DHCP server stops serving clients

    Question

  • Hello everybody,

    Before I explain the actual problem, let me first briefly introduce you our network:

    • We have two servers running Windows 2008 R2 SP1 in two different sites, both running AD, DNS, DHCP, WSUS etc.
    • The servers are automatically shut down every evening and started up every morning. The servers are not running during the weekend (i.e. shut down Friday evening and started only on Monday morning).
    • The sites are connected over the Internet through a VPN (OpenVPN was used because our cheap routers wouldn't allow the traffic needed by RRAS). OpenVPN runs on the server, i.e. once the servers are started, the VPN connection is established automatically.
    • Both servers are domain controllers for the same domain and replicate correctly once the VPN is established. Before the VPN is up, I get quite a lot of error messages, I think because AD tries to replicate but doesn't find the other DC.

    I'm aware that it would be better for the servers and the VPN to always be up, so the different replication errors would not occur. But that's not the main problem, the messages can be ignored.

    The big problem that we have is that the DHCP server on one of the DCs sometimes stops serving clients. It's on the DC that was installed first. Every day at startup, we get the following error with Id 1059:
    ----------------------------------------------------------------------------
    The DHCP service failed to see a directory server for authorization.
    ----------------------------------------------------------------------------
    Why doesn't it see itself?

    It is immediately followed by the information message below, so everything seems OK after all:
    ----------------------------------------------------------------------------
    The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain mada.adesolaire.org, has determined that it is authorized to start. It is servicing clients now.
    ----------------------------------------------------------------------------

    But sometimes we get this error with Id 1046:
    ----------------------------------------------------------------------------
    The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain mada.adesolaire.org, has determined that it is not authorized to start.  It has stopped servicing clients.  The following are some possible reasons for this:
        This machine is part of a directory service enterprise and is not authorized in the same domain.  (See help on the DHCP Service Management Tool for additional information).

        This machine cannot reach its directory service enterprise and it has encountered another DHCP service on the network belonging to a directory service enterprise on which the local machine is not authorized.

        Some unexpected network error occurred.
    ----------------------------------------------------------------------------

    After restarting the DHCP service manually, it works again. This has now happened twice on a Monday morning, and only on the DC that was installed first. The other one doesn't even display errors, just some warnings. So I'm asking myself if the server is trying to refresh some credentials after the long shutdown over the weekend but doesn't succeed because the VPN isn't up yet, and thus stops serving clients. But again the question: why can't it authorize itself, when AD runs on the same machine?!

    Is there something I can configure in order to avoid this problem? I know our situation is not ideal for replication (I did the whole configuration mainly to learn things about replication and get some experience), but still I would rather leave it like that if possible.

    I think the only other solution would be to delete the other DC on each server so that each DC "thinks" it is the only DC for the domain.

    Your help is highly appreciated.

    Matthias


    • Edited by ADES IT Tuesday, February 11, 2014 7:14 AM
    Tuesday, February 11, 2014 7:13 AM

Answers

  • The server has now been running for almost two weeks without being shut down and everything works well. So this might be the solution, although not very satisfactory to me.

    • Marked as answer by ADES IT Tuesday, March 11, 2014 7:01 AM
    Tuesday, March 11, 2014 7:01 AM

All replies

  • How is your DNS set up on your domain controllers and servers?

    Regards,

    Denis Cooper

    MCITP EA - MCT

    Help keep the forums tidy, if this has helped please mark it as an answer

    Tuesday, February 11, 2014 7:31 AM
  • Hello Denis,

    Thank you for your quick reply. I'm not sure if I understand your question correctly, but here is my reply:

    • Both servers are DC and DNS at the same time.
    • Both DNS servers are holding the zone files, which are then replicated if I'm not mistaken.
    • Edit: I used the default options for the DNS servers when doing dcpromo.exe.

    Here is an extract of ipconfig /all for the configuration of the network adapter for DC1:

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . : ourdomain.com
       Description . . . . . . . . . . . : Intel(R) Gigabit 2P I350-t LOM
       Physical Address. . . . . . . . . : XXXX
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : XXXX
       Link-local IPv6 Address . . . . . : XXXX
       IPv4 Address. . . . . . . . . . . : XXXX
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : XXXX
       DHCPv6 IAID . . . . . . . . . . . : 198487634
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-FD-D5-E5-D4-AE-52-8A-8F-C2
       DNS Servers . . . . . . . . . . . : ::1
                                           IP address DC2
                                           IP address DC1
                                           127.0.0.1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    The configuration of the network adapter for DC2 is almost the same, except that it would list the IP address of DC1 before the IP address of DC2 in the list of DNS servers.

    Cheers,

    Matthias


    • Edited by ADES IT Tuesday, February 11, 2014 7:51 AM
    Tuesday, February 11, 2014 7:50 AM
  • Okay, well I'm pretty sure this is your problem.

    Change the DNS server order on your DCs so they are like this:

    DC1

    Primary DNS = DC1

    Secondary DNS = DC2

    DC2

    Primary DNS = DC2

    Secondary DNS = DC1

    Since the servers are only communicating by VPN, the VPN needs to be established fully before they can communicate, so there is most likely a delay between the server communication which is breaking the DHCP service from starting up correctly.


    Regards,

    Denis Cooper

    MCITP EA - MCT

    Help keep the forums tidy, if this has helped please mark it as an answer

    Tuesday, February 11, 2014 8:44 AM
  • Hello,

    By the way, you shouldn't shut down a DC every day. Maybe you couldn't turn it on again.

    Regards.


    MCT | Symantec Trusted Advisor

    Tuesday, February 11, 2014 8:55 AM
  • I will try that, although I'm not convinced that this will work, because of the following reasons:

    1. It's true that the VPN is not yet established at startup, but shouldn't the server contact itself if another DNS is not available? I mean there are four addresses in the list, three of them are references to itself.
    2. It does not happen on the second DC.
    3. It does not happen after every startup, until now only on Mondays.
    4. I thought it was recommended to point to another DNS first rather than itself.

    Perhaps I'm missing a point, so could you please explain your thoughts further?

    Tuesday, February 11, 2014 9:01 AM
  • Hello,

    By the way, you shouldn't shut down a DC every day. Maybe you couldn't turn it on again.

    Regards.


    MCT | Symantec Trusted Advisor

    As I said, I'm aware that it's not recommended to shut down a DC every day. The reason why we do it is to save energy, because there is no reason why the server should run on weekends, for example. I have to explain further that we work here in Madagascar, so power is not always very stable. So it has been a good solution for us to do it that way.

    I would like to mention also that the first DC has worked perfectly for almost a year now, it was always started as expected. The second DC was added recently, that's when the DHCP problems started.

    Thanks for your help.

    Matthias

    Tuesday, February 11, 2014 9:06 AM
  • If the first IP address is available but DNS has not started up fully you wouldn't necessarily go to the second server in the list.

    There is always debate surrounding the DNS entry and whether a server should point to itself or something else, but generally it is preferred that the DC talks to itself first for DNS.

    If this doesn't work you could try and change the DHCP service to a delayed start rather than automatic, as to me it sounds like it is starting before DNS is fully available.


    Regards,

    Denis Cooper

    MCITP EA - MCT

    Help keep the forums tidy, if this has helped please mark it as an answer

    Tuesday, February 11, 2014 9:21 AM
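The two changes Denis suggests (DC points to itself first for DNS, DHCP Server service on delayed start), plus a check of what AD actually lists as authorized and which 1046/1059 events were logged since the last boot, as an added example that is not part of the thread. It assumes a Windows Server 2008 R2 DC whose adapter is named "Local Area Connection"; the two IP addresses are placeholders, and the event provider name is assumed.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the DC.
# Assumptions: adapter name below, placeholder addresses, PowerShell 2.0 on 2008 R2
# (hence netsh/sc.exe rather than the 2012+ DnsClient/DhcpServer cmdlets).
$nic       = "Local Area Connection"
$selfIp    = "192.0.2.10"   # placeholder: this DC's own IPv4 address
$partnerIp = "192.0.2.20"   # placeholder: the other DC, reachable only over the VPN

# 1. DNS client order: this DC first, the VPN-side partner second.
#    "set dnsservers ... source=static" replaces the whole list; "add" appends at index 2.
netsh interface ipv4 set dnsservers name="$nic" source=static address=$selfIp register=primary validate=no
netsh interface ipv4 add dnsservers name="$nic" address=$partnerIp index=2 validate=no
netsh interface ipv4 show dnsservers name="$nic"

# 2. Delayed automatic start for the DHCP Server service.
#    Set-Service in PowerShell 2.0 cannot express "delayed-auto", so use sc.exe.
sc.exe config DHCPServer start= delayed-auto
sc.exe qc DHCPServer | Select-String "START_TYPE"

# 3. What does the directory say is authorized? The local address must appear here,
#    otherwise the service logs 1046 and stops serving clients.
netsh dhcp show server

# 4. Authorization events (1059 = no directory server seen, 1046 = not authorized)
#    written to the System log since the last boot, oldest first.
$os   = Get-WmiObject Win32_OperatingSystem
$boot = $os.ConvertToDateTime($os.LastBootUpTime)
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DHCP-Server'   # assumed provider name
    Id           = 1046, 1059
    StartTime    = $boot
} -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

If step 3 lists the host but step 4 still shows 1046 after a Monday boot, the timing between service start and directory availability, not the authorization record itself, is what to look at.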
  • If the first IP address is available but DNS has not started up fully you wouldn't necessarily go to the second server in the list.

    There is always debate surrounding the DNS entry and whether a server should point to itself or something else, but generally it is preferred that the DC talks to itself first for DNS.

    If this doesn't work you could try and change the DHCP service to a delayed start rather than automatic, as to me it sounds like it is starting before DNS is fully available.


    Regards,

    Denis Cooper

    MCITP EA - MCT

    Hello Denis,

    I changed the DNS settings as suggested by you and also put the DHCP on delayed start. It worked fine for the rest of last week (as it did before modifying the settings), but today, Monday, the same problem occurs. I really start to think that it's because the server is shut down during the whole weekend and that after a long downtime, something causes the DHCP to stop servicing clients.

    What else can I try?

    Cheers,

    Matthias

    Monday, February 17, 2014 5:47 AM
  • Hi,

    As Fatih mentioned, you should not shut down the server frequently; it is really a risk.

    Best Regards

    Quan Gu

    Monday, February 17, 2014 5:51 AM
  • Hi,

    As Fatih mentioned, you should not shut down the server frequently; it is really a risk.

    Best Regards

    Quan Gu

    Hello Quan Gu,

    Thanks for your reply. I don't see why it is a risk; it has worked well for almost a year now! It could always be started up manually if one day it doesn't start up automatically... There are three points that I would like to mention again:

    • DC1 had no problem whatsoever when it was the only DC in our network. The problems started once DC2 was installed in the remote site.
    • DC2 in the remote site is shut down and started up on the same schedule as DC1 and has no errors at all!
    • And the most astonishing point is that it's always on Mondays that DHCP doesn't serve clients. I think that due to the long shutdown over the weekend, the server tries to refresh some credentials or whatever after startup on Monday, and cannot do it because the VPN is down, so it stops serving clients. But then why does DC2 not have the same problem???

    Thank you very much for your help!

    Matthias

    Monday, February 17, 2014 6:52 AM
  • Hi,

    I don't know OpenVPN, but does the OpenVPN software create a virtual NIC in your server? A multihomed DC could create errors like you see. As your routing table might not be OK when the DHCP service starts, maybe bind the DHCP service to the local NIC only. Please ignore the tip if it doesn't create a second NIC.

    If yes, you fall into posts like this one: http://social.technet.microsoft.com/Forums/windowsserver/en-US/dcb6fc40-021a-4fce-b840-87034213bb6a/active-directory-domain-controller-could-not-be-contacted?forum=winserverDS, with maybe an easy possible solution: make the OpenVPN software run on another computer, or buy a small SOHO router that supports a site-to-site tunnel.


    Regards, Philippe


    Tuesday, February 18, 2014 2:50 AM
  • Hello Philippe,

    Thanks for your reply. There is indeed a virtual NIC in the server, on which OpenVPN listens. But DHCP is only listening on the "real" NIC of the server. This configuration worked well before the second DC was added to the domain, so I think it's not an OpenVPN problem.

    Hmm I really start to think that the only solution would be to remove the other DC from the domain, what a pity.

    Regards,

    Matthias

    Tuesday, February 18, 2014 7:54 AM
  • The additional DC wouldn't prevent the DC from starting if the config is correct.

    Did you try and set the DHCP server service to delayed start?


    Regards,

    Denis Cooper

    MCITP EA - MCT

    Help keep the forums tidy, if this has helped please mark it as an answer

    Tuesday, February 18, 2014 8:04 AM
  • Hello Denis,

    The server is starting, but the DHCP server is then not serving clients. Yes, I tried to put it on a delayed start but it didn't solve the problem. It works fine during the whole week, except on Monday morning after the long shutdown over the weekend.

    Cheers,

    Matthias

    Tuesday, February 18, 2014 8:12 AM
  • Hi, I agree with Denis, the fact you have another DC would not matter at all.

    In the past I had a server on a remote construction site that was out of sync for weeks, and the DHCP never stopped working.

    The fact that you have a multihomed DC on the other side can make a LOT of unknown errors, more than just the DHCP one.

    Can you use another computer for that link, and just route the packets to the remote site via that computer? route add remote_site 255.255.255.0 ip_of_other_computer in the worst case.

    To keep a link down or a server down is one thing, but go read on multihomed DCs; you will see that for that case there are a lot of resources that say "no" to it.


    Regards, Philippe
    Tuesday, February 18, 2014 11:29 AM
  • OK, in that case I will try and disable the OpenVPN service and the virtual NIC to see if it solves the problem of the DHCP server. I just want to mention that DHCP never stops working at random moments, but always on Monday when the server is started up (at least this was the case for the last three weeks). And the second DC doesn't have that problem, even with OpenVPN and the virtual NIC installed. The only difference between both DCs is that one acts as VPN server and the other as VPN client.

    It's true that it would be a better solution to use a separate computer for the VPN link, but if it could be done directly on the server, it would be easier. I'll try what you suggested and will post again if there is any news.

    Thanks guys for your help, appreciate it!

    Matthias
    • Edited by ADES IT Tuesday, February 18, 2014 12:15 PM
    Tuesday, February 18, 2014 12:12 PM
  • Hello everybody,

    On Friday, I disabled the VPN service and the virtual NIC. Today, after the startup of the server, again the same problem with the DHCP service.

    Perhaps the solution is not to shut down the server over the weekend...

    Regards,

    Matthias

    Monday, February 24, 2014 5:07 AM