Migrate DHCP Server from 2008R2 to 2019

October 14, 2019

Extended support for Windows 2008R2 will end on 14 January 2020. Now is a good time for me to migrate my DHCP server to Windows Server 2019.
This should be a fairly easy process

Old DHCP Server: 2008R2DHCP
New DHCP Servers: VM-DHCP1, VM-DHCP2

1. Create a new VM for the new DHCP server

I will be using this script to create a new Windows Server 2019 Core VM on VHOST01
I'm saving this script as VM-DHCP1.ps1 on the D:\Templates folder on VHOST01 machine.

# Set VM Name, Switch Name, and Installation Media Path.
$VMName = 'VM-DHCP1'
$Switch = 'externalSwitch'
$VMPath = 'D:\Hyper-V\'
$VHD    = "$VMPath\$VMName\Virtual Hard Disks\$VMName.vhdx"
$Image  = 'D:\Templates\2019-CORE.vhdx'

# Create directory to store the virtual hard disk
New-Item -Path "$VMPath\$VMName\Virtual Hard Disks" -ItemType "Directory"

#Copy the base image to the Hyper-V virtual hard drive location
Start-BitsTransfer -source $Image -destination $VHD

# Create New Virtual Machine
New-VM -Name $VMName -MemoryStartupBytes 4GB -Generation 2 -Path $VMPath -SwitchName $Switch

# Attach Base Image
Add-VMHardDiskDrive -VMName $VMName -Path $VHD

# Start the VM
Start-VM -VMName $VMName

2. Configure the new 2019 Core VM

Connect to the new VM via Hyper-V Manager, and open a PowerShell prompt

Assign static IP to the server
Get InterfaceIndex value

Get-NetAdapter -Name * | Format-Table –AutoSize

Configure static IP using the ifIndex value returned from the command above

New-NetIPAddress –InterfaceIndex 7 –IPAddress 192.168.1.6 -PrefixLength 24 -DefaultGateway 192.168.1.1

Configure DNS, using the same ifIndex value as above

Set-DnsClientServerAddress -InterfaceIndex 7 -ServerAddresses ("192.168.1.2","192.168.1.3")

Add server to the existing domain

Add-Computer -Credential Admin-Username -DomainName dccb.net -NewName VM-DHCP1; Restart-Computer -force

After the VM has been restarted. Log in with a domain admin credential and enable Ping for diagnostic

Set-NetFirewallRule -DisplayName "File and Printer Sharing (Echo Request – ICMPv4-In)" -enabled True

3. Export my current DHCP database

On VM-DHCP1, run the following PowerShell command:

MkDir C:\Backup
Export-DhcpServer -File C:\Backup\DHCP\DHCPDB.xml -Leases -Force -ComputerName 2008R2DHCP –Verbose

It looks like the export was successful.

VERBOSE: Exporting configuration from server Nightwing to file P:\Chamber\Backup\DHCP\DHCPDB.xml.
VERBOSE: The configuration (and leases) on server Nightwing will be exported to the file D:\Backup\DHCP\DHCPDB.xml.
VERBOSE: Exporting classes from server...
VERBOSE: Exporting option definitions from server...
VERBOSE: Exporting server wide option values...
VERBOSE: Exporting Link Layer Filters...
VERBOSE: Exporting scope 192.168.1.0 from server 2008R2DHCP...
VERBOSE: Exporting exclusion ranges from scope 192.168.1.0...
VERBOSE: Exporting option values from scope 192.168.1.0...
VERBOSE: Exporting reservations from scope 192.168.1.0. This operation may take some time.
VERBOSE: Exporting leases from scope 192.168.1.0. This operation may take some time.
VERBOSE: Exporting classes from server...
VERBOSE: Exporting option definitions from server...
VERBOSE: Exporting server wide option values...
VERBOSE: Export operation on server 2008R2DHCP completed.

