Dynamic Host Configuration Protocol typically requires little maintenance, but when networking problems start, it’s imperative to track down the source.
DHCP is a critical function on the network, and guaranteeing its functionality and maintaining its security are essential. DHCP logs its own service records in Event Viewer, but it maintains lease information in separate logs. Learning to manage and utilize these logs enables you to troubleshoot the service more effectively.
How does DHCP work?
IP address management is an important but straightforward administrator task. There are two options for assigning IP address settings to a system on the network:
- Static IP addressing. An administrator manually enters values, including IP address, subnet mask, default gateway and DNS servers. This approach is common on servers and network appliances.
- Dynamic IP addressing. An administrator establishes a pool of IP addresses and related settings on a DHCP server, and client computers lease an IP address configuration during the startup process. Most client devices are configured dynamically.
Static addressing is a manual process, and dynamic addressing relies on DHCP servers. Most networks use a mix of both.
The advantages of a dynamic configuration are simplicity and consistency. Static IP addressing introduces the risk of typographical errors and duplicate addresses but provides fixed IP addresses for network devices.
The Windows DHCP service can offer clients IPv4 and IPv6 addresses and options. The service differentiates between the two using separate scopes and specific logging.
This article examines the Windows DHCP server logging mechanism managed by the DHCP service. It stores information about client lease attempts and service status, maintaining a useful troubleshooting and auditing record.
Lease generation
The DHCP lease generation process involves four steps. The client device initiates the exchange:
- Client checks for a DHCP server: Client > DHCPDiscover > DHCPServer.
- Server responds to the client: DHCPServer > DHCPOffer > Client.
- Client accepts the offer: Client > DHCPRequest > DHCPServer.
- Server finalizes the lease: DHCPServer > DHCPAck > Client.
The client begins the interaction with a DHCPDiscover broadcast, which checks for DHCP server availability on the network. The DHCP server hears the query and responds with a DHCPOffer that contains an available IP address configuration. The client accepts the offer with DHCPRequest. The server finalizes the exchange by acknowledging the request with DHCPAcknowledge.
The client device now has a full IP address configuration — usually an IP address, subnet mask, default gateway and two DNS servers. Administrators refer to this process as DORA: discover, offer, request, acknowledge.
Lease renewal
The lease is temporary and must be renewed periodically. The client begins the renewal with a DHCPRequest. The client requests to use the current configuration, and the server usually acknowledges the request with DHCPAck and renews the lease. If the DHCP server’s IP address settings for DHCP have changed, then it fails the request and forces the client to restart the DORA process. The client then receives the updated IP address settings.
The default lease time on a Windows DHCP server is eight days, and the renewal occurs at four days.
Introduction to DHCP logging
Configuring the DHCP server’s pool of IP addresses is not difficult but requires care to avoid typos while entering the values. Most client devices are configured as DHCP clients by default, so there’s rarely anything to do there.
Problems are rare, but logs help troubleshoot DHCP issues. Event Viewer tracks major DHCP events that affect the service. However, step-by-step DHCP lease events are stored in dedicated DHCP log files independent of Event Viewer. The logging mechanism identifies DHCP issues between the clients and the DHCP service.
Log entries include the following:
- Successful client leases, renewals and releases.
- Failed lease attempts.
- Log start and stop events.
- IP addresses in use.
- Pool exhaustion.
- DNS update events.
Windows enables DHCP logging by default, so you don’t need to provide any additional configuration to the service. The service maintains records by placing an entry in the appropriate log file for each exchange with a client computer.
Importance of DHCP logs
Use these log entries to troubleshoot situations where clients don’t successfully lease a configuration, the configuration is incorrect or the DHCP server does not respond as expected. You can also confirm service availability for service-level agreements using the logs. Finally, you can check these logs as part of a security audit to discover whether all connected clients are expected devices.
How to enable DHCP logging for auditing
The DHCP administrative console controls DHCP logging.
In Server Manager, go to Tools > DHCP to open the console. Drill down to the IPv4 node. Right-click the IPv4 node, select Properties > Advanced tab. The «Audit log file path» entry defines the log file location.
By default, the DHCP server log location is in the C:\Windows\system32\dhcp folder.
