Windows 2003 Server: How can I see DHCP lease history?

By barth.travis ·
I need to be able to see who had what IP address at any given time in the past. Currently the only logging I see are a week's worth of errors, if any.

Is there a setting I'm missing?

If I get bittorrent activity in my proxy log from the previous day, and it's associated with IP x, the DHCP server only tells me who has IP x *currently*. If the lease changed to a different owner, how do I see who it was the day before?



This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -


by bart777 In reply to Windows 2003 Server: How ...

Whne a PC gets an address form a DHCP server it won't change IPs unless something happens to the box.

Check your lease times on the DHCP server. If thye are the default 8 days then odds are the machine that has the address today had it yesterday.

The way DHCP works the PC will try to renew the same address when the 1/2 way point is reached in the lease. I've seen PCs have the same address for months.

I hope you catch the person killing your systems.

Best of luck.

Collapse -

Are wireless clients handled differently?

by barth.travis In reply to Normally...

The leases are set for 14 days for the very reason that I want to be able to assume that IP activity 3 days ago is probably the same person that has that IP today. However it seems that every time I go to look at the active clients, their lease expiration dates are 12-14 days from the current day... as though the lease is renewing every time they connect.

I'd never looked for DHCP lease histories anywhere because I'd been assuming the length of the lease would be good enough, but apparently they are changing IP's somewhat frequently.

Collapse -

Never looked at that.

by bart777 In reply to Are wireless clients hand ...

Wireless may behave differently to a point.

The SHOULD still get the same address when the connect. I suspect what may be happening is these users go home and fire up their machines on another network like a home cable connection. This gives them a different IP address. When tehy come back to the office they send a NEW request since the home address won't work.

It might take a bit of experimentation but I think you will find that the lease still behaves the same way. DHCP compares the MAC to the lease it was previously assigned and give it back again resetting the lease time.

Collapse -

bart777 reply

by kondurik In reply to Normally...

I agree with bart777

Collapse -

Extend DHCP logging?

by barth.travis In reply to Windows 2003 Server: How ...

Is there a way to get the DHCP server to log more than a week's worth of activity? This would help enormously.

It will be very disappointing (on top of a million other Windows disappointments) if it can't be done without having to screw around.

Collapse -


by davidhhutton In reply to Windows 2003 Server: How ...

The DHCP should be logging evnts on a daily basis for a week when it begins to overwrite the first one. Is this happening with your logs?

Related Discussions

Related Forums