DHCP WMI Event Classes

  • Question

  • Hello, I posed the following scenario in the DHCP forum and it was recommended by a moderator to post it in this forum as well...

    I'm working towards creating instrumentation to auto-remediate DHCP BAD_ADDRESS issues that can occur for a variety of reasons and which can result in scope exhaustion in some circumstances if not addressed.

    There are PowerShell CmdLets to help identify and clean up BAD_ADDRESSES (Get-DhcpServerv4Lease -BadLeases and Remove-DhcpServerv4Lease -BadLeases), however, I've been searching for a more event-driven approach in order to respond more rapidly and also so that the automation isn't constantly hammering DHCP to search for bad addresses.

    Usually WMI is a good source to leverage for event-driven activities and although I did find that there's a WMI class (PS_DhcpServerv4Lease) to perform the equivalent of the PowerShell CmdLets above (finding/removing bad addresses), I'm not finding any WMI Event Classes that might allow me to create a subscription in order for an event notification to trigger remediation.

    I've scanned WMI on a DHCP server to identify all existing WMI Providers, Namespaces, and related Classes that I could identify. 'DhcpServerPSProvider' appears to be the only WMI Provider related to DHCP, and the following is the namespace that appears to be associated with it: 'ROOT\Microsoft\Windows\DHCP'

    The Provider Classes are clearly documented here.

    I attempted to look for any DHCP related Event Classes using the following query within both the 'ROOT\Microsoft\Windows\DHCP' and 'root\cimv2' namespaces but no luck.

    Get-WmiObject -Namespace ROOT\Microsoft\Windows\DHCP -Query "SELECT * FROM meta_class WHERE __This ISA '__Event'" | sort | select name

    Would really appreciate some help here with identifying whether a WMI Event class exists that I might be able to subscribe to for BAD_ADDRESS events. There's quite a bit of other similar instrumentation I'd like to work on as well so if there are DHCP related WMI Event classes at all that can be subscribed to then I'd appreciate a reference. Thanks!

    Thursday, September 21, 2017 5:51 PM

All replies

  • Just use the new instance event to detect when a new instance is created. Alternately it would be easier to write an event script for the DHCP events in the event log. Look at the DHCP log to see what event is recorded for bad address.


    \_(ツ)_/

    Thursday, September 21, 2017 5:58 PM
  • Appreciate the reply JRV.

    I did look through the DHCP server Event logs and didn't notice anything related.

    Regarding creation of a new instance event, I launched WBEMTEST, connected to the 'ROOT\Microsoft\Windows\DHCP' Namespace and allowed the following async Notification Query to run for hours with no results:

    SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'PS_DhcpServerv4Lease'

    Is that similar to what you had in mind? Otherwise perhaps examples plz.

    Thanks again,

    Ted

    Thursday, September 21, 2017 10:58 PM
  • DHCP apparently has no eventing provider.    Not much you can do about that.


    \_(ツ)_/

    Thursday, September 21, 2017 11:53 PM
  • That's what I'm also inclined to believe, just wanted to hear someone with more insight more or less confirm. Thanks.
    Friday, September 22, 2017 4:08 AM
  • DHCP server is a work in progress.  Have you tried this on 2016? 

    What is the exact message you are getting when the address is bad?  How can DHCP give out a bad address?  Is it because the address is in use already but is not assigned by DHCP?


    \_(ツ)_/

    Friday, September 22, 2017 4:20 AM
  • Currently using Server 2012 Core and haven't tried in 2016.

    A duplicate/already in use IP is one reason. There are a number of reasons it can happen, this forum question has some good background info and you can search the web for more. This example is similar to what we see occasionally.

    Friday, September 22, 2017 10:14 PM
  • Those events are only registered at the client. DHCP just hands out the IP. If the scope is set up incorrectly then this can happen. You need to find the event log entries on the PCs that show dupes but this is hard because the PC will not be reachable remotely.


    \_(ツ)_/

    Friday, September 22, 2017 10:56 PM
  • Actually WS2008r2 and later appear to log dupe events as event 13 in the DHCP log.  If they are not being logged then the dupe is not from a DHCP lease but from some other source.

    Here: Microsoft>Windows>DHCP-Server>Microsoft-Windows-DHCP Server Events/Operational

    https://technet.microsoft.com/en-us/library/dd759178(v=ws.11).aspx


    \_(ツ)_/

    Friday, September 22, 2017 11:02 PM
  • Appreciate your extra effort in helping find an appropriate mechanism here.

    I'm familiar with the DHCP logs and the fact that duplicate IPs are logged. It doesn't really help facilitate an event-driven solution since we'd have to continuously parse or tail that log file. Additionally a duplicate IP is unfortunately only 1 cause of a bad_address.

    I shared a link above to another cause but I realize it was a bit obscure, since the issue we observe is down more in the comments related to clients behind wireless bridge or with bridged adapters. Also I really didn't want to get into detail on the issues causing Bad_addresses because I didn't want to convolute the discussion here.

    This forum describes the issue much better. Basically we have wireless controllers configured to convert broadcast traffic to unicast. As that forum points out, 'This can impact DHCP discover/requested packets for clients behind a wireless bridge and virtual clients on VMware devices.' The reason for that configuration on our network is to combat broadcast storms which led to wireless controller issues. Anyhow, the result is that certain Virtual clients under certain conditions on our wireless network experience this issue which results in those clients not getting IPs and more importantly, DHCP scopes being quickly exhausted with bad addresses.

    Point is that an event-driven solution would have been ideal to quickly respond to this and those logs won't be helpful for that, so I'll just have to create a recurring job to probe DHCP for bad addresses using the PowerShell CmdLets mentioned early-on.

    Really appreciate your help and persistence digging in!!

    Thanks

    Ted

    Monday, September 25, 2017 5:29 PM
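
The recurring job described in the post above, sketched as an added example (not code from the thread or from Microsoft). It uses the Get-DhcpServerv4Lease -BadLeases and Remove-DhcpServerv4Lease -BadLeases cmdlets named in the question; the threshold, the audit file path and the parameter names of the script itself are assumptions.

```powershell
# Added example: scheduled sweep for BAD_ADDRESS leases, one query per scope per run.
# Assumptions (hypothetical values): $Threshold, $AuditCsv. Requires the DhcpServer
# module, either on the DHCP server itself or on a host with the DHCP RSAT tools.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Threshold       = 5,                                # bad leases per scope before cleanup
    [string]$AuditCsv     = 'C:\Logs\dhcp-bad-leases.csv',    # hypothetical audit file
    [switch]$Remediate                                        # without this switch: report only
)

Import-Module DhcpServer -ErrorAction Stop

foreach ($scope in Get-DhcpServerv4Scope -ComputerName $ComputerName) {
    # Ask only for bad leases so the sweep stays cheap on large scopes.
    $bad = @(Get-DhcpServerv4Lease -ComputerName $ComputerName `
                 -ScopeId $scope.ScopeId -BadLeases)
    if ($bad.Count -eq 0) { continue }

    # Scope utilisation shows how close the scope is to exhaustion.
    $stats = Get-DhcpServerv4ScopeStatistics -ComputerName $ComputerName `
                 -ScopeId $scope.ScopeId

    # Record every bad lease before it is deleted, so the cause can be
    # investigated later (which addresses, how often, which scope).
    $bad | Select-Object @{n='Seen'; e={ Get-Date -Format o }},
                         ScopeId, IPAddress, ClientId, HostName,
                         AddressState, LeaseExpiryTime |
        Export-Csv -Path $AuditCsv -Append -NoTypeInformation

    $removed = $false
    if ($Remediate -and $bad.Count -ge $Threshold) {
        Remove-DhcpServerv4Lease -ComputerName $ComputerName `
            -ScopeId $scope.ScopeId -BadLeases
        $removed = $true
    }

    # One summary object per affected scope for the job log.
    [pscustomobject]@{
        ScopeId        = $scope.ScopeId
        BadLeases      = $bad.Count
        PercentageUsed = $stats.PercentageInUse
        FreeAddresses  = $stats.Free
        Removed        = $removed
    }
}
```

Run it from a scheduled task without -Remediate first to see how many bad leases each scope accumulates between runs, then pick the threshold and interval from that data.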
  • Hi,

    I'm checking how the issue is going, was your issue resolved?

    If the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best Regards,
    Albert Ling


    Friday, September 29, 2017 6:19 AM