
Introduction

DHCP failover is fully supported on MS DHCP servers through M&M, version 6.7 and newer. It is possible to manage the DHCP failover relationships through M&M and to add scopes to or remove them from failover, much as can be done through the MS snap-in (mmc).

But in addition to what the MS snap-in offers, M&M also makes sure the DHCP options, Address Pools, Exclusions and Reservations are identical in both scope instances. 

This means that every time the administrator/user makes a change to a scope's configuration or edits a reservation, that configuration change and/or reservation edit are replicated automatically to the partner server, if the scope is in a failover relationship.

This is currently done/attempted regardless of whether both DHCP servers in the failover relationship have been added to M&M, and it's the M&M DHCP server controller which takes care of this automatic replication. 

 

Problem

When making changes to scopes in DHCP Failover or when attempting to change DHCP failover configuration on a server, the user/administrator gets an error like "... [0x5] Access is denied".

Also, in version 6.9 or above, the administrators will get errors like "unable to fetch scope info from partner server..."

 

Solution

Because the M&M DHCP server controller takes care of communicating with the partner server and automatically replicating changes made to failover scopes, it needs access not only to the DHCP server that it is running on, but to the Failover Partner server as well.

It is therefore not sufficient to run the DHCP Server Controller as Local System, which is the default configuration, on a DHCP server that has scopes in failover relationships.

Instead of using Local System as the account that runs the Men & Mice DHCP Server Controller, run it under a dedicated AD service account.

If the DHCP Server Role is installed on Windows Domain Controllers, the AD service account must be a member of the "DHCP Administrators" group in AD.

If the DHCP Server Role is installed on a non-Domain Controller (that is, on a domain member server), the AD service account must, besides being a member of the AD "DHCP Administrators" group, also be a member of the local DHCP Administrators group on each DHCP server. The local "DHCP Administrators" group is accessible through the "lusrmgr.msc" snap-in: right-click the Windows Start button, select Run, enter lusrmgr.msc and press OK to start it. Then locate the DHCP Administrators group under Groups and add the AD service account.

 

Finally, change the account that runs the DHCP Server Controller to the AD service account.

This is configured through the MS Services snap-in (services.msc).
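
A read-only check of the result of the steps above, as an added PowerShell example that is not part of the original article: for each failover partner it reports which account the controller service runs as and whether that account is in the local "DHCP Administrators" group. The account name, server names and service display-name pattern are placeholders, and the script assumes PowerShell remoting is enabled on the DHCP servers and that the DhcpServer module is installed there.

```powershell
# Placeholders (assumptions, not from the article): replace with your own values.
$ServiceAccount = 'EXAMPLE\svc-mm-dhcp'                      # dedicated AD service account
$DhcpServers    = 'dhcp01.example.com', 'dhcp02.example.com' # both failover partners
$DisplayName    = '*DHCP Server Controller*'                 # assumed service display-name pattern

$report = foreach ($server in $DhcpServers) {
    Invoke-Command -ComputerName $server -ArgumentList $ServiceAccount, $DisplayName -ScriptBlock {
        param($Account, $Pattern)

        # Logon account of the controller service ("LocalSystem" is the default).
        $svc = Get-CimInstance -ClassName Win32_Service |
            Where-Object DisplayName -like $Pattern | Select-Object -First 1

        # Direct membership of the local "DHCP Administrators" group.
        # Domain controllers have no local groups, so the lookup is expected to fail there.
        try {
            $members = Get-LocalGroupMember -Group 'DHCP Administrators' -ErrorAction Stop
            $local = if ($members.Name -contains $Account) { 'member' } else { 'MISSING' }
        } catch {
            $local = 'n/a (lookup failed)'
        }

        # Failover relationships configured on this server (the case the article addresses).
        $partners = @(Get-DhcpServerv4Failover -ErrorAction SilentlyContinue).PartnerServer

        [pscustomobject]@{
            Server           = $env:COMPUTERNAME
            FailoverPartners = $partners -join ', '
            ServiceRunsAs    = $svc.StartName
            # Comparison assumes the DOMAIN\user form in both values.
            RunsAsSvcAccount = ($svc.StartName -eq $Account)
            LocalDhcpAdmins  = $local
        }
    }
}

$report | Format-Table Server, FailoverPartners, ServiceRunsAs, RunsAsSvcAccount, LocalDhcpAdmins -AutoSize
```

A server that lists failover partners but shows `LocalSystem` under ServiceRunsAs, or `MISSING` under LocalDhcpAdmins on a member server, still needs the steps above.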

 

 