Windows saves the DHCP server logs each weekday in a separate file. Each log file is overwritten on the corresponding day of the week, enabling the administrator to look back one week at DHCP functions. The logs are specific to the IP version. The format for IPv4 logs is DhcpV6SrvLog-<DAY>.log, while the format for IPv6 logs is DhcpV6SrvLog-<DAY>.log.
How to work with DHCP log files
Open the log files using a regular text editor. The log begins with an explanation of event IDs. These categories make finding the information you’re looking for easier.
Windows saves DHCP server log files with a .log file extension in comma-separated format, which you can open in Microsoft Excel for a more user-friendly view.
The most interesting events for admins include any failure entries, such as these event IDs and their description:
- 13: An IP address was found in use on the network.
- 14: A lease request could not be satisfied because the address pool of the scope was exhausted.
- 15: A lease was denied.
These indicate a client attempted to lease a configuration, but the server could not fulfill the request.
The most referenced fields in the log file are ID, date, time, description, IP address, host name, media access control (MAC) address and user name.
The ID field relates to the event ID table and summarizes the general type of event. The date and time of the event and any available description come next. If possible, IP address, host name, MAC address and user name are listed. While not every event has an entry in the field header, the most common ones to appear are IP and MAC address.
How to check DHCP logs for troubleshooting
Here are some practical examples and methods for using DHCP logs to identify common network events. These apply to IPv4 and IPv6 DHCP scopes.
Successful processes
The following event IDs aid the troubleshooting process by indicating DHCP client events successfully occurred:
- 10: A new IP address was leased to a client.
- 11: A lease was renewed by a client.
- 12: A lease was released by a client.
Most entries should indicate a successful lease with event ID 10. Event ID 11 should also be prevalent, showing that clients successfully reinstated their current configuration. Expect many of these events, as most systems hold their IP settings for a long time.
Periodically, client machines release their IP configuration back to the server. Network troubleshooters may manually do this with the ipconfig /release command, usually as a precursor to the ipconfig /renew command, which manually initiates the DORA process. These releases are identified by event ID 12.
Duplicate IP addresses
Administrators must be careful not to use identical IP addresses on a network. Most Windows systems remove themselves from the network if they detect their IP address is already in use, reported with the following event ID:
- 13: An IP address was found to be in use on the network.
If properly configured, DHCP does not lease duplicate IP addresses. The issue typically arises when administrators don’t keep accurate records of static address assignments. It is common practice to assign static IPs to servers and network devices while Windows client systems get their IP settings from the DHCP server. If the DHCP scope includes static IP addresses, then the DHCP server has no way of knowing this and leases addresses in use.
There is an error message on the affected Windows device, but it’s easier to discover the duplicate IP by reviewing the logs.
Use this in combination with the «Conflict detection attempts» setting, which pings an address before offering the address for lease. If there is a response to the ping, the address is in use.
Scope exhaustion
The DHCP scope consists of the range of available IP addresses. The scope must contain enough addresses to support all clients that need a configuration. It’s possible that the number of clients on the segment exceeds the number of available addresses and the following event ID appears:
- 14: A lease request could not be satisfied because the scope’s address pool was exhausted.
You might not expect all clients to be on the network simultaneously, but short lease durations can be used to quickly free up unused addresses.
It’s easy to check the number of available and consumed addresses in the DHCP console, but the log file also displays an entry if a lease attempt fails due to scope exhaustion.
How to archive DHCP logs
DHCP log file names use abbreviated day names. Each week, the system overwrites the corresponding log with a new log of the same name, leaving IT just the seven most recent log files for review. If you do not archive them, then your DHCP records are relatively incomplete, which may be a problem when confirming service levels or investigating security events.
To keep logs longer than a week, copy or rename the current log file. I suggest copying it and appending the calendar date to the file name for easy reference. If your log is named DhcpSrvLog-Sun.log, copy it to DhcpSrvLog-Sun-07-31-2023.log to preserve it.
