none
Upgrade From 2016 to 2019 Breaks DHCP Relay Agent when Using RRAS RRS feed

  • Question

  • Hi All

     I carried out an in place upgrade of Server 2016 1607 Standard to Server 2019 1809 Standard and it has broken the DHCP Relay Agent so my VPN clients no longer receive a valid IP Address from my DHCP Server. I have uninstalled and started the RRAS config from scratch but the issue remains.

    I have worked around it by using a static pool of addresses within the RRAS config and all is well for the interim. Ideally I need to get the DHCP Addressing working correctly again.

    Has anyone else experienced this? Thanks in advance....

    Thursday, November 15, 2018 4:59 PM

All replies

  • Hi,

    I have the exact same issue.

    After in place upgrade of Server 2016 1607 Standard to Server 2019 1809 Standard the RRAS DHCP IPv4 address assignment is not working anymore. After reboot the RAS (Dial In) interface fallback to IPv4 Address Autoconfiguration even if the interface is set DHCP enabled (manually):

    Configuration for interface "RAS (Dial In) Interface"
        DHCP enabled:                         Yes
        IP Address:                           169.254.0.32
        Subnet Prefix:                        169.254.0.0/16 (mask 255.255.0.0)
        InterfaceMetric:                      75
     

    The IPv6 address assignment and routing works as expected. As does WAP and ADFS Proxy.

    This was the IPv4 RRAS setting (in 2016) and still is (in 2019):

    Wednesday, November 21, 2018 8:55 AM
  • I have the same issue on my WS2019 upgraded from WS2016. I don't even use relay, because my DHCP server is on the same network and subnet. Before upgrade everything worked fine, now it does not.
    Sunday, November 25, 2018 3:38 PM
  • I can confirm what Lukas reports here. It's not the Relay function (not used in my setup either), but DHCP (IPv4) client not working. One workaround (like Rebell_dtu suggested) is to narrow in on the DHCP scope to free up some addresses and add them back in a "Static address pool".
    Monday, November 26, 2018 1:49 PM
  • I have this exact same issue in my lab when testing Server 2019 standard.  This was a clean install and nothing but RRAS setup on it, replacing similar functionality of Server 2016.  I can work around it with a static address pool but would rather default to my DHCP server.

    Microsoft - has this been acknowledged as a bug?

    Wednesday, December 5, 2018 6:42 PM
  • I have the same identical issue.

    I installed a new server 2019 and enabled RRAS but it has the same error even it NOT upgraded from 2016.

    It's a relay agent problem.

    Tuesday, December 18, 2018 10:34 AM
  • Hi i have the Same Thing here …. 

     what is the solution ? 

     in 2016 works  but in 2019 does not work …. 

    anybody should tell  MS ? 

    Thursday, December 27, 2018 1:16 PM

  • Hi i have the Same Thing here …. 

     what is the solution ? 

     in 2016 works  but in 2019 does not work …. 

    anybody should tell  MS ? 

    Thursday, December 27, 2018 1:16 PM
  • Hi.

    Did someone solve this problem?

    Tuesday, January 15, 2019 7:43 PM
  • I am also currently experiencing this problem with a newly installed 2019 server. Static IP address pool allocation works but not with DHCP relay agent set.

    Friday, January 18, 2019 5:28 AM
  • Not to date it would seem. I have tried all sorts of things from metrics on the adapters to different gateway configs etc etc etc. This is definitely an issue that is going to require a fix from Microsoft. Lets hope they release one soon.
    • Edited by rebell_dtu Wednesday, January 23, 2019 2:34 PM
    Wednesday, January 23, 2019 2:33 PM
  • I'm running in the same issue atm. Fresh installed 2019 Server ... Took me hours of troubleshooting until i found this post.

    Is there any solution for this problem yet?


    • Edited by arzo83 Tuesday, March 5, 2019 8:24 PM
    Tuesday, March 5, 2019 8:24 PM
  • Still no noise from Microsoft on this one. Something must have changed in the network stack as I also used to be able to set multiple gateways on my VPN Server... That's broken too in as much to say that if I set another Gateway it stops the AD authorisation...  I've been keeping an eye on the cumulative updates looking for the fix but no joy at all thus far.... Pretty poor showing to be honest. SRV2016 works without an issue. Might be time to rollback :-( 
    Wednesday, March 6, 2019 8:02 PM
  • Same issue here.
    Thursday, April 18, 2019 12:35 AM
  • Same issue here with windows 2019. please fix it.
    Saturday, April 27, 2019 3:12 PM
  • I am experiencing the same issue after doing an in-place upgrade from Server 2016 to Server 2019.

    Faisal Nahian

    Tuesday, May 21, 2019 3:44 AM
  • Same issue. Spent a lot of hours to troubleshoot. No solution at all except using a static adress pool.

    Monday, May 27, 2019 1:49 PM
  • We logged a case with Microsoft for it.

    They confirmed it being an issue and are working on a permanent solution, and provided us a workaround for the time being:

    1-Add this registry key :

     

    reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dhcp" /v RequiredPrivileges /d "SeChangeNotifyPrivilege"\0"SeCreateGlobalPrivilege"\0"SeImpersonatePrivilege"\0 /t REG_MULTI_SZ /f

    2-Restart the DHCP client service :-

     

    $dhcpPID = $( tasklist /svc /fo CSV | findstr Dhcp).split(",")[1].replace('"','')

     

    stop-process $dhcpPID -force

     

    Start-Service Dhcp

     

    3-Restart the Remote Connection Service.

