Laszlo Denes asked:

"Access Denied" when trying to use netsh to export DHCP v4 scopes from a 2008R2 Domain Controller, but works on another 2008R2 Member Server without issue. Stumped!

As always I would like to begin by thanking everyone who takes the time to answer this question with their expert insights.
I have a 2008R2 Domain Controller that hosts a variety of DHCP scopes that I need to migrate off it as we are demoting and replacing that server. However, no matter which command syntax (through PowerShell) I try for netsh, I cannot get it to export the settings from TGHDC2 (domain controller). I continuously get an "Access Denied" error, and it immediately stops the DHCP service and does not restart it, but it does come back on if I restart it manually.

I have verified that the account (domain administrator account so it should have all required privileges) I am using is a member of the local servers administrator group, etc.

I have another 2008R2 DHCP server (member server only) and I tried to run the exact same command (same domain administrator account) on it and it ran without complaints and it did not stop the DHCP service at all.
 
The one on TGHDC2 also reports this error (1056), which is odd since neither of them has an account specified under this setting and yet it does not impact the other DHCP server's ability to export scopes using netsh.

 "The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service.   This is not a recommended security configuration.  Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool."

Please see some screenshots attached

Any help would be greatly appreciated. Also please note that I plan to integrate the scopes into the other DHCP server and it should not be an issue as all scopes are different (no overlap).
Alex

Change it to c:\temp\DHCP Scopes\ and see if that works. Sounds silly, but I've had a similar issue and it was the c:\ that caused it.
Log on to the DC with domain admins, open an elevated cmd and then try exporting DHCP with netsh.
Andy Bartkiewicz

Run cmd as an administrator
Laszlo Denes (ASKER)

Alex - sadly that did not work either
PS C:\windows\system32> netsh dhcp server \\tghdc2 v4 export c:\temp\dhcpscopes all
Access is denied.

Mahesh - Note that I did state that I am using the domain administrator account (that is the one I am logged in with) and yes I am running the (Andy) PowerShell in the context of (elevated as) that domain administrator.
I would also suggest using netsh dump rather than export, see my page here: http://scripts.dragon-it.co.uk/links/dhcp-scope-move-export-backup

You can use that to import directly back into another server having edited the text file, works great!

So I'd do along the lines of:

command prompt - right click run-as-admin

md c:\dhcp
cd /d c:\dhcp
netsh dhcp server \\servername dump > servername-dhcp.txt

and you end up with a text file which, if you look at it in Notepad, shows all you need to move to another server.

Then on the other server use netsh exec servername-dhcp.txt and it will combine those scopes etc. with any already on the server.
Steve
Steve, will this export/dump all reservations, scope settings, current leases, etc.?
If you have a look at the link I gave it explains. It brings reservations, scope settings, server options etc. and being text you can remove any not needed. You can also dump your other existing server before importing it. I have used it dozens of times to migrate servers.

My link shows you an easy way to deal with existing leases. Either add them as temporary reservations and dump them, or use a combination of reducing lease time, using conflict detection settings (should be on anyway) and using exclusions temporarily on the zones, effectively splitting the scope over the two servers -- that way you can use both servers in parallel and then turn the old one off too.

Steve
I saw your link and we would likely just dump from the source and add to the destination all within a 30 min maintenance window, during which time we will change the IP helper address. Will read up on it. BTW, any idea why the netsh export command got the Access Denied? Just curious if you have seen that...
That is a bug with netsh in 2008 R2. Do it remotely.
Shaun can you be more specific by remotely, because I tried to run the command from the other server (the 2008R2) and it did not like it.
DHCP Server import and export are allowed on local servers only.
Going to another 2008R2 for now, which is why I am stumped, since the same netsh export command works fine on it.
If your scopes have a decent amount of spare addresses I would suggest forgetting the leases: just get the new config in place, turn the lease time on the old server down to 1 hour say so that all leases will be running out at a suitable time anyway, enable the scope on the new server with whatever length of lease you want to give and disable the old / change the IP helper. May end up with a few conflicts but that's what it is for.
so you mean just recreate (manually) the scopes on the new server... okay... might be doable
BTW what did you mean by do it remotely earlier?
If you are replying to me I'd just netsh dump, edit the text file and netsh exec along with quick reduction to short time for leases
Okay I solved it and can use the netsh command I was intending to.
It has to do with this https://support.microsoft.com/en-ca/help/890480/access-denied-error-message-when-you-use-the-netsh-dhcp-server-import
I was using the domain administrator account, which is a member of domain admins, which is a member of the local server's administrators group, BUT what eventually worked was adding my account (also domain admin) explicitly to the local server's administrators group, and it worked right away through CMD (run as admin).
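
The fix reported above depended on whether the account was listed directly in the server's Administrators group or only reached it through Domain Admins. The following is an added example, not code from the thread, that reports both for the current account; it assumes the English group name "Administrators" and uses the WinNT ADSI provider so that it runs on PowerShell 2.0 (the function names are made up for this example).

```powershell
# Added example, not from the thread. PowerShell 2.0 compatible (2008 R2).
# Assumption: the built-in group has its English name, "Administrators".

function Get-DirectAdminMembers {
    param([string]$Computer = $env:COMPUTERNAME)
    # The WinNT provider returns immediate members only; nested groups are
    # listed as groups and are not expanded.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $t     = $m.GetType()
        $path  = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $t.InvokeMember('Class',   'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://DOMAIN/name or WinNT://DOMAIN/HOST/name;
        # the last two segments give an AUTHORITY\name form.
        $parts = @(($path -replace '^WinNT://', '') -split '/')
        if ($parts.Count -ge 2) { $name = $parts[-2] + '\' + $parts[-1] }
        else                    { $name = $parts[0] }   # unresolved SID
        New-Object PSObject -Property @{ Name = $name; Class = $class }
    }
}

function Test-AdminMembership {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    $members   = @(Get-DirectAdminMembers)
    New-Object PSObject -Property @{
        Account       = $id.Name
        # True when the token carries an enabled Administrators SID
        # (elevated), whether the membership is direct or nested.
        ElevatedAdmin = $principal.IsInRole(
            [Security.Principal.WindowsBuiltInRole]::Administrator)
        # True only when the account itself is listed in the group.
        DirectMember  = (@($members | ForEach-Object { $_.Name }) -contains $id.Name)
        # Groups through which membership could be inherited.
        NestedGroups  = @($members | Where-Object { $_.Class -eq 'Group' } |
                            ForEach-Object { $_.Name })
    }
}

Test-AdminMembership | Format-List Account, ElevatedAdmin, DirectMember, NestedGroups
```

An elevated session that shows ElevatedAdmin as True and DirectMember as False matches the situation the asker describes before the fix.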
Try the below cmd with an elevated command prompt

netsh dhcp server export c:\DHCP\myscopes.txt all

If you still get the error, add domain admins and system ID full control on the C:\DHCP folder and try again.

I believe the problem exists with the UNC path you used to connect to the DHCP server.
Where does the local server administrators group come into the picture here?

You are already logged on to the domain controller, aren't you?
Thanks everyone.
Special thanks to Steve for all the tips and Shaun who put the bug in my ear so I started looking to find a bug for netsh on 2008R2.
Mahesh.. I was logged in as domain admin, which is a part of the domain admin group, which is in the local server admin group.. and that did not work.. I then logged in as myself (my own account), which is also part of the domain admin group, BUT I added my account directly to the local server admin group and that worked.
I nearly suggested that as it did used to be an issue years ago but didn't know it still was... bizarre!

Steve
Your issue is resolved; however, could you try the other workaround command by removing your ID from the "administrators" group, logging off and back on, and running the below from an elevated cmd:

netsh dhcp server export c:\DHCP\myscopes.txt all

If it works, we can ascertain that the issue exists with the UNC path used in netsh.

Requesting you because I cannot reproduce the issue.