Windows Server 2003 : Monitoring DHCP Through Audit Logging

3/19/2011 11:31:27 AM

Exploring DHCP Audit Logging

By default, the DHCP Server service writes a daily audit log to the folder %SystemRoot%\System32\Dhcp (WINDOWS\System32\Dhcp on a default installation). The audit logs are text files named for the day of the week: DhcpSrvLog-Mon.log records all DHCP server activity from midnight to 11:59 P.M. on Monday, DhcpSrvLog-Tue.log does the same for Tuesday, and so on. Because only seven names exist, each log file is overwritten after seven days, when the server starts a new file of the same name. For example, the DhcpSrvLog-Tue.log created at midnight on January 5 is replaced by a new file of the same name created at midnight on January 12. Anything older than a week is therefore gone unless you copy the files elsewhere, or have a log collector pull them, before they are overwritten.

You can modify the location of these log files on the Advanced tab of the DHCP server properties dialog box, shown in Figure 1. To do so, adjust the value in the Audit Log File Path text box.

Figure 1. Modifying the audit log file location


The DHCP console also allows you to disable audit logging completely on the General tab of the DHCP server properties dialog box, shown in Figure 2. To perform this task, clear the Enable DHCP Audit Logging check box. (Audit Logging is enabled by default.)

Figure 2. Disabling audit logging


With the defaults in place, the current audit log file is capped at 1 MB, and if the free space on the log volume falls below 20 MB the server stops writing audit entries; logging resumes once enough space is free again. These limits, the log path, and the switch behind the Enable DHCP Audit Logging check box are all registry values under HKLM\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters (ActivityLogFlag, DhcpLogFilePath, DhcpLogFilesMaxSize, DhcpLogMinSpaceOnDisk and DhcpLogDiskSpaceCheckInterval), so a change made there is just as effective as one made in the console. The practical consequence is that a full disk silently opens a gap in the audit trail: monitor free space on the log volume, alert when the current day's log stops growing, and restrict write access to the Dhcp folder and to these registry values to administrators.

Understanding DHCP Server Log File Format

DHCP server logs are comma-delimited text files with each log entry representing a single line of text. Figure 3 shows a sample audit log file.

Figure 3. Sample DHCP audit log file


A log file entry contains the fields ID, Date, Time, Description, IP Address, Host Name, and MAC Address, in that order. A comma separates each field, a field with no value is simply left empty between its commas, and every record ends with a trailing comma. For example, in the following entry the IP Address field (between the Description and the Host Name) and the MAC Address field (after the Host Name) are both empty, which is why ",," appears on either side of domain1.local:

55,06/03/03,09:08:57,Authorized(servicing),,domain1.local,,

Note that the Description field is not quoted and can itself contain a comma (event 56, "Authorization failure, stopped servicing"), so a parser that splits on every comma will misalign the remaining fields of such entries.

Table 1 describes the values of DHCP server log fields.

Table 1. DHCP Server Log Fields
Field          Description
ID             A DHCP server event ID code
Date           The date on which this entry was logged on the DHCP server
Time           The time at which this entry was logged on the DHCP server
Description    A description of this DHCP server event
IP Address     The IP address of the DHCP client
Host Name      The host name of the DHCP client
MAC Address    The Media Access Control (MAC) address used by the network adapter hardware of the client

Common Event Codes

DHCP server audit log files use reserved event ID codes to identify the type of server event or activity logged. Codes below 50 are listed, with their meanings, in the preamble at the top of every log file, so they do not need to be memorized.

Server Authorization Events

Table 2 presents the remaining server log event ID codes and their descriptions. These codes pertain to the Active Directory authorization status of the DHCP server and to the rogue-server detection that goes with it. Unlike the codes below 50, they are not described in the log file itself, so you should become familiar with them or use Windows Server 2003 Help when you need to determine what a code represents.

Table 2. Log Event Codes 50 and Above
Event ID   Description
50         Unreachable domain: The DHCP server could not locate the applicable domain for its configured Active Directory installation.
51         Authorization succeeded: The DHCP server was authorized to start on the network.
52         Upgraded to a Windows Server 2003 operating system: The DHCP server was recently upgraded to Windows Server 2003, Standard Edition; therefore, the unauthorized DHCP server detection feature (used to determine whether the server has been authorized in Active Directory) was disabled.
53         Cached authorization: The DHCP server was authorized to start using previously cached information. Active Directory was not visible at the time the server was started on the network.
54         Authorization failed: The DHCP server was not authorized to start on the network. When this event occurs, it is likely followed by the server being stopped.
55         Authorization (servicing): The DHCP server was successfully authorized to start on the network.
56         Authorization failure, stopped servicing: The DHCP server was not authorized to start on the network and was shut down by Windows Server 2003. You must first authorize the server in the directory before starting it again.
57         Server found in domain: Another DHCP server exists and is authorized for service in the same Active Directory domain.
58         Server could not find domain: The DHCP server could not locate the specified Active Directory domain.
59         Network failure: A network-related failure prevented the server from determining whether it is authorized.
60         No DC is DS-enabled: No Active Directory domain controller (DC) was located. For detecting whether the server is authorized, a domain controller that is enabled for Active Directory is needed.
61         Server found that belongs to DS domain: Another DHCP server that belongs to the Active Directory domain was found on the network.
62         Another server found: Another DHCP server was found on the network.
63         Restarting rogue detection: The DHCP server is trying once more to determine whether it is authorized to start and provide service on the network.
64         No DHCP-enabled interfaces: The DHCP server has its service bindings or network connections configured so that it is not enabled to provide service. This configuration usually means one of the following:
             • The network connections of the server are either not installed or not actively connected to a network.
             • The server has not been configured with at least one static IP address for one of its installed and active network connections.
             • All of the statically configured network connections for the server are disabled.



Excerpts from a Sample DHCP Server Audit Log

The following excerpt shows a normal start and authorization of a DHCP server with no errors. The first two events correspond to the successful authorization at startup, the third is a routine lease renewal by a client, and the last two correspond to the periodic DHCP database cleanup that runs every 60 minutes.

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,06/03/03,09:08:57,Started,,,,
55,06/03/03,09:08:57,Authorized(servicing),,domain2.local,,
11,06/03/03,09:48:25,Renew,192.168.0.11,server2.domain2.local,0003FFBC3B46,
24,06/03/03,10:08:58,Database Cleanup Begin,,,,
25,06/03/03,10:08:58,0 leases expired and 0 leases deleted,,,,

In the following excerpt, the DHCP server is found not to be authorized when it is started. This can happen, for example, when a new server is installed. Here the server is authorized in Active Directory roughly 10 minutes after startup (event 56 at 22:35:10, event 55 at 22:45:38), after which it can begin servicing clients; during that interval it handed out no leases at all.

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,06/08/03,22:35:10,Started,,,,
56,06/08/03,22:35:10,Authorization failure, stopped servicing,,domain1.local,,
55,06/08/03,22:45:38,Authorized(servicing),,domain1.local,,

Tip

When a DHCP server stops providing leases to clients, always check the DHCP audit log for an authorization failure (event 54 or 56). While you are there, also look for events 57, 61 and 62, which record that another DHCP server was found on the network: that server is either a legitimate one you were not aware of or a rogue that is now competing with yours for clients.
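As an added example (not code from this page or from Microsoft), here is a parser and a small check that ties together the record format described under "Understanding DHCP Server Log File Format" and the two excerpts above. It is written in Python rather than run on the server, since copies of the DhcpSrvLog files are plain text that can be analyzed on any workstation. It reads a file from the column header onward, splits each record without breaking on the comma inside event 56's description, maps codes 50 and above through Table 2, reports for each server start whether authorization was refused and how long the server took to reach the servicing state, and collects sightings of other DHCP servers. SAMPLE_LOG is constructed from the page's two excerpts; the short preamble in it is a stand-in for the longer code listing a real file carries, and the m/d/yy date format is an assumption taken from the samples, since the server writes the short date in the machine's locale format.

```python
from datetime import datetime

# Codes 50 and above, transcribed from Table 2 (not described in the log itself).
AUTHORIZATION_EVENTS = {
    50: "Unreachable domain",
    51: "Authorization succeeded",
    52: "Upgraded to a Windows Server 2003 operating system",
    53: "Cached authorization",
    54: "Authorization failed",
    55: "Authorization (servicing)",
    56: "Authorization failure, stopped servicing",
    57: "Server found in domain",
    58: "Server could not find domain",
    59: "Network failure",
    60: "No DC is DS-enabled",
    61: "Server found that belongs to DS domain",
    62: "Another server found",
    63: "Restarting rogue detection",
    64: "No DHCP-enabled interfaces",
}
SERVICING_CODES = {51, 53, 55}     # the server may hand out leases
REFUSED_CODES = {54, 56}           # the server was refused authorization
OTHER_SERVER_CODES = {57, 61, 62}  # another DHCP server seen on the network

# Constructed sample: the page's two excerpts under one column header, behind a
# short stand-in for the preamble a real file carries. A real file holds one
# weekday; this one mixes two days purely for illustration.
SAMPLE_LOG = """\
Microsoft DHCP Service Activity Log

Event ID  Meaning
00  The log was started.

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,06/03/03,09:08:57,Started,,,,
55,06/03/03,09:08:57,Authorized(servicing),,domain2.local,,
11,06/03/03,09:48:25,Renew,192.168.0.11,server2.domain2.local,0003FFBC3B46,
24,06/03/03,10:08:58,Database Cleanup Begin,,,,
25,06/03/03,10:08:58,0 leases expired and 0 leases deleted,,,,
00,06/08/03,22:35:10,Started,,,,
56,06/08/03,22:35:10,Authorization failure, stopped servicing,,domain1.local,,
55,06/08/03,22:45:38,Authorized(servicing),,domain1.local,,
"""


def parse_line(line):
    """Split one record into its seven fields, or return None if it is not one.

    The Description field is unquoted and may contain a comma (event 56), so
    splitting on every comma, or using csv.reader, would shift the IP Address,
    Host Name and MAC Address fields of such records. Instead the three fixed
    leading fields are taken from the left and the three trailing fields from
    the right; whatever is left in the middle is the description.
    """
    try:
        event_id, date, time, rest = line.rstrip("\r\n").split(",", 3)
    except ValueError:
        return None
    if not event_id.isdigit():
        return None
    if rest.endswith(","):          # every record ends with a trailing comma
        rest = rest[:-1]
    try:
        description, ip, host, mac = rest.rsplit(",", 3)
    except ValueError:
        return None
    # Assumption: m/d/yy short dates as in the page's samples; the server
    # writes the date in the machine's locale format, so adjust if needed.
    when = datetime.strptime(f"{date} {time}", "%m/%d/%y %H:%M:%S")
    return {"ID": int(event_id), "Timestamp": when, "Description": description,
            "IP Address": ip, "Host Name": host, "MAC Address": mac}


def parse_log(text):
    """Skip the preamble up to and including the 'ID,Date,Time,...' header,
    then parse every record that follows."""
    records, in_records = [], False
    for line in text.splitlines():
        if not in_records:
            in_records = line.strip().startswith("ID,Date,Time")
            continue
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def describe(rec):
    """Codes below 50 carry their own Description; 50 and above use Table 2."""
    return AUTHORIZATION_EVENTS.get(rec["ID"], rec["Description"])


def audit_startups(records):
    """Per 'Started' (00) event: was authorization refused, and how many seconds
    passed until the server was servicing clients. Also collect every sighting
    of another DHCP server on the network."""
    startups, other_servers, current = [], [], None
    for rec in records:
        code = rec["ID"]
        if code == 0:
            current = {"started": rec["Timestamp"], "refused": False,
                       "servicing_after_s": None, "domain": None}
            startups.append(current)
        elif current is not None and code in REFUSED_CODES:
            current["refused"] = True
            current["domain"] = rec["Host Name"]
        elif (current is not None and code in SERVICING_CODES
              and current["servicing_after_s"] is None):
            delta = rec["Timestamp"] - current["started"]
            current["servicing_after_s"] = int(delta.total_seconds())
            current["domain"] = rec["Host Name"]
        if code in OTHER_SERVER_CODES:
            other_servers.append((rec["Timestamp"], describe(rec)))
    return {"startups": startups, "other_servers": other_servers}


if __name__ == "__main__":
    report = audit_startups(parse_log(SAMPLE_LOG))
    for s in report["startups"]:
        state = "refused at first" if s["refused"] else "authorized"
        print(f"{s['started']}  {state}; servicing after "
              f"{s['servicing_after_s']} s in {s['domain']}")
    for when, what in report["other_servers"]:
        print(f"{when}  another DHCP server seen: {what}")
```

On the constructed sample the second startup is reported as refused, with the server reaching the servicing state 628 seconds (10 minutes 28 seconds) after it started; the first is reported as authorized immediately. To run it against a copied log, read the file's text and pass it to parse_log. The right-to-left split is the part worth keeping even if you rewrite the rest: a parser that trusts every comma will, on an event 56 record, put "stopped servicing" in the IP Address column and the domain name in the MAC Address column, which is exactly the record a detection rule for authorization failures needs to read correctly.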
