Location of DHCP logs and how to analyse them.
If you are in a situation where clients aren’t receiving DHCP leases and you are not sure what else to check the DHCP logs are a good indicator of where to investigate the issue.
The DHCP logs are particularly useful when implementing to a green field site where there could be a multitude of potential issues at play.
Logs are located on the DHCP server in the following location:
Within this folder you will have logs organised by Day, an odd choice of formatting but one Microsoft has run with nonetheless.
Log entries are in the format
ID, Date, Time, Description, IP Address, Host Name, MAC Address
Common Event codes
There is a very useful list of codes at the top of the log but these are the most common ones to look out for
|00||The log was started.|
|01||The log was stopped.|
|02||The log was temporarily paused due to low disk space.|
|10||A new IP address was leased to a client.|
|11||A lease was renewed by a client.|
|12||A lease was released by a client.|
|13||An IP address was found in use on the network.|
|14||A lease request could not be satisfied because the address pool of the scope was exhausted.|
|15||A lease was denied.|
|20||A BOOTP address was leased to a client.|
A full listing of common codes can be found here:
From the log:
Event ID Meaning 00 The log was started. 01 The log was stopped. 02 The log was temporarily paused due to low disk space. 10 A new IP address was leased to a client. 11 A lease was renewed by a client. 12 A lease was released by a client. 13 An IP address was found to be in use on the network. 14 A lease request could not be satisfied because the scope's address pool was exhausted. 15 A lease was denied. 16 A lease was deleted. 17 A lease was expired and DNS records for an expired leases have not been deleted. 18 A lease was expired and DNS records were deleted. 20 A BOOTP address was leased to a client. 21 A dynamic BOOTP address was leased to a client. 22 A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted. 23 A BOOTP IP address was deleted after checking to see it was not in use. 24 IP address cleanup operation has began. 25 IP address cleanup statistics. 30 DNS update request to the named DNS server. 31 DNS update failed. 32 DNS update successful. 33 Packet dropped due to NAP policy. 34 DNS update request failed.as the DNS update request queue limit exceeded. 35 DNS update request failed. 36 Packet dropped because the server is in failover standby role or the hash of the client ID does not match. 50+ Codes above 50 are used for Rogue Server Detection information. QResult: 0: NoQuarantine, 1:Quarantine, 2:Drop Packet, 3:Probation,6:No Quarantine Information ProbationTime:Year-Month-Day Hour:Minute:Second:MilliSecond.
Here is an example log file with the client entry highlighted:
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError. 25,06/23/15,05:38:51,0 leases expired and 0 leases deleted,,,,,0,6,,,,,,,,,0 11,06/23/15,06:00:23,Renew,192.168.1.104,minint-i1bkgc7.corp.viamonstra.com,000C2938A8BC,,461094449,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0 24,06/23/15,06:38:53,Database Cleanup Begin,,,,,0,6,,,,,,,,,0 25,06/23/15,06:38:53,0 leases expired and 0 leases deleted,,,,,0,6,,,,,,,,,0 25,06/23/15,06:38:53,0 leases expired and 0 leases deleted,,,,,0,6,,,,,,,,,0
If your client does not appear in the log at all it is a reasonable assumption that there is an issue with your network set up.
For example if the DHCP server sits on a different subnet to the client checking IP Helper addresses would be the first point of all to ensure the broadcast is reaching the server.