Using Event Viewer to Monitor DHCP Activity
You can use the Event Viewer tool, located in the Administrative Tools folder, to monitor DHCP activity. Event Viewer displays the events written to the System log, the Application log, and the Security log. The System log holds events associated with the operating system and its services, the Application log holds events from applications running on the computer, and the Security log holds auditing events. All DHCP-specific events are written to the System log with DhcpServer as the event source, so filtering on that source shows only DHCP Server service entries. These entries cover activities of the DHCP service and server such as the service starting and stopping, scopes whose leases are close to being depleted, and a DHCP database that is corrupt.
A few DHCP system event log IDs are listed below:
* Event ID 1037 (Information): The DHCP server has begun to clean up the DHCP database.
* Event ID 1038 (Information): The DHCP server cleaned up the DHCP database for unicast addresses; the event text reports how many IP address leases were recovered and how many records were deleted (0 of each is normal on a quiet server).
* Event ID 1039 (Information): The DHCP server cleaned up the DHCP database for multicast addresses, again reporting the number of leases recovered and records deleted.
* Event ID 1044 (Information): The DHCP server has determined that it is authorized to start, and is servicing DHCP client requests for IP addresses.
* Event ID 1042 (Warning): The DHCP service has detected other DHCP servers on the network; the event text lists them by address. An entry you do not recognize is a possible rogue DHCP server and should be investigated.
* Event ID 1056 (Warning): The DHCP service has determined that it is running on a domain controller and no credentials are configured for dynamic DNS registrations.
* Event ID 1046 (Error): The DHCP service has determined that it is not authorized to start, and will not service DHCP clients.
Using System Monitor to Monitor DHCP Activity
The System Monitor utility is the main tool for monitoring system performance. System Monitor can track processes on a Windows system in real time, either showing current data as it arrives or reading back logged data, for the local computer or for remote computers. Monitoring trends over time lets you determine resource usage. System Monitor can be displayed in graph, histogram, or report format, and it uses objects, counters, and instances to organize what it monitors.
System Monitor is a valuable tool when you need to monitor and troubleshoot the DHCP traffic passed between the DHCP server and DHCP clients. Through System Monitor, you can set counters to monitor:
* The DHCP lease process.
* The DHCP queue length.
* Duplicate IP address discards.
* DHCP server-side conflict attempts.
To start System Monitor,
1. Click Start, Administrative Tools, and then click Performance.
2. When the Performance console opens, select System Monitor in the console tree.
The counters of the DHCP Server performance object that you can monitor to track DHCP traffic are:
* Acks/sec; the rate at which DHCPACK messages are sent by the DHCP server.
* Active Queue Length; the number of packets in the DHCP queue waiting to be processed by the DHCP server.
* Conflict Check Queue Length; the number of packets in the DHCP queue waiting for conflict detection. A persistently non-zero value means server-side conflict detection is slowing lease issue.
* Declines/sec; the rate at which the DHCP server receives DHCPDECLINE messages. A client declines an offered address when it finds the address already in use, so a rising rate points at address conflicts.
* Discovers/sec; the rate at which the DHCP server receives DHCPDISCOVER messages.
* Duplicates Dropped/sec; the rate at which duplicate packets are received and dropped by the DHCP server.
* Informs/sec; the rate at which the DHCP server receives DHCPINFORM messages.
* Milliseconds per packet (Avg.); the average time the DHCP server takes to send a response.
* Nacks/sec; the rate at which DHCPNAK messages are sent by the DHCP server.
* Offers/sec; the rate at which DHCPOFFER messages are sent by the DHCP server.
* Packets Expired/sec; the rate at which packets expire while waiting in the DHCP server queue. A non-zero rate means the server is not keeping up with the requests it receives.
* Packets Received/sec; the rate at which the DHCP server receives packets.
* Releases/sec; the rate at which DHCPRELEASE messages are received by the DHCP server.
* Requests/sec; the rate at which DHCPREQUEST messages are received by the DHCP server.
Using Network Monitor to Monitor DHCP Lease Traffic
You can use Network Monitor to monitor network traffic and to troubleshoot network problems. The Network Monitor version shipped with Windows Server 2003 allows you to monitor network activity and use the gathered information to manage and optimize traffic, identify unnecessary protocols, and detect problems with network applications and services. To capture frames, you have to install the Network Monitor application and the Network Monitor driver on the server where you are going to run Network Monitor. The Network Monitor driver makes it possible for Network Monitor to receive frames from the network adapter.
The two versions of Network Monitor are:
* The Network Monitor version included with Windows Server 2003: With this version of Network Monitor, you can monitor network activity only on the local computer running Network Monitor.
* The Network Monitor version (full) included with Microsoft Systems Management Server (SMS): With this version, you can monitor network activity on all devices on a network segment. You can capture frames from a remote computer, resolve device names to MAC addresses, and determine the user and protocol that is consuming the most bandwidth.
With either version you can capture and analyze DHCP lease traffic; the version included with Windows Server 2003 is sufficient when you run it on the DHCP server itself, since that is where the lease traffic arrives. Before you can use Network Monitor to monitor DHCP lease traffic, you first have to install it. The Network Monitor driver is installed automatically when you install Network Monitor.
How to install Network Monitor
1. Click Start, and then click Control Panel.
2. Click Add Or Remove Programs to open the Add Or Remove programs dialog box.
3. Click Add/Remove Windows Components.
4. Select Management and Monitoring Tools and click the Details button.
5. On the Management and Monitoring Tools dialog box, select the Network Monitor Tools checkbox and click OK.
6. Click Next when you are returned to the Windows Components Wizard.
7. If prompted during the installation process for additional files, place the Windows Server 2003 CD-ROM into the CD-ROM drive.
8. Click Finish on the Completing the Windows Components Wizard page.
Capture filters disregard frames that you do not want to capture before they are stored in the capture buffer. When you create a capture filter, you define settings that can be used to detect the frames that you do want to capture. You can design capture filters in the Capture Window to only capture specific DHCP traffic, by selecting Filter from the Capture menu. You can also create a display filter after you have captured data. A display filter enables you to decide what is displayed.
How to start a capture of DHCP lease traffic in Network Monitor
1. Open Network Monitor.
2. On the Capture menu, click Start.
3. To examine the captured data, click Stop And View on the Capture menu. DHCP frames are decoded by Network Monitor's DHCP protocol parser, and a display filter on the DHCP protocol shows only the lease traffic.
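As an added example (not code from the original page or from Network Monitor), the following Python decodes the fields of a DHCP message that a capture filtered on DHCP would show you: the BOOTP header, the client hardware address, the relay agent address, and the options that carry the message type, requested address and server identifier. The DHCPREQUEST it builds is constructed for the example; the addresses and the MAC in it are assumptions, not captured data.

```python
"""Decode the DHCP lease traffic a Network Monitor capture filter would isolate.

Added example: parses the BOOTP/DHCP message layout (RFC 2131/2132) from raw
bytes. The sample frame built below is constructed for this example, not
captured from any real network.
"""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {
    1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
    5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM",
}


def parse_options(blob):
    """Return {code: raw_value} for the TLV option area (0 = pad, 255 = end)."""
    options = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == 0:                      # pad byte carries no length
            i += 1
            continue
        if code == 255:                    # end marker
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past end of packet" % code)
        options[code] = value
        i += 2 + length
    return options


def decode_dhcp(payload):
    """Decode the UDP payload of a DHCP message into the fields worth looking
    at when troubleshooting leases."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    ciaddr, yiaddr, siaddr, giaddr = struct.unpack("!4s4s4s4s", payload[12:28])
    chaddr = payload[28:28 + hlen]         # hardware address, hlen bytes of a 16-byte field
    opts = parse_options(payload[240:])
    msg_type = opts.get(53, b"\x00")[0]
    info = {
        "op": "BOOTREQUEST" if op == 1 else "BOOTREPLY",
        "xid": xid,
        "broadcast": bool(flags & 0x8000),
        "client_mac": ":".join("%02x" % b for b in chaddr),
        "ciaddr": str(IPv4Address(ciaddr)),
        "yiaddr": str(IPv4Address(yiaddr)),
        "giaddr": str(IPv4Address(giaddr)),   # non-zero when a relay agent forwarded it
        "message_type": MESSAGE_TYPES.get(msg_type, "unknown(%d)" % msg_type),
    }
    if 50 in opts:
        info["requested_ip"] = str(IPv4Address(opts[50]))
    if 54 in opts:
        info["server_id"] = str(IPv4Address(opts[54]))
    if 12 in opts:
        info["host_name"] = opts[12].decode("ascii", "replace")
    return info


def build_sample_request():
    """Constructed DHCPREQUEST from 00:0c:29:ab:cd:ef asking for 10.0.0.50
    from server 10.0.0.1, forwarded by a relay agent at 10.0.0.254 (all assumed)."""
    fixed = struct.pack("!BBBBIHH", 1, 1, 6, 1, 0x3903F326, 0, 0x8000)
    fixed += b"\x00" * 4                                   # ciaddr
    fixed += b"\x00" * 4                                   # yiaddr
    fixed += b"\x00" * 4                                   # siaddr
    fixed += IPv4Address("10.0.0.254").packed              # giaddr
    fixed += bytes.fromhex("000c29abcdef") + b"\x00" * 10  # chaddr (16 bytes)
    fixed += b"\x00" * 64 + b"\x00" * 128                  # sname, file
    options = (b"\x35\x01\x03"                             # 53: DHCPREQUEST
               + b"\x32\x04" + IPv4Address("10.0.0.50").packed   # 50: requested IP
               + b"\x36\x04" + IPv4Address("10.0.0.1").packed    # 54: server identifier
               + b"\x0c\x04host"                           # 12: host name
               + b"\x00"                                   # pad
               + b"\xff")                                  # end
    return fixed + MAGIC_COOKIE + options


if __name__ == "__main__":
    for key, value in decode_dhcp(build_sample_request()).items():
        print("%-13s %s" % (key, value))
```

A non-zero giaddr tells you the request came through a DHCP Relay Agent, which is the first thing to confirm when clients on a remote subnet get no lease; a DHCPREQUEST whose server identifier is not your server is a client talking to another DHCP server on the segment.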
Understanding DHCP Server log Files
DHCP server audit log files (DhcpSrvLog-Mon.log through DhcpSrvLog-Sun.log, one file per day of the week) are comma-delimited text files in which each log entry is one line of text. Through DHCP audit logging, you can record many different events, including:
* DHCP server events
* DHCP client events
* DHCP leasing
* DHCP rogue server detection events
* Active Directory authorization
The DHCP server log file format is depicted below. Each log file entry has the fields listed below, and in this particular order as well:
* ID: This is the DHCP server event ID code. Event codes are used to describe information on the activity which is being logged.
* Date: The date when the particular log file entry was logged on your DHCP server.
* Time: The time when the particular log file entry was logged on your DHCP server.
* Description: This is a description of the particular DHCP server event.
* IP Address: This is the IP address of the DHCP client.
* Host Name: This is the host name of the DHCP client.
* MAC Address: This is the MAC address used by the DHCP client’s network adapter.
DHCP server log files use reserved event ID codes that describe the activity being logged. The header written at the top of each log file explains only the codes below 50; the codes from 50 upward, which concern rogue server detection and Active Directory authorization, are listed further below.
A few common DHCP server log event ID codes are listed below:
* 00; indicates the log was started.
* 01; indicates the log was stopped.
* 02; indicates the log was temporarily paused due to low disk space.
* 10; indicates a new IP address was leased to a client.
* 11; indicates a lease was renewed by a client.
* 12; indicates a lease was released by a client.
* 13; indicates an IP address was detected to be in use on the network.
* 14; indicates a lease request could not be satisfied due to the scope’s address pool being exhausted.
* 15; indicates a lease was denied.
* 16; indicates a lease was deleted.
* 17; indicates a lease expired.
* 20; indicates a BootP address was leased to a client.
* 21; indicates a dynamic BOOTP address was leased to a client.
* 22; indicates a BOOTP request could not be satisfied due to the address pool of the scope for BOOTP being exhausted.
* 23; indicates a BOOTP IP address was deleted after confirming it was not being used.
* 24; indicates an IP address cleanup operation has started.
* 25; indicates IP address cleanup statistics.
* 30; indicates a DNS update request.
* 31; indicates DNS update failed.
* 32; indicates DNS update successful.
The following DHCP server log event ID codes are not described in the DHCP log file. These DHCP server log event ID codes relate to the DHCP server’s Active Directory authorization status:
* 50 – Unreachable domain: The DHCP server could not locate the applicable domain for its Active Directory installation.
* 51 – Authorization succeeded: The DHCP server was authorized to start on the network.
* 52 – Upgraded to a Windows Server 2003 operating system: The DHCP server was recently upgraded to a Windows Server 2003 OS, therefore, the unauthorized DHCP server detection feature (used to determine whether the server has been authorized in Active Directory) was disabled.
* 53 – Cached authorization: The DHCP server was authorized to start using previously cached information. Active Directory was not visible at the time the server was started on the network.
* 54 – Authorization failed: The DHCP server was not authorized to start on the network. When this event occurs, it is likely followed by the server being stopped.
* 55 – Authorization (servicing): The DHCP server was successfully authorized to start on the network.
* 56 – Authorization failure: The DHCP server was not authorized to start on the network and was shut down by Windows Server 2003 OS. You must first authorize the server in the directory before starting it again.
* 57 – Server found in domain: Another DHCP server exists and is authorized for service in the same Active Directory domain.
* 58 – Server could not find domain: The DHCP server could not locate the specified Active Directory domain.
* 59 – Network failure: A network-related failure prevented the server from determining if it is authorized.
* 60 – No DC is DS enabled: No Active Directory DC was located. For detecting whether the server is authorized, a domain controller that is enabled for Active Directory is needed.
* 61 – Server found that belongs to DS domain: Another DHCP server that belongs to the Active Directory domain was found on the network.
* 62 – Another server found: Another DHCP server was found on the network.
* 63 – Restarting rogue detection: The DHCP server is trying once more to determine whether it is authorized to start and provide service on the network.
* 64 – No DHCP enabled interfaces: The DHCP server has its service bindings or network connections configured so that it is not enabled to provide service.
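The following Python is an added example, not part of the original page or of the DHCP service. It parses the comma-delimited audit log format described above, labels each row with the meaning of its event ID code (including the 50 to 64 codes the log header omits), and flags the rows a reviewer should chase: conflicts, denials, pool exhaustion, DNS update failures, and every authorization or rogue-detection event. The log text in SAMPLE_LOG is constructed; its host names, addresses and MACs are assumptions.

```python
"""Triage a Windows Server 2003 DHCP audit log (DhcpSrvLog-*.log).

Added example, not code from the original page. The sample log below is
constructed; real logs carry a free-text header before the column row, which
the parser skips because those lines do not have the seven comma-separated
fields of a data row.
"""
import csv
import io
from collections import Counter

# Event ID codes from the log header (< 50) and the rogue-detection /
# authorization codes (50-64) that the header does not list.
EVENT_CODES = {
    0: "Log started", 1: "Log stopped", 2: "Log paused (low disk space)",
    10: "New lease", 11: "Lease renewed", 12: "Lease released",
    13: "Address already in use", 14: "Scope address pool exhausted",
    15: "Lease denied", 16: "Lease deleted", 17: "Lease expired",
    20: "BOOTP lease", 21: "Dynamic BOOTP lease", 22: "BOOTP pool exhausted",
    23: "BOOTP address deleted", 24: "Cleanup started", 25: "Cleanup statistics",
    30: "DNS update request", 31: "DNS update failed", 32: "DNS update successful",
    50: "Unreachable domain", 51: "Authorization succeeded",
    52: "Upgraded to Windows Server 2003", 53: "Cached authorization",
    54: "Authorization failed", 55: "Authorization (servicing)",
    56: "Authorization failure, service stopped", 57: "Server found in domain",
    58: "Server could not find domain", 59: "Network failure",
    60: "No DC is DS enabled", 61: "Server found that belongs to DS domain",
    62: "Another server found", 63: "Restarting rogue detection",
    64: "No DHCP enabled interfaces",
}
# Rows a security or operations reviewer should not let pass silently:
# disk pressure, conflicts, exhaustion, denials, DNS failures, and anything
# about authorization or other DHCP servers on the wire.
ALERT_CODES = {2, 13, 14, 15, 22, 31, 50, 54, 56, 57, 59, 60, 61, 62, 64}

FIELDS = ("id", "date", "time", "description", "ip", "host", "mac")


def parse_audit_log(text):
    """Yield one dict per data row; header prose and the column row are skipped."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 7 or not row[0].strip().isdigit():
            continue
        rec = dict(zip(FIELDS, (f.strip() for f in row[:7])))
        rec["id"] = int(rec["id"])
        rec["meaning"] = EVENT_CODES.get(rec["id"], "undocumented code")
        yield rec


def triage(text):
    """Summarise a log: per-code counts, alert rows, and which addresses saw
    conflicts or denials together with the MAC (or host) involved."""
    counts = Counter()
    alerts = []
    conflicted = {}
    for rec in parse_audit_log(text):
        counts[rec["id"]] += 1
        if rec["id"] in ALERT_CODES:
            alerts.append(rec)
        if rec["id"] in (13, 15) and rec["ip"]:
            conflicted.setdefault(rec["ip"], set()).add(rec["mac"] or rec["host"])
    return {"counts": dict(counts), "alerts": alerts, "conflicted": conflicted}


# Constructed sample log (assumed hosts, addresses and MACs).
SAMPLE_LOG = """\
\t\tMicrosoft DHCP Service Activity Log
(constructed sample; a real log carries the full event code table here)
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,03/03/08,08:00:00,Started,,,
55,03/03/08,08:00:02,Authorized(servicing),,corp.example,
10,03/03/08,08:01:12,Assign,10.0.0.50,ws01.corp.example,000C29ABCDEF
11,03/03/08,08:05:40,Renew,10.0.0.51,ws02.corp.example,000C29123456
13,03/03/08,08:06:03,Conflict,10.0.0.50,ws03.corp.example,000C29FEDCBA
15,03/03/08,08:06:05,NACK,10.0.0.50,ws03.corp.example,000C29FEDCBA
14,03/03/08,08:30:00,Scope Full,10.0.0.0,,
62,03/03/08,08:31:10,Another server found,10.0.0.77,,
01,03/03/08,09:00:00,Stopped,,,
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for rec in result["alerts"]:
        print("%02d %s %s  %-38s ip=%s host=%s mac=%s" % (
            rec["id"], rec["date"], rec["time"], rec["meaning"],
            rec["ip"], rec["host"], rec["mac"]))
    print("addresses with conflicts/denials:", result["conflicted"])
```

Run against the sample, the script surfaces the conflict on 10.0.0.50, the exhausted scope, and the code 62 row reporting another DHCP server at 10.0.0.77; that last row is the one to correlate with Event ID 1042 and a Dhcploc.exe sweep.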
How to change DHCP log files location
1. Open the DHCP console.
2. Right-click the DHCP server node and select Properties from the shortcut menu.
3. The DHCP Server Properties dialog box opens.
4. Click the Advanced tab.
5. Change the audit log file location in the Audit Log File Path text box.
6. Click OK.
How to disable DHCP logging
1. Open the DHCP console.
2. Right-click the DHCP server node and select Properties from the shortcut menu.
3. The DHCP Server Properties dialog box opens.
4. On the General tab, clear the Enable DHCP Audit Logging checkbox to disable DHCP server logging. Leave logging enabled on production servers: the audit log is the record you need for the lease, conflict, and authorization troubleshooting described in this article, and for establishing which client held an address at a given time.
5. Click OK.
Troubleshooting the DHCP Client Configuration
A DHCP failure usually exists when the following events occur:
* A DHCP client cannot contact the DHCP server.
* A DHCP client loses connectivity.
When these events occur, one of the first tasks is to determine whether the connectivity problem stems from the DHCP client's own IP configuration or from some other network issue. You do this by determining the type of the IP address the client currently holds.
To determine the address type,
1. Use the ipconfig /all command to determine whether the client received an IP address lease from a DHCP server.
2. The client received an address from a DHCP server if the ipconfig /all output shows:
* DHCP Enabled set to Yes, together with a DHCP Server address.
* The address listed as IP Address, not as Autoconfiguration IP Address.
3. You can also use the status dialog box for the network connection to determine the IP address type for the client.
4. To view this information, double-click the appropriate network connection in the Network Connections dialog box.
5. Click the Support tab.
6. The IP address type should be displayed as being Assigned By DHCP.
If these checks show that the IP address was assigned to the client by the DHCP server, the client's IP addressing is not the problem, and some other network issue is causing the connectivity failure.
When a client has an incorrect IP address, the usual cause is that the computer could not contact a DHCP server. In that case the computer assigns itself an address from the 169.254.0.0/16 range through Automatic Private IP Addressing (APIPA); such an address has no default gateway and cannot reach hosts beyond the local segment.
Computers could be unable to contact the DHCP server for a number of reasons:
* A problem might exist with the hardware or software of the DHCP server.
* A data-link protocol issue could be preventing the computer from communicating with the network.
* The DHCP server and the client are on different LANs and there is no DHCP Relay Agent. A DHCP Relay Agent enables a DHCP server to handle IP address requests of clients that are located on a different LAN.
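The checks above can be scripted. The following Python is an added example rather than anything from the original page: it parses the per-adapter fields from ipconfig /all output in the layout Windows XP and Windows Server 2003 print, and classifies each adapter as DHCP-leased, APIPA, static, or without an address. It also applies one check the text does not spell out: any address inside 169.254.0.0/16 is an APIPA address whatever label it appears under. The ipconfig output embedded in it is constructed, and the adapter names, addresses and MACs are assumptions.

```python
"""Decide whether a client's address came from a DHCP server or from APIPA.

Added example, not from the original page. Parses the adapter sections of
`ipconfig /all` (Windows XP / Server 2003 layout) and classifies each one.
The SAMPLE_IPCONFIG text is constructed for this example.
"""
from ipaddress import ip_address, ip_network

APIPA = ip_network("169.254.0.0/16")

# Constructed sample: one adapter leased by DHCP, one that fell back to APIPA.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : ws01
        Primary Dns Suffix  . . . . . . . : corp.example

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : corp.example
        Physical Address. . . . . . . . . : 00-0C-29-AB-CD-EF
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.0.0.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.0.0.1
        DHCP Server . . . . . . . . . . . : 10.0.0.2
        Lease Obtained. . . . . . . . . . : Monday, March 03, 2008 8:01:12 AM
        Lease Expires . . . . . . . . . . : Tuesday, March 11, 2008 8:01:12 AM

Ethernet adapter Wireless Network Connection:

        Physical Address. . . . . . . . . : 00-0C-29-12-34-56
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.23.117
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :
"""


def parse_ipconfig(text):
    """Return {adapter: {field_lowercase: value}}; host-level lines are skipped."""
    adapters = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line.startswith(" ") and line.endswith(":"):
            current = line[:-1].strip()           # e.g. "Ethernet adapter Local Area Connection"
            adapters[current] = {}
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")       # the first colon ends the dotted label
        key = " ".join(key.replace(".", " ").split()).lower()
        adapters[current][key] = value.strip()
    return adapters


def classify(fields):
    """Return (verdict, address); verdict is 'dhcp', 'apipa', 'static' or 'none'."""
    ip = fields.get("ip address", "")
    auto_ip = fields.get("autoconfiguration ip address", "")
    if auto_ip:
        return "apipa", auto_ip
    if not ip:
        return "none", None
    if ip_address(ip) in APIPA:                   # link-local even if labelled IP Address
        return "apipa", ip
    if fields.get("dhcp enabled", "").lower() == "yes" and fields.get("dhcp server"):
        return "dhcp", ip
    return "static", ip


def diagnose(text):
    """Map each adapter in an ipconfig /all dump to its (verdict, address)."""
    return {name: classify(fields) for name, fields in parse_ipconfig(text).items()}


if __name__ == "__main__":
    for name, (verdict, addr) in diagnose(SAMPLE_IPCONFIG).items():
        note = "  <- never reached a DHCP server" if verdict == "apipa" else ""
        print("%-45s %-6s %s%s" % (name, verdict, addr, note))
```

An adapter reported as apipa is the case the text describes: start with the server, the link, or the missing relay agent rather than with the client's configuration.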
When a DHCP client is assigned an IP address that is currently being used by another client, then an address conflict has occurred.
The process that occurs to detect duplicate IP addresses is illustrated below:
1. When the computer starts, the system checks whether its IP address is already in use on the network.
2. If a duplicate is detected, the TCP/IP protocol stack is disabled on the computer.
3. An error message is shown that includes the hardware (MAC) address of the other system that this computer is in conflict with.
4. The computer that already held the address experiences no interruption and operates normally.
5. You have to reconfigure the conflicting computer with a unique IP address before TCP/IP can be enabled on it again.
When address conflicts exist, a warning message is displayed:
* A warning is displayed in the system tray
* A warning message is displayed in the System log, which you can view in Event Viewer.
Address conflicts usually occur under the following circumstances:
* You have competing DHCP servers in your environment: Use the Dhcploc.exe utility, included with the Windows Support Tools, to locate rogue DHCP servers. To resolve the problem, locate the rogue DHCP servers, remove them, and then check that no two remaining DHCP servers allocate leases from the same IP address range. Treat an unauthorized DHCP server as a security incident until shown otherwise: it can hand every client that hears it a hostile default gateway or DNS server.
* A scope redeployment has occurred: You can recover from a scope redeployment through the following strategy:
o Increase the conflict attempts on the DHCP server.
o Renew your DHCP client leases.
One of the following methods can be used to renew your DHCP client leases:
o Use the ipconfig /renew command.
o The Repair button of the status dialog box (Support tab) of the connection can be used to renew the DHCP client lease.
When you click the Repair button of the status dialog box (Support tab) of the connection to renew the DHCP client lease, the following process occurs:
1. A DHCPREQUEST message is broadcast on the network to renew the client's IP address lease.
2. The ARP cache is flushed.
3. The NetBIOS cache is flushed.
4. The DNS cache is flushed.
5. The NetBIOS name and IP address of the client are registered again with the WINS server.
6. The computer name and IP address of the client are registered again with the DNS server.
You can enable server-side conflict detection through the following process:
1. Open the DHCP console.
2. Right-click the DHCP server in the console tree, and select Properties from the shortcut menu.
3. When the Server Properties dialog box opens, click the Advanced tab.
4. Set the number of conflict detection attempts: the number of times the DHCP server pings a candidate address before leasing it to a client (0, the default, disables detection). Each attempt delays the lease, so keep the value small and raise it only while recovering from a scope redeployment or a rogue server.
5. Click OK.
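To make the effect of conflict detection attempts concrete, the following Python is an added example (a simulation, not the DHCP service's own allocation code). It models a scope with exclusions and reservations, validates the scope the way the server-side checks later in this article describe, and with conflict detection enabled probes each candidate address before leasing it, marking any address that answers as bad and moving on. The probe is an injected function standing in for the ICMP echo the real server sends; the scope, the MACs and the stale client at 10.0.0.10 are constructed assumptions.

```python
"""Simulate DHCP lease allocation with exclusions, reservations and
server-side conflict detection.

Added example, not the DHCP service's own code. The probe function is
injected so the behaviour runs offline; `hosts_on_wire` is a constructed set
standing in for whatever answers an ICMP echo on the real subnet.
"""
from ipaddress import ip_address, ip_network


class Scope:
    def __init__(self, network, start, end, exclusions=(), reservations=None,
                 conflict_attempts=0):
        self.network = ip_network(network)
        self.start, self.end = ip_address(start), ip_address(end)
        self.exclusions = set()
        for lo, hi in exclusions:
            lo, hi = ip_address(lo), ip_address(hi)
            self.exclusions.update(ip_address(n) for n in range(int(lo), int(hi) + 1))
        self.reservations = dict(reservations or {})   # mac -> address
        self.conflict_attempts = conflict_attempts
        self.leases = {}       # address -> mac
        self.bad = set()       # addresses that answered a conflict probe

    def validate(self):
        """Misconfigurations the scope troubleshooting checklist tells you to look for."""
        problems = []
        if self.start not in self.network or self.end not in self.network:
            problems.append("range %s-%s is outside %s" % (self.start, self.end, self.network))
        for mac, addr in self.reservations.items():
            addr = ip_address(addr)
            if not self.start <= addr <= self.end:
                problems.append("reservation %s for %s is outside the scope range" % (addr, mac))
            if addr in self.exclusions:
                problems.append("reservation %s for %s is also excluded" % (addr, mac))
        return problems

    def _in_use(self, addr, probe):
        """Conflict detection: the address is in use if any configured attempt gets an answer."""
        return any(probe(addr) for _ in range(self.conflict_attempts))

    def allocate(self, mac, probe=lambda addr: False):
        """Return the address leased to `mac`, or None when the pool is
        exhausted (the condition the audit log records as code 14)."""
        if mac in self.reservations:
            addr = ip_address(self.reservations[mac])
            self.leases[addr] = mac
            return addr
        reserved = {ip_address(a) for a in self.reservations.values()}
        for n in range(int(self.start), int(self.end) + 1):
            addr = ip_address(n)
            if addr in self.exclusions or addr in reserved or addr in self.leases or addr in self.bad:
                continue
            if self._in_use(addr, probe):
                self.bad.add(addr)         # the console shows such addresses as BAD_ADDRESS
                continue
            self.leases[addr] = mac
            return addr
        return None


def demo():
    """Allocate from the same scope with and without conflict detection while
    a client that kept its lease across a scope redeployment still answers
    on 10.0.0.10 (constructed)."""
    hosts_on_wire = {ip_address("10.0.0.10")}
    probe = lambda addr: addr in hosts_on_wire
    settings = dict(exclusions=[("10.0.0.11", "10.0.0.12")],
                    reservations={"00-0c-29-00-00-01": "10.0.0.15"})
    without = Scope("10.0.0.0/24", "10.0.0.10", "10.0.0.20", conflict_attempts=0, **settings)
    with_cd = Scope("10.0.0.0/24", "10.0.0.10", "10.0.0.20", conflict_attempts=2, **settings)
    return {
        "no_conflict_detection": str(without.allocate("00-0c-29-aa-aa-aa", probe)),
        "with_conflict_detection": str(with_cd.allocate("00-0c-29-aa-aa-aa", probe)),
        "reserved_client": str(with_cd.allocate("00-0c-29-00-00-01", probe)),
        "bad_addresses": sorted(str(a) for a in with_cd.bad),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-24s %s" % (key, value))
```

Run as a script it shows the scope without conflict detection leasing 10.0.0.10 to a new client even though a stale client still holds it (the duplicate-address situation described above), while the scope with two attempts skips that address, records it as bad, and hands out 10.0.0.13.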
A few troubleshooting strategies which you can use when a DHCP client cannot obtain an IP address from the DHCP server, are summarized below:
* Use the Ipconfig /renew command or the Repair button of the status dialog box (Support tab) of the connection to refresh the IP configuration of the client.
* Following the above, verify that the DHCP Server service is running and, if the client is on a different subnet from the server, that a DHCP Relay Agent is configured on the client's subnet so the client's broadcasts reach the server.
* If the client still cannot obtain an IP address from the DHCP server, check that the actual physical connection to the DHCP server, or DHCP Relay Agent is operating correctly and is not broken.
* Verify the status of the DHCP server and DHCP Relay Agent.
* If the issue still persists after all the above checks have been performed, you might have an issue at the DHCP server or a scope issue might exist.
* When troubleshooting the DHCP server:
o Check that the DHCP server is installed and enabled.
o Check that the DHCP server is correctly configured.
o Verify that the DHCP server is authorized.
* When troubleshooting the scope configured for the DHCP server:
o Check that the scope is enabled.
o Check whether all the available IP leases have already been assigned to clients.
A few troubleshooting strategies which you can use when a DHCP client obtains an IP address from the incorrect scope are summarized below:
* First determine whether competing DHCP servers exist on your network. Use the Dhcploc.exe utility, included with the Windows Support Tools to locate rogue DHCP servers that are allocating IP addresses to clients.
* If no rogue DHCP servers are located through the Dhcploc.exe utility, your next step is to verify that each DHCP server is allocating IP address leases from unique scopes. There should be no overlapping of the address space.
* If you have multiple scopes on your DHCP server and the server assigns IP addresses to clients on remote subnets, verify that the DHCP Relay Agent on each remote subnet is configured with the correct DHCP server address.
Troubleshooting the DHCP Server Configuration
If you have clients that cannot obtain IP addresses from the DHCP server, even though they can contact the DHCP server, verify the following:
* Verify that the DHCP Server service is running on the particular server.
* Check the actual TCP/IP configuration settings on the DHCP server.
* If you are using the Active Directory directory service, verify that the DHCP server is authorized.
* The DHCP server could be configured with the incorrect scope. Check that the scope is correct on the DHCP server, and verify that it is active.
When you need to verify the configuration of the DHCP server, use the following process:
* First check that the DHCP server is configured with the correct IP address. The network ID of the address must match the subnet for which the DHCP server is expected to assign IP addresses to clients.
* Verify the network bindings of the DHCP server. The DHCP server must be bound to the particular subnet. To check this,
1. Open the DHCP console
2. Right-click the DHCP server in the console tree, and select Properties from the shortcut menu.
3. When the Server Properties dialog box opens, click the Advanced tab.
4. Click the Bindings button.
* Check that the DHCP server is authorized in Active Directory. You have to authorize the DHCP server in Active Directory so that it can provide IP addresses to your DHCP clients. To authorize the DHCP server:
1. Open the DHCP console.
2. In the console tree, expand the DHCP server node.
3. Click the DHCP server that you want to authorize.
4. Click the Action menu, and then select Authorize.
* Verify the scope configuration associated with the DHCP server:
* Check that the scope is activated. To activate a scope,
1. Open the DHCP console
2. Right-click the scope in the console tree, and select Activate from the shortcut menu.
* Verify that the scope is configured with the correct IP address range.
* Verify that there are available IP address leases which can be assigned to your DHCP clients.
* Verify the exclusions which are specified in the address pool. Confirm that all exclusions are valid and necessary. You need to verify that no IP addresses are being unnecessarily excluded.
* Verify the reservations which are specified. If you have a client that cannot obtain a reserved IP address, check whether the same address is also defined as an exclusion in the address pool. All reserved IP addresses must fall within the address range of the scope. Check too that the MAC address entered for each reservation matches the client's adapter exactly.
* If you have DHCP servers that contain multiple scopes, check that each of these scopes is configured correctly.
Troubleshooting DHCP Database Issues
The DHCP service uses a number of database files to maintain DHCP-specific data or information on IP addresses leases, scopes, superscopes, and DHCP options. The DHCP database files that are located in the systemroot\System32\DHCP folder are listed below. These files remain open while the DHCP service is running on the server. You should therefore not change any of these files while the DHCP service is running.
* Dhcp.mdb: This is considered the main DHCP database file because it contains all scope information.
* Dhcp.tmp: This file contains a backup copy of the database file which was created during re-indexing of the DHCP database.
* J50.log: This transaction log records changes before they are written to the DHCP database.
* J50.chk: This checkpoint file informs DHCP on those log files that still have to be recovered.
If you need to change the role of the DHCP server, and move its functions to another server, it is recommended that you migrate the DHCP database to the new DHCP server. This strategy prevents errors that occur when you manually attempt to recreate information in the DHCP database of the destination DHCP server.
To migrate an existing DHCP database to a new DHCP server,
1. Open the DHCP console.
2. Right-click the DHCP server whose database you want to move to a different server, and select Backup from the shortcut menu.
3. When the Browse For Folder dialog box opens, select the folder to which the DHCP database should be backed up. Click OK.
4. To prevent the source DHCP server from allocating new IP addresses to clients after the database is backed up, stop the DHCP Server service on it.
5. Open the Services console.
6. Double-click the DHCP Server service.
7. When the DHCP Server Properties dialog box opens, click Stop, select Disabled from the Startup Type drop-down list, and click OK.
8. Proceed to copy the folder which contains the backup to the new DHCP server. You now have to restore the DHCP backup at the destination DHCP server.
9. Open the DHCP console.
10. Right-click the destination DHCP server for which you want to restore the DHCP database, and select Restore from the shortcut menu.
11. When the Browse For Folder dialog box opens, select the folder that contains the back up of the database that you want to restore. Click OK.
12. Click Yes when prompted to restore the database, and to stop and restart the DHCP service.
If your lease information in the DHCP database does not correspond to the actual IP addresses leased to clients on the network, you can delete your existing database files, and commence with a clean (new) database. To do this,
1. Stop the DHCP service.
2. Remove all the DHCP database files from the systemroot\system32\DHCP folder.
3. Restart the DHCP service.
4. You can rebuild the contents of the database by reconciling the DHCP scopes. The DHCP console is used for this.
When DHCP database information is inconsistent with what is on the network, corrupt, or missing, you can reconcile the scopes to recover the database. The DHCP service stores IP address lease data in two places:
* Detailed IP address lease information is stored in the DHCP database.
* Summary IP address lease information is stored in the registry.
These two sets of information are compared when scopes are reconciled, and you can repair any inconsistencies the comparison detects. Reconciliation is performed through the DHCP console against the running DHCP Server service, so the service must be started before you reconcile.
How to reconcile the DHCP database
1. Open the DHCP console
2. Right-click the DHCP server for which you want to reconcile the DHCP database, and then select Reconcile All Scopes from the shortcut menu. The Reconcile All Scopes command also appears as an Action menu item.
3. When the Reconcile All Scopes dialog box opens, click Verify to start the DHCP database reconciliation process.
4. When no inconsistencies are reported, click OK.
5. When inconsistencies are detected, select the addresses which need to be reconciled, and then click Reconcile.
6. The inconsistencies are repaired.
How to reconcile a single scope
1. Open the DHCP console
2. In the console tree, expand the DHCP server node that contains the scope which you want to reconcile.
3. Right-click the scope and then select Reconcile from the shortcut menu.
4. When the Reconcile dialog box opens, click Verify to start the scope reconciliation process.
5. When no inconsistencies are detected, click OK.
6. When inconsistencies are detected, select the addresses which need to be reconciled, and then click Reconcile.
7. The inconsistencies are repaired.