How-to: Configure DHCP Failover

Howto Configure DHCP Failover


  1. A single network configured with a single DHCP server already serving IP addresses.
  2. On a second UCS server in the same network the DHCP-Server app installed

Note1: The primary DHCP server has not necessarily to be the UCS domain master server. Use whatever server type (master, backup, slave) you like. Additionally, the “secondary DHCP” can be the UCS master server or any other server type. We will use the terms “primary” and “secondary” for DHCP failover.
Note2: The following works flawlessly if you have only a single network configured. In case of multiple networks you have to edit the below commands accordingly.

Setting up DHCP Failover

Step 1: Define Variables and Configuration Items

Open a shell on the upcoming primary server and set the variables to be used in the later steps:

export self_ip=$(univention-ldapsearch -LLLb "$(ucr get ldap/hostdn)" aRecord | sed -ne 's/^aRecord: //p;T;q')
export peer_ip=$(univention-ldapsearch -LLL '(univentionService=DHCP)' aRecord | sed -ne 's/^aRecord: //p' | grep -v -F "$self_ip")

Step 2: Create Service Records

kinit Administrator
service="$(udm dhcp/service list | sed -ne 's/^DN: //p;T;q')"
ldapadd -Y GSSAPI <<__LDIF__
dn: cn=failover,${service}
objectClass: dhcpFailOverPeer
cn: failover
dhcpFailOverPrimaryServer: $self_ip
dhcpFailOverSecondaryServer: $peer_ip
dhcpFailoverPrimaryPort: 5019
dhcpFailOverSecondaryPort: 5020
dhcpFailOverSplit: 128
dhcpMaxClientLeadTime: 600

Step 3: Configure UCS Firewall

Do the following on both servers:

ucr set security/packetfilter/package/univention-dhcp/tcp/{5019,5020}/all{=ACCEPT,/en=DHCP\ Failover}
systemctl restart univention-firewall

Step 4: Configure Pools

Change your address range below to your needs:

service=$(udm dhcp/service list | sed -ne 's/DN: //p')
subnet=$(udm dhcp/subnet list --superordinate "$service" | sed -ne 's/DN: //p')
udm dhcp/pool create \
 --superordinate "$subnet" \
 --set name=FailoverPool \
 --set range="" \
 --set dynamic_bootp_clients=deny \
 --set failover_peer=failover

Step 5: Restart Services

On both servers restart the service:
systemctl restart univention-dhcpd

Step 6: Verify Result

If everything configured properly you should see in /var/log/daemon.log both DHCP servers offering different IP addresses to clients.