How to Set Up DHCP Server on Windows Server 2025
Dynamic Host Configuration Protocol (DHCP) automates the assignment of IP addresses, subnet masks, default gateways, and DNS server addresses to network clients, eliminating the administrative burden of static IP management at scale. Windows Server 2025 includes a powerful, feature-rich DHCP Server role that integrates with Active Directory for authorization security, supports IPv4 and IPv6, and provides comprehensive audit logging for compliance and troubleshooting. This guide takes you from role installation through scope creation, option assignment, reservations, and audit configuration — everything you need to operate a production DHCP server in your organization.
Prerequisites
- Windows Server 2025 with a static IP address assigned to the network adapter
- Administrator or Domain Admin privileges
- Active Directory Domain Services available on the network (required for DHCP authorization)
- PowerShell 5.1 or later running as Administrator
- Network adapter connected to the subnet(s) you plan to serve
Step 1: Install the DHCP Server Role
Install the DHCP Server role using the Install-WindowsFeature cmdlet. The -IncludeManagementTools flag adds both the DHCP Manager MMC console and the DhcpServer PowerShell module. A restart is typically not required after this installation.
# Install DHCP Server role with management tools
Install-WindowsFeature -Name DHCP -IncludeManagementTools
# Verify the installation succeeded
Get-WindowsFeature -Name DHCP | Select-Object Name, InstallState
# Verify the DHCP Server service is running
Get-Service -Name DHCPServer
# Set the service to start automatically (should already be set)
Set-Service -Name DHCPServer -StartupType Automatic
Start-Service -Name DHCPServer
After installation, Windows Server 2025 displays a post-deployment warning in Server Manager prompting you to complete DHCP configuration by adding security groups and authorizing the server in Active Directory. The following two steps handle these requirements via PowerShell.
Step 2: Add DHCP Security Groups
The DHCP Server role uses two local security groups: DHCP Administrators and DHCP Users. These groups control who can manage the DHCP service and who can view DHCP information. The Add-DhcpServerSecurityGroup cmdlet creates these groups if they do not already exist and configures the necessary ACLs on the DHCP service.
# Create the DHCP security groups (DHCP Administrators and DHCP Users)
Add-DhcpServerSecurityGroup -ComputerName "DHCPSRV01"
# Verify the groups were created
Get-LocalGroup | Where-Object { $_.Name -like "DHCP*" }
# Optionally add a domain user to the DHCP Administrators group
Add-LocalGroupMember `
-Group "DHCP Administrators" `
-Member "CORP\DHCPAdmin_Service"
# Restart the DHCP service to apply security group changes
Restart-Service -Name DHCPServer
Step 3: Authorize the DHCP Server in Active Directory
In an Active Directory environment, rogue or misconfigured DHCP servers can cause serious network outages by handing out incorrect IP addresses. Windows Server 2025 requires DHCP servers to be explicitly authorized in Active Directory before they will begin serving leases. An unauthorized DHCP server will detect authorized servers on the network and refuse to activate its scopes.
# Authorize the DHCP server in Active Directory
# The IPAddress parameter should be the server's static IP
Add-DhcpServerInDC -DnsName "DHCPSRV01.corp.example.com" -IPAddress "192.168.10.20"
# Verify the server is now authorized
Get-DhcpServerInDC
# If using a workgroup server (not domain-joined), skip authorization
# and suppress the AD check — note this reduces security in AD environments
After authorization, the DHCP service will automatically detect that it is authorized and begin activating configured scopes. You can verify the service state with Get-Service -Name DHCPServer.
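Authorization only helps if the list in Active Directory stays accurate, so it is worth comparing it to your own inventory on a schedule. The following is an added example, not part of the original guide: Compare-DhcpAuthorization and the approved-server table are hypothetical, and the sample objects are constructed to mirror the DnsName and IPAddress properties returned by Get-DhcpServerInDC.

```powershell
# Added example (not from the original guide). Inventory and sample data are constructed.
function Compare-DhcpAuthorization {
    param(
        [Parameter(Mandatory)][object[]]$Authorized,   # output of Get-DhcpServerInDC
        [Parameter(Mandatory)][hashtable]$Approved     # DnsName -> expected IP address
    )
    # Flag servers authorized in AD that are unknown or have an unexpected address
    foreach ($srv in $Authorized) {
        $name = $srv.DnsName.ToLowerInvariant()
        $ip   = [string]$srv.IPAddress
        $finding = 'OK'
        if (-not $Approved.ContainsKey($name)) { $finding = 'NotInInventory' }
        elseif ($Approved[$name] -ne $ip)      { $finding = 'IPMismatch' }
        [pscustomobject]@{ DnsName = $name; IPAddress = $ip; Finding = $finding }
    }
    # Flag approved servers that are missing from AD (they will not serve leases)
    $seen = @($Authorized | ForEach-Object { $_.DnsName.ToLowerInvariant() })
    foreach ($name in $Approved.Keys) {
        if ($name.ToLowerInvariant() -notin $seen) {
            [pscustomobject]@{ DnsName = $name; IPAddress = $Approved[$name]; Finding = 'NotAuthorized' }
        }
    }
}

# Constructed inventory: the server from this guide plus one expected second server
$approved = @{
    'dhcpsrv01.corp.example.com' = '192.168.10.20'
    'dhcpsrv02.corp.example.com' = '192.168.10.21'
}
# Constructed stand-in for Get-DhcpServerInDC output
$authorized = @(
    [pscustomobject]@{ DnsName = 'DHCPSRV01.corp.example.com'; IPAddress = '192.168.10.20' }
    [pscustomobject]@{ DnsName = 'lab-dhcp.corp.example.com';  IPAddress = '192.168.10.77' }
)

Compare-DhcpAuthorization -Authorized $authorized -Approved $approved |
    Where-Object Finding -ne 'OK'

# On a domain-joined server, use the live list instead:
# Compare-DhcpAuthorization -Authorized (Get-DhcpServerInDC) -Approved $approved
```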
Step 4: Create a DHCP Scope
A DHCP scope defines the pool of IP addresses the server can assign for a particular subnet, along with the subnet mask, lease duration, and optional descriptive name. The Add-DhcpServerv4Scope cmdlet creates the scope — the StartRange and EndRange define the full address pool before any exclusions are applied.
# Create a scope for the 192.168.10.0/24 subnet
Add-DhcpServerv4Scope `
-Name "Corporate LAN - Building A" `
-StartRange "192.168.10.1" `
-EndRange "192.168.10.254" `
-SubnetMask "255.255.255.0" `
-LeaseDuration "8.00:00:00" `
-State Active `
-PassThru
# Create a scope for a wireless subnet with a shorter lease
Add-DhcpServerv4Scope `
-Name "Guest WiFi - 192.168.50.0/24" `
-StartRange "192.168.50.1" `
-EndRange "192.168.50.254" `
-SubnetMask "255.255.255.0" `
-LeaseDuration "0.04:00:00" `
-Description "Guest wireless network - 4 hour lease" `
-State Active `
-PassThru
# List all configured scopes
Get-DhcpServerv4Scope | Select-Object ScopeId, Name, StartRange, EndRange, LeaseDuration, State
Step 5: Configure Exclusion Ranges
Exclusion ranges carve out portions of the scope’s address pool that the DHCP server will never assign dynamically. Use exclusions for addresses already assigned statically to servers, printers, network equipment, and other devices that require fixed IP addresses. Always plan your exclusion ranges before activating a scope.
# Exclude the first 20 addresses (reserved for static infrastructure)
Add-DhcpServerv4ExclusionRange `
-ScopeId "192.168.10.0" `
-StartRange "192.168.10.1" `
-EndRange "192.168.10.20" `
-PassThru
# Exclude additional addresses used by network equipment
Add-DhcpServerv4ExclusionRange `
-ScopeId "192.168.10.0" `
-StartRange "192.168.10.240" `
-EndRange "192.168.10.254" `
-PassThru
# View current exclusion ranges
Get-DhcpServerv4ExclusionRange -ScopeId "192.168.10.0"
# Remove an exclusion range if needed
Remove-DhcpServerv4ExclusionRange `
-ScopeId "192.168.10.0" `
-StartRange "192.168.10.240" `
-EndRange "192.168.10.254" `
-Force
Step 6: Configure DHCP Scope Options
DHCP options are additional configuration parameters sent to clients along with their IP address. The most important options for IPv4 scopes are the default gateway (option 3), DNS server addresses (option 6), and DNS domain name (option 15). Options can be set at server level (applying to all scopes), scope level (applying to a specific scope), or reservation level (applying to a specific client).
# Set scope-level options for the Corporate LAN scope
Set-DhcpServerv4OptionValue `
-ScopeId "192.168.10.0" `
-Router "192.168.10.1" `
-DnsServer "192.168.10.10", "192.168.10.11" `
-DnsDomain "corp.example.com" `
-PassThru
# Set the NTP server option (option 42) at the server level (applies to all scopes)
Set-DhcpServerv4OptionValue `
-OptionId 42 `
-Value "192.168.10.10" `
-PassThru
# Set WINS server (option 44) if legacy NetBIOS applications are present
Set-DhcpServerv4OptionValue `
-ScopeId "192.168.10.0" `
-OptionId 44 `
-Value "192.168.10.15" `
-PassThru
# View all configured options for a scope
Get-DhcpServerv4OptionValue -ScopeId "192.168.10.0" |
Select-Object OptionId, Name, Value
Step 7: Create DHCP Reservations
Reservations bind a specific IP address to a client’s MAC address (ClientId), ensuring that device always receives the same address from DHCP. This is preferred over static assignment for devices that need a predictable address but should still receive DHCP options automatically. The ClientId is the MAC address of the network adapter, formatted as a hyphen-separated string.
# Create a reservation for a printer
Add-DhcpServerv4Reservation `
-ScopeId "192.168.10.0" `
-IPAddress "192.168.10.50" `
-ClientId "00-1A-2B-3C-4D-5E" `
-Name "Printer-Floor2" `
-Description "HP LaserJet Pro - 2nd floor print room" `
-Type Both `
-PassThru
# Create a reservation for a network camera
Add-DhcpServerv4Reservation `
-ScopeId "192.168.10.0" `
-IPAddress "192.168.10.51" `
-ClientId "AA-BB-CC-DD-EE-FF" `
-Name "IPCamera-Reception" `
-Type Both `
-PassThru
# List all reservations in a scope
Get-DhcpServerv4Reservation -ScopeId "192.168.10.0" |
Select-Object IPAddress, ClientId, Name, Description
# Remove a reservation
Remove-DhcpServerv4Reservation `
-ScopeId "192.168.10.0" `
-IPAddress "192.168.10.51" `
-Force
Step 8: View and Manage Active Leases
The Get-DhcpServerv4Lease cmdlet retrieves all active leases for a scope, including the client’s IP address, hostname, MAC address, and lease expiry time. This is the primary tool for identifying which clients are connected, finding the IP assigned to a specific device, and auditing DHCP usage.
# Get all active leases for a scope
Get-DhcpServerv4Lease -ScopeId "192.168.10.0" |
Select-Object IPAddress, ClientId, HostName, LeaseExpiryTime, AddressState |
Sort-Object IPAddress
# Find the lease for a specific MAC address
Get-DhcpServerv4Lease -ScopeId "192.168.10.0" |
Where-Object { $_.ClientId -eq "00-1A-2B-3C-4D-5E" }
# Get leases expiring within the next 24 hours (capacity planning)
Get-DhcpServerv4Lease -ScopeId "192.168.10.0" |
Where-Object { $_.LeaseExpiryTime -lt (Get-Date).AddHours(24) } |
Select-Object IPAddress, HostName, LeaseExpiryTime
# Remove a specific lease (force client to renew)
Remove-DhcpServerv4Lease `
-ScopeId "192.168.10.0" `
-ClientId "00-1A-2B-3C-4D-5E"
# Get scope utilization statistics
Get-DhcpServerv4ScopeStatistics -ScopeId "192.168.10.0" |
Select-Object ScopeId, Free, InUse, Reserved, PercentageInUse
Step 9: Configure DHCP Audit Logging
DHCP audit logging records all lease activity (assignments, renewals, releases, and errors) to log files stored on the server. These logs are invaluable for security investigations (tracing which device had a given IP at a specific time), troubleshooting connectivity issues, and demonstrating compliance with network access policies. By default, DHCP audit logging is enabled and writes to %SystemRoot%\System32\DHCP.
# Verify audit logging is enabled
Get-DhcpServerAuditLog
# Enable audit logging explicitly and configure the log path
# (the DHCP Server service must be restarted for audit log changes to take effect)
Set-DhcpServerAuditLog `
-Enable $true `
-Path "D:\DHCPLogs" `
-MaxMBFileSize 70 `
-DiskCheckInterval 50 `
-MinMBDiskSpace 20 `
-PassThru
# View recent DHCP log file contents (PowerShell parsing example)
# Default log location; use the -Path value set above if you moved the logs
$logPath = "C:\Windows\System32\DHCP"
$todayLog = Get-ChildItem -Path $logPath -Filter "DhcpSrvLog-$(Get-Date -Format 'ddd').log" |
Select-Object -First 1
if ($todayLog) {
Get-Content $todayLog.FullName |
Where-Object { $_ -match "^1[0-9]," } | # Event IDs 10-19 = lease events
Select-Object -Last 20
}
# Configure DNS dynamic update behavior for DHCP clients
Set-DhcpServerv4DnsSetting `
-ComputerName "DHCPSRV01" `
-DynamicUpdates "Always" `
-DeleteDnsRROnLeaseExpiry $true `
-UpdateDnsRRForOlderClients $true `
-PassThru
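For the investigation use case described in this step (which device held a given IP at a given time), the audit log can be replayed up to the moment of interest. This is an added example, not part of the original guide: Get-DhcpLeaseHolder is a hypothetical helper, the sample lines are constructed, and it assumes the audit log's leading columns (ID, Date, Time, Description, IP Address, Host Name, MAC Address), an MM/dd/yy date format, and the event IDs listed in the log file's own header.

```powershell
# Added example (not from the original guide). Sample log lines are constructed.
$sample = @'
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,03/04/25,08:01:12,Assign,192.168.10.101,WS-0142.corp.example.com,001A2B3C4D5E,
11,03/04/25,12:01:15,Renew,192.168.10.101,WS-0142.corp.example.com,001A2B3C4D5E,
12,03/04/25,14:30:02,Release,192.168.10.101,WS-0142.corp.example.com,001A2B3C4D5E,
10,03/04/25,15:10:44,Assign,192.168.10.101,LAPTOP-77.corp.example.com,AABBCCDDEEFF,
'@ -split "`r?`n"

function Get-DhcpLeaseHolder {
    param(
        [Parameter(Mandatory)][string[]]$LogLine,
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][datetime]$At
    )
    $held  = 10, 11          # new lease, renewal
    $ended = 12, 16, 17, 18  # release, deleted, expired (assumed from the log file header)
    $last = $LogLine |
        # Keep data rows only; this skips the descriptive header text in each log file
        Where-Object { $_ -match '^\d+,\d{2}/\d{2}/\d{2},\d{2}:\d{2}:\d{2},' } |
        ForEach-Object {
            $f = $_ -split ','
            [pscustomobject]@{
                Id       = [int]$f[0]
                When     = [datetime]::ParseExact("$($f[1]) $($f[2])", 'MM/dd/yy HH:mm:ss',
                               [cultureinfo]::InvariantCulture)   # assumed date format
                IP       = $f[4]
                HostName = $f[5]
                Mac      = $f[6]
            }
        } |
        # Only events for this IP, at or before the time of interest, that change lease state
        Where-Object { $_.IP -eq $IPAddress -and $_.When -le $At -and
                       $_.Id -in ($held + $ended) } |
        Sort-Object When |
        Select-Object -Last 1
    # Return the holder only if the latest state-changing event left the lease active
    if ($last -and $last.Id -in $held) { $last }
}

# Query the same IP at two points in time (before the release, and after reassignment)
Get-DhcpLeaseHolder -LogLine $sample -IPAddress '192.168.10.101' -At '2025-03-04 13:00'
Get-DhcpLeaseHolder -LogLine $sample -IPAddress '192.168.10.101' -At '2025-03-04 16:00'
```

Against real logs, pass the output of Get-Content for the relevant DhcpSrvLog-*.log file as -LogLine. The log files are named by weekday, so copy them off the server before they are overwritten the following week.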
Conclusion
Setting up a robust DHCP server on Windows Server 2025 involves more than just installing the role and creating a scope. Proper DHCP deployment requires authorizing the server in Active Directory to prevent rogue server interference, carefully planning exclusion ranges to avoid conflicts with statically-assigned devices, configuring scope options so clients receive all necessary network parameters, and leveraging reservations for devices that need consistent addresses. Audit logging ties everything together for security and compliance, giving you a historical record of every IP address assignment on your network. With the configuration covered in this guide, your DHCP server is ready to serve your organization reliably and securely on Windows Server 2025.