Windows server 2012 – Basic analyze – Part 3

In this article we will discuss about high availability of DHCP in windows 2012 and  IPAM

High Available DHCP with Windows Server 2012

Windows Server 2012 DHCP role provides address and automate host configuration for end user devices. Failure of a DHCP can cause havoc and users will not be obtain IP addresses which leads to no network connectivity. For this reason, DHCP server is very important and must be available all the time. Today, to implement highly available DHCP servers, we have a few options:

• Buy 3^rd party DHCP appliance
  3^rd party DHCP / DNS appliances are headache to manage and costly. This introduces a new device into the environment which will require a learning curve.
• Old school 80 / 20 DHCP Split Rule
  Microsoft actually recommends this as best practice on Server 2003. You easily achieve redundancy by splitting IP ranges among two DHCP servers. If the DHCP server fails, devices will simply connect to the second DHCP server.  This wastes IP addresses and risk of inconsistent configuration increases. When you want to reserve an IP, you must do it on both servers. This configuration does not make sense in Enterprise environments since most of the scopes are utilized over 80 percent.
• Failover Cluster in Server 2008
  Windows Server 2008 introduces DHCP clustering using the failover cluster feature in Server 2008. This used a shared database between two servers. This eliminates the previous problem with wasting IPs and inconsistent configuration between two servers. Down side to this design is the shared storage. If the shared storage fails, DHCP service will fail and client will not receive IPs. This makes shared storage as a single point of failure and requires expensive hardware. Addition to these down falls failover cluster is complex and setup can be complicated.

Windows Server 2012 DHCP Server allows for highly available design without these downfalls. Windows Server 2012 DHCP failover feature allows IT admins to configure two DHCP servers to provide client IP configuration for the same scope. This doesn’t require shared storage. These two DHCP servers with failover feature enabled replicate IP lease data between them. This allows one server to serve as primary server of any DHCP scope as desired. As I will describe later in the article, load balancing mode allows both DHCP servers to serve IP addresses.

This means large enterprises can utilize Windows Server 2012 out of the box without requiring 3^rd party products. Windows Server 2012 introduces a new feature that allows for two DHCP servers to share data by replication. Two DHCP servers can sync lease information which leads to no wasted IP ranges. Two DHCP servers can provide high availability of DHCP service to client for IP address leases within the same subnet range. These two DHCP servers can also serve in load balancing mode where both DHCP servers are serving clients. You can also configure the service so one DHCP server serves as primary for one subnet and secondary for different subnet. The only down side to Windows Server 2012 DHCP failover feature is that It only support IP version 4 scopes and maximum of two cluster nodes. This is not a big deal since IPv6 has its own techniques to make it resilient to DHCP server failures.

Windows Server 2012 DHCP Failover Feature in Load Balancing configuration

Load balancing option in Windows Server 2012 allows two DHCP serves to share load for a single subnet range or multiple subnets. If you can afford to place two DHCP servers in same Active directory site or office, Load balancing method is preferred.

Windows Server 2012 DHCP Failover Feature in Standby configuration

As the name implies, standby configuration place the secondary server in standby mode as backup. This standby server will only activate when the primary server fails. Standby DHCP server can be used in hub and spoke environments and dedicate the centralized Windows Server 2012 DHCP server as the standby host for secondary sites. Note that you do not have to dedicate a server as “standby”, instead you specify the subnet as “standby” allowing for dynamic configuration.

Configuring Windows Server 2012 for DHCP Failover

1. Install two DHCP Servers roles on Windows Server 8
2. Configure desired DHCP IP ranges.
3. To configure DHCP failover, right click on the DHCP Scope and choose “Configure Failover.”

Configure WIndows 2012 DHCP Failover

4. Configure Relationship Name, Maximum Client Lead Time, Load balance mode or failover mode, Load Balance Percentages and Shared Secret.

