How to Set Up DHCP Server on Windows Server 2019
Dynamic Host Configuration Protocol (DHCP) automates the assignment of IP addresses, subnet masks, default gateways, DNS server addresses, and other network configuration parameters to clients on a network. Without DHCP, every device on a network would require manual IP configuration. Windows Server 2019 includes a robust DHCP server role supporting IPv4 and IPv6, failover, split scopes, policies, and integration with Active Directory and DNS.
Installing the DHCP Server Role
Install the DHCP Server role using PowerShell. The management tools include the DHCP console, DHCP PowerShell module, and command-line utilities:
Install-WindowsFeature -Name DHCP -IncludeManagementTools
# Verify the installation
Get-WindowsFeature -Name DHCP
# Start and configure the DHCP service
Start-Service DHCPServer
Set-Service DHCPServer -StartupType AutomaticAuthorizing the DHCP Server in Active Directory
In an AD domain environment, DHCP servers must be authorized in Active Directory to prevent rogue DHCP servers from distributing incorrect network settings. Only a Domain Admin or Enterprise Admin can authorize a DHCP server:
# Authorize the DHCP server in AD
Add-DhcpServerInDC -DnsName "dhcp01.corp.example.com" -IPAddress 192.168.1.5
# Verify authorization
Get-DhcpServerInDC
# Complete DHCP post-install configuration
Set-ItemProperty -Path registry::HKEY_LOCAL_MACHINESOFTWAREMicrosoftServerManagerRoles12 `
-Name ConfigurationState -Value 2After authorization, the DHCP server will begin responding to DHCP Discover broadcasts on the network. Unauthorized DHCP servers in an AD environment will detect the authorized server and stop responding to client requests.
Creating IPv4 Scopes
A DHCP scope defines a range of IP addresses that the DHCP server can lease to clients on a specific subnet. Each subnet requires its own scope. The scope must not include the network address, broadcast address, or addresses reserved for servers and network equipment:
# Create a scope for the 192.168.1.0/24 subnet
Add-DhcpServerv4Scope `
-Name "Main Office - VLAN 10" `
-Description "DHCP scope for main office workstations" `
-StartRange 192.168.1.100 `
-EndRange 192.168.1.250 `
-SubnetMask 255.255.255.0 `
-State Active `
-LeaseDuration (New-TimeSpan -Days 8)
# Verify the scope was created
Get-DhcpServerv4ScopeConfiguring Scope Exclusions and Reservations
Exclusions remove specific ranges from being leased — useful for static IP ranges within the scope’s pool. Reservations bind a specific IP address to a specific MAC address, ensuring a device always receives the same IP while still being managed by DHCP:
# Exclude a range from the scope (e.g., for servers and printers with static IPs)
Add-DhcpServerv4ExclusionRange `
-ScopeId 192.168.1.0 `
-StartRange 192.168.1.1 `
-EndRange 192.168.1.50
# Create a reservation (IP bound to MAC address)
Add-DhcpServerv4Reservation `
-ScopeId 192.168.1.0 `
-IPAddress 192.168.1.200 `
-ClientId "00-11-22-33-44-55" `
-Name "Printer-HP-LaserJet" `
-Description "HP LaserJet in Conference Room A" `
-Type Both
# List all reservations in a scope
Get-DhcpServerv4Reservation -ScopeId 192.168.1.0Configuring Scope Options
Scope options deliver additional configuration to clients alongside their IP address. The most important options are option 3 (default gateway), option 6 (DNS servers), and option 15 (DNS domain name). Options can be set at the server level (apply to all scopes), scope level (apply to a specific scope), or reservation level (apply to a specific device):
# Set scope-level options
Set-DhcpServerv4OptionValue `
-ScopeId 192.168.1.0 `
-DnsDomain "corp.example.com" `
-DnsServer 192.168.1.10, 192.168.1.11 `
-Router 192.168.1.1
# Set option 42 (NTP server)
Set-DhcpServerv4OptionValue `
-ScopeId 192.168.1.0 `
-OptionId 42 `
-Value 192.168.1.10
# Set option 66 (PXE boot server / TFTP server) for PXE boot
Set-DhcpServerv4OptionValue `
-ScopeId 192.168.1.0 `
-OptionId 66 `
-Value "192.168.1.15"
# Set option 67 (PXE boot filename)
Set-DhcpServerv4OptionValue `
-ScopeId 192.168.1.0 `
-OptionId 67 `
-Value "bootx64wdsmgfw.efi"
# View all options for a scope
Get-DhcpServerv4OptionValue -ScopeId 192.168.1.0Configuring DNS Dynamic Update
DHCP can automatically update DNS records when it leases an address to a client. This ensures DNS is always current without manual intervention. Configure DNS dynamic updates for both forward and reverse lookups:
# Enable DNS dynamic updates for IPv4
Set-DhcpServerv4DnsSetting `
-ScopeId 192.168.1.0 `
-DynamicUpdates Always `
-DeleteDnsRROnLeaseExpiry $true `
-UpdateDnsRRForOlderClients $true
# Configure the DHCP server's DNS credentials
# (Used to register/deregister records on behalf of clients)
Set-DhcpServerDnsCredential `
-Credential (Get-Credential "corpdhcp-dns-update")Configuring DHCP Failover
DHCP failover, introduced in Windows Server 2012, allows two DHCP servers to share responsibility for a scope, providing high availability. In Load Balance mode, both servers respond to client requests. In Hot Standby mode, one server is active and the other takes over only if the primary fails:
# Configure failover in Load Balance mode (recommended)
Add-DhcpServerv4Failover `
-Name "DHCPFailover-Main" `
-PartnerServer "dhcp02.corp.example.com" `
-ScopeId 192.168.1.0 `
-Mode LoadBalance `
-LoadBalancePercent 50 `
-MaxClientLeadTime (New-TimeSpan -Hours 2) `
-StateSwitchInterval (New-TimeSpan -Minutes 60) `
-SharedSecret "DHCPFailoverSecret123!"