To automate log archiving, try PowerShell. The following code copies the Sunday log file with a file name that contains the date:
Copy-Item "C:\Windows\system32\dhcp\*Sun.log" "C:\Windows\system32\dhcp\archive\dhcplog-Sun-$(Get-Date -UFormat %d-%m-%Y).log"Consider copying the log to an archive folder. I modified the destination path to C:\Windows\system32\dhcp\archive\. Use whatever makes sense for your organization.
What are best practices for DHCP logging?
Use the following guidelines and recommendations to optimize DHCP logging and to effectively manage and utilize these logs:
- Proactively review the DHCP logs for scope and client information.
- Maintain DHCP to avoid troubleshooting situations.
- Implement automation to archive the logs for troubleshooting and auditing.
A solid DHCP design includes the following:
- Configure scope options accurately.
- Create plenty of IP addresses for the expected number of clients.
- Set a lease duration to match client network activity.
- Configure DHCP failover for Windows-based DHCP servers.
- Authorize Windows-based DHCP servers in AD.
- Use DHCP listeners if clients reside on different segments from DHCP servers.
Use DHCP logs the next time you investigate or troubleshoot your DHCP deployment.
Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to TechTarget Editorial and CompTIA Blogs.
The DHCP server logging system provides information on successful or failed lease grants, depletion of the server’s IP pool, or requests for messages and their corresponding acknowledgements. Analyzing DHCP server log files is thus an ideal audit mechanism
Common audit codes that might appear in the log include
- 00—The log was started.
- 01—The log was stopped.
- 02—The log was temporarily paused due to low disk space.
- 10—A new IP address was leased to a client.
- 11—A lease was renewed by a client.
- 12—A lease was released by a client.
- 13—An IP address was found to be in use on the network.
- 14—A lease request could not be satisfied because the scope’s address pool was exhausted.
- 15—A lease was denied.
- 16—A lease was deleted.
- 17—A lease was expired.
- 20—A BOOTP address was leased to a client.
- 21—A dynamic BOOTP address was leased to a client.
- 22—A BOOTP request could not be satisfied because the scope’s address pool for BOOTP was exhausted.
- 23—A BOOTP IP address was deleted after verifying that it wasn’t in use.
The DHCP Server uses codes above 50 for Rogue Server Detection information.
Using PowerShell Command
Set-DhcpServerAuditLog -ComputerName “servername.domain.com” -Enable $True -Path “D:\dhcpauditlog\” -MaxMBFileSize 1000
Using a graphical user interface
- Open the DHCP snap-in.
- In the left pane, right-click on DHCP and select Add Server.
- Type in the name of the DHCP Server you want to target and click OK.
- Right-click the server node and select Properties.
- On the General tab, check the box beside Enable DHCP audit logging.
- Click OK
Dhcp-Client logs its events to the Windows Event Log. To view this, open the Event Viewer, expand the Windows Logs entry on the left and select System. Here all system messages are shown. To view only Dhcp-Client entries, click «Filter Current Log…» on the right.
- How do I find the DHCP Server event log?
- How do I enable DHCP client events operational log?
- Where are DHCP audit logs stored?
- How do I view DHCP logs?
- How do I know if my DHCP Server is working Windows 2012?
- What is DHCP log files?
- Can I disable DHCP client service?
- What is DNS client service?
- How do I access DHCP server?
- How do I remove IP from DHCP conflict?
- How long are DHCP logs kept?
- Which rule does the DHCP server use when there is an IP address conflict?
How do I find the DHCP Server event log?
Events are displayed from the Operational event log. These events can also be viewed in Event Viewer on individual DHCP servers by navigating to Applications and Services Logs>Microsoft>Windows>DHCP-Server>Microsoft-Windows-DHCP Server Events/Operational.
How do I enable DHCP client events operational log?
To enable the required logs, open Event Viewer ( eventvwr ) and check the logs under Applications and Services Logs > Microsoft > Windows > Dhcp-Client and Applications and Services Logs > Microsoft > Windows > DHCPv6-Client. To enable a log, right-click on it and click Enable Log.
Where are DHCP audit logs stored?
By default, the DHCP Server service writes daily audit logs to the folder WINDOWS \System32\Dhcp. These audit log files are text files named after the day of the week.
How do I view DHCP logs?
