DHCP looks simple until it is down. If your only DHCP server fails, clients can keep their existing leases for a while, but new devices do not get addresses, renewals eventually fail, and the network slowly gets weird.

Windows Server DHCP failover solves that by pairing two DHCP servers. They share scope configuration and lease state, then serve clients in load-balance or hot-standby mode. This guide builds DHCP failover on Windows Server 2025 with GUI and Server Core/PowerShell paths, including replication and verification.

Windows Server 2025 DHCP failover topology

GUI vs Server Core Path

This guide covers both styles:

  • Desktop Experience / GUI: Server Manager, DHCP console, new scope wizard, DHCP authorization, and failover wizard.
  • Server Core / PowerShell: Install-WindowsFeature, Add-DhcpServerInDC, Add-DhcpServerv4Scope, Set-DhcpServerv4OptionValue, and Add-DhcpServerv4Failover.

Use GUI for screenshots and learning the flow. Use PowerShell for repeatable server builds and clean documentation.

Target Design

Item | Value
--- | ---
DHCP server 1 | DHCP01.gntech.me / 10.0.20.20
DHCP server 2 | DHCP02.gntech.me / 10.0.20.21
Domain | gntech.me
Scope | 10.0.20.0/24
Lease range | 10.0.20.100 - 10.0.20.200
Exclusions | 10.0.20.1 - 10.0.20.99, 10.0.20.201 - 10.0.20.254
Gateway option | 10.0.20.1
DNS option | 10.0.20.10, 10.0.20.11
DNS suffix | gntech.me
Failover mode | Load balance 50/50 for LAN, hot standby for remote site

For a homelab LAN, load-balance mode is usually fine. For a branch or remote site, hot-standby mode can be cleaner.

DHCP Failover Modes

Windows DHCP failover supports two common designs.

Load Balance

Both DHCP servers answer clients and split the scope workload.

Use when: both DHCP servers are in the same site/VLAN and equally reachable.
Typical split: 50/50

Hot Standby

One server actively handles the scope; the partner waits and takes over if the active server is unavailable.

Use when: one server is primary for a site and the other is backup.
Typical split: 95/5 or standby role

For this guide, the PowerShell example uses load-balance mode.

Pre-Checks

On both DHCP servers:

hostname
Get-NetIPConfiguration
Resolve-DnsName gntech.me
Test-ComputerSecureChannel -Verbose

Both servers should be domain joined, statically addressed, patched, and able to resolve the domain.

Check domain DNS:

Resolve-DnsName DC01.gntech.me
Resolve-DnsName DC02.gntech.me

Install the DHCP Server Role

GUI: Server Manager

On each DHCP server:

  1. Open Server Manager.
  2. Go to Manage → Add Roles and Features.
  3. Select DHCP Server.
  4. Accept management tools.
  5. Install the role.
  6. Click the post-install notification to complete DHCP configuration.

Server Core / PowerShell

Run on both DHCP01 and DHCP02:

Install-WindowsFeature DHCP -IncludeManagementTools

Verify:

Get-WindowsFeature DHCP
Get-Service DHCPServer

Expected service:

Running

Authorize DHCP in Active Directory

Domain-joined Windows DHCP servers must be authorized in AD before they serve leases.

GUI: DHCP Console

  1. Open Server Manager → Tools → DHCP.
  2. Right-click the server.
  3. Select Authorize.
  4. Refresh until the server icon shows authorized.

Server Core / PowerShell

Run from a domain admin session:

# PowerShell continues a line with a backtick, not a backslash
Add-DhcpServerInDC `
  -DnsName "DHCP01.gntech.me" `
  -IPAddress 10.0.20.20

Add-DhcpServerInDC `
  -DnsName "DHCP02.gntech.me" `
  -IPAddress 10.0.20.21

Verify:

Get-DhcpServerInDC

Create the Scope on DHCP01

Create the scope on one server first. The failover relationship will replicate it to the partner.

GUI: DHCP Console

  1. Expand DHCP01.
  2. Right-click IPv4 → New Scope.
  3. Name it LAB-10.0.20.0.
  4. Set range 10.0.20.100 to 10.0.20.200.
  5. Set subnet mask 255.255.255.0.
  6. Add exclusions if needed.
  7. Set router 10.0.20.1.
  8. Set DNS servers 10.0.20.10 and 10.0.20.11.
  9. Set DNS domain gntech.me.
  10. Activate the scope.

Server Core / PowerShell

Run on DHCP01:

Add-DhcpServerv4Scope `
  -ComputerName "DHCP01.gntech.me" `
  -Name "LAB-10.0.20.0" `
  -StartRange 10.0.20.100 `
  -EndRange 10.0.20.200 `
  -SubnetMask 255.255.255.0 `
  -State Active

Set options:

Set-DhcpServerv4OptionValue `
  -ComputerName "DHCP01.gntech.me" `
  -ScopeId 10.0.20.0 `
  -Router 10.0.20.1 `
  -DnsServer 10.0.20.10,10.0.20.11 `
  -DnsDomain "gntech.me"

Verify:

Get-DhcpServerv4Scope -ComputerName "DHCP01.gntech.me"
Get-DhcpServerv4OptionValue -ComputerName "DHCP01.gntech.me" -ScopeId 10.0.20.0

Configure DHCP Failover

GUI: DHCP Failover Wizard

  1. In DHCP console, expand DHCP01 → IPv4.
  2. Right-click the scope → Configure Failover.
  3. Select the scope.
  4. Add partner server DHCP02.gntech.me.
  5. Name the relationship DHCP01-DHCP02-LAB.
  6. Choose Load balance.
  7. Set load balance percentage to 50%.
  8. Set shared secret.
  9. Finish the wizard.

Server Core / PowerShell

Use a strong shared secret. Store it securely.

$Secret = Read-Host "DHCP failover shared secret" -AsSecureString

# Add-DhcpServerv4Failover takes -SharedSecret as a plain string,
# so decode the SecureString only for the duration of the call.
$Bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secret)
try {
  $PlainSecret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)

  Add-DhcpServerv4Failover `
    -ComputerName "DHCP01.gntech.me" `
    -Name "DHCP01-DHCP02-LAB" `
    -PartnerServer "DHCP02.gntech.me" `
    -ScopeId 10.0.20.0 `
    -SharedSecret $PlainSecret `
    -LoadBalancePercent 50 `
    -AutoStateTransition $true `
    -StateSwitchInterval 01:00:00
}
finally {
  # Zero and free the unmanaged copy of the secret
  [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)
}

Clear the plaintext variable when done:

Remove-Variable PlainSecret

Verify the relationship:

Get-DhcpServerv4Failover -ComputerName "DHCP01.gntech.me"
Get-DhcpServerv4Failover -ComputerName "DHCP02.gntech.me"

Replicate Scope Configuration

Failover replicates leases automatically, but when you change scope options, reservations, policies, or exclusions, force replication.

GUI: Replicate Scope

  1. Open DHCP console.
  2. Right-click the scope or IPv4 node.
  3. Select Replicate Scope or Replicate Failover Scopes.
  4. Confirm replication to the partner.

Server Core / PowerShell

Replicate a specific scope:

Invoke-DhcpServerv4FailoverReplication `
  -ComputerName "DHCP01.gntech.me" `
  -ScopeId 10.0.20.0 `
  -Force

Or replicate by relationship name:

Invoke-DhcpServerv4FailoverReplication `
  -ComputerName "DHCP01.gntech.me" `
  -Name "DHCP01-DHCP02-LAB" `
  -Force

Verify the scope exists on both servers:

Get-DhcpServerv4Scope -ComputerName "DHCP01.gntech.me"
Get-DhcpServerv4Scope -ComputerName "DHCP02.gntech.me"

Router / VLAN DHCP Relay

If clients are not on the same L2 segment as the DHCP servers, configure DHCP relay/IP helper on the router or L3 switch.

For a VLAN 20 client network, relay to both DHCP servers:

DHCP relay target 1: 10.0.20.20
DHCP relay target 2: 10.0.20.21

On MikroTik, this is usually DHCP Relay on the VLAN interface. On Cisco, it is usually ip helper-address under the SVI. The important part is that both DHCP servers receive requests.

Verification Checklist

1. DHCP Server Authorization

Get-DhcpServerInDC

Expected: both DHCP01 and DHCP02 listed with correct IPs.

2. Scope Exists on Both Servers

Get-DhcpServerv4Scope -ComputerName "DHCP01.gntech.me"
Get-DhcpServerv4Scope -ComputerName "DHCP02.gntech.me"

3. Options Are Correct

Get-DhcpServerv4OptionValue `
  -ComputerName "DHCP01.gntech.me" `
  -ScopeId 10.0.20.0

Get-DhcpServerv4OptionValue `
  -ComputerName "DHCP02.gntech.me" `
  -ScopeId 10.0.20.0

Expected:

003 Router: 10.0.20.1
006 DNS Servers: 10.0.20.10, 10.0.20.11
015 DNS Domain Name: gntech.me

4. Failover Relationship Is Healthy

Get-DhcpServerv4Failover `
  -ComputerName "DHCP01.gntech.me" `
  -Name "DHCP01-DHCP02-LAB" |
  Format-List *

Look for normal state on both partners.

5. Client Lease Test

On a Windows client:

ipconfig /release
ipconfig /renew
ipconfig /all

Verify:

  • IPv4 address is inside 10.0.20.100-200
  • gateway is 10.0.20.1
  • DNS servers are 10.0.20.10 and 10.0.20.11
  • DNS suffix is gntech.me

6. Lease Visibility

Get-DhcpServerv4Lease `
  -ComputerName "DHCP01.gntech.me" `
  -ScopeId 10.0.20.0

Get-DhcpServerv4Lease `
  -ComputerName "DHCP02.gntech.me" `
  -ScopeId 10.0.20.0

Leases should replicate between partners.

Failover Test

Do not hard power off servers during early testing. First do a controlled service test.

On DHCP01:

Stop-Service DHCPServer

On a client:

ipconfig /release
ipconfig /renew
ipconfig /all

Expected: the client still receives a valid lease from DHCP02.

Restart DHCP01:

Start-Service DHCPServer

Check failover state:

Get-DhcpServerv4Failover -ComputerName "DHCP01.gntech.me"
Get-DhcpServerv4Failover -ComputerName "DHCP02.gntech.me"

Common Problems

DHCP Server Not Leasing Addresses

Check authorization:

Get-DhcpServerInDC
Get-Service DHCPServer

If unauthorized, authorize it in AD.

Client Gets APIPA Address

APIPA means the client did not receive DHCP.

Check the client and the DHCP server-side counters:

ipconfig /all
Get-DhcpServerv4Statistics -ComputerName "DHCP01.gntech.me"
Get-DhcpServerv4Statistics -ComputerName "DHCP02.gntech.me"
Get-DhcpServerv4Lease -ComputerName "DHCP01.gntech.me" -ScopeId 10.0.20.0
Get-DhcpServerv4Lease -ComputerName "DHCP02.gntech.me" -ScopeId 10.0.20.0

Do not use Test-NetConnection -Port 67 as a DHCP test. DHCP uses UDP broadcast/relay behavior, so a TCP port probe does not prove DHCP works. Also verify DHCP relay/IP helper on routed VLANs.

Scope Changes Did Not Appear on Partner

Force replication:

Invoke-DhcpServerv4FailoverReplication `
  -ComputerName "DHCP01.gntech.me" `
  -Name "DHCP01-DHCP02-LAB" `
  -Force

DNS Updates Not Working

If DHCP is registering DNS records for clients, configure DHCP credentials and check DNS dynamic update settings.

Get-DhcpServerDnsCredential
Get-DhcpServerv4DnsSetting

For AD environments, DNS zones should allow secure dynamic updates.

Final Verification Script

$ScopeId = "10.0.20.0"
$Relationship = "DHCP01-DHCP02-LAB"
$Servers = "DHCP01.gntech.me", "DHCP02.gntech.me"

Write-Host "== Authorized DHCP Servers ==" -ForegroundColor Cyan
Get-DhcpServerInDC

foreach ($Server in $Servers) {
  Write-Host "== $Server Service ==" -ForegroundColor Cyan
  Get-Service DHCPServer -ComputerName $Server

  Write-Host "== $Server Scopes ==" -ForegroundColor Cyan
  Get-DhcpServerv4Scope -ComputerName $Server

  Write-Host "== $Server Options ==" -ForegroundColor Cyan
  Get-DhcpServerv4OptionValue -ComputerName $Server -ScopeId $ScopeId

  Write-Host "== $Server Leases ==" -ForegroundColor Cyan
  Get-DhcpServerv4Lease -ComputerName $Server -ScopeId $ScopeId |
    Select-Object -First 10

  Write-Host "== $Server Failover ==" -ForegroundColor Cyan
  Get-DhcpServerv4Failover -ComputerName $Server -Name $Relationship
}
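
A pass/fail variant of the same checks, added here as an example and not part of the original guide: it reports when either partner is outside Normal state, has message authentication (the shared secret) disabled, or holds scope options the other partner lacks, which is what an unreplicated change looks like. It assumes the server names, scope ID, and relationship name used in this guide and reads the State, EnableAuth, Mode, and ScopeId properties returned by Get-DhcpServerv4Failover.

```powershell
# Added example: pass/fail health and drift check for the failover pair in this guide.
$ScopeId      = "10.0.20.0"
$Relationship = "DHCP01-DHCP02-LAB"
$Servers      = "DHCP01.gntech.me", "DHCP02.gntech.me"
$Problems     = [System.Collections.Generic.List[string]]::new()

# 1. Relationship state, message authentication, and scope membership per partner
$Rel = @{}
foreach ($Server in $Servers) {
  try {
    $Rel[$Server] = Get-DhcpServerv4Failover -ComputerName $Server -Name $Relationship -ErrorAction Stop
  } catch {
    $Problems.Add("${Server}: cannot read relationship: $($_.Exception.Message)")
    continue
  }
  $R = $Rel[$Server]
  if ($R.State -ne 'Normal') { $Problems.Add("${Server}: failover state is $($R.State)") }
  if (-not $R.EnableAuth)    { $Problems.Add("${Server}: message authentication is disabled") }
  if (@($R.ScopeId | ForEach-Object { "$_" }) -notcontains $ScopeId) {
    $Problems.Add("${Server}: scope $ScopeId is not in the relationship")
  }
}

# 2. Both partners must agree on the failover mode
if ($Rel.Count -eq 2 -and $Rel[$Servers[0]].Mode -ne $Rel[$Servers[1]].Mode) {
  $Problems.Add("mode mismatch: $($Rel[$Servers[0]].Mode) vs $($Rel[$Servers[1]].Mode)")
}

# 3. Scope options must be identical; a difference means a change was not replicated
$Opt = @{}
foreach ($Server in $Servers) {
  $Opt[$Server] = @(
    Get-DhcpServerv4OptionValue -ComputerName $Server -ScopeId $ScopeId -ErrorAction SilentlyContinue |
      ForEach-Object { "$($_.OptionId)=$($_.Value -join ',')" }
  )
}
foreach ($i in 0, 1) {
  $Here, $There = $Servers[$i], $Servers[1 - $i]
  $Opt[$Here] | Where-Object { $Opt[$There] -notcontains $_ } |
    ForEach-Object { $Problems.Add("option $_ is set on $Here but not on $There") }
}

# 4. Report
if ($Problems.Count -gt 0) {
  $Problems | ForEach-Object { Write-Warning $_ }
} else {
  Write-Host "Failover pair OK: Normal state, authentication on, options in sync" -ForegroundColor Green
}
```

An option reported on only one partner is the cue to run Invoke-DhcpServerv4FailoverReplication from the server that holds the intended configuration.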

Summary

The reliable DHCP failover path is:

  1. Build two domain-joined Windows Server 2025 DHCP servers
  2. Install DHCP role and management tools
  3. Authorize both servers in Active Directory
  4. Create the scope on the first server
  5. Set router, DNS server, and DNS suffix options
  6. Create a DHCP failover relationship
  7. Replicate scope configuration after changes
  8. Configure router/VLAN DHCP relay to both servers
  9. Verify leases, options, failover state, and client renewal

DHCP failover is not just a checkbox. Treat it like a replicated service: verify both partners, force replication after changes, and test client renewal before you trust it.