc1 down,

154
00:08:21,260 --> 00:08:25,820
the localmem will immediately see connection interrupted and it will step in

155
00:08:25,820 --> 00:08:29,850
and start working with DHCP at that point, but it will not be a permanent "I'm

156
00:08:29,850 --> 00:08:33,540
taking over the scope" assignment; it's more or less temp. And that's another

157
00:08:33,540 --> 00:08:38,010
occasion where maximum client lead time can be useful because that secondary

158
00:08:38,010 --> 00:08:42,940
server will hand out new leases, not with the 8-day duration that I set for the

159
00:08:42,940 --> 00:08:46,900
scope, but your maximum client lead time because hopefully it's going to be a

160
00:08:46,900 --> 00:08:50,780
transient communication failure and we're going to need to go back or want to

161
00:08:50,780 --> 00:08:54,850
go back to our primary server once the primary server is back online.

162
00:08:54,850 --> 00:08:57,580
So let me click Next, and that's all we need to do here.

163
00:08:57,580 --> 00:09:02,590
So let's click Finish, and it looks like all of our options here are successful.

164
00:09:02,590 --> 00:09:06,730
And so from now on, any leases are going to be

165
00:09:06,730 --> 00:09:10,120
propagated to the secondary server, even new ones.

166
00:09:10,120 --> 00:09:13,250
So if I expand, we can see our Scope shows up, and if we

167
00:09:13,250 --> 00:09:15,800
expand our Scope, we see Address Leases.

168
00:09:15,800 --> 00:09:18,300
So I can tell you that those will be replicated.

169
00:09:18,300 --> 00:09:20,100
If I brought up a client2 machine,

170
00:09:20,100 --> 00:09:24,650
it would pick up its lease from server 1, dc1, and almost immediately (I

171
00:09:24,650 --> 00:09:28,250
mean, I have gigabit connectivity between these servers; there may be some

172
00:09:28,250 --> 00:09:32,740
latency if you're in a multisite environment with slower links) you'll see

173
00:09:32,740 --> 00:09:34,690
that Reservations have come over,

174
00:09:34,690 --> 00:09:38,300
Scope Options have come over, but you will find that if

175
00:09:38,300 --> 00:09:41,740
I add a new scope option over here, which I'll do right now,

176
00:09:41,740 --> 00:09:48,300
I'll add a time server address of 192.168.1.1, and then come over here,

177
00:09:48,300 --> 00:09:51,480
that does not get updated automatically, unfortunately.

178
00:09:51,480 --> 00:09:53,170
So with DHCP server,

179
00:09:53,170 --> 00:09:57,190
although your leases, and I believe also your reservations, will cascade

180
00:09:57,190 --> 00:10:00,870
and be synchronized, any other metadata that you add,

181
00:10:00,870 --> 00:10:04,110
you're going to have to manually replicate. And you want to be careful

182
00:10:04,110 --> 00:10:06,680
with this because when you replicate your scope,

183
00:10:06,680 --> 00:10:08,740
it's immediately going to do an overwrite.

184
00:10:08,740 --> 00:10:11,720
So it's going to see here that most of this is identical,

185
00:10:11,720 --> 00:10:14,800
but we did change an option value, so that's gotten

186
00:10:14,800 --> 00:10:17,010
replicated over to the failover partner.

187
00:10:17,010 --> 00:10:21,710
So it's one way. We could also do it from localmem1 to dc1.

188
00:10:21,710 --> 00:10:23,940
It's not a synchronization, it's an overwrite.

189
00:10:23,940 --> 00:10:26,140
So again, you want to be real careful about that.

190
00:10:26,140 --> 00:10:29,420
So we've got our new time server on the primary; now let's go

191
00:10:29,420 --> 00:10:32,940
to scope options on the secondary. You right-click and

192
00:10:32,940 --> 00:10:35,090
Refresh, and there's our time server.

193
00:10:35,090 --> 00:10:36,660
Okay. So to finish out,

194
00:10:36,660 --> 00:10:41,190
let's simulate a failover. I'm going to start by right-clicking IPv4 and

195
00:10:41,190 --> 00:10:43,880
going to Properties, and then we can go to Failover.
196
00:10:43,880 --> 00:10:47,750
I've got my dc1-to-mem1, as you can see here, and I want you to see that the

197
00:10:47,750 --> 00:10:52,770
failover status is normal and our partner is localdc1. I'm going to

198
00:10:52,770 --> 00:10:58,010
right-click my localdc1 and go to All Tasks, Stop, and that's going to

199
00:10:58,010 --> 00:11:02,750
simulate a failure on the primary server. Of course the MMC can't locate the

200
00:11:02,750 --> 00:11:07,130
server anymore, so now if I come down to localmem1 and again come back to

201
00:11:07,130 --> 00:11:09,740
IPv4, Properties, Failover tab,

202
00:11:09,740 --> 00:11:13,250
we see that we're in lost contact with partner status. Now,

203
00:11:13,250 --> 00:11:15,340
how does that impact client connectivity?

