Question
Thursday, July 29, 2010 9:43 PM
Just wanted to verify this before proceeding:
We have in the DHCP MMC, an old DHCP server that was before my time in the list of Authorized Servers. I want to remove it from the list. Drilling down into ADSIEdit (Configuration -> Servers -> NetServices) I see a list of Authorized DHCP servers, along with the CN=DhcpRoot entry. I also see three servers that aren't showing up in the list but are in this container. Plus, there is one server with a CNF:randomguid after it.
My question is: Do I just delete all CN= entries for DHCP servers that no longer exist? Will this remove the old server from the list along with clean up the ones that aren't even showing up?
Every post or guide I am finding says to edit the CN=DhcpRoot and remove them from there, yet that only has two entries in it, which are still valid DHCP servers. I am going to make an educated guess that listing them individually is the 2003+ method of doing it?
Thanks for all your help!
All replies (9)
Saturday, July 31, 2010 5:13 PM ✅Answered
Hi All,
Can you all please clear this doubt: can a domain have more than 1 authorized DHCP server?
I believe it can. And if anyone wants to transport the data from one DHCP server to another, I would recommend taking a backup of the old DHCP server and installing it on the new server; maybe that helps?
Regards,
Dhruv
Yes, absolutely. You can have multiple authorized DHCP servers. Some installations may have multiple subnets and/or domains, so practically speaking, one DHCP can't handle all of them. You would need them authorized too, if you were splitting the scope.
There are a few ways to migrate DHCP settings. If a small infrastructure, I usually just recreated the scope on the new server. If larger, you may want to migrate to retain the scope leases and other settings. Here are a couple of ways:
Move a DHCP database to another server: Dynamic Host Configuration ...Jan 21, 2005 ... This topic provides details on how to move a DHCP database from one server computer (the source server) to another server computer (the ...
http://technet.microsoft.com/en-us/library/cc776587(WS.10).aspx
How to move a DHCP database from a computer that is running ...This step-by-step article describes how to move a Dynamic Host Configuration Protocol (DHCP) database from a computer that is running Microsoft Windows NT ...
http://support.microsoft.com/kb/325473
Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Friday, July 30, 2010 6:02 AM
My bet is it's the CNF entry. "CNF" means it's a conflicting entry. I assume you read the following KB?
After a new DHCP server is authorized, the original DHCP server ...Later, the new DHCP server may be authorized, but the existing DHCP servers may ... In the Values list, click the name of the new DHCP server, click Remove, ...
http://support.microsoft.com/kb/306925
Have you tried using netsh?
How to Use Netsh.exe to Authorize, Unauthorize and List DHCP ...Unauthorize a DHCP Server from the List of Authorized Servers in Active Directory. Syntax: "netsh dhcp delete server ServerDNSServerIP" ...
http://support.microsoft.com/kb/303351
It's also interesting that a conflicting entry exists to begin with. It's something you don't normally see for the most part and may indicate an AD replication issue. Lots of things can cause replication issues, from multihomed DCs, not using only the internal DNS server in IP properties, to a single label name AD DNS domain name, and a few other misconfigs. I wonder if anything else is amiss conflict-wise? Out of curiosity, are there any conflicting or dupe AD integrated zones? Check my blog to find out:
Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx
Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Friday, July 30, 2010 9:15 AM
Hi Ace,
I totally agree with you, and also read the details in the link that you have provided. Does that mean there cannot be 2 DHCP servers in Active Directory on Windows Server 2003?
One becomes authorized and the other becomes unauthorized. I never tried this scenario in my office lab, but will try that for sure :-)
Regards,
Dhruv
Friday, July 30, 2010 1:12 PM
Ace,
Thanks for the reply. I have tried using netsh and the MMC to unauthorize the server that is still listed and shouldn't be. Problem is, the server using that IP no longer exists, nor does it hold the DHCP role anymore. So unauthorizing it fails. As for the CNF issue, that I can understand. It stemmed from failed DC promos that I have had to clean up from the previous admin. Our network static routes weren't configured properly, so that led to an issue with our main firewall blocking traffic between DCs, which I have since fixed. Actually yes, you helped me a while back with my process for deleting the duplicate/CNF DNS zones. I found eight versions of the same zone in ADSI Edit between the Forest and Domain DNS partitions :). Those have since been cleaned out and resolved.
Actually, here is what I see in my adsiedit under CN=NetServices:
CN=DhcpRoot (Contains one valid DHCP server in list, and contains orchard (see below))
CN=jjc.domain.com (No longer exists)
CN=opgrand.domain.com (Valid DHCP server)
CN=orchard.domain.com (Was a failed DC that I had to manually clean up and wiped box, reloaded with same name. Now just File Server)
CN=orchard_server.domain.comCNF:randomguid (No longer exists)
CN=orcharddc.domain.com (Valid DHCP server)
CN=orion.domain.com (No longer exists)
CN=pace.domain.com (Valid DHCP server)
CN=vserv3.domain.com (No longer exists)
So as you can see, the jjc, orchard, orchard_server, orion, and vserv3 are all invalid. The only one still showing up in the DHCP mmc is orchard.
As my previous post (probably poorly asked), do I just need to delete these entries and edit out the entry listed in CN=DhcpRoot? All of the KBs, forum posts, guides, etc talk about editing the CN=DhcpRoot entry and editing out the invalid DHCP Servers. The only problem is, that entry only contains two servers in it, one of which is the invalid Orchard. I just can't see that I need to keep these other entries, so just wanted to verify that I can delete.
Thanks,
Craig
Saturday, July 31, 2010 9:52 AM
Hi All,
Can you all please clear this doubt: can a domain have more than 1 authorized DHCP server?
I believe it can. And if anyone wants to transport the data from one DHCP server to another, I would recommend taking a backup of the old DHCP server and installing it on the new server; maybe that helps?
Regards,
Dhruv
Saturday, July 31, 2010 5:09 PM
Craig,
Yes, go ahead and delete all non-existing entries no matter where you found them. Firewall blocks will cause these issues, among other things. I do remember helping you with the dupe zones. Glad to hear I was helpful.
Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
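A read-only way to sort the CN=NetServices children into keep, stale and conflict before deleting anything in ADSI Edit, added here as an example that is not part of the thread. The function name Get-DhcpAuthReview, the sample objects, the DhcpRoot values and the placeholder GUID are constructed; the server names are those from the listing posted above.

```powershell
# Live input instead of the sample (assumes the RSAT ActiveDirectory module):
#   $base    = "CN=NetServices,CN=Services," + (Get-ADRootDSE).configurationNamingContext
#   $entries = Get-ADObject -SearchBase $base -SearchScope OneLevel -Filter * -Properties dhcpServers

function Get-DhcpAuthReview {
    param(
        [Parameter(Mandatory)] [object[]] $Entries,     # objects exposing Name and dhcpServers
        [Parameter(Mandatory)] [string[]] $LiveServers  # FQDNs confirmed to run DHCP today
    )
    foreach ($e in $Entries) {
        if ($e.Name -match 'CNF:') {
            $status = 'Conflict'; $note = 'replication conflict object; delete'
        }
        elseif ($e.Name -eq 'DhcpRoot') {
            # Keep the DhcpRoot object itself; only review the values it lists.
            # Substring match, so it does not depend on how each value is encoded.
            $stale = @($e.dhcpServers | Where-Object {
                $v = $_
                $v -and -not ($LiveServers | Where-Object { $v -like "*$_*" })
            })
            if ($stale.Count) { $status = 'EditValues'; $note = "remove: $($stale -join '; ')" }
            else              { $status = 'Keep';       $note = 'all listed servers are live' }
        }
        elseif ($LiveServers -contains $e.Name) {
            $status = 'Keep';  $note = 'live DHCP server'
        }
        else {
            $status = 'Stale'; $note = 'no longer a DHCP server; delete'
        }
        [pscustomobject]@{ Name = ($e.Name -replace '\s+', ' '); Status = $status; Note = $note }
    }
}

# Constructed sample mirroring the listing in the thread (GUID is a placeholder).
$sample = @(
    [pscustomobject]@{ Name = 'DhcpRoot'; dhcpServers = @('opgrand.domain.com', 'orchard.domain.com') }
    [pscustomobject]@{ Name = 'jjc.domain.com' }
    [pscustomobject]@{ Name = 'opgrand.domain.com' }
    [pscustomobject]@{ Name = 'orchard.domain.com' }
    [pscustomobject]@{ Name = "orchard_server.domain.com`nCNF:00000000-0000-0000-0000-000000000000" }
    [pscustomobject]@{ Name = 'orcharddc.domain.com' }
    [pscustomobject]@{ Name = 'orion.domain.com' }
    [pscustomobject]@{ Name = 'pace.domain.com' }
    [pscustomobject]@{ Name = 'vserv3.domain.com' }
)
$live = 'opgrand.domain.com', 'orcharddc.domain.com', 'pace.domain.com'
Get-DhcpAuthReview -Entries $sample -LiveServers $live | Format-Table -AutoSize
```

The function only reports; nothing is changed in the directory, so the result can be reviewed or saved with Export-Csv before any object is removed.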
Monday, August 2, 2010 2:01 AM
Hi,
I just want to check if the information provided was helpful. If there is any update on this issue, please feel free to let us know.
We are looking forward to your reply.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Friday, May 4, 2012 2:31 PM
I have a quite different start position on my Windows 2003 domain
Netservices records:
CN=10.31.40.14 (DHCP server with disabled service, though authorised)
CN=10.32.11.14 (only DHCP)
CN=DHCPRoot Class/dHCPClass Distinguished Name CN=DhcpRoot,CN=Netservices,CN=...........
CN=DHCPRoot CNF:some guid Class/dHCPClass Distinguished Name CN=DHCPRoot\some guid,CN=Netservices,CN=services,cn=configuraton;cn.....
The intention was to recover the DHCP data with daily exported DHCP data to file using netsh, at least this is the way it was set up prior to my coming. Mainly to recover if the principal DHCP server is dead, and no database backup/restore operation is possible.
1°) This is what I have to perform:
Now I face the job to move CN:10.31.40.14 to a new server on new storage and phase out the former one.
I'm puzzled too with the last two records.
My plans are to export DHCP to a flat file using netsh, unauthorise the current DHCP, ask the network guy to assure proper DHCP relaying cross sites, import config using netsh, authorise new server and do some tests on the remote site for which relaying must occur. I hopefully will not get any authorisation problems, as the reported ones only relate to systems having the same name or IPs, which is not my case.
Can someone explain what the last 2 records, a.o. the one with CNF, actually indicate and what has to be done with them? Do they have to be edited? Or is all well in my case?
2°) My second course of action is to perform the following:
My plans are later on to unauthorise the "Disabled" DHCP service on the backup DHCP server, as this one is going to be phased out too, but I am unsure if this can be done with netsh. I suppose I could delete its record in the MMC Site&Services in the services view. Not sure what is the best order to proceed with a disabled DHCP service, suppose that the record is missing and someone launches the service... I expect that netsh can't be used to unauthorise it if the services are not running? Can I suffice removing it from the Site & Services MMC? Or simply uninstall the DHCP server, and will it unregister in AD if the uninstall is performed with the service set to disabled?
I think for the future recovery possibility I will opt for the plan to install a 2nd DHCP service, with no data, leave it unauthorised, leave the service enabled though and schedule an hourly export from the principal DHCP server to a flat file on the "Backup" DHCP server, instead of having a DHCP server with the service disabled and being unsure of what is contained inside. I suppose I could copy the mdb file and read out what is contained within.
What would you guys do?
Greetings,
Stefan T
Monday, May 7, 2012 8:01 PM
StefT,
First, it would have been beneficial to create a new thread, which makes you the owner of the thread, and reference this one. This way you have control of the thread. If you start a new thread, please reference this one.
As for the CNF, that means "CONFLICT," which simply means there is a conflicting or duplicate entry in the AD database. Anything with a CNF is pretty much useless and should be deleted.
Tell you what, it concerns me that you have found CNFs. While in ADSI Edit, please check the DNS partitions (all three of them) to make sure you don't see any CNFs or "InProgress" entries, for they are DNS zone conflicts and duplicates. If you find any, please delete them. Here's how:
Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
Published by Ace Fekay, MCT, MVP DS on Sep 2, 2009 at 2:34 PM
http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This post is provided AS-IS with no warranties or guarantees and confers no rights.