Weekend Scripter: Parsing the DHCP Database? No Way!

Summary: Microsoft Scripting Guy, Ed Wilson, talks about a Windows PowerShell function from the DHCPServer module that permits parsing the DHCP database.

Microsoft Scripting Guy, Ed Wilson, is here. Give us enough time, and eventually we get it right. Yes, it is now possible to use Windows PowerShell to parse the DHCP server database of IPv4 leases (you can also parse the IPv6 lease database as well). Why is this good news? Well, first of all, DHCP uses an .mdb file format and, as most people know, that is a “standard jet database” format. Microsoft Access used to use an .mdb file format, and so one should be able to query the DHCP database by using standard database types of tools. Well, actually until Windows Server 2012 that was not supported.

Note   This is the fourth article in a series of Hey, Scripting Guy! Blog posts where I talk about using Windows PowerShell to work with Microsoft DHCP servers. I began the series with Use PowerShell to Query AD DS for DHCP Servers, in which I talked about using the Get-ADObject cmdlet to query for DHCP servers. I followed this with Use PowerShell Functions to Authorize DHCP Servers. In this blog post, I talked about using several Windows PowerShell functions from the DHCPServer module. I query for DHCP servers, authorize DHCP servers, and deauthorize DHCP servers in this article. Yesterday, I wrote Weekend Scripter: DHCP Address Conflict Detection in which I talked about making changes to the DHCP server configuration. Today’s post builds on these articles, and I recommend you read them in order as I am not level-setting in each article.

Query the DHCP IPv4 lease database

Well, why would one want to query DHCP? For one thing, on a really small network that might not really be necessary. I might just as well use the DHCP tool. The DHCP tool is shown here.

 Image of DHCP tool

Of course, there are a couple of problems with using the DHCP tool. First, it is slow to make the connection. Next, it requires a decent amount of mousing around, and last of all, it always prompts to save changes (even if I have made no changes and cannot tell what it really does with this prompt anyway).

Now with Windows PowerShell, it is fast—I do not even need to load the DHCPServer module because with Windows PowerShell 3.0, it auto-loads.

There are a number of occasions when querying the DHCP server IPv4 lease database makes sense, as listed here.

  1. To check on IP address use.
  2. To check IP lease expiration.
  3. To map MAC addresses to IP addresses.

There are other pieces of information available as well, such as NAP status, DHCP policy enforcement, DNS registration info, and even end-time of probation period.

First find the available scopes

The first thing I need to know is what DHCP IPv4 scopes reside on the DHCP server. To find this information, I use the Get-DhcpServerv4Scope function and specify the computer name. To query a specific DHCP server, use the server name or IP address. The ComputerName parameter is not a default parameter, and therefore, when not present, the function attempts to query the local computer. Also the ComputerName parameter is not positional, and therefore, when left off, an error arises. Luckily, the ComputerName parameter has an alias of CN, and therefore, I can avoid typing the long parameter name, as shown here.

PS C:\> Get-DhcpServerv4Scope -cn wds1

ScopeId         SubnetMask      Name           State    StartRange      EndRange

——-         ———-      —-           —–    ———-      ——–   lan            Active   WireLess       Active   Autodeploy     Active     192.168.3…

Query the DHCP server lease database

Now that I know what scopes reside on the DHCP server, I can query for lease assignments by scope. This is shown here.

PS C:\> Get-DhcpServerv4Lease -ComputerName wds1 -AllLeases -ScopeId 192.168.0

IPAddress       ScopeId         ClientId             HostName             AddressSta


———       ——-         ——–             ——–             ———-     c4-3d-c7-a2-87-eb                         Active     00-1d-7e-62-29-78    Router1.iammred.net  Active     f0-de-f1-7d-97-7c    edLT.iammred.net     Active     e0-69-95-36-4e-e5    Hyperv3.iammred.net  Active     c0-3f-0e-3b-58-b6                         Active     00-21-86-52-f0-d6    EDWILSON_LT.north… Active     00-24-e8-3e-99-2a    hyperv2.iammred.net  Active     00-15-5d-00-2d-16    Web1.iammred.net     Active

Now, if I am interested in a specific computer, I can use regular Windows PowerShell filtering techniques. I do not need to type the entire DNS host name—I can use the match operator to filter out part of the host name, as shown here.

PS C:\> Get-DhcpServerv4Lease -ComputerName wds1 -AllLeases -ScopeId 192.168.0 | ?

 hostname -match edlt

IPAddress       ScopeId         ClientId             HostName             AddressSta


———       ——-         ——–             ——–             ———-     f0-de-f1-7d-97-7c    edLT.iammred.net     Active

If I want to see full lease information for the edLT computer, I pipe the results of the previous command to the Format-Table cmdlet (fl is the alias for this cmdlet). The command and the associated information returned by the command appear in the image that follows.

Image of command output

If I want to look at the DHCP lease expiration dates, I select the LeaseExpiryTime property. The following command selects the IP address, the host name, and the lease expiration time, and then sorts the results by expiration time in ascending fashion.

15:16 C:\> Get-DhcpServerv4Lease -ComputerName wds1 -AllLeases -ScopeId 192.168.0 |

select ipaddress, hostname, leaseExpiryTime | sort leaseExpiryTime

IPAddress                    hostname                    leaseExpiryTime

———                    ——–                    —————                 Hyperv3.iammred.net         1/17/2013 1:59:53 PM                                             1/17/2013 2:10:22 PM                                             1/17/2013 4:47:30 PM                 Web1.iammred.net            1/18/2013 3:25:44 AM                 Router1.iammred.net         1/18/2013 11:17:34 AM                 hyperv2.iammred.net         1/18/2013 9:47:54 PM                 edLT.iammred.net            1/19/2013 9:38:18 AM                 EDWILSON_LT.northamerica… 1/19/2013 9:40:15 AM

One more cool thing today, and then I need to leave for the airport for my trip to Redmond. At times, I need to work with a class of machines that all came from the same maker at the same time. In all likelihood, these machines will have similar MAC addresses because the first three hexadecimal numbers identify the maker. For example, a MAC prefix of 00-15-5d belongs to the Microsoft Corporation and might be found in use by a virtual machine. The following illustrates this technique.

15:19 C:\> Get-DhcpServerv4Lease -ComputerName wds1 -AllLeases -ScopeId 192.168.0 |

? clientID -match ‘^00-15-5d’

IPAddress       ScopeId         ClientId             HostName             AddressSta


———       ——-         ——–             ——–             ———-     00-15-5d-00-2d-16    Web1.iammred.net     Active

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy