Export (0) Print
Expand All

More About DHCP Audit and Event Logging

Applies To: Windows Server 2008 R2

You can use this procedure to enable Dynamic Host Configuration Protocol (DHCP) server logging.

Membership in the Administrators or DHCP Administrators group is the minimum required to complete this procedure.

To enable DHCP server logging
  1. Open the DHCP Microsoft Management Console (MMC) snap-in.

  2. In the console tree, click the DHCP server you want to configure.

  3. On the Action menu, click Properties.

  4. On the General tab, select Enable DHCP audit logging, and then click OK.

Analyzing server log files

In Windows Server 2008, DHCP server log files are configured to manage log file growth and conserve disk resources by default. DHCP audit logs are located by default at %windir%\System32\Dhcp.

The following section outlines the format of these log files and how they can be used to gather more information about DHCP Server service operations on the network.

DHCP server log file format

DHCP server logs are comma-delimited text files with each log entry representing a single line of text. Following are the fields (and the order in which they appear) in a log file entry:

ID, Date, Time, Description, IP Address, Host Name, MAC Address

Each of these fields is described in detail in the following table:

 

Field Description

ID

A DHCP server event ID code.

Date

The date on which this entry was logged on the DHCP server.

Time

The time at which this entry was logged on the DHCP server.

Description

A description of this DHCP server event.

IP Address

The IP address of the DHCP client.

Host Name

The host name of the DHCP client.

MAC Address

The media access control (MAC) address used by the network adapter hardware of the client.

DHCP server log: Common event codes

DHCP server audit log files use reserved event ID codes to provide information about the type of server event or activity logged. The following table describes these event ID codes in more detail.

 

Event ID Description

00

The log was started.

01

The log was stopped.

02

The log was temporarily paused due to low disk space.

10

A new IP address was leased to a client.

11

A lease was renewed by a client.

12

A lease was released by a client.

13

An IP address was found in use on the network.

14

A lease request could not be satisfied because the address pool of the scope was exhausted.

15

A lease was denied.

20

A Bootstrap Protocol (BOOTP) address was leased to a client.

DNS dynamic update events

When the DHCP server is configured to perform Domain Name System (DNS) dynamic updates on behalf of DHCP clients, you can use the DHCP audit logs to monitor update requests by the DHCP server to the DNS server, DNS record update successes, and DNS record update failures. The following event IDs are used for DNS dynamic update events:

 

Event ID Description

30

DNS dynamic update request

31

DNS dynamic update failed

32

DNS dynamic update successful

The IP address of the DHCP client computer is included in the DHCP audit log so you can track the source in the event of a denial-of-service attack.

DHCP server logs: Server authorization events

The following are additional server log event ID codes and descriptions. These events can appear in logs made by DHCP servers running Windows Server 2008. They pertain to the specific DHCP server and its authorization status when deployed in Active Directory Domain Services (AD DS) environments.

 

Event ID Description

50

Unreachable domain

The DHCP server did not locate the specific domain for its configured Active Directory installation.

51

Authorization succeeded

The DHCP server was authorized to start on the network.

52

Upgraded to a Windows Server 2008 operating system

The DHCP server was recently upgraded to a Windows Server 2008 operating system, and, therefore, the unauthorized DHCP server detection feature (used to determine whether the server has been authorized in AD DS) was disabled.

53

Cached Authorization

The DHCP server was authorized to start using previously cached information. AD DS could not be found at the time the server was started on the network.

54

Authorization failed

The DHCP server was not authorized to start on the network. When this event occurs, it is likely followed by the server being stopped.

55

Authorization (servicing)

The DHCP server was successfully authorized to start on the network.

56

Authorization failure, stopped servicing

The DHCP server was not authorized to start on the network and was shut down by the operating system. You must first authorize the server in AD DS before starting it again.

57

Server found in domain

Another DHCP server exists and is authorized for service in the same domain.

58

Server did not find domain

The DHCP server did not locate the specified domain.

59

Network failure

A network-related failure prevented the server from determining if it is authorized.

60

No domain controller is directory service enabled

No domain controller running Windows Server 2008 was located. For detecting whether the server is authorized, a domain controller that is enabled for AD DS is required.

61

Server found that belongs to DS domain

Another DHCP server was found on the network that belongs to the Active Directory domain.

62

Another server found

Another DHCP server was found on the network.

63

Restarting rogue detection

The DHCP server is trying again to determine whether it is authorized to start and provide service on the network.

64

No DHCP enabled interfaces

The DHCP server has its service bindings or network connections configured so that it is not enabled to provide service. This usually means one of the following:

  • The network connections of the server are either not installed or not actively connected to a network.

  • The server has not been configured with at least one static IP address for one of its installed and active network connections.

  • All of the statically configured network connections for the server are disabled.

Example: Excerpt from a sample DHCP server audit log

The following is a brief excerpt of sample log activity from an audit log generated by the DHCP Server service:


ID Date,Time,Description,IP Address,Host Name,MAC Address
00,04/19/99,12:43:06,Started,,,
60,04/19/99,12:43:21,No DC is DS Enabled,,MYDOMAIN,
63,04/19/99,12:43:28,Restarting rogue detection,,,
01,04/19/99,13:11:13,Stopped,,,
00,04/19/99,12:43:06,Started,,,
55,04/19/99,12:43:54,Authorized(servicing),,MYDOMAIN,

In this sample, the DHCP server was not authorized when initially started and is subsequently stopped. After it is authorized, the server can then restart and service clients.

Additional Resources

For a list of Help topics providing related information, see Recommended tasks for the DHCP server role.

For updated detailed IT pro information about DHCP, see the Windows Server 2008 documentation on the Microsoft TechNet Web site.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft