DHCP, Appendix (DHCP Operations Guide)


Appendix

DHCP Log Events-Fields

The audit logging behavior discussed in this section applies only to the DHCP service provided with Windows Server 2003 and replaces the previous DHCP logging behavior used in earlier versions of Windows NT Server.

DHCP server logs are comma-delimited text files with each log entry representing a single line of text. The fields and the order in which they appear in the log file are:

Table 1. DHCP Server Logs-Fields

  • ID: A DHCP server event ID code.
  • Date: The date at which this entry was logged on the DHCP server.
  • Time: The time at which this entry was logged on the DHCP server.
  • Description: A description of this DHCP server event.
  • IP address: The IP address of the DHCP client.
  • Computer name: The computer name of the DHCP client.
  • MAC address: The media access control address used by the client's network adapter hardware.

DHCP Log Events-ID Codes

The audit logging behavior discussed in this section applies only to the DHCP service provided with Windows Server 2003 and replaces the previous DHCP logging behavior used in earlier versions of Windows NT Server.

DHCP server logs use special event ID codes to indicate specific information that is being captured:

Table 2. DHCP Server Logs-Event IDs

| Event ID | Description |
|---|---|
| 0 | The log was started. |
| 1 | The log was stopped. |
| 2 | The log was temporarily paused due to low disk space. |
| 10 | A new IP address was leased to a client. |
| 11 | A lease was renewed by a client. |
| 12 | A lease was released by a client. |
| 13 | An IP address was found to be in use on the network. |
| 14 | A lease request could not be satisfied because the scope's address pool was exhausted. |
| 15 | A lease was denied. |
| 16 | A lease was deleted. |
| 17 | A lease was expired. |
| 20 | A BOOTP address was leased to a client. |
| 21 | A dynamic BOOTP address was leased to a client. |
| 22 | A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted. |
| 23 | A BOOTP IP address was deleted after checking to see it was not in use. |
| 24 | IP address cleanup operation has begun. |
| 25 | IP address cleanup statistics. |
| 30 | DNS update request to the named DNS server. |
| 31 | DNS update failed. |
| 32 | DNS update successful. |
| 50+ | Codes above 50 are used for Rogue Server Detection information. |
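The following Python code is an added example, not part of the original guide: it parses audit log entries in the field order listed above and flags the event IDs from the table that a reviewer would typically look at first. The sample log lines, their description strings, and the selection of IDs to flag are assumptions made for this example.

```python
import csv
import io
from collections import Counter

# Field order as given in the fields list above.
FIELDS = ("id", "date", "time", "description", "ip", "computer_name", "mac")

# Event IDs chosen for review (an assumption of this example): audit gaps
# (1, 2), address conflicts (13), pool exhaustion (14, 22), denied leases (15).
REVIEW_IDS = {1: "log stopped", 2: "log paused (low disk space)",
              13: "address in use", 14: "pool exhausted",
              15: "lease denied", 22: "BOOTP pool exhausted"}

def parse_audit_log(text):
    """Yield one dict per log entry; skip banner, header and blank lines."""
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].strip().isdigit():
            continue  # not an entry: the first field must be a numeric ID
        row = [f.strip() for f in row] + [""] * len(FIELDS)  # pad short rows
        entry = dict(zip(FIELDS, row))  # computer_name and mac are client-supplied
        entry["id"] = int(entry["id"])
        yield entry

def review(entries):
    """Return (count per review category, list of flagged entries)."""
    counts, flagged = Counter(), []
    for e in entries:
        # The table's last row is labelled "50+": rogue server detection.
        label = "rogue server detection" if e["id"] >= 50 else REVIEW_IDS.get(e["id"])
        if label:
            counts[label] += 1
            flagged.append(e)
    return counts, flagged

# Constructed sample lines, not taken from a real server.
SAMPLE = """ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,05/12/04,08:00:01,Started,,,
10,05/12/04,08:03:11,Assign,192.0.2.21,WKS-021.example.test,00105A2B3C4D
11,05/12/04,08:10:45,Renew,192.0.2.21,WKS-021.example.test,00105A2B3C4D
13,05/12/04,08:12:02,Conflict,192.0.2.30,,
14,05/12/04,08:15:30,Scope Full,192.0.2.0,,
51,05/12/04,08:20:00,Authorization succeeded,,example.test,
"""

if __name__ == "__main__":
    counts, flagged = review(parse_audit_log(SAMPLE))
    for e in flagged:
        print(e["id"], e["date"], e["time"], e["description"], e["ip"], e["mac"])
    print(dict(counts))
```
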


DHCP System Monitors

DHCP servers are of critical importance in most environments. Monitoring the performance of servers can help when troubleshooting cases where server performance degradation occurs.

For Windows Server 2003, the DHCP service includes a set of performance counters that can be used to monitor various types of server activity. By default, these counters are available after the DHCP service is installed. To access these counters, use System Monitor (formerly Performance Monitor). The DHCP server counters can monitor the following:

  • All types of DHCP messages sent and received by the DHCP service.
  • The average amount of processing time spent by the DHCP server per message packet sent and received.
  • The number of message packets dropped because of internal delays on the DHCP server computer.

Table 3. DHCP Server Logs-Metrics

| Metric | Description |
|---|---|
| Active queue length | The current length of the internal message queue of the DHCP server. This number equals the number of unprocessed messages received by the server. A large number may indicate heavy server traffic. |
| Conflict check queue length | The current length of the conflict check queue for the DHCP server. This queue holds messages not responded to while the DHCP server performs address conflict detection. A large value here may indicate heavy lease traffic at the server or that Conflict Detection Attempts has been set too high. |
| Discovers/sec | The number of DHCPDiscover messages received per second by the server. A sudden or abnormal increase indicates that a large number of clients are probably attempting to initialize and obtain an IP address lease from the server, such as when a number of client computers are started at one time. |
| Duplicates dropped/sec | The number of duplicated packets per second dropped by the DHCP server. A large number indicates clients are probably timing out too fast or the server is not responding very fast. |
| Milliseconds per packet (Avg.) | The average time, in milliseconds, used by the DHCP server to process each packet it receives. This number can vary depending on the server hardware and its I/O subsystem. A sudden or unreasonable increase may indicate trouble, possibly with the I/O subsystem getting slower or because of some intrinsic processing overhead on the server computer. |
| Packets expired/sec | The number of packets per second that expire and are dropped by the DHCP server. Packets expire because they are in the server's internal message queue for too long. A large number here indicates either that the server is taking too long to process some packets while other packets are queued or that traffic on the network is too high for the DHCP server to handle. |
| Packets received/sec | The number of message packets received per second by the DHCP server. A large number indicates heavy DHCP-related message traffic to the server. |
| Offers/sec | The number of DHCPOffer messages sent per second by the DHCP server to clients. A sudden or abnormal increase in this number indicates heavy traffic on the server. |
| Requests/sec | The number of DHCPRequest messages received per second by the DHCP server from clients. A sudden or abnormal increase in this number indicates that a large number of clients are probably trying to renew their leases with the DHCP server. This may indicate scope lease times are too short. |
| Informs/sec | The number of DHCPInform messages received per second by the DHCP server. DHCPInform messages are used when the DHCP server queries the directory service for the enterprise root and when dynamic updates are being done on behalf of clients by the DNS server. |
| Acks/sec | The number of DHCP acknowledgment messages sent per second by the DHCP server to clients. A sudden or abnormal increase in this number indicates that a large number of clients are being renewed by the DHCP server. This may indicate scope lease times are too short. |
| Nacks/sec | The number of DHCP negative acknowledgment messages sent per second by the DHCP server to clients. A very high value might indicate potential network trouble, either misconfiguration of clients or of the server. Where servers can be misconfigured, one possible cause is a deactivated scope. For clients, a very high value could be caused by computers (such as laptops or other mobile devices) moving between subnets. |
| Declines/sec | The number of DHCPDecline messages received per second by the DHCP server from clients. A high value indicates that several clients have found their address to be in conflict, possibly indicating network trouble. In this situation, it may help to enable conflict detection on the DHCP server. If used on the server, conflict detection should only be used temporarily. Once the situation returns to normal, it should be turned off. |