DHCP: Log location and explanation

Summary

Location of DHCP logs and how to analyse them.

Issue:

If clients aren't receiving DHCP leases and you are not sure what else to check, the DHCP logs are a good indicator of where to investigate.

The DHCP logs are particularly useful when deploying to a greenfield site, where a multitude of potential issues could be at play.

Resolution

Location

Logs are located on the DHCP server in the following location:

%windir%\System32\Dhcp

Within this folder the logs are organised by day, an odd choice of formatting but one Microsoft has run with nonetheless.

Log Format

Log entries are in the format:

ID, Date, Time, Description, IP Address, Host Name, MAC Address

Common Event codes

There is a very useful list of codes at the top of the log, but these are the most common ones to look out for:

Event ID	Description
00	The log was started.
01	The log was stopped.
02	The log was temporarily paused due to low disk space.
10	A new IP address was leased to a client.
11	A lease was renewed by a client.
12	A lease was released by a client.
13	An IP address was found in use on the network.
14	A lease request could not be satisfied because the address pool of the scope was exhausted.
15	A lease was denied.
20	A BOOTP address was leased to a client.

A full listing of common codes can be found here:

https://technet.microsoft.com/en-us/library/dd183591(v=ws.10).aspx

From the log:

Event ID  Meaning
00	The log was started.
01	The log was stopped.
02	The log was temporarily paused due to low disk space.
10	A new IP address was leased to a client.
11	A lease was renewed by a client.
12	A lease was released by a client.
13	An IP address was found to be in use on the network.
14	A lease request could not be satisfied because the scope's address pool was exhausted.
15	A lease was denied.
16	A lease was deleted.
17	A lease was expired and DNS records for an expired leases have not been deleted.
18	A lease was expired and DNS records were deleted.
20	A BOOTP address was leased to a client.
21	A dynamic BOOTP address was leased to a client.
22	A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.
23	A BOOTP IP address was deleted after checking to see it was not in use.
24	IP address cleanup operation has began.
25	IP address cleanup statistics.
30	DNS update request to the named DNS server.
31	DNS update failed.
32	DNS update successful.
33	Packet dropped due to NAP policy.
34	DNS update request failed.as the DNS update request queue limit exceeded.
35	DNS update request failed.
36	Packet dropped because the server is in failover standby role or the hash of the client ID does not match.
50+	Codes above 50 are used for Rogue Server Detection information.

QResult: 0: NoQuarantine, 1:Quarantine, 2:Drop Packet, 3:Probation,6:No Quarantine Information ProbationTime:Year-Month-Day Hour:Minute:Second:MilliSecond.

Here is an example log file with the client entry highlighted:

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError.
25,06/23/15,05:38:51,0 leases expired and 0 leases deleted,,,,,0,6,,,,,,,,,0
11,06/23/15,06:00:23,Renew,192.168.1.104,minint-i1bkgc7.corp.viamonstra.com,000C2938A8BC,,461094449,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0
24,06/23/15,06:38:53,Database Cleanup Begin,,,,,0,6,,,,,,,,,0
25,06/23/15,06:38:53,0 leases expired and 0 leases deleted,,,,,0,6,,,,,,,,,0
25,06/23/15,06:38:53,0 leases expired and 0 leases deleted,,,,,0,6,,,,,,,,,0

If your client does not appear in the log at all, it is a reasonable assumption that there is an issue with your network setup.

For example, if the DHCP server sits on a different subnet to the client, checking the IP helper addresses would be the first port of call to ensure the broadcast is reaching the server.
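The check described above can be scripted against a copy of the log. The following is an added example, not part of the original post: it parses the comma-separated entries, skips the legend at the top of the file, and reports whether a given MAC address appears and whether events 13, 14 or 15 were logged. The function names and the event 14 and 15 sample rows are constructed for illustration.

```python
import csv
import io

# First seven columns of the header line shown in the sample log above.
FIELDS = ["id", "date", "time", "description", "ip", "host", "mac"]
# Event IDs from the page's table that indicate a lease problem.
PROBLEMS = {13: "address in use", 14: "pool exhausted", 15: "lease denied"}

def normalise_mac(mac):
    """Strip separators so 00-0C-29-.. and 000C29.. compare equal."""
    return "".join(c for c in mac if c.isalnum()).upper()

def parse_dhcp_log(text):
    """Return data rows as dicts, skipping the legend and column header."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        # Data rows start with a numeric event ID and have at least 7 fields.
        if len(row) < len(FIELDS) or not row[0].strip().isdigit():
            continue
        entry = dict(zip(FIELDS, (field.strip() for field in row)))
        entry["id"] = int(entry["id"])
        entry["mac"] = normalise_mac(entry["mac"])
        entries.append(entry)
    return entries

def triage(entries, mac):
    """Summarise what the log records for one client MAC address."""
    mac = normalise_mac(mac)
    mine = [e for e in entries if e["mac"] == mac]
    return {
        "seen": bool(mine),  # False: no entry for this client in the log
        "events": [e["id"] for e in mine],
        "problems": [(e["time"], PROBLEMS[e["id"]])
                     for e in mine if e["id"] in PROBLEMS],
        # Event 14 for any client means a scope has run out of addresses.
        "pool_exhausted": any(e["id"] == 14 for e in entries),
    }

# Constructed sample: legend and header excerpts plus the Renew row are from
# the page; the event 14 and 15 rows are invented for illustration.
SAMPLE_LOG = """\
10\tA new IP address was leased to a client.
QResult: 0: NoQuarantine, 1:Quarantine, 2:Drop Packet, 3:Probation
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name
11,06/23/15,06:00:23,Renew,192.168.1.104,minint-i1bkgc7.corp.viamonstra.com,000C2938A8BC,
24,06/23/15,06:38:53,Database Cleanup Begin,,,,
14,06/23/15,07:02:10,constructed pool exhausted,192.168.1.0,,000C29AAAAAA,
15,06/23/15,07:02:11,constructed lease denied,192.168.1.50,,000C29BBBBBB,
"""

if __name__ == "__main__":
    print(triage(parse_dhcp_log(SAMPLE_LOG), "00-0C-29-38-A8-BC"))
```

A result with "seen" set to False corresponds to the case above where the client never appears in the log.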