# Configure failover in Hot Standby mode
Add-DhcpServerv4Failover `
-Name "DHCPFailover-HotStandby" `
-PartnerServer "dhcp02.corp.example.com" `
-ScopeId 192.168.2.0 `
-Mode HotStandby `
-ServerRole Active `
-ReservePercent 5 `
-MaxClientLeadTime (New-TimeSpan -Hours 2) `
-SharedSecret "DHCPFailoverSecret123!"
# Verify failover configuration
Get-DhcpServerv4FailoverConfiguring DHCP Policies
DHCP policies allow you to assign different options or IP ranges based on client attributes such as vendor class, user class, MAC address prefix, or relay agent information. This is useful for VoIP phones, printers, or wireless clients that need different settings:
# Create a policy for VoIP phones (using vendor class ID)
Add-DhcpServerv4Policy `
-Name "VoIP-Phones" `
-ScopeId 192.168.1.0 `
-Description "Policy for VoIP phones" `
-Condition OR `
-VendorClass EQ,"Cisco IP Phone"
# Assign a specific IP range to VoIP phones
Add-DhcpServerv4PolicyIPRange `
-ScopeId 192.168.1.0 `
-Name "VoIP-Phones" `
-StartRange 192.168.1.210 `
-EndRange 192.168.1.230
# Set VLAN/gateway option specifically for VoIP
Set-DhcpServerv4OptionValue `
-ScopeId 192.168.1.0 `
-PolicyName "VoIP-Phones" `
-OptionId 3 `
-Value 192.168.1.254Monitoring DHCP Leases and Statistics
Monitor DHCP lease utilization and troubleshoot client connectivity issues:
# View all active leases in a scope
Get-DhcpServerv4Lease -ScopeId 192.168.1.0
# View scope statistics (addresses in use, available, etc.)
Get-DhcpServerv4ScopeStatistics -ScopeId 192.168.1.0
# View server-level statistics
Get-DhcpServerv4Statistics
# Find a lease by IP address
Get-DhcpServerv4Lease -ScopeId 192.168.1.0 | Where-Object {$_.IPAddress -eq "192.168.1.125"}
# Find a lease by hostname
Get-DhcpServerv4Lease -ScopeId 192.168.1.0 | Where-Object {$_.HostName -like "*workstation*"}
# Export DHCP configuration for backup
Export-DhcpServer -File "C:BackupDHCPExport.xml" -LeasesDHCP Audit Logging
DHCP audit logs record all lease assignments, renewals, and releases. They are stored in C:Windowssystem32dhcp by default. Enable and review audit logs for security and troubleshooting:
# Verify audit logging is enabled
Get-DhcpServerAuditLog
# Enable audit logging if needed
Set-DhcpServerAuditLog -Enable $true -Path "C:DHCPLogs" -MaxMBFileSize 70 -DiskCheckInterval 50 -MinMBDiskSpace 20
# View recent log entries
Get-Content "C:Windowssystem32dhcpDhcpSrvLog-Mon.log" | Select-Object -Last 50A well-maintained DHCP server ensures reliable network connectivity for all clients. Review scope utilization regularly to prevent address exhaustion, keep the DHCP server authorized in AD, and maintain failover configuration to eliminate DHCP as a single point of failure in your network infrastructure.
