How to Configure High Availability for DHCP with DHCP Failover on Windows Server 2025
A DHCP server is a critical piece of network infrastructure: if it fails, new devices cannot obtain IP addresses and existing leases will eventually expire, causing network connectivity outages. Historically, administrators worked around this limitation by splitting scopes manually between two servers (the 80/20 rule) or using Windows Server clustering. Windows Server 2025 includes a far more elegant solution — DHCP Failover — which synchronizes scope configurations and lease databases between two DHCP servers in real time, providing transparent high availability without the complexity of Windows Failover Clustering. DHCP Failover supports two modes: Load Balance, where both servers actively answer DHCP requests simultaneously sharing the address pool, and Hot Standby, where one server is active and the other takes over automatically only when the primary fails. This guide walks through the complete deployment of DHCP Failover on Windows Server 2025, from authorizing servers in Active Directory to monitoring failover state and performing a controlled failback.
Prerequisites
- Two Windows Server 2025 machines with the DHCP Server role installed
- Both DHCP servers authorized in Active Directory
- The same DHCP scope(s) configured on the primary server (the secondary’s scopes will be synchronized automatically)
- Network connectivity between both DHCP servers (TCP port 647 is used for failover communication)
- Administrative privileges and RSAT-DHCP tools installed
- A shared secret string for failover partner authentication
Step 1: Install and Authorize DHCP on Both Servers
If DHCP is not already installed, deploy and authorize it on both servers. The scope only needs to exist on the primary server initially — failover replication will push it to the secondary.
# Install DHCP role on both servers (run on each server separately, or use Invoke-Command)
Install-WindowsFeature -Name DHCP -IncludeManagementTools
# Authorize both servers in Active Directory (part of the post-install configuration)
Add-DhcpServerInDC -DnsName "dhcp01.corp.contoso.com" -IPAddress 192.168.1.10
Add-DhcpServerInDC -DnsName "dhcp02.corp.contoso.com" -IPAddress 192.168.1.11
# Suppress the post-install alert in Server Manager
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12" `
    -Name "ConfigurationState" -Value 2
# Verify both servers are authorized in AD
Get-DhcpServerInDC
# On the primary server, create a test scope if not already present
Add-DhcpServerv4Scope -Name "CorpNetwork" `
    -StartRange 192.168.1.100 `
    -EndRange 192.168.1.254 `
    -SubnetMask 255.255.255.0 `
    -State Active `
    -LeaseDuration "8.00:00:00"
# Set scope options (DNS, gateway)
Set-DhcpServerv4OptionValue -ScopeId 192.168.1.0 `
    -Router 192.168.1.1 `
    -DnsServer 192.168.1.5, 192.168.1.6 `
    -DomainName "corp.contoso.com"
Step 2: Configure DHCP Failover in Load Balance Mode
Load Balance mode is ideal for environments where both DHCP servers are on the same site and both are always reachable. Each server handles approximately half the DHCP requests. When one server fails, the other takes over 100% of DHCP responses using the lease information it has synchronized.
# Run this on the PRIMARY DHCP server (dhcp01)
# The -ScopeId parameter accepts one or more scope IDs to include in the failover relationship
# Add-DhcpServerv4Failover has no -Mode parameter: supplying -LoadBalancePercent selects Load Balance mode
Add-DhcpServerv4Failover `
    -ComputerName "dhcp01.corp.contoso.com" `
    -PartnerServer "dhcp02.corp.contoso.com" `
    -Name "Corp-Failover-LB" `
    -ScopeId 192.168.1.0 `
    -LoadBalancePercent 50 `
    -MaxClientLeadTime "01:00:00" `
    -StateSwitchInterval "00:01:00" `
    -SharedSecret "Dh@pF@ilover!Secret2025" `
    -Force
# Include multiple scopes in the same failover relationship
# Add-DhcpServerv4Failover ... -ScopeId 192.168.1.0, 192.168.2.0, 192.168.3.0
# Verify the failover relationship was created on the primary
Get-DhcpServerv4Failover -ComputerName "dhcp01.corp.contoso.com"
# Verify it also shows on the secondary (the scope was replicated)
Get-DhcpServerv4Failover -ComputerName "dhcp02.corp.contoso.com"
# Confirm the scope now exists on the secondary server
Get-DhcpServerv4Scope -ComputerName "dhcp02.corp.contoso.com"
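An alternative to the Add-DhcpServerv4Failover call above that keeps the shared secret out of the script text, added here as an example and not part of the original guide. It assumes an interactive session; the 16-character minimum is an illustrative local policy, not a DHCP requirement.

```powershell
# Added example; server names, scope ID and relationship name are the guide's sample values.
$primary = "dhcp01.corp.contoso.com"
$partner = "dhcp02.corp.contoso.com"

# Prompt for the secret so it never appears in the script file or in command history
$secure = Read-Host -Prompt "Failover shared secret" -AsSecureString

# -SharedSecret takes a plain string, so convert in memory only at the point of use
$plain = [System.Net.NetworkCredential]::new("", $secure).Password
if ($plain.Length -lt 16) {
    throw "Shared secret is shorter than 16 characters (assumed local policy)."
}

try {
    Add-DhcpServerv4Failover -ComputerName $primary -PartnerServer $partner `
        -Name "Corp-Failover-LB" -ScopeId 192.168.1.0 -LoadBalancePercent 50 `
        -MaxClientLeadTime "01:00:00" -StateSwitchInterval "00:01:00" `
        -SharedSecret $plain -Force -ErrorAction Stop
}
finally {
    # Drop the plaintext copy whether or not the call succeeded
    Remove-Variable -Name plain
}

# Message authentication should now be reported as enabled on both partners
foreach ($srv in $primary, $partner) {
    Get-DhcpServerv4Failover -ComputerName $srv -Name "Corp-Failover-LB" |
        Select-Object @{ Name = "Server"; Expression = { $srv } }, Name, EnableAuth, State
}
```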
Step 3: Configure DHCP Failover in Hot Standby Mode
Hot Standby mode is designed for multi-site scenarios where a standby DHCP server should take over only when the active server becomes unavailable. The standby server holds a reserved percentage of the address pool to handle clients during the failover window. The remaining addresses are managed exclusively by the active server during normal operation.
# Remove existing failover relationship before reconfiguring (if applicable)
Remove-DhcpServerv4Failover -ComputerName "dhcp01.corp.contoso.com" `
    -Name "Corp-Failover-LB" -Force
# Recreate in Hot Standby mode
# Add-DhcpServerv4Failover has no -Mode parameter: supplying -ServerRole / -ReservePercent selects Hot Standby
# ReservePercent: percentage of the scope the standby holds in reserve
# during normal operation (used to service clients if active server is unreachable)
Add-DhcpServerv4Failover `
    -ComputerName "dhcp01.corp.contoso.com" `
    -PartnerServer "dhcp02.corp.contoso.com" `
    -Name "Corp-Failover-HS" `
    -ScopeId 192.168.1.0 `
    -ServerRole Active `
    -ReservePercent 20 `
    -MaxClientLeadTime "01:00:00" `
    -StateSwitchInterval "00:01:00" `
    -SharedSecret "Dh@pF@ilover!Secret2025" `
    -Force
# The standby server automatically gets ServerRole = Standby
# Verify mode is HotStandby
Get-DhcpServerv4Failover -ComputerName "dhcp01.corp.contoso.com" |
    Select-Object Name, Mode, ServerRole, ReservePercent, State
Step 4: Understanding Failover States
DHCP Failover uses a state machine to coordinate between the two servers. Understanding these states helps you interpret monitoring output and respond to failures correctly.
# Check the current failover state on both servers
Get-DhcpServerv4Failover -ComputerName "dhcp01.corp.contoso.com" |
    Select-Object Name, Mode, State, PartnerState, PrimaryServer, SecondaryServer
Get-DhcpServerv4Failover -ComputerName "dhcp02.corp.contoso.com" |
    Select-Object Name, Mode, State, PartnerState
# DHCP Failover States explained:
# Normal - Both servers are communicating and in sync
# CommunicationInterrupted - Partner is unreachable, operating independently
# PartnerDown - Administrator has declared the partner as down
# (the active server uses 100% of the pool)
# RecoverWait - Recovering after partner returns
# Recover - Re-synchronizing lease databases
# Get per-scope failover statistics, including address counts per server
# (the DhcpServer module has no Get-DhcpServerv4FailoverStatistics cmdlet; use the -Failover switch)
Get-DhcpServerv4ScopeStatistics -ComputerName "dhcp01.corp.contoso.com" -Failover
# Output includes ScopeId, Free, InUse and PercentageInUse,
# plus failover-specific address counts for this server and its partner
Step 5: Replicate Scope Changes After Modification
After the initial failover setup, any changes to scope configuration (options, exclusions, reservations) made on the primary server must be replicated to the secondary. This does not happen automatically for all changes — you must trigger replication.
# After modifying a scope on the primary, replicate changes to the partner
Invoke-DhcpServerv4FailoverReplication `
    -ComputerName "dhcp01.corp.contoso.com" `
    -ScopeId 192.168.1.0 `
    -Force
# Replicate all scopes in all failover relationships at once
# (omit both -ScopeId and -Name; the cmdlet has no -ReplicatePeers parameter)
Invoke-DhcpServerv4FailoverReplication `
    -ComputerName "dhcp01.corp.contoso.com" `
    -Force
# Add an exclusion range on the primary and replicate
Add-DhcpServerv4ExclusionRange -ComputerName "dhcp01.corp.contoso.com" `
    -ScopeId 192.168.1.0 `
    -StartRange 192.168.1.200 `
    -EndRange 192.168.1.220
Invoke-DhcpServerv4FailoverReplication -ComputerName "dhcp01.corp.contoso.com" `
    -ScopeId 192.168.1.0 -Force
# Verify the exclusion exists on the secondary
Get-DhcpServerv4ExclusionRange -ComputerName "dhcp02.corp.contoso.com" -ScopeId 192.168.1.0
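A drift check for the replication step above, added here as an example and not part of the original guide: it compares exclusion ranges, reservations and scope option values for every failover scope on both partners, which catches a change that was made but never replicated. The function names Get-ConfigKeys and Compare-DhcpFailoverScopeConfig are hypothetical; the server names are the guide's sample values.

```powershell
# Added example; function names are hypothetical, server names are the guide's sample values.
function Get-ConfigKeys($Cmd, $Server, $Scope, $Props) {
    # Flatten each returned object to one comparable string, e.g. "192.168.1.200|192.168.1.220"
    & $Cmd -ComputerName $Server -ScopeId $Scope -ErrorAction Stop | ForEach-Object {
        $item = $_
        ($Props | ForEach-Object { $item.$_ -join "," }) -join "|"
    }
}

function Compare-DhcpFailoverScopeConfig {
    param(
        [string]$Primary   = "dhcp01.corp.contoso.com",
        [string]$Secondary = "dhcp02.corp.contoso.com"
    )
    # What to compare: the cmdlet to run on both servers and the properties that must match
    $checks = @(
        @{ Label = "ExclusionRange"; Cmd = "Get-DhcpServerv4ExclusionRange"; Props = @("StartRange", "EndRange") },
        @{ Label = "Reservation";    Cmd = "Get-DhcpServerv4Reservation";    Props = @("IPAddress", "ClientId", "Name") },
        @{ Label = "OptionValue";    Cmd = "Get-DhcpServerv4OptionValue";    Props = @("OptionId", "Value") }
    )
    # Every scope that belongs to any failover relationship on the primary
    foreach ($scope in (Get-DhcpServerv4Failover -ComputerName $Primary).ScopeId) {
        foreach ($c in $checks) {
            $onPrimary   = @(Get-ConfigKeys $c.Cmd $Primary   $scope $c.Props)
            $onSecondary = @(Get-ConfigKeys $c.Cmd $Secondary $scope $c.Props)
            # Emit one row per item that exists on only one of the two partners
            $onPrimary | Where-Object { $_ -notin $onSecondary } | ForEach-Object {
                [pscustomobject]@{ ScopeId = "$scope"; Item = $c.Label; MissingOn = $Secondary; Value = $_ }
            }
            $onSecondary | Where-Object { $_ -notin $onPrimary } | ForEach-Object {
                [pscustomobject]@{ ScopeId = "$scope"; Item = $c.Label; MissingOn = $Primary; Value = $_ }
            }
        }
    }
}

# No output means the compared settings match on both partners
Compare-DhcpFailoverScopeConfig | Format-Table -AutoSize
```

A row with MissingOn set to the primary means the change was made on the secondary, so check which copy is correct before deciding the direction of replication.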
Step 6: Simulate and Recover from a DHCP Server Failure
Test your failover configuration by simulating a primary server failure and confirming the secondary takes over. Then perform a controlled failback when the primary comes back online.
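# SIMULATE FAILURE: Stop DHCP service on the primary
# (Stop-Service has no -ComputerName parameter, so run it remotely with Invoke-Command)
Invoke-Command -ComputerName "dhcp01.corp.contoso.com" -ScriptBlock {
    Stop-Service -Name DHCPServer -Force
}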
# On the secondary server — the failover state will transition to CommunicationInterrupted
# Wait for StateSwitchInterval (1 minute as configured) to pass, then check state
Start-Sleep -Seconds 70
Get-DhcpServerv4Failover -ComputerName "dhcp02.corp.contoso.com" |
    Select-Object Name, State, PartnerState
# Declare the partner as down (so secondary uses 100% of the pool)
# This is an administrative action — do this only when the primary is confirmed down
# (Set-DhcpServerv4Failover exposes this as the -PartnerDown switch; it has no -State parameter)
Set-DhcpServerv4Failover -ComputerName "dhcp02.corp.contoso.com" `
    -Name "Corp-Failover-HS" `
    -PartnerDown -Force
Get-DhcpServerv4Failover -ComputerName "dhcp02.corp.contoso.com" | Select-Object Name, State
# FAILBACK: Restore the primary server
# (Start-Service has no -ComputerName parameter, so run it remotely with Invoke-Command)
Invoke-Command -ComputerName "dhcp01.corp.contoso.com" -ScriptBlock {
    Start-Service -Name DHCPServer
}
# Wait for the MaxClientLeadTime window (1 hour as configured) before failover normalizes
# Once the partners reconnect, the relationship moves through Recover and RecoverWait on its own;
# Set-DhcpServerv4Failover has no parameter that forces the state back to Normal
# After recovery period, both servers return to Normal state
Get-DhcpServerv4Failover -ComputerName "dhcp01.corp.contoso.com" | Select-Object Name, State
Get-DhcpServerv4Failover -ComputerName "dhcp02.corp.contoso.com" | Select-Object Name, State
Step 7: Ongoing Monitoring and Alerting
# Monitor failover health from the primary server
function Get-DhcpFailoverHealth {
    param([string[]]$Servers = @("dhcp01.corp.contoso.com", "dhcp02.corp.contoso.com"))
    foreach ($srv in $Servers) {
        Write-Host "=== $srv ===" -ForegroundColor Cyan
        Get-DhcpServerv4Failover -ComputerName $srv |
            Select-Object Name, Mode, State, PartnerState, MaxClientLeadTime, StateSwitchInterval |
            Format-Table -AutoSize
        # Per-scope usage; the -Failover switch adds the failover-specific counters
        Get-DhcpServerv4ScopeStatistics -ComputerName $srv -Failover |
            Select-Object ScopeId, Free, InUse, PercentageInUse |
            Format-Table -AutoSize
    }
}
Get-DhcpFailoverHealth
# Check DHCP event log for failover-related events
Get-WinEvent -LogName "Microsoft-Windows-DHCP Server Events/Operational" -MaxEvents 50 |
    Where-Object { $_.Message -like "*failover*" -or $_.Id -in @(20276, 20277, 20278) } |
    Select-Object TimeCreated, Id, Message | Format-List
# Alert if failover state is not Normal
$failoverState = Get-DhcpServerv4Failover -ComputerName "dhcp01.corp.contoso.com"
if ($failoverState.State -ne "Normal") {
    Write-Warning "DHCP Failover state is: $($failoverState.State) — investigate immediately!"
    Send-MailMessage -To "[email protected]" -From "[email protected]" `
        -Subject "DHCP Failover Alert: State is $($failoverState.State)" `
        -Body "Check DHCP servers immediately. Failover state: $($failoverState.State)" `
        -SmtpServer "mail.corp.contoso.com"
}
DHCP Failover on Windows Server 2025 provides an elegant, built-in solution for eliminating the DHCP server as a single point of failure in your network. Whether you choose Load Balance for active-active redundancy on a single site or Hot Standby for a primary/secondary arrangement across sites, the configuration is straightforward using PowerShell cmdlets and requires no shared storage or Windows clustering. The key to maintaining a healthy DHCP Failover deployment is understanding the failover state machine, replicating scope changes after every modification, and regularly reviewing the failover statistics to ensure both servers have a synchronized and balanced lease database. With the monitoring script from Step 7 integrated into your alerting pipeline, you will be notified immediately if the failover relationship enters a degraded state, giving you time to remediate before clients are affected.