Log into the DHCP server, and start the DHCP MMC console. Expand the DHCP server instance we are wanting to audit and expand the IPv4 list. Right click on IPv4 and select properties. Under the General tab there should be a check box that states «Enable DHCP audit logging», select that check box to enable auditing.
How do I know if my DHCP Server is working Windows 2012?
On the Start screen, type DHCP , and click to open DHCP console. On the DHCP console, expand the Server name, and then right-click IPv4 .
What is DHCP log files?
DHCP server logs are comma-delimited text files with each log entry representing a single line of text. … 02 The log was temporarily paused due to low disk space. 10 A new IP address was leased to a client. 11 A lease was renewed by a client.
Can I disable DHCP client service?
The DHCP client is enabled by default. You can disable or re-enable DHCP client on a switch or a router. On a switch, enter global configuration mode. Enter the no ip dhcp-client enable command to disable the DHCP client.
What is DNS client service?
The DNS Client service is used to resolve DNS domain names, by querying locally cached information obtained from a previous query or by querying a remote DNS server.
How do I access DHCP server?
Remember that a scope is a range of IP addresses that the DHCP server can lease to clients. Begin by opening the DHCP console. You can access the DHCP console by selecting the DHCP command from the server’s Administrative Tools menu.
How do I remove IP from DHCP conflict?
show ip dhcp pool [pool name] – This will show information on number of IP’s leased. show ip dhcp conflict – This will show any conflicts in your pools. clear ip dhcp binding | conflict [x.x.x.x] | * – This will clear the pool of the address you specify or all in the case of *.
How long are DHCP logs kept?
With DHCP the logs are typically stored for anywhere from 90–365 days. The DHCP logs will include some important information for identifying who received a specific lease (IP assignment).
Which rule does the DHCP server use when there is an IP address conflict?
Once the conflicted address is found, the server removes it from the pool until the problem is manually resolved by the administrator. Use the «show ip dhcp conflict» command to determine the IP address conflict and use the «clear ip dhcp conflict» command to remove the conflict.
PowerShell How-To
Using PowerShell To Parse and Understand Windows Server DHCP Logs
Have you ever scrolled through the Windows Server DHCP logs in the Notepad app while trying to troubleshoot something? Then you know that it’s a tedious task.
There are many alternatives to Notepad such as importing to Excel, but that’s also time-consuming — even more so if you have several DHCP servers in a failover cluster.
In this column, we’ll go through how to collect, parse and understand the Windows Server DHCP logs with the help of PowerShell.
Requirements
There are a few things that you’ll need before following along in this post:
- A Windows DHCP server (I based this post on Windows Server 2019 but it should work the same for at least 2012 R2 and up).
- Local administrator rights on the DHCP server(s).
- WSMan (PowerShell remoting) and its required ports opened on the DHCP server(s).
- PowerShell 5.1 (it may work with other versions but it’s not tested).
Enabling Your DHCP Audit Logs
First, we need to make sure that the DHCP audit logs are enabled. This is easily done through PowerShell and it will just take a minute. Log on to the DHCP server, open PowerShell as an Administrator, then enter the following command:
PS51> Get-DhcpServerAuditLog
If enabled equals True as in the picture below, then you’re good to go.
If it isn’t enabled, then you need to enter the following commands that will enable it and restart the DHCP service:
Set-DhcpServerAuditLog -Enable $True -MaxMBFileSize 70 Restart-Service DhcpServer
The audit log is now enabled.
Repeat this for all servers in your DHCP cluster (if any).
Finding the Logs
Before parsing the DHCP logs, it’s a good idea to learn where to find them.
