"Access Denied" when trying to use netsh to export DHCP v4 scopes from a 2008R2 Domain Controller, but works on another 2008R2 Member Server without issue. Stumped!

As always I would like to begin by thanking everyone who takes the time to answer this question with their expert insights.
I have a 2008R2 Domain Controller that hosts a variety of DHCP scopes that I need to migrate off it, as we are demoting and replacing that server. However, no matter which netsh command syntax I try (through PowerShell), I cannot get it to export the settings from TGHDC2 (domain controller). I continuously get an "Access Denied" error, and it immediately stops the DHCP service and does not restart it, but it does come back on if I restart it manually.

I have verified that the account I am using (domain administrator account, so it should have all required privileges) is a member of the local server's Administrators group, etc.

I have another 2008R2 DHCP server (member server only) and I tried to run the exact same command (same domain administrator account) on it and it ran without complaints and it did not stop the DHCP service at all.
 
The one on TGHDC2 also reports this error (1056), which is odd since neither of them has an account specified under this setting, and yet it does not impact the other DHCP server's ability to export scopes using netsh.

 "The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service.   This is not a recommended security configuration.  Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool."

Please see some screenshots attached

Any help would be greatly appreciated. Also please note that I plan to integrate the scopes into the other DHCP server and it should not be an issue as all scopes are different (no overlap).
Asked by: Laszlo Denes

Alex Green (Project Systems Engineer) commented:
Change it to c:\temp\DHCP Scopes\ and see if that works. Sounds silly, but I've had a similar issue and it was the c:\ that caused it.
0
Mahesh (Architect) commented:
Log on to the DC with domain admins, open an elevated cmd, and then try exporting DHCP with netsh.
0
Andy Bartkiewicz (Network Analyst) commented:
Run cmd as an administrator
0
Laszlo Denes (Author) commented:
Alex - sadly that did not work either
PS C:\windows\system32> netsh dhcp server \\tghdc2 v4 export c:\temp\dhcpscopes all
Access is denied.

Mahesh - Note that I did state that I am using the domain administrator account (that is the one I am logged in with), and yes (Andy), I am running PowerShell in the context of (elevated as) that domain administrator.
0
Steve Knight (IT Consultancy) commented:
I would also suggest using netsh dump rather than export, see my page here: http://scripts.dragon-it.co.uk/links/dhcp-scope-move-export-backup

You can use that to import directly back into another server having edited the text file, works great!

So I'd do along the lines of:

command prompt - right click run-as-admin

md c:\dhcp
cd /d c:\dhcp
netsh dhcp server \\servername dump > servername-dhcp.txt

and you end up with a text file which, if you look at it in Notepad, shows all you need to move to another server.

Then on the other server use netsh exec servername-dhcp.txt and it will combine those scopes etc. with any already on the server.
Steve
0
Laszlo Denes (Author) commented:
Steve, will this export/dump all reservations, scope settings, current leases, etc.?
0
Steve Knight (IT Consultancy) commented:
If you have a look at the link I gave, it explains. It brings reservations, scope settings, server options etc., and being text you can remove any not needed. You can also dump your other existing server before importing it. I have used it dozens of times to migrate servers.

My link shows you an easy way to deal with existing leases. Either add them as temporary reservations and dump them, or use a combination of reducing lease time, using conflict detection settings (should be on anyway) and using exclusions temporarily on the zones, effectively splitting the scope over the two servers -- that way you can use both servers in parallel and then turn the old one off too.

Steve
0
Laszlo Denes (Author) commented:
I saw your link and we would likely just dump from the source and add to the destination, all within a 30 min maintenance window, during which time we will change the IP helper address. Will read up on it. BTW, any idea why the netsh export command got the Access Denied? Just curious if you have seen that...
0
Shaun Vermaak (Technical Specialist/Developer) commented:
That is a bug with netsh in 2008 R2. Do it remotely.
0
Laszlo Denes (Author) commented:
Shaun, can you be more specific by remotely, because I tried to run the command from the other server (the 2008R2) and it did not like it.
DHCP Server import and export are allowed on local servers only.
0
Steve Knight (IT Consultancy) commented:
0
Laszlo Denes (Author) commented:
Going to another 2008R2 for now, which is why I am stumped, since the same netsh export command works fine on it.
0
Steve Knight (IT Consultancy) commented:
If your scopes have a decent amount of spare addresses, I would suggest forgetting the leases: just get the new config in place, turn the lease time on the old server down to, say, 1 hour so that all leases will be running out at a suitable time anyway, enable the scope on the new server with whatever length of lease you want to give, and disable the old / change the IP helper. May end up with a few conflicts but that's what it is for.
0
Laszlo Denes (Author) commented:
So you mean just recreate (manually) the scopes on the new server... okay... might be doable.
BTW, what did you mean by do it remotely earlier?
0
Steve Knight (IT Consultancy) commented:
If you are replying to me, I'd just netsh dump, edit the text file and netsh exec, along with a quick reduction to a short time for leases.
0
Laszlo Denes (Author) commented:
Okay I solved it and can use the netsh command I was intending to.
It has to do with this https://support.microsoft.com/en-ca/help/890480/access-denied-error-message-when-you-use-the-netsh-dhcp-server-import
I was using the domain administrator account, which is a member of Domain Admins, which is a member of the local server's Administrators group, BUT what eventually worked was adding my account (also domain admin) explicitly to the local server's Administrators group, and it worked right away through CMD (run as admin).
0
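The check behind the fix described in the post above, as an added example that is not part of the original thread: it reports whether the current account is listed directly in the local Administrators group or only reaches it through a nested group such as Domain Admins. It assumes it is run locally on the DHCP server and uses only calls available to PowerShell 2.0 on 2008 R2.

```powershell
# Added example (not from the thread): is the current account a DIRECT member of
# the local Administrators group, or does it only get there through nesting?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminSid  = New-Object Security.Principal.SecurityIdentifier('S-1-5-32-544')  # BUILTIN\Administrators

# True only when the Administrators SID is enabled in this process token (elevated).
$elevated = $principal.IsInRole($adminSid)

# Direct members of the group, read through the WinNT ADSI provider.
$group  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$direct = @($group.psbase.Invoke('Members') | ForEach-Object {
    $bytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
    (New-Object Security.Principal.SecurityIdentifier($bytes, 0)).Value
})

# Is the user's own SID in that list?
$isDirect = $direct -contains $identity.User.Value

# Groups in the token that are themselves direct members: the nesting path.
$via = @($identity.Groups | Where-Object { $direct -contains $_.Value } | ForEach-Object {
    try { $_.Translate([Security.Principal.NTAccount]).Value } catch { $_.Value }
})

New-Object PSObject -Property @{
    Account       = $identity.Name
    Elevated      = $elevated
    DirectMember  = $isDirect
    NestedThrough = ($via -join ', ')
}
```

A result with DirectMember False and a group name under NestedThrough matches the situation the asker describes before the account was added explicitly.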
Mahesh (Architect) commented:
Try the command below from an elevated command prompt:

netsh dhcp server export c:\DHCP\myscopes.txt all

If you still get an error, give Domain Admins and the SYSTEM ID full control on the C:\DHCP folder and try again.

I believe the problem is with the UNC path you used to connect to the DHCP server.
0
Mahesh (Architect) commented:
Where does the local server Administrators group come into the picture here?

You are already logged on to the domain controller, aren't you?
0
Laszlo Denes (Author) commented:
Thanks everyone.
Special thanks to Steve for all the tips and Shaun, who put the bug in my ear so I started looking to find a bug for netsh on 2008R2.
0
Laszlo Denes (Author) commented:
Mahesh, I was logged in as domain admin, which is part of the domain admin group, which is in the local server admin group, and that did not work. I then logged in as myself (my own account), which is also part of the domain admin group, BUT I added my account directly to the local server admin group and that worked.
0
Steve Knight (IT Consultancy) commented:
I nearly suggested that, as it did use to be an issue years ago, but didn't know it still was... bizarre!

Steve
0
Mahesh (Architect) commented:
Your issue is resolved; however, could you try the other workaround command by removing your ID from the "Administrators" group, logging off and back on, and running the below from an elevated cmd:

netsh dhcp server export c:\DHCP\myscopes.txt all

If it works, we can ascertain that the issue exists with the UNC path used in netsh.

Requesting you because I cannot reproduce the issue.
0