| 1 | +--- |
| 2 | +title: Guidance for Troubleshooting DHCP Authorization Failures |
| 3 | +description: Introduces general guidance for troubleshooting authorization failures related to DHCP. |
| 4 | +ms.date: 01/17/2025 |
| 5 | +manager: dcscontentpm |
| 6 | +audience: itpro |
| 7 | +ms.topic: troubleshooting |
| 8 | +ms.reviewer: kaushika, shpune, rnitsch, 5x5dnd |
| 9 | +ms.custom: sap:Network Connectivity and File Sharing\Dynamic Host Configuration Protocol (DHCP), csstroubleshoot |
| 10 | +--- |
| 11 | +# Troubleshooting guide: DHCP authorization failures |
| 12 | + |
| 13 | +This guide provides a detailed step-by-step process for diagnosing and resolving Dynamic Host Configuration Protocol (DHCP) authorization failures in an Active Directory (AD) environment. |
| 14 | + |
| 15 | +## Symptoms |
| 16 | + |
| 17 | +During the post-installation phase of the DHCP role on a server, you encounter the following error message: |
| 18 | + |
| 19 | +> Authorizing DHCP server ….. Failed |
| 20 | +> The authorization of DHCP server failed with Error Code: 20070. The DHCP service could not contact Active Directory. |
| 21 | +
|
| 22 | +The DHCP console displays a downward red arrow in the IPv4 section, indicating that the server isn't authorized. |
| 23 | + |
| 24 | +:::image type="content" source="media/troubleshooting-guide-dhcp-authorization-failures/dhcp-console-showing-unauthorized-status.png " alt-text="Screenshot of the DHCP console showing an unauthorized status."::: |
| 25 | + |
| 26 | +Event ID 1046 is logged in the System event logs, indicating that the DHCP server isn't authorized to lease IP addresses: |
| 27 | + |
| 28 | +> The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain <domain>, has determined that it is not authorized to start. It has stopped servicing clients. |
| 29 | +
|
| 30 | +:::image type="content" source="media/troubleshooting-guide-dhcp-authorization-failures/event-log-indicating-unauthorized-status.png" alt-text="Screenshot of the event log indicating an unauthorized status."::: |
| 31 | + |
| 32 | +Manual attempts to authorize the DHCP server can also fail with the following error message: |
| 33 | + |
| 34 | +> The specified domain either does not exist or could be contacted. |
| 35 | +
|
| 36 | +## DHCP authorization flow |
| 37 | + |
| 38 | +DHCP authorization ensures that only authorized servers can operate within an AD domain. This mechanism prevents unauthorized servers from distributing IP addresses, which can cause network conflicts and security issues. |
| 39 | + |
| 40 | +When a DHCP server is authorized, an entry is created in AD under the list of authorized servers. This behavior is accomplished through Lightweight Directory Access Protocol (LDAP) communications between the domain controller (DC) and the DHCP server. This list resides in the **Configuration** container of the AD schema. |
| 41 | + |
| 42 | +:::image type="content" source=" media/troubleshooting-guide-dhcp-authorization-failures/entry-created-in-ad.png" alt-text="Screenshot showing the entry created in AD."::: |
| 43 | + |
| 44 | +The DHCP server validates its authorization status in Active Directory Domain Services (AD DS) every hour using LDAP. If the server's IP address isn't found in this list, the server deauthorizes itself. |
| 45 | + |
| 46 | +## Causes of authorization failures |
| 47 | + |
| 48 | +- Permission issues: The account used to authorize the server doesn't have sufficient privileges. |
| 49 | +- Missing entries in AD: The entry for the DHCP server might be deleted from AD's **Configuration** container. |
| 50 | +- Connectivity issues: Network or firewall problems prevent communication between the DC and the DHCP server. |
| 51 | +- AD replication problems: Delays or issues can cause inconsistent entries, leading to duplicate or conflicting entries (for example, Conflict (CNF) objects) in AD's **Configuration** container. The DHCP server can't be authorized with these entries. |
| 52 | + |
| 53 | +## Troubleshooting steps |
| 54 | + |
| 55 | +### Step 1: Verify permissions |
| 56 | + |
| 57 | +Use an Enterprise Administrator account to authorize the DHCP server. This account has sufficient permissions to make changes to AD. |
| 58 | + |
| 59 | +### Step 2: Check the authorization status |
| 60 | + |
| 61 | +Run one of the following commands to verify if the DHCP server's entry exists in the list of authorized servers in AD: |
| 62 | + |
| 63 | +**PowerShell command:** |
| 64 | + |
| 65 | +```powershell |
| 66 | +Get-DhcpServerInDC |
| 67 | +``` |
| 68 | + |
| 69 | +**Command Prompt command:** |
| 70 | + |
| 71 | +```cmd |
| 72 | +netsh dhcp show server |
| 73 | +``` |
| 74 | + |
| 75 | +Alternatively, use **ADSI Edit** to connect to the **Configuration** partition and verify if the server appears there: |
| 76 | + |
| 77 | +1. Open **adsiedit.msc** on the DC. |
| 78 | +2. Connect to the **Configuration** container. |
| 79 | +3. Navigate to **Configuration** > **Services** > **NetServices**. |
| 80 | +4. Check if the DHCP server's name appears on the right pane. |
| 81 | + |
| 82 | +### Step 3: Try manual authorization |
| 83 | + |
| 84 | +If there's no existing entry for your server, follow these steps: |
| 85 | + |
| 86 | +1. Open **DHCP Management Console**. |
| 87 | +2. Right-click your DHCP server name. |
| 88 | +3. Select **Authorize**. |
| 89 | + |
| 90 | +If this fails, proceed further. |
| 91 | + |
| 92 | +### Step 4: Verify the connectivity |
| 93 | + |
| 94 | +Use the following tools to test the connectivity between the DHCP server and the DC: |
| 95 | + |
| 96 | +- **Ping** command for basic network connectivity checks between both servers. |
| 97 | +- **Test-NetConnection** command for TCP port 389 via PowerShell. For example: |
| 98 | + |
| 99 | + ```powershell |
| 100 | + Test-NetConnection -ComputerName <DC-IP> -Port 389 |
| 101 | + ``` |
| 102 | + |
| 103 | +Verify LDAP ports (TCP/UDP 389) are open and functional. Review firewall settings to ensure these ports aren't blocked. Resolve detected connectivity issues accordingly. |
| 104 | + |
| 105 | +Additionally, you can capture Wireshark traces to identify packet drops between the DC and the DHCP server. |
| 106 | + |
| 107 | +### Step 5: Identify and resolve conflicting entries |
| 108 | + |
| 109 | +1. Open **adsiedit.msc** and navigate to **Configuration** > **Services** > **NetServices**. |
| 110 | + |
| 111 | +2. Look for entries with the CNF tag that include the server name. The CNF tag is added under the attribute CN. For example: |
| 112 | + |
| 113 | + > cn <fqdn>CNF:ca69f501234 |
| 114 | +
|
| 115 | +In this case, the CNF object (conflicting object) needs to be deleted. We recommend that you take an AD backup and then delete this object. Once the object is deleted, you can reauthorize the DHCP server. |
| 116 | + |
| 117 | +## Extra troubleshooting steps |
| 118 | + |
| 119 | +When you manually try to authorize the server, it might work, but it fails again in a few days because its entry is deleted in AD. In such cases, it's important to understand why the entry keeps getting deleted in AD or who is deleting the entry from AD. |
| 120 | + |
| 121 | +To find who deleted the entry from the DC for the DHCP server, you can enable auditing on the DC, which isn't enabled by default. Follow these steps to enable auditing: |
| 122 | + |
| 123 | +### Enable auditing of AD changes |
| 124 | + |
| 125 | +1. Open the **Group Policy Management console** on the DC or run **gpmc.msc**. |
| 126 | + |
| 127 | +2. Navigate to **Domains** > *Domain_Name* > **Domain Controllers** > **Default Domain Controller Policy**. |
| 128 | + |
| 129 | +3. Right-click and edit the **Default Domain Controller Policy**. |
| 130 | + |
| 131 | +4. Navigate to **Computer Configuration** > **Policies** > **Windows Settings** > **Advanced Audit Policy Configuration** > **Audit Policies** > **DS Access** > **Audit Directory Service Changes**. Enable **Success** and **Failure** attempts. |
| 132 | + |
| 133 | +### Set up auditing within the "Configuration" container |
| 134 | + |
| 135 | +1. Open **adsiedit.msc**. |
| 136 | + |
| 137 | +2. Connect to the **Configuration** container. |
| 138 | + |
| 139 | +3. Navigate to **Services** > **NetServices**. |
| 140 | + |
| 141 | +4. Right-click and select **Properties**. |
| 142 | + |
| 143 | +5. Go to the **Security** tab and select **Advanced**. |
| 144 | + |
| 145 | +6. In the **Auditing** tab, select **Add**. |
| 146 | + |
| 147 | +7. Add the **Everyone** group and enable auditing for: |
| 148 | + |
| 149 | + - **Write All Properties** |
| 150 | + - **Delete** |
| 151 | + - **Delete Subtree** |
| 152 | + |
| 153 | +8. Apply the changes. |
| 154 | + |
| 155 | +9. When the issue recurs, export the security event logs on the DC to identify who deleted or modified the DHCP entry. |
| 156 | + |
| 157 | +See the following example of event deletion: |
| 158 | + |
| 159 | +```output |
| 160 | +A directory service object was deleted. |
| 161 | +
|
| 162 | +Subject: |
| 163 | + Security ID: <domain>\administrator |
| 164 | + Account Name: Administrator |
| 165 | + Account Domain: <domain> |
| 166 | + Logon ID: 0x35D447 |
| 167 | +
|
| 168 | +Directory Service: |
| 169 | + Name: <url> |
| 170 | + Type: Active Directory Domain Services |
| 171 | +
|
| 172 | +Object: |
| 173 | + DN: CN=<fqdn>,CN=NetServices,CN=Services,CN=Configuration,DC=<domain>,DC=com |
| 174 | +``` |
| 175 | + |
| 176 | +For more information, see [Configure auditing on the configuration container](/defender-for-identity/deploy/configure-windows-event-collection#configure-auditing-on-the-configuration-container). |
| 177 | + |
| 178 | +## Data collection |
| 179 | + |
| 180 | +Before contacting Microsoft support, you can gather information about your issue. |
| 181 | + |
| 182 | +Follow the steps provided in [Introduction to TroubleShootingScript toolset (TSS)](../../windows-client/windows-tss/introduction-to-troubleshootingscript-toolset-tss.md) to download and collect logs using the TSS tool. Then, use this command to enable log collection on the impacted computer. |
| 183 | + |
| 184 | +```powershell |
| 185 | +.\TSS.ps1 -Scenario NET_DHCPsrv |
| 186 | +``` |
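Review bot: the manual-authorization error quoted in the Symptoms section is missing a word and currently reads as the opposite of the real message: `The specified domain either does not exist or could be contacted.` should be `The specified domain either does not exist or could not be contacted.` Two of the `:::image` directives will also fail to render because of stray whitespace inside the `source` attribute: the DHCP console screenshot has a trailing space before the closing quote (`dhcp-console-showing-unauthorized-status.png "`) and the AD entry screenshot has a leading space after the opening quote (`source=" media/...`); both should be trimmed. In Step 4, the `Test-NetConnection -Port 389` example only checks TCP, but the paragraph that follows asks the reader to verify "LDAP ports (TCP/UDP 389)"; either narrow that sentence to TCP or say that the UDP check needs a different tool (a packet capture, as the Wireshark sentence already suggests). Finally, the sample security event in the auditing section ("A directory service object was deleted.") would be easier to locate in an exported log if its event ID (5141) were stated next to it, the same way Event ID 1046 is called out in the Symptoms section.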