The DHCP audit logs are usually located in C:32* and follow the naming context DhcpSrvLog-.log* for IPv4 logs and DhcpV6SrvLog-.log for the first three letters of the day written in English. We can easily locate them using PowerShell:
PS51> Get-ChildItem C:\Windows\system32\dhcp\Dhcp*SrvLog-*.log | Select -ExpandProperty Name DhcpSrvLog-Fri.log DhcpSrvLog-Mon.log DhcpSrvLog-Sat.log DhcpSrvLog-Sun.log DhcpSrvLog-Thu.log DhcpSrvLog-Tue.log DhcpSrvLog-Wed.log DhcpV6SrvLog-Fri.log DhcpV6SrvLog-Mon.log DhcpV6SrvLog-Sat.log DhcpV6SrvLog-Sun.log DhcpV6SrvLog-Thu.log DhcpV6SrvLog-Tue.log DhcpV6SrvLog-Wed.log
If you can’t find your audit logs here, then run the PowerShell command Get-DhcpServerAuditLog to see in what directory they are saved under the property Path. Also, double-check that you’ve enabled the audit logs and restarted the DhcpServer service as we described previously.
Understanding the Contents
Interpreting the logs is also fundamental while troubleshooting. The DHCP audit log files consists of two parts:
- Roughly 32 lines mainly describing what the different event codes (ID and QResult) mean in the CSV.
- A CSV with a header.
Most of the columns are pretty well-described by their headers. But the ID column can sometimes be quite cryptic, so I summarized a list of all the IPv4 ID descriptions both from the log files and Microsoft’s official documentation below:
0: The log was started.
1: The log was stopped.
2: The log was temporarily paused due to low disk space.
10: A new IP address was leased to a client.
11: A lease was renewed by a client.
12: A lease was released by a client.
13: An IP address was found to be in use on the network.
14: A lease request could not be satisfied because the scope’s address pool was exhausted.
15: A lease was denied.
16: A lease was deleted.
17: A lease was expired and DNS records for an expired leases have not been deleted.
18: A lease was expired and DNS records were deleted.
20: A BOOTP address was leased to a client.
21: A dynamic BOOTP address was leased to a client.
22: A BOOTP request could not be satisfied because the scope’s address pool for BOOTP was exhausted.
23: A BOOTP IP address was deleted after checking to see it was not in use.
24: IP address cleanup operation has began.
25: IP address cleanup statistics.
30: DNS update request to the name DNS server.
31: DNS update failed.
32: DNS update successful.
33: Packet dropped due to NAP policy.
34: DNS update request failed as the DNS update request queue limit exceeded.
35: DNS update request failed.
36: Packet dropped because the serve is in failover standby role or the hash of the client ID does not match.
50: Unreachable domain
51: Authorization succeeded
52: Upgraded to a Windows Server 2003 operating system
53: Cached Authorization
54: Authorization failed
55: Authorization (servicing)
56: Authorization failure, stopped servicing
57: Server found in domain
58: Server could not find domain
59: Network failure
60: No DC is DS Enabled
61: Server found that belongs to DS domain
62: Another server found
63: Restarting rogue detection
64: No DHCP enabled interfaces
There’s also the QResult column that specifies if a client has been blocked from receiving an IP address with the following description to its IDs:
0: NoQuarantine
1: Quarantine
2: Drop Packet
3: Probation
6: No Quarantine
Additional data is almost always supplied in the Description column. If you would like to learn more about the different events codes in the CSV columns, you can read Microsoft’s documentation here.
Parsing the Audit Log with PowerShell
Using PowerShell is one of the best ways to parse a DHCP audit log. It can also easily be executed on several DHCP servers at once so you don’t have to run it manually on each one.
