You can use this procedure to enable Dynamic Host Configuration Protocol (DHCP) server logging.
Membership in the Administrators or DHCP Administrators group is the minimum required to complete this procedure.
To enable DHCP server logging
1. Open the DHCP Microsoft Management Console (MMC) snap-in.
2. In the console tree, click the DHCP server you want to configure.
3. On the Action menu, click Properties.
4. On the General tab, select Enable DHCP audit logging, and then click OK.
Analyzing server log files
In Windows Server 2008, DHCP server log files are configured to manage log file growth and conserve disk resources by default. DHCP audit logs are located by default at %windir%\System32\Dhcp.
The following section outlines the format of these log files and how they can be used to gather more information about DHCP Server service operations on the network.
DHCP server log file format
DHCP server logs are comma-delimited text files with each log entry representing a single line of text. Following are the fields (and the order in which they appear) in a log file entry:
ID, Date, Time, Description, IP Address, Host Name, MAC Address
Each of these fields is described in detail in the following table:
Field | Description |
---|---|
ID | A DHCP server event ID code. |
Date | The date on which this entry was logged on the DHCP server. |
Time | The time at which this entry was logged on the DHCP server. |
Description | A description of this DHCP server event. |
IP Address | The IP address of the DHCP client. |
Host Name | The host name of the DHCP client. |
MAC Address | The media access control (MAC) address used by the network adapter hardware of the client. |
DHCP server log: Common event codes
DHCP server audit log files use reserved event ID codes to provide information about the type of server event or activity logged. The following table describes these event ID codes in more detail.
Event ID | Description |
---|---|
00 | The log was started. |
01 | The log was stopped. |
02 | The log was temporarily paused due to low disk space. |
10 | A new IP address was leased to a client. |
11 | A lease was renewed by a client. |
12 | A lease was released by a client. |
13 | An IP address was found in use on the network. |
14 | A lease request could not be satisfied because the address pool of the scope was exhausted. |
15 | A lease was denied. |
20 | A Bootstrap Protocol (BOOTP) address was leased to a client. |
DNS dynamic update events
When the DHCP server is configured to perform Domain Name System (DNS) dynamic updates on behalf of DHCP clients, you can use the DHCP audit logs to monitor update requests by the DHCP server to the DNS server, DNS record update successes, and DNS record update failures. The following event IDs are used for DNS dynamic update events:
Event ID | Description |
---|---|
30 | DNS dynamic update request |
31 | DNS dynamic update failed |
32 | DNS dynamic update successful |
The IP address of the DHCP client computer is included in the DHCP audit log so you can track the source in the event of a denial-of-service attack.
DHCP server logs: Server authorization events
The following are additional server log event ID codes and descriptions. These events can appear in logs made by DHCP servers running Windows Server 2008. They pertain to the specific DHCP server and its authorization status when deployed in Active Directory Domain Services (AD DS) environments.
Event ID | Description |
---|---|
50 | Unreachable domain: The DHCP server did not locate the specific domain for its configured Active Directory installation. |
51 | Authorization succeeded: The DHCP server was authorized to start on the network. |
52 | Upgraded to a Windows Server 2008 operating system: The DHCP server was recently upgraded to a Windows Server 2008 operating system, and, therefore, the unauthorized DHCP server detection feature (used to determine whether the server has been authorized in AD DS) was disabled. |
53 | Cached Authorization: The DHCP server was authorized to start using previously cached information. AD DS could not be found at the time the server was started on the network. |
54 | Authorization failed: The DHCP server was not authorized to start on the network. When this event occurs, it is likely followed by the server being stopped. |
55 | Authorization (servicing): The DHCP server was successfully authorized to start on the network. |
56 | Authorization failure, stopped servicing: The DHCP server was not authorized to start on the network and was shut down by the operating system. You must first authorize the server in AD DS before starting it again. |
57 | Server found in domain: Another DHCP server exists and is authorized for service in the same domain. |
58 | Server did not find domain: The DHCP server did not locate the specified domain. |
59 | Network failure: A network-related failure prevented the server from determining if it is authorized. |
60 | No domain controller is directory service enabled: No domain controller running Windows Server 2008 was located. For detecting whether the server is authorized, a domain controller that is enabled for AD DS is required. |
61 | Server found that belongs to DS domain: Another DHCP server was found on the network that belongs to the Active Directory domain. |
62 | Another server found: Another DHCP server was found on the network. |
63 | Restarting rogue detection: The DHCP server is trying again to determine whether it is authorized to start and provide service on the network. |
64 | No DHCP enabled interfaces: The DHCP server has its service bindings or network connections configured so that it is not enabled to provide service. This usually means one of the following: |
Example: Excerpt from a sample DHCP server audit log
The following is a brief excerpt of sample log activity from an audit log generated by the DHCP Server service:
```
ID Date,Time,Description,IP Address,Host Name,MAC Address
00,04/19/99,12:43:06,Started,,,
60,04/19/99,12:43:21,No DC is DS Enabled,,MYDOMAIN,
63,04/19/99,12:43:28,Restarting rogue detection,,,
01,04/19/99,13:11:13,Stopped,,,
00,04/19/99,12:43:06,Started,,,
55,04/19/99,12:43:54,Authorized(servicing),,MYDOMAIN,
```
In this sample, the DHCP server was not authorized when it initially started and was subsequently stopped. After it is authorized, the server can then restart and service clients.
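The following added example (not part of the original documentation) parses audit log text in the seven-field format described above, flags the event IDs from this page's tables that usually need follow-up, and counts entries per client IP address. The choice of which IDs to flag, the function names, and the sample lines after the first three are assumptions made for illustration.

```python
import csv
from collections import Counter

# Event IDs from this page's tables that usually deserve a closer look.
ALERT_EVENTS = {
    "02": "log paused, low disk space", "13": "IP address found in use",
    "14": "scope address pool exhausted", "15": "lease denied",
    "31": "DNS dynamic update failed", "54": "authorization failed",
    "56": "authorization failure, stopped servicing",
    "61": "another DHCP server found (DS domain)",
    "62": "another DHCP server found",
}
FIELDS = ["id", "date", "time", "description", "ip", "host", "mac"]

def parse_audit_log(text):
    """Yield one dict per log entry, skipping header and banner lines."""
    for row in csv.reader(text.splitlines()):
        # Real entries start with a numeric event ID; other lines do not.
        if len(row) < 4 or not row[0].strip().isdigit():
            continue
        cells = [c.strip() for c in row[:7]] + [""] * (7 - len(row))
        entry = dict(zip(FIELDS, cells))
        entry["id"] = entry["id"].zfill(2)
        yield entry

def triage(text):
    """Return (alert entries, entry count per client IP address)."""
    alerts, per_ip = [], Counter()
    for e in parse_audit_log(text):
        if e["ip"]:
            per_ip[e["ip"]] += 1
        if e["id"] in ALERT_EVENTS:
            alerts.append({**e, "reason": ALERT_EVENTS[e["id"]]})
    return alerts, per_ip

# Constructed sample: first three lines follow the page's excerpt; the rest
# (addresses, names, MAC, description strings) are made up for the demo.
SAMPLE = """ID Date,Time,Description,IP Address,Host Name,MAC Address
00,04/19/99,12:43:06,Started,,,
55,04/19/99,12:43:54,Authorized(servicing),,MYDOMAIN,
10,04/19/99,12:50:01,Assign,192.0.2.10,host-a.example.test,00AABBCCDD01
30,04/19/99,12:50:01,DNS Update Request,192.0.2.10,host-a.example.test,
31,04/19/99,12:50:02,DNS Update Failed,192.0.2.10,host-a.example.test,
13,04/19/99,12:51:10,Conflict,192.0.2.11,,
62,04/19/99,12:55:00,Another server found,,,
"""

if __name__ == "__main__":
    found, by_ip = triage(SAMPLE)
    for a in found:
        print(a["date"], a["time"], a["id"], a["reason"], a["ip"] or "-")
```

The per-address counter gives the volume-by-source view that the IP Address field makes possible; what count is unusual depends on the scope size and lease duration in your environment.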
Additional Resources
For a list of Help topics providing related information, see Recommended tasks for the DHCP server role.
For updated detailed IT pro information about DHCP, see the Windows Server 2008 documentation on the Microsoft TechNet Web site.