Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Monday, June 13, 2011 10:41 AM
Event ID 76 shows additions to a DHCP scope but i need to track deletions. Why is there no event for deletions? or is there?
All replies (4)
Tuesday, June 14, 2011 3:41 AM
Hi Smudgerz,
Thanks for posing here.
It will help you to trace the information of deleted and expired lease by checking the event ID 16 or 17 entry in DHCP log file:
How to Monitor the DHCP Log File
http://support.microsoft.com/kb/298367
DHCP Server Events Tool is also a good utility you may try:
Thanks.
Tiger Li
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Tuesday, June 14, 2011 7:21 AM
Thanks for the tip Tiger Li, I like the MMC snapin!
....but still i don't see my scope option deletion in either log environment. See below for example. Here i have added scope option 3 @ 07:58, deleted it @ 08:05 and added it again @ 08:15. I'm missing the deletion event.
CORP\s-smithn [[10.64.72.0]DHCP TEST VLAN] Scope: [[10.64.72.0]DHCP TEST VLAN] for IPv4 is Updated with Option Settings: [3 - Router] by CORP\s-smithn 14/06/2011 08:15:06
CORP\s-smithn [[10.64.72.0]DHCP TEST VLAN] Scope: [[10.64.72.0]DHCP TEST VLAN] for IPv4 is Updated with Option Settings: [3 - Router] by CORP\s-smithn 14/06/2011 07:58:46
Tuesday, June 21, 2011 8:41 AM
Hi Smudgerz,
Thanks for update.
Base on my test, the deletion event should be record as expected , please confirm that you are referring the correct DHCP log :
More About DHCP Audit and Event Logging
http://technet.microsoft.com/en-us/library/dd759178.aspx
Thanks.
Tiger Li
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Tuesday, June 21, 2011 10:19 AM
I'm using the following event log to track any scope option changes
Microsoft-Windows-DHCP Server Events/Operational
last two entries from today, i deleted the option setting @ 11:03:00 and added it back straight after.
CORP\s-smithn [[10.64.72.0]DHCP TEST VLAN] Scope: [[10.64.72.0]DHCP TEST VLAN] for IPv4 is Updated with Option Settings: [3 - Router] by CORP\s-smithn 21/06/2011 11:03:32
CORP\s-sahus [[10.50.42.0]User 14] Reservation: [[10.50.42.185]] for IPv4 is Configured under Scope [[10.50.42.0]User 14] by CORP\s-sahus. 21/06/2011 10:05:23
And have also been checking the relevant log file for the current day from C:\WINDOWS\System32\dhcp\DhcpSrvLog-Tue
This is todays log for the period above when i deleted the scope setting
11,06/21/11,11:01:52,Renew,10.50.42.35,HEN301IT217W2.corp.xxx.net,00163575DC5D,,3881654418,0,,,
11,06/21/11,11:02:17,Renew,10.64.169.58,LON101IT147W1.corp.xxx.net,00215A2CF936,,2807739272,0,,,
12,06/21/11,11:02:53,Release,10.32.64.26,T001365FFD531.corp.xxx.net,001365FFD531,,2012003268,0,,,
10,06/21/11,11:02:54,Assign,10.32.0.116,T001365FFD531.corp.xxx.net,001365FFD531,,3085155268,0,,,
11,06/21/11,11:02:54,Renew,10.32.0.116,T001365FFD531.corp.xxx.net,001365FFD531,,3085155268,0,,,
12,06/21/11,11:02:54,Release,10.32.0.116,T001365FFD531.corp.xxx.net,001365FFD531,,3051600836,0,,,
10,06/21/11,11:02:55,Assign,10.32.64.26,T001365FFD531.corp.xxx.net,001365FFD531,,3588733892,0,,,
11,06/21/11,11:02:55,Renew,10.32.64.26,T001365FFD531.corp.xxx.net,001365FFD531,,3588733892,0,,,
15,06/21/11,11:04:07,NACK,10.64.157.85,,5C260A2649B4,,0,6,,,
10,06/21/11,11:04:09,Assign,10.64.169.77,LON002279524.corp.xxx.net,5C260A2649B4,,1619667783,0,,,
DHCP auditing is switched on as detailed in the link the provided.
Can you tell me which log you are seeing your deletion in & what event number it shows? Could you paste the line in here?