The script below will use PowerShell remoting to connect to all of your DHCP servers at once to collect the logs and output them as objects instead of CSV:
Function Get-RemoteDhcpAuditLog {
Param(
[parameter(Mandatory)]
[string[]]$ComputerName,
[parameter(Mandatory)]
[ValidateSet('Mon','Tue','Wed','Thu','Fri','Sat','Sun','*')]
[string]$Day = '*',
[parameter(Mandatory)]
[ValidateSet('IPv4','IPv6')]
[string]$Protocol = 'IPv4',
[string]$LogPath = "C:\Windows\System32\dhcp"
)
$Parameters = @{
Day = $Day
LogPath = $LogPath
}
Switch($Protocol){
IPv6 {$Parameters["Protocol"] = "v6"}
IPv4 {$Parameters["Protocol"] = ""}
}
$Job = Invoke-Command -AsJob -ArgumentList $Parameters -ComputerName $ComputerName -ScriptBlock {
$Parameters = $Args[0]
$LogFiles = Get-ChildItem -Path "$($Parameters.LogPath)\Dhcp$($Parameters.Protocol)SrvLog-$($Parameters.Day).log"
Foreach($LogFile in $LogFiles){
# Read the log file
$LogContent = Cat $LogFile
# Determine start row of CSV
$StartRow = 0
$LogContent | Foreach {
if($_ -match "^ID,Date"){
Break
}
Else{
$StartRow++
}
}
# Create expressions to use with Select-Object
$DateTimeExpression = @{
Name="Date"
Expression={
$_.Date -match "(?\d\d)/(?\d\d)/(?\d\d)" | Out-Null
Get-Date "20$($Matches.year)-$($Matches.month)-$($Matches.day) $($_.Time)"
}
}
# Output as CSV from row $StartRow
$LogContent | Select -Skip $StartRow | ConvertFrom-Csv -Delimiter "," | Select $DateTimeExpression,* -ExcludeProperty Date,Time
}
}
$Job | Wait-Job
$Job | Receive-Job
}
If we want to fetch audit logs from one or several DHCP servers, we just have to run the following as a user with remoting permissions to the server(s):
# To collect logs from one server Get-RemoteDhcpAuditLogs -ComputerName srvDhcp01 -Day Tue -Protocol IPv4 # To collect logs from several servers Get-RemoteDhcpAuditLogs -ComputerName srvDhcp01,srvDhcp02 -Day Tue -Protocol IPv4
This returns a regular PSObject collection that we can filter like this:
Get-RemoteDhcpAuditLogs -ComputerName srvDhcp01 -Day Tue -Protocol IPv4 | Where-Object {$_.'IP Address' -eq "10.10.45.10"}
You can filter on all the properties of the object, making troubleshooting a lot easier (for example, mac, host name and so on).
Summary
Learning how to easily interpret and search the DHCP audit logs is half the battle when it comes to troubleshooting DHCP. And using PowerShell as a tool for that makes it so much quicker.
Creating a PowerShell function for collecting logs it makes it so much easier for us, especially considering that we don’t have to RDP to the DHCP server to run it. Also, running the log collection as a job and not as a regular Invoke-Command makes it so much faster.
About the Author
Adam Bertram is a 20-year veteran of IT. He’s an automation engineer, blogger, consultant, freelance writer, Pluralsight course author and content marketing advisor to multiple technology companies. Adam also founded the popular TechSnips e-learning platform. He mainly focuses on DevOps, system management and automation technologies, as well as various cloud platforms mostly in the Microsoft space. He is a Microsoft Cloud and Datacenter Management MVP who absorbs knowledge from the IT field and explains it in an easy-to-understand fashion. Catch up on Adam’s articles at adamtheautomator.com, connect on LinkedIn or follow him on Twitter at @adbertram or the TechSnips Twitter account @techsnips_io.
Troubleshooting on DHCP server
Verify listening ports
Verify that only the DHCP server is listening on UDP port 67 and 68. No other process or other services (such as WDS or PXE) should occupy these ports.
# Run command
netstat -anb
Verify Event log
Check the System and DHCP Server service event logs for reported issues that are related to the observed problem.
Applications and Services Logs > Microsoft > Windows > DHCP-Server
DHCP Audit Logs
Enabling Your DHCP Audit Logs
Check DHCP audit logs are enabled
# PowerShell
Get-DhcpServerAuditLog
Result
a. Path c:\windows\system32\dhcp
b. Enable True
# If not enable, then enble it
Set-DhcpServerAuditLog -Enable $True -MaxMBFileSize 70
Restart-Service DhcpServer
Audit Log location
The DHCP audit logs are follow the naming context DhcpSrvLog-.log* for IPv4 logs and DhcpV6SrvLog-.log for the first three letters of the day written in English.
# Get dhcp audit logs
Get-ChildItem C:\Windows\system32\dhcp\Dhcp*SrvLog-*.log | Select -ExpandProperty Name
Understanding the Contents
Interpreting the logs is also fundamental while troubleshooting. The DHCP audit log files consists of two parts:
Roughly 32 lines mainly describing what the different event codes (ID and QResult) mean in the CSV.
