VMware Cloud Community
mastersgerald
Contributor

Protect DHCP with SRM

Hey Guys,

We're in the middle of a DR project and have come to the point that we want to have our DHCP service DR ready.  The standard Split Scope (80/20) idea is one option we are looking at, but in a DR or even Single Server Failure scenario there is a bit of management that is required to ensure the secondary DHCP server can serve all IP addresses to all scopes (before its 20% fills up).  So we have an idea to use SRM to protect DHCP.

We have two sites, connected over Layer 3, with two 10GB connections between the two (for fault tolerance and load balancing).  The DR site is a live environment; it is a branch office on the other side of the city (about 30 km away).

Doing the Split Scope idea we will keep DHCP running on a DC in each location with the Secondary (DR) DHCP server serving 20% of the IP addresses from each scope and the Primary DHCP serving 80%.  This can all be setup using the Split Scope Wizard that MS has on Server 2008.  Doing this covers us for failure of the Primary DHCP server (it is also a VM so HA protects it too) as well as Site Failure as the Secondary DHCP server will be up.  If we have an extended outage of the Primary DHCP server then we need to get onto the Secondary DHCP server and increase all the scopes, making sure Conflict Detection is on.

Our thought is to move DHCP off the DC and give it its own virtual server.  Then we protect the DHCP service by using SRM to relocate it to the DR site in a DR situation.  This will cause the DHCP server to get a new IP address, as the two sites are connected over Layer 3 - the same subnets can not exist in both locations.  And this is where our thought processes get cloudy...

What will happen with the DHCP service if the server has a new IP address?

What will be the process for DHCP clients trying to renew their IP address:

     a) at reboot?

     b) at the 1/2 way mark of their lease?

I, for one, think that SRM is the easier way to not only protect DHCP, but also to minimise management of the DHCP solution.  Using the Split Scope idea you have to ensure any change to one DHCP server is replicated to the other server: Scope changes, scope options changes, reservation changes, etc etc...

Has anyone performed any testing around this?

Thanks!!

Gerald


Accepted Solution
julianwood
Enthusiast

That is correct.  DHCP Server doesn't care about its own address.  As long as you have subnet broadcast forwarders to both DHCP server IP addresses so the request hits the DHCP server it just matches MAC address to IP reservations / scopes etc and will work.

Only thing to check when it comes up in DR is whether the DHCP Server may need to be authorised again before DHCP will work. Can't remember how this works off hand.

http://WoodITWork.com

11 Replies
abirhasan
Enthusiast

Have you read this article? Please have a look.

http://technet.microsoft.com/en-us/library/cc958935.aspx

abirhasan
julianwood
Enthusiast

You could always not actually fail the VM over but rather do a backup & restore of the DHCP database to / from a VM in primary site to separate VM in DR site.

http://WoodITWork.com
mastersgerald
Contributor

Hey abirhasan,

Thanks for the reply.

Yeah, I've seen that (and many other) DHCP article before, and the DHCP process is pretty well known.

In my mind the process of SRM and the change in IP address will be pretty easy to manage and all should be well... that is the theory...

So just the question about anyone else doing it this way already, and whether giving the DHCP server a new IP address will cause any issues with current IP leases...

Gerald

mastersgerald
Contributor

Hey Julian,

Thanks for your reply..

That is an option, but the place where I work are not known for their ability to follow process very well, so we are trying to automate the DR process as much as possible. SRM (in my mind) would mean that there is very little to do in a DR scenario, except maybe check the DHCP Database for corruption.

I guess the main question now in my head is if the DHCP server will recognise each client's current lease when they ask for a renew.  I think it will, as the clients won't be able to contact their original DHCP server, so they should broadcast out to ask for the address from any DHCP server, and the SRM'd DHCP server should respond with their original leased IP address. Yes? Maybe?

Cheers
Gerald

Gav0
Hot Shot

OK, so you are right that there is a management overhead with the 80/20 split (reservations etc.), but in an extended outage all you would need to do is remove the excluded IP range (the 80%) for each scope.  It will probably take 5 minutes.  Regarding the clients, they will broadcast for new IPs at their regular intervals, and as long as you have IP helper set up on your routers pointing to both DHCP servers then the one in the DR site will respond and renew the IP address.

My 2008 clustering is a little hazy (especially as I'm 3/4 of the way through a bottle of Rioja), but is it possible to set up a Microsoft failover cluster with nodes in different sites?  If so you could cluster your DHCP service and then if your primary site goes down the M$ cluster will failover to the DR site.  You probably need some 3rd party replication tools to sync the data between sites.  Not sure if SRM will accommodate this.  If you are using NetApp for your storage and have SnapMirror licensed I guess that would do the trick.

Please award points to your peers for any correct or helpful answers
Gav0
Hot Shot

Just read your last post, and I'm pretty sure somewhere in the DHCP lease renew broadcast the client specifies its preferred IP address (i.e. its current address), and if it's available it will get it.

Please award points to your peers for any correct or helpful answers
mastersgerald
Contributor

Hey Gav0,

Thanks for the posts.

It was my belief that a client DHCP renew broadcast (after it fails to find its original DHCP server) includes its current IP address.  But I've read so many different articles about all this that I can't (again) find where it is written.

Also, there is the difference between WinXP and Win7 (we are still on XP - the upgrade to 7 is coming up soon, so I am told).  When XP starts up it will contact its DHCP server to check it can still have the same address, and if it can't find the original DHCP server, it requests a new address via broadcast (hopefully asking if it can keep its current address).  Windows 7 will also try to communicate with the DHCP server to make sure it can still have the same address, but if there is no response from the DHCP server, it tries to ping its default gateway, which if successful means it is in the same subnet, and will carry on using the same IP address until it expires.  (Again, I can't re-find the article that specifies this.)

Since we are moving to Win7 (soon?) the solution needs to take into account both scenarios.

Cheers

Gerald

mastersgerald
Contributor

Ah yes, good point about authorisation.  This will all have to be tested...

Thanks guys!
Gerald

julianwood
Enthusiast

A DHCP client doesn't search for a particular DHCP server. All it does is broadcast for a DHCP server, and the first one to respond wins; either the client requests a renewal or it gets issued a new IP address. You can move the DHCP server to any new IP address, and as long as broadcasts get to it the client can renew or get a new IP address without an issue.

http://WoodITWork.com
mastersgerald
Contributor

Ah, don't forget the renewal process, where the client first asks the DHCP server that it got its current lease from (renewing). If that DHCP server does not respond, then the client goes through the rebinding process.  Below is taken from the TechNet article which was posted by abirhasan above: http://technet.microsoft.com/en-us/library/cc958935.aspx.

Renewing

IP addressing information is leased to a client, and the client is responsible for renewing the lease. By default, DHCP clients try to renew their lease when 50 percent of the lease time has expired. To renew its lease, a DHCP client sends a DHCPRequest message to the DHCP server from which it originally obtained the lease.

Rebinding

If the DHCP client is unable to communicate with the DHCP server from which it obtained its lease, and 87.5 percent of its lease time has expired, it will attempt to contact any available DHCP server by broadcasting DHCPRequest messages. Any DHCP server can respond with a DHCPAck message, renewing the lease, or a DHCPNak message, forcing the DHCP client to initialize and restart the lease process.

Note that these two entries talk about what happens when 50% and 87.5% of the lease is used up.  The part that isn't written in that article is what happens if the original DHCP server does not respond to the renewing request.  I think that it is different for each client OS.  From memory, Windows 7 will ping its configured gateway to see if it is still on the same subnet, and if it gets a response will carry on using the IP address it has been leased until the lease expires (or gets to the 87.5% lease duration point).  Also from memory, I think Windows XP will go through the renew process every time the client is restarted, and if there is no response from the DHCP server that holds its lease, it will do the rebinding process.

Or that's the process that is in my head.
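As an added illustration (not code from this thread, nor from VMware or Microsoft) of the renewing/rebinding behaviour quoted above and of julianwood's point that the server's own address does not matter once its lease database is reachable: a toy Python model with a constructed client lease, a primary server, and an SRM-style failover that brings the same lease database up at a new address. The names, addresses and simplified timer logic are assumptions, not the real DHCP implementation.

```python
from dataclasses import dataclass, field
T1, T2 = 0.5, 0.875  # renew at 50% and rebind at 87.5% of the lease, as in the TechNet text

@dataclass
class Lease:
    mac: str
    ip: str
    server_id: str  # address the lease was obtained from (DHCP option 54)
    start: int
    duration: int

@dataclass
class DhcpServer:
    address: str
    leases: dict = field(default_factory=dict)  # MAC -> Lease, the replicated database
    up: bool = True

    def handle_request(self, mac, requested_ip, now):
        """Match MAC/IP against the lease database: DHCPACK renews, DHCPNAK restarts the client."""
        lease = self.leases.get(mac)
        if lease is None or lease.ip != requested_ip:
            return "DHCPNAK"
        lease.start = now  # lease renewed from now, whatever address this server has
        return "DHCPACK"

def phase(lease, now):
    # Where the client is in its lease at time 'now' (constructed, simplified timer model)
    e = now - lease.start
    if e >= lease.duration:
        return "EXPIRED"
    if e >= lease.duration * T2:
        return "REBINDING"  # broadcast DHCPRequest, any server may answer
    return "RENEWING" if e >= lease.duration * T1 else "BOUND"  # RENEWING: unicast to server_id

def client_step(lease, servers, now):
    """One client attempt at time 'now': returns the server reply or the idle phase."""
    p = phase(lease, now)
    if p == "RENEWING":  # only the original server is asked; silence means wait for T2
        s = next((s for s in servers if s.up and s.address == lease.server_id), None)
        return s.handle_request(lease.mac, lease.ip, now) if s else "NO_RESPONSE"
    if p == "REBINDING":  # broadcast relayed by the routers' IP helpers: first live server answers
        for s in (s for s in servers if s.up):
            reply = s.handle_request(lease.mac, lease.ip, now)
            if reply == "DHCPACK":
                lease.server_id = s.address  # future renewals go unicast to the DR server
            return reply
        return "NO_RESPONSE"
    return p

def srm_failover(primary, dr_address):
    """Model of SRM recovery: the same lease database comes up at a new address."""
    primary.up = False
    return DhcpServer(dr_address, primary.leases)
```

The model shows why the DR server must hold the replicated lease database: a server that lacks the client's MAC/IP entry answers DHCPNAK and the client restarts discovery, which is also the case to watch when testing authorisation after failover.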