Once again, we find out how worthless and pathetic Microsoft is when it comes to thoroughness. Starting with Server 2012, they added the ability to have a failover DHCP server using load balancing or by acting as a hot spare and have it replicate the server configuration, which is great, except they left out the MAC filtering lists, forcing us to use scripts yet again to accomplish something that should have been built in.
Originally, I found this script, but it had mistakes and didn’t work the way I wanted it to, so this was basically just a total rewrite.
Using this script, you can create a Scheduled Task (run under an account with administrator privileges) that is triggered by any of the four filter state change Event IDs in the Windows Event Log and uses PowerShell remoting to update the filter list on the remote server. Obviously, the execution policy on each machine needs to allow RemoteSigned scripts, and PowerShell remoting must be enabled on both. The only line that needs to be changed in the script is the $RemoteDHCPFailoverServer assignment at the beginning, where the code starts.
SyncDHCPServerFilters.ps1
```powershell
# SyncDHCPServerFilters.ps1
# Author: Nathan Thomas
# Date: 10/23/2018
#
# Using Task Scheduler, trigger the update of the remote failover DHCP Server list
# upon the following event ID filter changes.
#   Event ID 123 - Added to the IPv4 Allow List
#   Event ID 124 - Removed from the IPv4 Allow List
#   Event ID 127 - Added to the IPv4 Deny List
#   Event ID 128 - Removed from the IPv4 Deny List
#
# NOTE: If you want to be able to edit the filter list on both DHCP servers and
# still have them sync, you would add a scheduled task on both servers, each
# pointing to the other server to update.

$RemoteDHCPFailoverServer = "remotedhcpserver.yourdomain.com";

# Get the REMOTE filters from $RemoteDHCPFailoverServer
# (@() guarantees an array, so .Count works even when zero or one filter is returned)
$rfilters = @(Invoke-Command -ComputerName $RemoteDHCPFailoverServer { Get-DhcpServerv4Filter });

# Delete the REMOTE filter set
If ($rfilters.Count -ne 0) {
    Invoke-Command -ComputerName $RemoteDHCPFailoverServer -ScriptBlock {
        ForEach ($filter in $using:rfilters) {
            Remove-DhcpServerv4Filter -MacAddress $filter.MacAddress;
        }
    }
}

# Get the LOCAL filters from localhost
$lfilters = @(Get-DhcpServerv4Filter);

# Import the new filter set on $RemoteDHCPFailoverServer
If ($lfilters.Count -ne 0) {
    Invoke-Command -ComputerName $RemoteDHCPFailoverServer -ScriptBlock {
        ForEach ($filter in $using:lfilters) {
            Add-DhcpServerv4Filter -List $filter.List -MacAddress $filter.MacAddress -Description $filter.Description;
        }
    }
}
```
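As an added example (my code, not the post's script), here is a differential version of the same sync: it works out which entries differ and changes only those, so the remote server is never left with an empty filter list part-way through the run, and a peer that already matches is left untouched, which matters if you install the task on both servers as the NOTE suggests, since a completed sync then causes no further filter changes on the other side. The hostname is a placeholder and the function names are mine.

```powershell
# Added example, not the original script: a differential sync that only
# touches entries that differ. The peer is never left with an empty filter
# list mid-run, and a peer that already matches gets no changes (and so
# logs no filter-change events). Assumes the same remoting setup as above.
$RemoteDHCPFailoverServer = "remotedhcpserver.yourdomain.com"   # placeholder

# Index a filter list by MAC address (upper-cased, as returned by the cmdlet).
function ConvertTo-FilterTable {
    param([object[]]$Filters)
    $table = @{}
    foreach ($f in @($Filters)) { if ($null -ne $f) { $table[$f.MacAddress.ToUpper()] = $f } }
    return $table
}

# True when two filters agree on list (Allow/Deny) and description.
function Test-FilterEqual {
    param($A, $B)
    return ($A.List -eq $B.List) -and ("$($A.Description)" -eq "$($B.Description)")
}

# Compute what must change on the peer so that $Remote matches $Local.
function Get-DhcpFilterSyncPlan {
    param([object[]]$Local, [object[]]$Remote)
    $l = ConvertTo-FilterTable $Local; $r = ConvertTo-FilterTable $Remote
    $toRemove = @(); $toAdd = @()
    foreach ($mac in $r.Keys) {   # stale or changed entries on the peer
        if (-not $l.ContainsKey($mac) -or -not (Test-FilterEqual $l[$mac] $r[$mac])) { $toRemove += $mac }
    }
    foreach ($mac in $l.Keys) {   # entries the peer is missing or holds in a stale form
        if (-not $r.ContainsKey($mac) -or -not (Test-FilterEqual $l[$mac] $r[$mac])) { $toAdd += $l[$mac] }
    }
    return @{ ToRemove = $toRemove; ToAdd = $toAdd }
}

$lfilters = @(Get-DhcpServerv4Filter)
$rfilters = @(Invoke-Command -ComputerName $RemoteDHCPFailoverServer { Get-DhcpServerv4Filter })
$plan = Get-DhcpFilterSyncPlan -Local $lfilters -Remote $rfilters
if ($plan.ToRemove.Count -eq 0 -and $plan.ToAdd.Count -eq 0) { Write-Output "Filters already in sync."; return }

# Remove first, then add, so a MAC whose list changed is not briefly in both lists.
$toRemove = $plan.ToRemove; $toAdd = $plan.ToAdd
Invoke-Command -ComputerName $RemoteDHCPFailoverServer -ScriptBlock {
    foreach ($mac in $using:toRemove) { Remove-DhcpServerv4Filter -MacAddress $mac }
    foreach ($f in $using:toAdd) { Add-DhcpServerv4Filter -List $f.List -MacAddress $f.MacAddress -Description $f.Description }
}

# Verify: re-read the peer; anything still left to do means the sync did not complete.
$after = @(Invoke-Command -ComputerName $RemoteDHCPFailoverServer { Get-DhcpServerv4Filter })
$check = Get-DhcpFilterSyncPlan -Local $lfilters -Remote $after
if ($check.ToRemove.Count -ne 0 -or $check.ToAdd.Count -ne 0) { Write-Error "Filter sync to $RemoteDHCPFailoverServer is incomplete." }
```

The final re-read is the check worth keeping even if you stay with the delete-and-reload approach: a remoting failure between the remove and add steps otherwise leaves the failover server with no deny list and nothing in the task history to say so.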
Task Scheduler
General
- Name: Sync DHCP Server Filter List
- Security options:
  - When running the task, use the following user account: Domain\Domain Administrator Account
  - Run whether user is logged on or not (radio button)
  - Run with highest privileges: checked
- Configure for: Windows Server 2012 R2

Triggers (create four triggers, identical except for the Event ID: 123, 124, 127, 128)
- Begin the task: On an event
- Basic (radio button)
- Log: Microsoft-Windows-DHCP Server Events/Operational
- Source: DHCP-Server
- Event ID: 123 (then 124, 127 and 128 for the other three triggers)
- Enabled: checked

Actions
- Action: Start a program
- Settings:
  - Program/Script: PowerShell
  - Add arguments (optional): .\SyncDHCPServerFilters.ps1 (name of the PowerShell script)
  - Start in (optional): C:\ (path to the folder where the script resides)

Conditions
- Leave at default

Settings
- Allow task to be run on demand: checked
- Stop the task if it runs longer than: 1 hour, checked
- If the running task does not end when requested, force it to stop: checked
- If the task is already running, then the following rule applies: Do not start a new instance