Server 2012 and Up – Sync DHCP Filter List on Hot Spare Failover Server

Once again, we find out how worthless and pathetic Microsoft is when it comes to thoroughness. Starting with Server 2012, they added DHCP failover, in which two servers share scopes in load-balance or hot-standby mode and replicate scope configuration and lease state between them, which is great, except the failover relationship does not replicate the server-level MAC allow/deny filter lists, forcing us to use scripts yet again to accomplish something that should have been built in.

Originally, I found this script, but it had mistakes and didn’t work the way I wanted it to, so this was basically just a total rewrite.

Using this script, you create a Scheduled Task, run under an account with sufficient rights (see the Task Scheduler section), that is triggered by any of the four filter-change Event IDs in the Windows Event Log and uses PowerShell remoting to rewrite the filter list on the other server. The local execution policy must allow the script to run (RemoteSigned is enough for a local, unsigned script, and the task can also pass -ExecutionPolicy on the command line), and PowerShell remoting must be enabled on the remote server (Enable-PSRemoting). The only line that needs to be changed in the script is the $RemoteDHCPFailoverServer variable at the top of the code. Be aware that the script wipes and rebuilds the entire remote list rather than applying a difference: if the remote server has its allow list enabled there is a short window in which no client is allowed, and if the task is installed on both servers each rewrite raises the same events on the other server and fires its task in turn, so the two tasks can keep re-triggering each other.

SyncDHCPServerFilters.ps1

# SyncDHCPServerFilters.ps1
# Author: Nathan Thomas
# Date: 10/23/2018
#
# Using Task Scheduler, trigger the update of the remote failover DHCP Server list
# upon the following event ID filter changes.
# Event ID 123 - Added to the IPv4 Allow List
# Event ID 124 - Removed from the IPv4 Allow List
# Event ID 127 - Added to the IPv4 Deny List
# Event ID 128 - Removed from the IPv4 Deny List
#
# NOTE: If you want to be able to edit the filter list on both DHCP servers and
# still have them sync, you would add a scheduled task on both servers, each
# pointing to the other server to update. Each sync rewrites the whole remote
# list, which raises the same event IDs on that server and fires its task too,
# so the two tasks can keep re-triggering each other.
#
# The remote list is removed and then rebuilt, so if the remote server has its
# allow list enabled there is a short window in which no client is allowed.

$RemoteDHCPFailoverServer = "remotedhcpserver.yourdomain.com";

# Stop on the first error so a failed step does not leave the remote list half-written.
$ErrorActionPreference = "Stop";

# Get the LOCAL filters first; if this fails, nothing on the remote server is touched.
# @() forces an array even when there are zero or one filters.
$lfilters = @(Get-DhcpServerv4Filter);

# One remoting session for both steps instead of reconnecting for each.
$session = New-PSSession -ComputerName $RemoteDHCPFailoverServer;
try {
	# Delete the REMOTE Filter Set (read it on the remote side; no need to copy it back first)
	Invoke-Command -Session $session -ScriptBlock {
		ForEach ($filter in @(Get-DhcpServerv4Filter -ErrorAction Stop)) {
			Remove-DhcpServerv4Filter -MacAddress $filter.MacAddress -ErrorAction Stop;
		}
	};

	# Import the new Filter Set on $RemoteDHCPFailoverServer
	If ($lfilters.Count -gt 0) {
		Invoke-Command -Session $session -ScriptBlock {
			ForEach ($filter in $using:lfilters) {
				$params = @{ List = $filter.List; MacAddress = $filter.MacAddress; ErrorAction = "Stop" };
				# Description is optional; only pass it when the local entry has one.
				If ($filter.Description) { $params.Description = $filter.Description; }
				Add-DhcpServerv4Filter @params;
			}
		};
	}
}
finally {
	Remove-PSSession $session;
}
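A delta-based alternative, added here as an example and not part of the original script: instead of wiping and rebuilding the remote list, it computes which entries differ and applies only those, so there is never a window in which the remote list is empty, and a second pass (the re-trigger caused by the other server's task) finds nothing to do, which is what stops the two tasks re-triggering each other. Get-FilterDelta is a pure comparison and runs offline on the constructed sample data at the bottom; Sync-DhcpV4Filters applies the delta through the DhcpServer cmdlets' own -ComputerName parameter (DHCP RPC), which needs DHCP Administrators rights on the remote server but not PowerShell remoting. The function names, the sample MAC addresses and descriptions are made up for the example.

```powershell
# Added example: delta-based filter sync (not the original script above).

function Get-FilterDelta {
    # Compare two filter lists keyed on MAC address and return what must change on the
    # remote side to make it match the local side. Pure function: no server access.
    param(
        [AllowEmptyCollection()] [object[]] $Local = @(),
        [AllowEmptyCollection()] [object[]] $Remote = @()
    )
    # Normalise "00-11-22-33-44-55", "00:11:22:33:44:55" and "001122334455" to one key.
    $key = { param($f) ($f.MacAddress -replace '[-:.]', '').ToUpperInvariant() }

    $localByMac = @{};  foreach ($f in $Local)  { $localByMac[(& $key $f)]  = $f }
    $remoteByMac = @{}; foreach ($f in $Remote) { $remoteByMac[(& $key $f)] = $f }

    $toAdd    = New-Object System.Collections.Generic.List[object]
    $toRemove = New-Object System.Collections.Generic.List[object]

    foreach ($mac in $localByMac.Keys) {
        $l = $localByMac[$mac]; $r = $remoteByMac[$mac]
        if ($null -eq $r) { $toAdd.Add($l); continue }
        # Same MAC but on the other list (Allow vs Deny): Remove-DhcpServerv4Filter only
        # takes a MAC, so a move between lists is expressed as remove-then-add.
        if ($r.List -ne $l.List) { $toRemove.Add($r); $toAdd.Add($l) }
    }
    foreach ($mac in $remoteByMac.Keys) {
        if (-not $localByMac.ContainsKey($mac)) { $toRemove.Add($remoteByMac[$mac]) }
    }
    [pscustomobject]@{ Add = $toAdd.ToArray(); Remove = $toRemove.ToArray() }
}

function Sync-DhcpV4Filters {
    # Apply the delta to a real remote server. Removals run first so a MAC moving between
    # lists is never present twice; nothing is touched when the lists already match.
    param([Parameter(Mandatory)] [string] $ComputerName)
    $local  = @(Get-DhcpServerv4Filter -ErrorAction Stop)
    $remote = @(Get-DhcpServerv4Filter -ComputerName $ComputerName -ErrorAction Stop)
    $delta  = Get-FilterDelta -Local $local -Remote $remote
    foreach ($f in $delta.Remove) {
        Remove-DhcpServerv4Filter -ComputerName $ComputerName -MacAddress $f.MacAddress -ErrorAction Stop
    }
    foreach ($f in $delta.Add) {
        $p = @{ ComputerName = $ComputerName; List = $f.List; MacAddress = $f.MacAddress; ErrorAction = 'Stop' }
        if ($f.Description) { $p.Description = $f.Description }
        Add-DhcpServerv4Filter @p
    }
    $delta   # what was changed; empty Add and Remove means the lists already matched
}

# --- Offline demonstration on constructed data (these are not real filters) ---
$localSample = @(
    [pscustomobject]@{ List = 'Allow'; MacAddress = '00-11-22-33-44-55'; Description = 'printer-1' },
    [pscustomobject]@{ List = 'Allow'; MacAddress = '00-11-22-33-44-66'; Description = 'new laptop' },
    [pscustomobject]@{ List = 'Deny';  MacAddress = 'AA-BB-CC-DD-EE-FF'; Description = 'moved to deny' }
)
$remoteSample = @(
    [pscustomobject]@{ List = 'Allow'; MacAddress = '00-11-22-33-44-55'; Description = 'printer-1' },
    [pscustomobject]@{ List = 'Allow'; MacAddress = 'aa:bb:cc:dd:ee:ff'; Description = 'still allowed here' },
    [pscustomobject]@{ List = 'Deny';  MacAddress = '12-34-56-78-9A-BC'; Description = 'removed locally' }
)
$delta = Get-FilterDelta -Local $localSample -Remote $remoteSample
$delta.Add    | ForEach-Object { "ADD    $($_.List) $($_.MacAddress)" }
$delta.Remove | ForEach-Object { "REMOVE $($_.List) $($_.MacAddress)" }

# Simulate having applied the delta, then compare again: the second pass is what the
# other server's re-triggered task would do, and it should have nothing left to change.
$after  = @($remoteSample | Where-Object { $_.MacAddress -notin $delta.Remove.MacAddress }) + $delta.Add
$second = Get-FilterDelta -Local $localSample -Remote $after
"Second pass changes: $($second.Add.Count + $second.Remove.Count)"
```

To use it from the scheduled task, dot-source the file and call Sync-DhcpV4Filters -ComputerName remotedhcpserver.yourdomain.com in place of the wipe-and-rebuild script; the MAC normalisation matters because the DHCP console and the cmdlets do not always format addresses the same way, and without it identical entries would be removed and re-added on every run.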

Task Scheduler

General
Name: Sync DHCP Server Filter List
Security options:
When running the task, use the following user account: Domain\Domain Administrator Account (see note)
Run whether user is logged on or not - Radio button
Run with highest privileges - checked
Configure for: Windows Server 2012 R2

Note on the account: Task Scheduler stores this account's password on the DHCP server, so a dedicated account with only what the script needs is the better choice: membership in DHCP Administrators on both servers, and, on the remote server, membership in Administrators or Remote Management Users so that Invoke-Command is accepted. A Domain Admin account works, but it leaves a Domain Admin credential on a member server for a job that needs none of that privilege.

Triggers
Create four triggers, identical except for the Event ID (123, 124, 127 and 128):

Begin the task: On an event
Basic - Radio button
Log: Microsoft-Windows-DHCP Server Events/Operational
Source: DHCP-Server
Event ID: 123 (then 124, 127 and 128 for the other three triggers)
Enabled - checked

Actions
Action: Start a program
Settings:
Program/Script: powershell.exe
Add arguments (optional): -NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File C:\SyncDHCPServerFilters.ps1 (full path to the script; -File does not depend on "Start in", -NonInteractive keeps a stray prompt from hanging the task until the time limit, and -ExecutionPolicy applies only to this process)
Start in (optional): C:\ (path to the folder where the script resides; it should be writable only by administrators, since the task runs whatever is there with elevated rights)

Conditions
Leave at default

Settings
Allow task to be run on demand - checked
Stop the task if it runs longer than: 1 hour - checked
If the running task does not end when requested, force it to stop - checked
If the task is already running, then the following rule applies: Do not start a new instance.
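The same task created from PowerShell, added here as an example and not taken from the original post. It assumes the script is saved as C:\Scripts\SyncDHCPServerFilters.ps1 in a folder only administrators can write to, and a hypothetical service account DOMAIN\svc-dhcpsync in place of a Domain Admin. The Event Viewer display name "Microsoft-Windows-DHCP Server Events/Operational" corresponds to the channel Microsoft-Windows-Dhcp-Server/Operational with provider Microsoft-Windows-DHCP-Server; both names are checked before the task is registered, because a typo there produces a task that simply never fires. One event trigger with an XPath query covers all four Event IDs; New-ScheduledTaskTrigger cannot build event triggers, so the trigger is created as a CIM instance.

```powershell
# Added example: register the filter-sync task from PowerShell (not from the original post).
$taskName   = 'Sync DHCP Server Filter List'
$scriptPath = 'C:\Scripts\SyncDHCPServerFilters.ps1'   # assumed location, admin-writable only
$runAs      = 'DOMAIN\svc-dhcpsync'                    # hypothetical service account

# Underlying channel and provider behind the Event Viewer display name.
$channel  = 'Microsoft-Windows-Dhcp-Server/Operational'
$provider = 'Microsoft-Windows-DHCP-Server'
$eventIds = 123, 124, 127, 128

# Fail here, not silently at trigger time, if either name is wrong on this server.
Get-WinEvent -ListLog $channel -ErrorAction Stop | Out-Null
Get-WinEvent -ListProvider $provider -ErrorAction Stop | Out-Null

# One subscription for all four filter-change events instead of four separate triggers.
$idClause = ($eventIds | ForEach-Object { "EventID=$_" }) -join ' or '
$subscription = @"
<QueryList>
  <Query Id="0" Path="$channel">
    <Select Path="$channel">*[System[Provider[@Name='$provider'] and ($idClause)]]</Select>
  </Query>
</QueryList>
"@

# Event triggers are not exposed by New-ScheduledTaskTrigger; build the CIM object directly.
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Enabled      = $true
$trigger.Subscription = $subscription

# -File with an absolute path avoids depending on the "Start in" directory; -NonInteractive
# stops a prompt from hanging the task; -ExecutionPolicy scopes the policy to this process only.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File `"$scriptPath`"" `
    -WorkingDirectory (Split-Path $scriptPath)

# Same settings as the walkthrough above: 1 hour limit, no second instance while one runs.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) -MultipleInstances IgnoreNew

# "Run whether user is logged on or not" needs a stored password; prompt rather than hardcode it.
$cred = Get-Credential -UserName $runAs -Message "Password for $runAs (stored by Task Scheduler)"

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Highest -Force

# Verify: the registered trigger should carry the subscription and be enabled.
(Get-ScheduledTask -TaskName $taskName).Triggers | Select-Object Enabled, Subscription
```

Registering the task this way also gives you a repeatable definition to apply on the second server (pointing its script at the first), which is the setup the script's NOTE describes, and Get-ScheduledTask -TaskName followed by Get-ScheduledTaskInfo shows the last run time and result code when you need to confirm the trigger actually fired.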
