Solved

Move DHCP from W2003 to w2008 r2

Posted on 2016-08-17
7
39 Views
Last Modified: 2016-09-17
Followed several KB articles to move our DHCP from an older 2003 server to a 2008 R2 server that is also our 2nd DC.
https://blogs.technet.microsoft.com/networking/2008/06/27/steps-to-move-a-dhcp-database-from-a-windows-server-2003-or-2008-to-another-windows-server-2008-machine/
Since we needed to preserve already existing scopes on the 2008 R2 I opted to use a 'merge' option (as discussed here https://support.microsoft.com/en-us/kb/281626) thus exporting only the scopes we need from the old server and importing the scopes (instead of ALL) on the new 2008 R2 server.
export c:\temp\dhcpdb 10.0.0.0 20.0.0.0
import c:\temp\dhcpdb 10.0.0.0 20.0.0.0
The export on the 2003 server worked fine and I managed to import on a 2008 R2 member server without issues as a test. However, when I try exactly the same process on the intended server (which is a DOMAIN CONTROLLER) I get an 'Access Denied" error. Please note that I have already looked at this article and similar one's (https://support.microsoft.com/en-us/kb/890480) and I AM LOGGED IN AS DOMAIN ADMIN which is a member of the local administrators group on the server. I even tried with an account that I made ENTERPRISE ADMIN, but same 'access denied' result. The exported data was copied to the 2008 R2 DC server, so it was not coming over the network. I tried importing using a regular cmd prompt (run as admin) and powershell but no luck. I did see this article (https://www.experts-exchange.com/questions/28645917/NETSH-DHCP-SERVER-Access-Denied.html) about changing the account as I do suspect it is running within a local context as no account etc. is specified, but since the server I am moving it to hosts live scopes for other subnets I am reluctant to make changes without some feedback. Help :-)
0
Comment
Question by:Laszlo Denes
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 40

Expert Comment

by:Adam Brown
ID: 41759980
Just to make sure...are you running CMD as administrator when running the import? UAC may be blocking you here.
0
 

Author Comment

by:Laszlo Denes
ID: 41760897
I did run it as admin and UAC is turned off completely :-(
0
 

Author Comment

by:Laszlo Denes
ID: 41761001
Could it have to do with this (see below) even though the server is a DC not just a member server?

http://jackstromberg.com/2013/04/attempt-to-configure-dhcp-server-failed-with-error-code-0x8007005-access-is-denied/
Solution:

This is caused by permission issues on the user’s account.  To fix this, first right click on IPv4 and then select Properties.  Click on the Advanced tab and then click on Credentials.  Inside of here, enter in the credentials you want to use as the service account to run DHCP.

DHCP Credentials

Next, open up Server Manager, expand Configuration, expand Local Users and Groups.  Click on DHCPAdministrators, and then add your service account.

DHCP Administrators group

Next, restart the DHCP Server service.  Inside of server manager, right click on the DHCP server and click Authorize.  Restart the service one last time, and each of your DHCP scopes should now be up (with green checkmarks).
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:Laszlo Denes
ID: 41761004
oh and I noted event 1056 under DHCP role on the 2008 R2 target server.
The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service.   This is not a recommended security configuration.  Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool.
0
 
LVL 40

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41761096
The local groups don't exist on a DC, so the permission settings you note won't work the way it is shown there. You would go to AD Users and Computers, go to the Builtin Container, and make sure whatever account you're using is in the Administrators group there. The Builtin container is a replacement for the Local Users and Groups snapin for all the DCs in the environment (by default, anyway). Just note that adding a user account to the Administrators group will effectively turn them into Domain Admins as well. If the DHCP admins group is in the Builtin container, you can use that.

The credentials for the error you're getting wouldn't prevent you from importing DHCP information.
0
 

Author Comment

by:Laszlo Denes
ID: 41761185
Okay thanks. So I am trying it again.
Logged into source server (2003) as domain admin that has scopes I want to export.
Opened cmd prompt (run as administrator)
Ran command as shown and it worked

C:\>netsh
netsh>dhcp server \\mailman
netsh dhcp server>export c:\dhcpmailmanscopes\dhcpdb 172.17.0.0

Command completed successfully.
netsh dhcp server>

Then stopped DHCP on the 2003 source server.
Copied over the exported data/folder into the c: root of the target 2008 DC

Logged into target Domain Controller (2008 R2) with domain admin account (that is also member of local admin group) that I want to import DHCP scope 172.17.0.0 into.
That DC already has existing scopes and an authorized DHCP server hence the merge not a full export/import of all scopes from the 2003.
Opened a cmd prompt as admin and ran import command as shown below


C:\>netsh
netsh>dhcp server \\tghdc2
netsh dhcp server>import c:\dhcpmailmanscopes\dhcpdb 172.17.0.0
Access is denied.

netsh dhcp server>

Administrators have full control of that folder and file on both systems.
and it is then that I see the 1056 error
The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service.   This is not a recommended security configuration.  Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool.

P.S. The merge import of the single scope works on a test 2008 R2 member server that had a test scope configured but its DHCP is not authorized as I did not want to cause conflicts!

What am I missing or doing wrong.
0
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 41802877
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: Adam Brown (https:#a41761096)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you migrate a Terminal Server licenses server inside the 2008 server family, you can takte advantage of the build-in migration tool. If you like to migrate an older 2003 Server (and the installed client CALs) to a 2008 R2 server for example, you …
I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question