A CSV with a header.
Most of the columns are pretty well-described by their headers. But the ID column can sometimes be quite cryptic, so I summarized a list of all the IPv4 ID descriptions both from the log files and Microsoft’s official documentation below:
0: The log was started.
1: The log was stopped.
2: The log was temporarily paused due to low disk space.
10: A new IP address was leased to a client.
11: A lease was renewed by a client.
12: A lease was released by a client.
13: An IP address was found to be in use on the network.
14: A lease request could not be satisfied because the scope's address pool was exhausted.
15: A lease was denied.
16: A lease was deleted.
17: A lease was expired and DNS records for an expired leases have not been deleted.
18: A lease was expired and DNS records were deleted.
20: A BOOTP address was leased to a client.
21: A dynamic BOOTP address was leased to a client.
22: A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.
23: A BOOTP IP address was deleted after checking to see it was not in use.
24: IP address cleanup operation has began.
25: IP address cleanup statistics.
30: DNS update request to the name DNS server.
31: DNS update failed.
32: DNS update successful.
33: Packet dropped due to NAP policy.
34: DNS update request failed as the DNS update request queue limit exceeded.
35: DNS update request failed.
36: Packet dropped because the serve is in failover standby role or the hash of the client ID does not match.
50: Unreachable domain
51: Authorization succeeded
52: Upgraded to a Windows Server 2003 operating system
53: Cached Authorization
54: Authorization failed
55: Authorization (servicing)
56: Authorization failure, stopped servicing
57: Server found in domain
58: Server could not find domain
59: Network failure
60: No DC is DS Enabled
61: Server found that belongs to DS domain
62: Another server found
63: Restarting rogue detection
64: No DHCP enabled interfaces
There's also the QResult column that specifies if a client has been blocked from receiving an IP address with the following description to its IDs:
0: NoQuarantine
1: Quarantine
2: Drop Packet
3: Probation
6: No Quarantine
Additional data is almost always supplied in the Description column.
Parsing the auditing logs
Function Get-RemoteDhcpAuditLog {
Param(
[parameter(Mandatory)]
[string[]]$ComputerName,
[parameter(Mandatory)]
[ValidateSet('Mon','Tue','Wed','Thu','Fri','Sat','Sun','*')]
[string]$Day = '*',
[parameter(Mandatory)]
[ValidateSet('IPv4','IPv6')]
[string]$Protocol = 'IPv4',
[string]$LogPath = "C:\Windows\System32\dhcp"
)
$Parameters = @{
Day = $Day
LogPath = $LogPath
}
Switch($Protocol){
IPv6 {$Parameters["Protocol"] = "v6"}
IPv4 {$Parameters["Protocol"] = ""}
}
$Job = Invoke-Command -AsJob -ArgumentList $Parameters -ComputerName $ComputerName -ScriptBlock {
$Parameters = $Args[0]
$LogFiles = Get-ChildItem -Path "$($Parameters.LogPath)\Dhcp$($Parameters.Protocol)SrvLog-$($Parameters.Day).log"
Foreach($LogFile in $LogFiles){
# Read the log file
$LogContent = Cat $LogFile
# Determine start row of CSV
$StartRow = 0
$LogContent | Foreach {
if($_ -match "^ID,Date"){
Break
}
Else{
$StartRow++
}
}
# Create expressions to use with Select-Object
$DateTimeExpression = @{
Name="Date"
Expression={
$_.Date -match "(?\d\d)/(?\d\d)/(?\d\d)" | Out-Null
Get-Date "20$($Matches.year)-$($Matches.month)-$($Matches.day) $($_.Time)"
}
}
# Output as CSV from row $StartRow
$LogContent | Select -Skip $StartRow | ConvertFrom-Csv -Delimiter "," | Select $DateTimeExpression,* -ExcludeProperty Date,Time
}
}
$Job | Wait-Job
$Job | Receive-Job
}
# Troubleshooting by filtering ip, mac, hostname
Get-RemoteDhcpAuditLog -ComputerName srvDhcp01 -Day Tue -Protocol IPv4 | Where-Object {$_.'IP Address' -eq "10.10.45.10"}