204
00:11:15,340 --> 00:11:18,350
Let's go back to our client, and I'm going to do an ipconfig

205
00:11:18,350 --> 00:11:22,290
release, and now I'm going to do an ipconfig renew and see if

206
00:11:22,290 --> 00:11:24,420
we're able to pick up an address.

207
00:11:24,420 --> 00:11:28,250
Yeah, we picked up an address, and if I do an ipconfig all, we can

208
00:11:28,250 --> 00:11:33,450
see that our DHCP server is 2. And notice that we have a 1-minute

209
00:11:33,450 --> 00:11:37,740
maximum client lead time for that duration. Now I set mine way too

210
00:11:37,740 --> 00:11:40,100
low just for demonstration purposes.

211
00:11:40,100 --> 00:11:43,820
At this point, the maximum client lead time should have expired.

212
00:11:43,820 --> 00:11:45,790
Let's go back and check on localmem.

213
00:11:45,790 --> 00:11:49,700
Let's right-click, go to Properties, Failover, and it looks like we are

214
00:11:49,700 --> 00:11:53,340
partner down. Now, when you edit the relationship here,

215
00:11:53,340 --> 00:11:56,500
if we didn't have the state switchover interval set, then we

216
00:11:56,500 --> 00:11:59,660
would have to switch the Relationship from Communication

217
00:11:59,660 --> 00:12:01,740
interrupted to Partner down manually.

218
00:12:01,740 --> 00:12:03,460
That's what this grayed out button is.

219
00:12:03,460 --> 00:12:06,680
But the state switchover means that after that duration

220
00:12:06,680 --> 00:12:09,860
completes and your maximum client lead time completes, the

221
00:12:09,860 --> 00:12:12,040
state of the server will go to partner down.

222
00:12:12,040 --> 00:12:16,340
So at this point, my backup server has formally taken control of

223
00:12:16,340 --> 00:12:20,190
the pool. So to bring things back to normal, let's right-click

224
00:12:20,190 --> 00:12:22,440
our source server and click Start.

225
00:12:22,440 --> 00:12:26,680
And if we right-click IPv4, go to Failover, still showing

226
00:12:26,680 --> 00:12:29,310
Partner down, but if we come up to the server,

227
00:12:29,310 --> 00:12:33,240
the localdc server, and go to Properties, go to Failover, we're in

228
00:12:33,240 --> 00:12:37,460
Recover wait status. Now while we're waiting for this, pun intended, you

229
00:12:37,460 --> 00:12:40,400
can find appropriate messages in Event Viewer.

230
00:12:40,400 --> 00:12:43,170
So let's look at localmem's Event Viewer; we'll go

231
00:12:43,170 --> 00:12:46,150
into Applications and Services Logs, Microsoft,

232
00:12:46,150 --> 00:12:52,070
Windows, DHCP Server, and we'll take a look at the DHCP Server Events Admin,

233
00:12:52,070 --> 00:12:57,080
and we can see if we follow the track down here that at 9:23 AM, Server has

234
00:12:57,080 --> 00:13:01,850
lost contact with failover partner server. Failover state went from normal

235
00:13:01,850 --> 00:13:06,760
to communication interrupted, still showing that. Then we've got timeout,

236
00:13:06,760 --> 00:13:11,430
warning, and then finally we have Servers transitioned to partner down

237
00:13:11,430 --> 00:13:16,270
because the MCLT of 60 seconds has expired. And then we have some good news

238
00:13:16,270 --> 00:13:16,860
showing up.

239
00:13:16,860 --> 00:13:19,930
Server has established contact with partner server.

240
00:13:19,930 --> 00:13:20,440
However,

241
00:13:20,440 --> 00:13:24,290
we've got an error. It looks like I've got some reverse lookup zone errors.

242
00:13:24,290 --> 00:13:27,040
I haven't actually configured a reverse lookup zone, so

243
00:13:27,040 --> 00:13:28,840
those are actually to be expected.

244
00:13:28,840 --> 00:13:32,800
So let's come back to localdc1 and look at the properties and

245
00:13:32,800 --> 00:13:36,310
its failover situation. Still in Recover wait. I've seen

246
00:13:36,310 --> 00:13:39,200
that. A good way to kickstart it, so to speak,

247
00:13:39,200 --> 00:13:41,780
is to restart the service on that server.

248
00:13:41,780 --> 00:13:45,170
So let me right-click and do an All Tasks, Restart.

249
00:13:45,170 --> 00:13:50,000
And then if we look at the properties one more time of IPv4 and go to Failover,

250
00:13:50,000 --> 00:13:51,140
we're back to normal.

251
00:13:51,140 --> 00:13:54,240
So at this point the server is operational,

252
00:13:54,240 --> 00:13:58,530
it's taken over the scope formally, and if there are any residual

253
00:13:58,530 --> 00:14:02,940
differences, that is, if the primary was offline for a while and you

254
00:14:02,940 --> 00:14:06,550
don't see those changes come back from localmem, remember that we

255
00:14:06,550 --> 00:14:14,000
can always replicate scope and relationship details one way from the backup to the primary.