I adding a backup domain controller to our network and as part was going to add a backup DHCP and DNS server to the network.
Can I use my microtik router as a non-authoritative DHCP server? and If so, on what interface. I have the RB 1100AH x2 and have a "lan" interface that connects to our main switch but I have some other user machines also connected to the other interfaces.
Any thoughts?
Re: Backup/non authoritative DHCP server
For your question on interface the answer is whatever interface has the IP address. I am assuming everything can talk together so the interfaces are bridged together so just look at whatever interface has the IP address and use that.
However for the rest of your question regarding DHCP redundancy it is not straightforward so below is the long answer.
Unfortunately the DHCPv4 protocol sucks in this regards and is one of the bigger PITA's IPv6 will solve. Making matters worse the "authoritative" button in the Mikrotik DHCP server config is really a poorly named button since "authoritative" has no meaning in DHCP. What that feature does is it say's that if the Mikrotik hears 2 requests from the same client in x number of seconds, then assume it is the only DHCP server available and respond.
Since DHCP has no concept of "authoritative", "non-authoritative", "primary","backup" or method to replicate the DB between servers what you normally do with DHCP when you want redundancy is have two DHCP servers, each with a scope that covers half the subnet so they don't overlap. For example, lets say you are using the 192.168.254.0/24 RFC 1918 space for a VLAN. DHCP server 1 (in your case the MS server) will have a scope covering 192.168.254.2-127 and DHCP server 2 (Mikrotik) will have a scope covering 192.168.254.128-254. This essentially means you can only have ~126 devices on the subnet (and VLAN) but in the SMB space that is not normally an issue. Of course you need to keep the DHCP options synchronized between the servers or you will pull your hair out trying to figure out why some machines do one thing and some another.
If you want the MS server to be the main DHCP server configure the scopes as above (non-overlapping) and then set the Mikrotik to be authoritative after 10 second delay. The Mikrotik will then only hand out addresses if the MS server doesnt respond to the client in roughly 10 seconds. The reason for ten seconds is that if the MS server is configured for address validation (a good idea BTW) it takes ICMP pings 2 seconds to time out so you may get a lot of false failures with the 2 second timer. Another gotcha is that the clients unicast lease renewals to the server that issued the lease which means that once a client has a lease from the Mikrotik it will keep it until it needs a whole new lease, either because its interface bounces, its rebooted, etc. They will not automatically fail back to the MS server when it comes up again.
A word to the wise from the "been there done that" club: Don't try to get cute and use address validation to allow overlapping scopes, especially on scopes with more the 40% leases active. Microsoft DHCP servers as well as others (but not Mikrotik as far as I can tell) support address validation which means that before an address is given out it is pinged to validate that there is nothing on that IP. If no response is received the address is considered available and offered but if a ping is received it is marked as used, normally for the same amount of time as the lease time. In some cases with multiple DHCP servers and overlapping scopes and with a VLAN more then half full, the servers can actually get so messed up that nearly all the addresses are considered "used" I have had this happen accidentally on scopes with over 60% leases used and what happens is ugly and to fix it you need to shut down all the ports, clear out all the leases from each server and then bring the ports online again.
There is another way which I really don't like but will mention You can also have multiple IP subnets on the same VLAN but making this work depends on whether the DHCP server is in the same VLAN and if not would require the router to DHCP relay on all IP's associated with the interface, something I dont know if the Mikrotik supports..
However for the rest of your question regarding DHCP redundancy it is not straightforward so below is the long answer.
Unfortunately the DHCPv4 protocol sucks in this regards and is one of the bigger PITA's IPv6 will solve. Making matters worse the "authoritative" button in the Mikrotik DHCP server config is really a poorly named button since "authoritative" has no meaning in DHCP. What that feature does is it say's that if the Mikrotik hears 2 requests from the same client in x number of seconds, then assume it is the only DHCP server available and respond.
Since DHCP has no concept of "authoritative", "non-authoritative", "primary","backup" or method to replicate the DB between servers what you normally do with DHCP when you want redundancy is have two DHCP servers, each with a scope that covers half the subnet so they don't overlap. For example, lets say you are using the 192.168.254.0/24 RFC 1918 space for a VLAN. DHCP server 1 (in your case the MS server) will have a scope covering 192.168.254.2-127 and DHCP server 2 (Mikrotik) will have a scope covering 192.168.254.128-254. This essentially means you can only have ~126 devices on the subnet (and VLAN) but in the SMB space that is not normally an issue. Of course you need to keep the DHCP options synchronized between the servers or you will pull your hair out trying to figure out why some machines do one thing and some another.
If you want the MS server to be the main DHCP server configure the scopes as above (non-overlapping) and then set the Mikrotik to be authoritative after 10 second delay. The Mikrotik will then only hand out addresses if the MS server doesnt respond to the client in roughly 10 seconds. The reason for ten seconds is that if the MS server is configured for address validation (a good idea BTW) it takes ICMP pings 2 seconds to time out so you may get a lot of false failures with the 2 second timer. Another gotcha is that the clients unicast lease renewals to the server that issued the lease which means that once a client has a lease from the Mikrotik it will keep it until it needs a whole new lease, either because its interface bounces, its rebooted, etc. They will not automatically fail back to the MS server when it comes up again.
A word to the wise from the "been there done that" club: Don't try to get cute and use address validation to allow overlapping scopes, especially on scopes with more the 40% leases active. Microsoft DHCP servers as well as others (but not Mikrotik as far as I can tell) support address validation which means that before an address is given out it is pinged to validate that there is nothing on that IP. If no response is received the address is considered available and offered but if a ping is received it is marked as used, normally for the same amount of time as the lease time. In some cases with multiple DHCP servers and overlapping scopes and with a VLAN more then half full, the servers can actually get so messed up that nearly all the addresses are considered "used" I have had this happen accidentally on scopes with over 60% leases used and what happens is ugly and to fix it you need to shut down all the ports, clear out all the leases from each server and then bring the ports online again.
There is another way which I really don't like but will mention You can also have multiple IP subnets on the same VLAN but making this work depends on whether the DHCP server is in the same VLAN and if not would require the router to DHCP relay on all IP's associated with the interface, something I dont know if the Mikrotik supports..
Re: Backup/non authoritative DHCP server
nspitzer, thanks for the great answer.
Firstly as soon as you mentioned the interface with the ip address I realized my mistake, sorry for the stupid question!!
Regarding the DHCP backup info. In summary the best method to create a backup DHCP server is to have them set to give out different ranges of IP address as opposed to one DHCP server giving out the full range:
i.e.
MS Server: 192.168.1.20-192.168.1.100
Microtik DHCP: 192.168.1.101 - 192.168.1.254 (Set to 10 Sec authoritative delay)
Brogan
Firstly as soon as you mentioned the interface with the ip address I realized my mistake, sorry for the stupid question!!
Regarding the DHCP backup info. In summary the best method to create a backup DHCP server is to have them set to give out different ranges of IP address as opposed to one DHCP server giving out the full range:
i.e.
MS Server: 192.168.1.20-192.168.1.100
Microtik DHCP: 192.168.1.101 - 192.168.1.254 (Set to 10 Sec authoritative delay)
Brogan