Built a brand new Windows 2012 R2 domain the other day. It was to replace a busted one elsewhere – busted? This happens when developers add anything they want to AD and there is zero management. As this had to replace a 14-year-old domain, back in 2001 they had no concept of the issues around “Single Label Top Level Domain zones” and the root domain was (and still is) a SLTLD. This in itself is an issue, as 2012 R2 simply refuses to create a SLTLD under any circumstances. The solution to that is to break out your crusty old Windows 2003 R2 disks and use them to build the first server in the forest. You can then add target 2012 R2 servers to that domain and gradually work towards removing the 2003 server and raising the forest to 2012 R2 functional level. Stupid, but it works.
Once I had it all built I then needed to add the DHCP service to the child domain. The reason: in this organisation the root is a placeholder and all the client-based action occurs in the child domain, so naturally I added DHCP to the child DCs and set my IP Helpers to reflect that. This then revealed the following.
Problem: the DHCP server won’t authorize – returning error 20070 “The DHCP server could not contact Active Directory”. Not a lot of stuff on the internet but enough frustration to indicate that I’m not Robinson Crusoe on this issue. I bashed my head on this for about 4 hours and then did the right thing. I left the machine and went outside! It’s amazing how going for a walk, treating yourself to an ice-cream etc can clear stupid brain blocks.
Solution: Add the DHCP management tools to the root domain controllers and then authorise from there. Seems that something has changed in the permission structure for 2012 R2. Thinking about it, the authorisation happens in the configuration partition of AD, which is forest-wide, and naturally this would require Enterprise Admin rights rather than just Domain Admin rights in the child domain.
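The procedure above as a PowerShell script, added here as an example and not part of the original post: it checks the caller is actually an Enterprise Admin in the forest root, installs the DHCP management tools, authorises the child-domain DHCP server and then verifies the result both through the DhcpServer module and directly in the configuration partition. The domain names and IP address are placeholders; the cmdlets come from the ActiveDirectory and DhcpServer modules that ship with RSAT on a 2012 R2 DC.

```powershell
# Added example (not from the original post). Run on a ROOT-domain DC, or any
# server with RSAT installed, as a member of Enterprise Admins.
$RootDomain   = 'corp.example'             # forest root domain (placeholder)
$DhcpServer   = 'dc01.child.corp.example'  # child-domain DC running DHCP (placeholder)
$DhcpServerIP = '10.20.0.11'               # that server's IP address (placeholder)

# 1. Confirm the caller holds Enterprise Admin rights. Authorisation writes
#    into CN=NetServices,CN=Services,CN=Configuration, which is forest-wide,
#    so Domain Admin in the child domain alone is not enough (error 20070).
$ea = Get-ADGroupMember -Identity 'Enterprise Admins' -Server $RootDomain -Recursive |
      Select-Object -ExpandProperty SamAccountName
if ($ea -notcontains $env:USERNAME) {
    throw "$env:USERNAME is not a member of Enterprise Admins in $RootDomain; stop here."
}

# 2. Make sure the DHCP management tools (MMC snap-in + DhcpServer module) exist.
if (-not (Get-WindowsFeature -Name RSAT-DHCP).Installed) {
    Install-WindowsFeature -Name RSAT-DHCP | Out-Null
}

# 3. Authorise the child-domain DHCP server in the configuration partition.
Add-DhcpServerInDC -DnsName $DhcpServer -IPAddress $DhcpServerIP

# 4a. Verify through the DHCP tooling: the server must now be listed.
$authorised = Get-DhcpServerInDC | Where-Object { $_.DnsName -eq $DhcpServer }
if (-not $authorised) { throw "$DhcpServer is still not authorised." }
$authorised | Format-Table DnsName, IPAddress -AutoSize

# 4b. Verify directly in AD: authorised servers are dHCPClass objects under
#     CN=NetServices in the configuration naming context.
$configNC = (Get-ADRootDSE -Server $RootDomain).configurationNamingContext
Get-ADObject -Server $RootDomain `
    -SearchBase "CN=NetServices,CN=Services,$configNC" `
    -LDAPFilter '(objectClass=dHCPClass)' -Properties dhcpServers |
    Where-Object { $_.Name -like "*$DhcpServer*" -or $_.dhcpServers -like "*$DhcpServer*" } |
    Format-List Name, dhcpServers
```

If step 1 throws, the fix is a group membership change in the root domain, not another attempt at authorising from the child DC.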
I know it sounds trivial now, but I hope this helps some other frustrated enterprise (sorry about the “Z” – in Australia it’s Enterprise, not Enterprize) admin.