Windows Server 2008 R2 DHCP server logs of when an IP was leased?

Started by chamjisky, January 23, 2016, 04:19:23 AM


chamjisky

Hi
I am working as IT level 1 support.
I want to delete stale reservations from DHCP.

I only have access to it through RSAT MMC tools.

Is there any way to find when a particular binding was utilized? I mean, to find the last date or the number of days an IP address was seen on the network?

I will delete all reservations that have not been used for more than 3 months, as a safe limit.

DHCP server is Server 2008 R2.



Sent from my Nexus 5 using Tapatalk

deanwebb

Usually, the DHCP MMC tool can show that information: you may need to expand the columns. Certainly, any IP address that is currently not active can be cleared without harm.

What's the reason behind the request to clear the DHCP scope? If you're running out of addresses in that scope, you may need to block traffic from a device that may be requesting more than one address.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

chamjisky

Quote from: deanwebb on January 23, 2016, 09:35:59 AM
Usually, the DHCP MMC tool can show that information: you may need to expand the columns. Certainly, any IP address that is currently not active can be cleared without harm.

What's the reason behind the request to clear the DHCP scope? If you're running out of addresses in that scope, you may need to block traffic from a device that may be requesting more than one address.
I have all the fields shown in the DHCP MMC.
It only shows active/inactive against a lease. It doesn't show when it was leased last time.

It shows active if that reservation is utilized at least once. It will be shown active forever, even if that device has not contacted the DHCP server for years after first contact.

While deleting a lease has no ill effect, it doesn't remove the reservation. The reservation still stays there?

I do not want to delete a reservation blindly; I want to ensure that it's inactive for at least a few months.


I need to find a way to identify when a particular binding was utilized last time. Or a list of times in which it was assigned.


deanwebb

Regarding DHCP reservations... are any of those assigned, or are they all just reservations made by the device? The difference is that one assigned at the server level will be a sort of permanent arrangement, while client-established reservations should get bumped if the range is all used up and you need another address. How big is the DHCP range?

chamjisky

Quote from: deanwebb on January 23, 2016, 10:21:14 AM
Regarding DHCP reservations... are any of those assigned, or are they all just reservations made by the device? The difference is that one assigned at the server level will be a sort of permanent arrangement, while client-established reservations should get bumped if the range is all used up and you need another address. How big is the DHCP range?
There are a lot of pools of /24.
Most are almost full. The reservation is created manually by IT support staff. They never bothered to remove or update these leases.

A client can only get on the network if there exists a DHCP reservation for it.



deanwebb


chamjisky

Quote from: deanwebb on January 23, 2016, 11:16:48 AM
http://social.technet.microsoft.com/wiki/contents/articles/25089.dhcp-on-windows-servers-why-are-the-expired-ip-addresses-not-getting-re-assigned.aspx

http://social.technet.microsoft.com/wiki/contents/articles/25098.how-to-force-a-dhcp-database-cleanup-for-expired-leases-in-a-specific-scope.aspx

Both of those look like they might be able to help out. The second one includes a script for cleaning up the database.
We are using 802.1X authentication.
A reservation for every new computer is created first on the DHCP server. Only then can a client get on the network with that IP (after it authenticates using AD usernames and password).

Duration for lease in my case is unlimited.

All of the above articles assume that the lease is set to expire, and they play with the grace period on the DHCP server to quickly purge expired addresses.

Does Windows DHCP server keep a log of when an IP was assigned?



deanwebb

Do not use unlimited leases. 802.1X can function just fine without unlimited leases. There should be event logging for DHCP, if I recall. But have the DHCP scope defined to time-out leases.

chamjisky

Quote from: deanwebb on January 23, 2016, 12:31:25 PM
Do not use unlimited leases. 802.1X can function just fine without unlimited leases. There should be event logging for DHCP, if I recall. But have the DHCP scope defined to time-out leases.
Lease time is a discussion for some other post.

For the time being, I need to know if Windows logs when and what IP it leased from its reservations in response to a client's IP request from the DHCP server (and does the DHCP server log a request from a MAC address for which there is no binding and hence no IP is assigned by the DHCP server?)


Does enabling DHCP audit allow for the above?


deanwebb


chamjisky


deanwebb

Quote from: chamjisky on January 24, 2016, 11:29:49 AM
Quote from: deanwebb on January 23, 2016, 02:21:32 PM
Looks like you want audit logging.

https://technet.microsoft.com/en-us/library/ee941108(v=ws.10).aspx
Does audit logging show at least when an ip was assigned?

I would think that it would. Best way to find out is to turn it on. :)

chamjisky

Quote from: deanwebb on January 24, 2016, 02:06:23 PM
Quote from: chamjisky on January 24, 2016, 11:29:49 AM
Quote from: deanwebb on January 23, 2016, 02:21:32 PM
Looks like you want audit logging.

https://technet.microsoft.com/en-us/library/ee941108(v=ws.10).aspx
Does audit logging show at least when an ip was assigned?

I would think that it would. Best way to find out is to turn it on. :)
Any utility to read and properly parse that log rather than scrolling through the text file and searching through it?

I will search for such utilities once I reach home.
If anyone uses such a utility, please share it.

Sent from my Nexus 5 using Tapatalk
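One way to parse the audit log asked about above, as an added example that is not part of the original thread or any Microsoft tool. It assumes the usual comma-separated `DhcpSrvLog-<Day>.log` layout (`ID,Date,Time,Description,IP Address,Host Name,MAC Address,...`), dates written as MM/DD/YY, and event IDs 10 (Assign) and 11 (Renew) as lease activity; the sample log and all addresses are constructed.

```python
import csv
from datetime import datetime, timedelta

# Event IDs that show a client obtained or refreshed an address
# (assumed from the legend printed at the top of each audit log file).
LEASE_EVENTS = {"10": "Assign", "11": "Renew"}

# Constructed sample, laid out like a DhcpSrvLog-<Day>.log file.
SAMPLE_LOG = """\
\t\tMicrosoft DHCP Service Activity Log

Event ID  Meaning
10\tA new IP address was leased to a client.

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid.
24,01/20/16,00:00:10,Database Cleanup Begin,,,,,0,6,,,
10,01/20/16,08:14:55,Assign,10.1.5.20,PC-A.example.local,0011223344AA,,101,0,,,
11,01/22/16,09:02:31,Renew,10.1.5.20,PC-A.example.local,0011223344AA,,102,0,,,
11,01/21/16,17:40:00,Renew,10.1.5.31,PC-B.example.local,0011223344bb,,103,0,,,
"""

def last_lease_activity(lines):
    """Map each IP to its most recent Assign/Renew record (time, MAC, host)."""
    seen = {}
    for row in csv.reader(lines):
        # Skip the banner, the event legend, the column header and other events.
        if len(row) < 7 or row[0].strip() not in LEASE_EVENTS:
            continue
        try:
            when = datetime.strptime(f"{row[1]} {row[2]}", "%m/%d/%y %H:%M:%S")
        except ValueError:
            continue  # not a data row, or the server uses another date format
        ip, host, mac = row[4].strip(), row[5].strip(), row[6].strip().upper()
        if ip and (ip not in seen or when > seen[ip][0]):
            seen[ip] = (when, mac, host)
    return seen

def stale_reservations(reserved_ips, seen, now, max_age_days=90):
    """Reserved IPs with no logged lease activity inside the window."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(ip for ip in reserved_ips
                  if ip not in seen or seen[ip][0] < cutoff)

if __name__ == "__main__":
    activity = last_lease_activity(SAMPLE_LOG.splitlines())
    reserved = {"10.1.5.20", "10.1.5.31", "10.1.5.99"}  # constructed list
    print(stale_reservations(reserved, activity, datetime(2016, 1, 24)))
```

By default the server keeps one audit file per weekday and overwrites it the following week, so a three-month view needs the daily files copied off the server and fed to the parser together.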