4. Install the DHCP server role and configure service

install-WindowsFeature -Name DHCP –IncludeManagementTools

add the DHCP Users and DHCP Administrators security groups to the DHCP server

Add-DHCPServerSecurityGroup -ComputerName VM-DHCP1

Set credentials that the DHCP server uses to register and deregister client records on a DNS server

Set-DHCPServerDNSCredential -ComputerName VM-DHCP1 -Credential dccb\DHCP-Service

Authorize the server in Active Directory

Add-DhcpServerInDC -DnsName "VM-DHCP1.dccb.net" -IPAddress 192.168.1.6

Get a list of all authorized DHCP Servers to check if the authorization was successful

Get-DhcpServerInDC

Deauthorize old Windows 2008 R2 DHCP server

Remove-DhcpServerInDC -DnsName "2008r2dhcp.dccb.net" -IPAddress 192.168.1.15

5: Configure DHCP Failover

Import the DHCP databse XML to Windows Server 2019

MkDir C:\DHCPDB
Import-DhcpServer -File C:\backup\DHCPDB.xml -BackupPath C:\DHCPDB\ -Leases -ScopeOverwrite -Force -ComputerName VM-DHCP1 –Verbose

Verify the new DHCP server is working.
On a Windows 10 machine, run:

ipconfig /release && ipconfig /renew
ipconfig /all

If the IP address of the DHCP server listed in the above command is 192.168.1.6, then it's working.

Spin up another DHCP Server and name this one VM-DHCP2
Repeat the commands in Step 4 for this new DHCP server

Configure DHCP Failover in Load Balancing mode

Add-DhcpServerv4Failover –ComputerName vm-dhcp1.dccb.net –PartnerServer vm-dhcp2.dccb.net –Name dhcp1-dhcp2 –ScopeID 192.168.1.0 –LoadBalancePercent 60 -Force

I'm getting an error message:

The time difference between this server and the partner server is greater than the permissible value of 60 seconds. 
Please ensure that both servers are time synchronized before configuring failover. 
You can configure the Windows Time Service on both servers to ensure time synchronization

I ran this command on primary domain controller

w32tm /query /source

I'm getting

VM IC Time Synchronization Provider

So, my virtualized domain controller is syncing time with its Hyper-V host. However, my Hyper-V host is a member of the domain and synchronizes time with the domain controller, but my domain controller is a virtual machine that synchronizes time with the host.
What a time loop.

On the Hyper-V host that has the guest domain controller named DC1, I ran this PowerShell command:

Get-VMIntegrationService -VMName DC1 -Name 'Time Synchronization'

Result

VMName Name                 Enabled PrimaryStatusDescription SecondaryStatusDescription
------ ----                 ------- ------------------------ --------------------------
DC1    Time Synchronization True    OK

I'm going to disable Time Synchronization now

Get-VMIntegrationService -VMName DC1 -Name 'Time Synchronization' | Disable-VMIntegrationService

Run it again to verify

Get-VMIntegrationService -VMName DC1 -Name 'Time Synchronization'

I'm getting

VMName Name                 Enabled PrimaryStatusDescription SecondaryStatusDescription
------ ----                 ------- ------------------------ --------------------------
DC1    Time Synchronization False   OK

I need to disable Time Synchronization for VM-DHCP1

Disable-VMIntegrationService –Name 'Time Synchronization' -VMName VM-DHCP1

Then log into HOST2 and disable Time Synchronization for VM-DHCP2

Disable-VMIntegrationService –Name 'Time Synchronization' -VMName VM-DHCP2

After that, reconfigure the guest VM's time configuration to sync from the domain hierarchy

w32tm /config /syncfromflags:DOMHIER /update
w32tm /resync /nowait
net stop w32time
net start w32time

Now, run the DHCP Failover setup again.

Add-DhcpServerv4Failover –ComputerName vm-dhcp1.dccb.net –PartnerServer vm-dhcp2.dccb.net –Name dhcp1-dhcp2 –ScopeID 192.168.1.0 –LoadBalancePercent 60 -Force

All done!