Summary: Microsoft Scripting Guy, Ed Wilson, talks about a Windows PowerShell function from the DHCPServer module that permits parsing the DHCP database.
Microsoft Scripting Guy, Ed Wilson, is here. Give us enough time, and eventually we get it right. Yes, it is now possible to use Windows PowerShell to parse the DHCP server database of IPv4 leases (you can also parse the IPv6 lease database as well). Why is this good news? Well, first of all, DHCP uses an .mdbfile format and, as most people know, that is a “standard jet database” format. Microsoft Access used to use an .mdbfile format, and so one should be able to query the DHCP database by using standard database types of tools. Well, actually until Windows Server 2012 that was not supported.
Note This is the fourth article in a series of Hey, Scripting Guy! Blog posts where I talk about using Windows PowerShell to work with Microsoft DHCP servers. I began the series with Use PowerShell to Query AD DS for DHCP Servers, in which I talked about using the Get-ADObject cmdlet to query for DHCP servers. I followed this with Use PowerShell Functions to Authorize DHCP Servers. In this blog post, I talked about using several Windows PowerShell functions from the DHCPServer module. I query for DHCP servers, authorize DHCP servers, and deauthorize DHCP servers in this article. Yesterday, I wrote Weekend Scripter: DHCP Address Conflict Detectionin which I talked about making changes to the DHCP server configuration. Today’s post builds on these articles, and I recommend you read them in order because the concepts build, and I am not level-setting in each article.
Query the DHCP IPv4 lease database
Well, why would one want to query DHCP? For one thing, on a really small network that might not really be necessary. I might just as well use the DHCP tool. The DHCP tool is shown here.
Of course, there are a couple of problems with using the DHCP tool. First, it is slow to make the connection. Next, it requires a decent amount of mousing around, and last of all, it always prompts to save changes (even if I have made no changes and cannot tell what it really does with this prompt anyway).
Now with Windows PowerShell, it is fast—I do not even need to load the DHCPServer module because with Windows PowerShell 3.0, it auto-loads.
There are a number of occasions when querying the DHCP server IPv4 lease database makes sense, as listed here.
- To check on IP address use.
- To check IP lease expiration.
- To map MAC addresses to IP addresses.
There are other pieces of information available as well, such as NAP status, DHCP policy enforcement, DNS registration info, and even end-time of probation period.
First find the available scopes
The first thing I need to know is what DHCP IPv4 scopes reside on the DHCP server. To find this information, I use the Get-DhcpServerv4Scope function and specify the computer name. To query a specific DHCP server, use the server name or IP address. The ComputerNameparameter is not a default parameter, and therefore, when not present, the function attempts to query the local computer. Also the ComputerNameparameter is not positional, and therefore, when left off, an error arises. Luckily, the ComputerNameparameter has an alias of CN, and therefore, I can avoid typing the long parameter name, as shown here.
PS C:\> Get-DhcpServerv4Scope -cn wds1
ScopeId SubnetMask Name State StartRange EndRange
------- ---------- ---- ----- ---------- --------
192.168.0.0 255.255.255.0 lan Active 192.168.0.40 192.168.0.90
192.168.2.0 255.255.255.0 WireLess Active 192.168.2.50 192.168.2.99
192.168.3.0 255.255.255.0 Autodeploy Active 192.168.3.1 192.168.3...
Query the DHCP server lease database
Now that I know what scopes reside on the DHCP server, I can query for lease assignments by scope. This is shown here.
PS C:\> Get-DhcpServerv4Lease -ComputerName wds1 -AllLeases -ScopeId 192.168.0
IPAddress ScopeId ClientId HostName AddressSta
te
--------- ------- -------- -------- ----------
192.168.0.40 192.168.0.0 c4-3d-c7-a2-87-eb Active
192.168.0.41 192.168.0.0 00-1d-7e-62-29-78 Router1.iammred.net Active
192.168.0.42 192.168.0.0 f0-de-f1-7d-97-7c edLT.iammred.net Active
192.168.0.43 192.168.0.0 e0-69-95-36-4e-e5 Hyperv3.iammred.net Active
192.168.0.44 192.168.0.0 c0-3f-0e-3b-58-b6 Active
192.168.0.45 192.168.0.0 00-21-86-52-f0-d6 EDWILSON_LT.north... Active
192.168.0.46 192.168.0.0 00-24-e8-3e-99-2a hyperv2.iammred.net Active
192.168.0.54 192.168.0.0 00-15-5d-00-2d-16 Web1.iammred.net Active
Now, if I am interested in a specific computer, I can use regular Windows PowerShell filtering techniques. I do not need to type the entire DNS host name—I can use the match operator to filter out part of the host name, as shown here.
PS C:\> Get-DhcpServerv4Lease -ComputerName wds1 -AllLeases -ScopeId 192.168.0 | ?
hostname -match edlt
IPAddress ScopeId ClientId HostName AddressSta
te
--------- ------- -------- -------- ----------
192.168.0.42 192.168.0.0 f0-de-f1-7d-97-7c edLT.iammred.net Active
If I want to see full lease information for the edLT computer, I pipe the results of the previous command to the Format-Table cmdlet (fl is the alias for this cmdlet). The command and the associated information returned by the command appear in the image that follows.
If I want to look at the DHCP lease expiration dates, I select the LeaseExpiryTime property. The following command selects the IP address, the host name, and the lease expiration time, and then sorts the results by expiration time in ascending fashion.
15:16 C:\> Get-DhcpServerv4Lease -ComputerName wds1 -AllLeases -ScopeId 192.168.0 |
select ipaddress, hostname, leaseExpiryTime | sort leaseExpiryTime
IPAddress hostname leaseExpiryTime
--------- -------- ---------------
192.168.0.43 Hyperv3.iammred.net 1/17/2013 1:59:53 PM
192.168.0.44 1/17/2013 2:10:22 PM
192.168.0.40 1/17/2013 4:47:30 PM
192.168.0.54 Web1.iammred.net 1/18/2013 3:25:44 AM
192.168.0.41 Router1.iammred.net 1/18/2013 11:17:34 AM
192.168.0.46 hyperv2.iammred.net 1/18/2013 9:47:54 PM
192.168.0.42 edLT.iammred.net 1/19/2013 9:38:18 AM
192.168.0.45 EDWILSON_LT.northamerica... 1/19/2013 9:40:15 AM
One more cool thing today, and then I need to leave for the airport for my trip to Redmond. At times, I need to work with a class of machines that all came from the same maker at the same time. In all likelihood, these machines will have similar MAC addresses because the first three hexadecimal numbers identify the maker. For example, a MAC prefix of 00-15-5d belongs to the Microsoft Corporation and might be found in use by a virtual machine. The following illustrates this technique.
15:19 C:\> Get-DhcpServerv4Lease -ComputerName wds1 -AllLeases -ScopeId 192.168.0 |
? clientID -match '^00-15-5d'
IPAddress ScopeId ClientId HostName AddressSta
te
--------- ------- -------- -------- ----------
192.168.0.54 192.168.0.0 00-15-5d-00-2d-16 Web1.iammred.net Active
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy