I am struggling to keep DHCP filters in sync between multiple DHCP servers, each of which runs on a domain controller. I wrote a simple script to get the filters from the master DHCP server and push them to the other DHCP servers:
    # All DHCP servers authorized in Active Directory (objects with DnsName/IPAddress)
    $aDhcpServers = Get-DhcpServerInDC
    New-Variable -Name sDhcpMasterServer -Value "master.server.fqdn" -Option Constant
    # Filter list (MacAddress, List = Allow/Deny, Description) read from the master
    $aDhcpMacFilters = Get-DhcpServerv4Filter -ComputerName $sDhcpMasterServer
    foreach($DhcpServer in $aDhcpServers) {
        # Don't overwrite ourself (string comparison; -match would treat the FQDN as a regex)
        if($DhcpServer.DnsName -ne $sDhcpMasterServer) {
            Invoke-Command -ComputerName $DhcpServer.DnsName -ScriptBlock {
                # Clear remote entries (cmdlets without -ComputerName act on the local DHCP service)
                Get-DhcpServerv4Filter | Remove-DhcpServerv4Filter
                # Add array of MacFilters to remote filter; binds MacAddress/List/Description by property name
                $args[0] | Add-DhcpServerv4Filter
            } -ArgumentList (,$aDhcpMacFilters)   # unary comma passes the whole array as one argument
        }
    }
Then I created a gMSA and added it to the DHCP Administrators group, also granting it the "Log on as a batch job" privilege on the domain controllers. The master DHCP server is allowed to retrieve the gMSA password. The account is used in a scheduled task that simply executes the script and (in theory) should push the changes from the master DHCP server to the other DHCP servers.
However, that's not the case. The script is executed, but no changes are made to the DHCP filters on the other servers (the task exit code is 0). When the same script is executed with Domain Admin credentials, it works fine. I suspect the problem is with PowerShell Remoting using gMSA credentials, but I can't find any documentation regarding this matter.
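An added diagnostic variant of the sync script, not the poster's code and not an answer to the question: it exists to make the failure visible instead of silent. By default, an access-denied from `Invoke-Command` or from the DHCP cmdlets is a non-terminating error, and a script that finishes without calling `exit` reports exit code 0 to Task Scheduler, which matches the symptom described above. This version turns every error into a terminating one, records the identity the task runs as locally and the identity the remote endpoint actually sees, compares entry counts before and after, writes a transcript, and exits non-zero on any failure. The master FQDN is the same placeholder as in the question; the log directory `C:\DhcpSync` and the `param($Filters)` name are assumptions.

```powershell
# Added example (not from the original post). Assumed: runs under the gMSA from the
# scheduled task; 'master.server.fqdn' and C:\DhcpSync are placeholders.
$ErrorActionPreference = 'Stop'            # every cmdlet failure becomes terminating
$sDhcpMasterServer = 'master.server.fqdn'  # placeholder, as in the question
$LogDir = 'C:\DhcpSync'                    # assumed log location

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
Start-Transcript -Path (Join-Path $LogDir ("sync-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date)))

try {
    # Identity the task really runs under (expected: DOMAIN\gmsa$)
    Write-Output ("Local identity: {0}" -f [System.Security.Principal.WindowsIdentity]::GetCurrent().Name)

    $aDhcpMacFilters = @(Get-DhcpServerv4Filter -ComputerName $sDhcpMasterServer)
    Write-Output ("Read {0} filter entries from {1}" -f $aDhcpMacFilters.Count, $sDhcpMasterServer)

    $failed = @()
    foreach ($DhcpServer in Get-DhcpServerInDC) {
        if ($DhcpServer.DnsName -eq $sDhcpMasterServer) { continue }   # skip the master itself

        try {
            $result = Invoke-Command -ComputerName $DhcpServer.DnsName -ArgumentList (,$aDhcpMacFilters) -ScriptBlock {
                param($Filters)                      # assumed parameter name for the passed array
                $ErrorActionPreference = 'Stop'
                # Identity as seen by the remote WinRM endpoint (shows delegation/mapping problems)
                $who    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
                $before = @(Get-DhcpServerv4Filter).Count
                Get-DhcpServerv4Filter | Remove-DhcpServerv4Filter
                $Filters | Add-DhcpServerv4Filter    # binds MacAddress/List/Description by property name
                [pscustomobject]@{
                    RemoteIdentity = $who
                    Before         = $before
                    After          = @(Get-DhcpServerv4Filter).Count
                }
            }
            Write-Output ("{0}: remote identity {1}, {2} -> {3} entries" -f `
                $DhcpServer.DnsName, $result.RemoteIdentity, $result.Before, $result.After)

            # The remote list should now be exactly the master's list
            if ($result.After -ne $aDhcpMacFilters.Count) {
                $failed += $DhcpServer.DnsName
                Write-Warning ("{0}: expected {1} entries, found {2}" -f `
                    $DhcpServer.DnsName, $aDhcpMacFilters.Count, $result.After)
            }
        }
        catch {
            # Access denied, WinRM failure, or a DHCP cmdlet error on the remote side lands here
            $failed += $DhcpServer.DnsName
            Write-Warning ("{0}: {1}" -f $DhcpServer.DnsName, $_.Exception.Message)
        }
    }

    if ($failed.Count -gt 0) {
        Write-Output ("Failed servers: {0}" -f ($failed -join ', '))
        exit 1                                   # Task Scheduler now reports a non-zero result
    }
}
catch {
    Write-Warning ("Aborted: {0}" -f $_.Exception.Message)
    exit 2
}
finally {
    Stop-Transcript
}
```

Run it from the scheduled task with `powershell.exe -NoProfile -ExecutionPolicy Bypass -File <path>` so the `exit` codes propagate, then read the transcript: the "Local identity" and "remote identity" lines, and the warning text for each failed server, tell you whether the gMSA reached the remote endpoint at all and what it was allowed to do there.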