Create New Failover relationship

5. This will add an additional tab to the scope properties.

Frequently Encountered Errors

• Following scopes already exist on the specified partner server. These scope will need to be deleted on the partner server before configuring failover.
• Unable to resolve specified DNS name.
• The specified IP address xxxxxxx is invalid
• The specified DHCP server is not reachable. Please provide a DHCP server that is reachable.
• The version of specified DHCP server does not support failover.
• You do not have permissions to perform this operation on the remote DHCP server.
• The local or partner server already has 31 (maximum allowed) failover relationships. A server cannot have more than 31 failover relationships.
• DHCP server is not running on the specified server. Please ensure that DHCP server is running on the specified server.
• The time difference between this server and the specified partner server is greater than the permissible value of x minutes. It is recommended to ensure that both servers are time synchronized before configuring failover. You could setup Network Time Protocol (NTP) service on both servers to ensure time synchronization.

Windows Server 2012 IPAM

IPAM, as known as IP Address Management is an important part of any IT infrastructure. As organization grows IP management becomes more challenging as well. With introduction of virtualization and IPV6, IP management can be even more challenging. IPAM is more of a model for provisioning, discovering, maintaining and auditing IP address in your IT environment. IPAM usually integrates other infrastructure components such as DHCP and DNS.

Traditionally this is handed via notepad, excel spreadsheet or a wiki page. Imagine tracking IPv6 addresses via a spreadsheet. This can be very painful due to the complexity of IPv6 and its address length. In past a few years, 3^rd part vendors are offering IPAM hardware appliances at outrageous cost. These devices are very complicated to use with very little support. Vendors such as Info***x offers IPAM solution bundled with infrastructure services such as DNS and DHCP. This introduces a new, unproven, unfamiliar technology to the environment. IT admins have been using Microsoft DNS and DHCP for years while it has proven its stability. 3^rd party vendors will often try to convince IT admins to replace these services just so they can have full integration with the IPAM software.

Windows Server 2012 now provides full IPAM solution that integrates with its DNS and DHCP services. This feature that’s part of Windows Server 2012 does not require additional license except for the operation system itself. IPAM feature Windows Server 2012 includes majority of the features compared to 3^rd party vendors. Here is the list:

• Support for IPv4 and IPv6
• Automatic environment discovery
• Trend monitoring and IP allocation statistics
• Support for reporting
• Allow importing from csv file
• Full integration with Microsoft DNS and DHCP
• APIs support for 3^rd party DHCP servers and SCVMM ( Microsoft version of VMware vCenter)
• Auditing for configuration changes
• Logon event tracking of IP Addresses
• Agentless deployment via GPO
• Logical visualization of IP ranges
• Support for Custom Field attributes

IPAM allows IT administrators to single value and multivalued custom attributes addition to the built-in ones. This allows for custom attribute tagging for defining logical groups which display IP address subnets in logical perspective. IPAM supports for CSV file import of IPaddress and IP ranges. This requires that column fields in the csv must match the IPAM field columns. When import, the order of the columns in CSV doesn’t matter but field names must match. Use the “Import-NamsRange” to import IP addresses from CSV file. IMO, IP address tracking feature in Windows Server 2012 IPAM is a game changer. It is essential to have trail of IP devices during a specific time used by the end user. Current DHCP technology only keeps track of current DHCP leases. Theses leases change expires and change which makes it hard to track down who had the particular address at certain time.

Windows Server 2012 IPAM Requirements

• Healthy Active Directory ( IPAM Server must be part of the domain )
• Access to domain controller for automatic discovery
• “Account logon” event logging must be on for Address Tracking feature
• IPAM should not collocate with other roles
• IPAM cannot collocate with Active Directory role

To install IPAM features, use the “Add Roles and Features Wizard”. After installing IPAM feature on your Windows Server 2012, you are ready to configure and deploy. You can choose to manual provisioning method or deploy via Group Policy for managed DHCP and DNS servers. As always Microsoft recommends using GPO to provision IPAM configuration. A mentioned in last a few artices, IPAM automatically discover DNS and DHCP servers by utilizing Active Directory. “Involke-IpamGpoProvisioning” PowerShell command to crete IPAM GPOs. This powershell command will create a GPO for DHCP, DNS and NPS.