    If you want, you can skip step 2 & 3 and just reboot the RRAS server after step 1.

    Confirmed on 2 servers.

    • Proposed as answer by Danny.V Wednesday, June 19, 2019 11:08 AM
    Wednesday, June 19, 2019 7:01 AM
  • Great! It works. I've been waiting for months for a solution.
    • Edited by zemitch Wednesday, June 19, 2019 7:22 AM
    Wednesday, June 19, 2019 7:22 AM
  • I've just tried this on my 2019 server.

    After running the regadd and it adding the entry, i tried to restart the dhcp service but get:

    error 5 : access is denied.

    If i reboot the server i still get a red cross against VPN Addressing on the status screen.

    What did i do wrong?

    What OS build are you running?

    Thanks.

    Wednesday, August 28, 2019 8:47 PM
  • Usually a permission error. Please try this : https://support.citrix.com/article/CTX223831
    Thursday, August 29, 2019 4:09 AM
  • In Server 2016 and earlier releases, the DHCP client service gained the SeImpersonatePrivilege priveldge from other services running in the same SVCHOST instance.

    Service hosts in SVCHOST.EXE are split into separate processes on RS3 and later versions of Windows 10 and  Windows Server 2016 and all versions of Windows Server 2019 configured with more than 3.5 GB+ of RAM.

    Calls to DHCP client API DhcpLeaseIpAddressEx fail with ACCESS_DENIED because the DHCP Client Service process lacks the SeImpersonatePrivilege. Without this privilege, the process can not impersonate credentials.

    Microsoft was tracking a bug for THIS issue and recently built a private that was validated internally

    All fixes must be validated by a customer prior to release. To date no customer with a related support case has been willing to test and validate the private.

    If someone wants this fix on WIn10 1809 / Windows Server 2019, open a support case with Microsoft commercial support and tell them you have a match for internal KB 4508686

    Friday, September 6, 2019 3:07 PM
  • Issue still exists as of 10/7/2019, fresh win 2019 vm with all updates.
    Monday, October 7, 2019 10:45 PM
  • Thank you!  I spent the last week pulling hair and questioning my life choices until I ran across your post. 

    This registry change fixes broken VPN on a new Server 2019 VM install (not an upgrade), using ISO straight from VLSC (X22-02970). I applied the change and rebooted and everything works as intended now.

    JDRAGGI is right, it's not fixed as of September's updates; I haven't installed October's yet.

    Wednesday, October 16, 2019 1:19 AM
  • I don't seem to be able to get the fix to work, from running WINVER what version/build are you running with the fix working?

    Thanks

    Sunday, November 24, 2019 5:13 PM
  • I can't get the fix to work either.  Really disappointing that after all this time they don't have it updated yet.
    Tuesday, December 10, 2019 1:12 AM

  • PS C:\Windows\system32> reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dhcp" /v RequiredPrivileges /d "SeChangeNotifyPrivilege"\0"SeCreateGlobalPrivilege"\0"SeImpersonatePrivilege"\0 /t REG_MULTI_SZ /f
    ERROR: Invalid syntax.
    Type "REG ADD /?" for usage.
    Only needed to add SeImpersonatePrivilege, as the other two existed



    • Edited by scerazy Saturday, December 14, 2019 1:52 PM
    Saturday, December 14, 2019 1:46 PM
  • I still cannot get the fix/workaround to work.

    Tried on 2 servers both clean installs and still get a red X against 'vpn addressing'

    Surely they should have a fix by now... it's holding me back from migrating from working 2016 server.

    Monday, December 30, 2019 6:20 PM
  • This should work, if you set the vpn dhcp from automatic to manually It should work for you By applying the below work around should work with vpn dhcp set to automatic If it does not work with static up addresses then there is something else wrong 1-Add this registry key : reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dhcp" /v RequiredPrivileges /d "SeChangeNotifyPrivilege"\0"SeCreateGlobalPrivilege"\0"SeImpersonatePrivilege"\0 /t REG_MULTI_SZ /f ​ 2-Restart the DHCP client service :- $dhcpPID = $( tasklist /svc /fo CSV | findstr Dhcp).split(",")[1].replace('"','') stop-process $dhcpPID -force Start-Service Dhcp 3-Restart the Remote Connection Service. If you want, you can skip step 2 & 3 and just reboot the RRAS server after step 1. Confirmed on 2 servers.
    Monday, December 30, 2019 10:20 PM
  • Works a treat. Thanks we have had this issue on a few servers
    Thursday, January 23, 2020 10:00 AM
  • Confirmed working 2/25/20, I love you guys.
    Wednesday, February 26, 2020 2:15 AM
  • This solution worked for me too. Thank you.
    Thursday, April 23, 2020 7:07 AM
  • I got to say, this was on of the first articles I saw and was like "nah, that doesn't apply to me". And then 5 hours later I find Lukas Beran posting this info and I give it a shot. Added reg key, rebooted RRAS server, working perfectly. Thank you!

    https://www.lukasberan.com/2016/12/how-to-configure-sstp-vpn-on-windows-server/


    VR// Brian Mc

    Tuesday, May 5, 2020 10:35 PM