Affected versions: Windows Server 2025

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution — Primary Fix
  7. Solution — Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

The DHCP server role on Windows Server 2025 stops assigning IP addresses to clients because the configured scope has been exhausted: all available addresses are leased or reserved. Clients display ‘APIPA’ addresses (169.254.x.x) or cannot obtain an IP at all, causing complete loss of network connectivity for affected machines. The symptoms appear suddenly as the scope approaches 100% utilization and affect both new connections and renewals, when existing leases expire and are re-acquired by different devices. In AD environments this cascades to domain join failures, Group Policy processing errors, and Kerberos authentication failures for any host that loses its IP.

Environment & Reproduction

Affects the DHCP server role on Windows Server 2025. Reproducible by configuring a /24 scope (253 available IPs), adding 250+ clients, and watching new clients receive APIPA addresses. Also triggered by DHCP starvation attacks (a rogue machine rapidly requesting hundreds of leases) or by not configuring exclusion ranges properly.

# Check scope utilization
Get-DhcpServerv4ScopeStatistics | Select ScopeId,PercentageInUse,Free,InUse,Reserved
Get-DhcpServerv4Lease -ScopeId 192.168.1.0 | Where-Object {$_.AddressState -eq 'Active'} | Measure-Object | Select Count
# Leases closest to expiry first
Get-DhcpServerv4Lease -ScopeId 192.168.1.0 | Sort LeaseExpiryTime | Select -First 20

Root Cause Analysis

DHCP scope exhaustion happens when the number of active leases plus reservations equals the total number of addresses in the scope’s pool (range minus exclusions). Causes: (1) Scope range too small for the number of clients. (2) Lease duration too long — leases for decommissioned hosts persist until expiry. (3) DHCP starvation: malicious or misconfigured client requests many addresses. (4) Exclusion range not set for static IPs (servers, printers) occupying addresses within the dynamic range.

Quick Triage

Confirm DHCP scope exhaustion before checking for starvation or lease anomalies.

# Scope health in 2 minutes
Get-DhcpServerv4ScopeStatistics
Get-DhcpServerv4Scope | Select ScopeId,StartRange,EndRange,SubnetMask,State
Get-DhcpServerv4Lease -ScopeId 192.168.1.0 | Group-Object AddressState | Select Name,Count

Step-by-Step Diagnosis

Review scope statistics to confirm exhaustion. Check for duplicate MAC addresses (DHCP starvation indicator). Identify leases for hosts that no longer exist by correlating the lease table against Active Directory computer accounts or a recent network scan. Look for unusually short lease request intervals.

Get-DhcpServerv4ScopeStatistics -ScopeId 192.168.1.0
# Check for starvation: many leases from same MAC prefix
Get-DhcpServerv4Lease -ScopeId 192.168.1.0 | Group-Object {$_.ClientId.Substring(0,8)} | Sort Count -Desc | Select -First 10
# Count reservations currently in use (these consume pool addresses alongside active leases)
Get-DhcpServerv4Lease -ScopeId 192.168.1.0 | Where-Object {$_.AddressState -eq 'ActiveReservation'} | Measure-Object
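
The lease-to-Active-Directory correlation described in this step, as an added example that is not part of the original article. `Get-StaleLeaseCandidate` is a hypothetical helper name, and the lease objects and computer names below are constructed sample data.

```powershell
# Added example. Get-StaleLeaseCandidate is a hypothetical helper, not a DhcpServer cmdlet.
function Get-StaleLeaseCandidate {
    param(
        [Parameter(Mandatory)] [object[]] $Lease,          # objects shaped like Get-DhcpServerv4Lease output
        [Parameter(Mandatory)] [string[]] $KnownComputer   # names of enabled AD computer accounts
    )
    # Case-insensitive set of known short computer names
    $known = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($name in $KnownComputer) { [void]$known.Add($name) }

    foreach ($l in $Lease) {
        # Reservations are deliberate; only dynamic leases are candidates
        if ($l.AddressState -ne 'Active') { continue }
        # Leases usually carry an FQDN; AD computer names are the short form
        $short = if ($l.HostName) { ($l.HostName -split '\.')[0] } else { '' }
        if ($short -and $known.Contains($short)) { continue }
        [pscustomobject]@{
            IPAddress = $l.IPAddress
            ClientId  = $l.ClientId
            HostName  = $l.HostName
            Reason    = if ($short) { 'No enabled AD computer account' } else { 'No hostname in lease' }
        }
    }
}

# Constructed sample data. Against a live server, use instead:
#   $leases = Get-DhcpServerv4Lease -ScopeId 192.168.1.0
#   $names  = (Get-ADComputer -Filter 'Enabled -eq $true').Name
$leases = @(
    [pscustomobject]@{ IPAddress = '192.168.1.31'; ClientId = '00-15-5d-01-0a-01'; HostName = 'CORP-WS01.corp.local'; AddressState = 'Active' }
    [pscustomobject]@{ IPAddress = '192.168.1.32'; ClientId = '00-15-5d-01-0a-02'; HostName = 'CORP-WS07.corp.local'; AddressState = 'Active' }
    [pscustomobject]@{ IPAddress = '192.168.1.33'; ClientId = '02-aa-bb-cc-00-01'; HostName = $null; AddressState = 'Active' }
    [pscustomobject]@{ IPAddress = '192.168.1.10'; ClientId = '00-15-5d-01-0a-10'; HostName = 'PRINTER01'; AddressState = 'ActiveReservation' }
)
$names = @('CORP-WS01', 'CORP-DC01')

# Report only: review the list before piping anything to Remove-DhcpServerv4Lease
Get-StaleLeaseCandidate -Lease $leases -KnownComputer $names | Format-Table -AutoSize
```

Devices that are not domain-joined (phones, printers, guest machines) will also appear in the output, so treat it as a review list rather than a deletion list.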

Solution — Primary Fix

Immediate relief: remove stale leases, increase scope range, or reduce lease duration. Long-term: implement proper scope sizing with exclusion ranges for static devices.

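# Remove stale leases for decommissioned hosts
# (this filter treats every lease whose hostname lacks 'CORP' as stale; append -WhatIf to preview the removals first)
Get-DhcpServerv4Lease -ScopeId 192.168.1.0 | Where-Object {$_.HostName -notmatch 'CORP'} | Remove-DhcpServerv4Lease

# Extend scope range (if address space allows)
# StartRange and EndRange are supplied together; 192.168.1.1 is assumed to be the scope's existing start
Set-DhcpServerv4Scope -ScopeId 192.168.1.0 -StartRange 192.168.1.1 -EndRange 192.168.1.250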

# Reduce lease duration to 4 hours for dense environments
Set-DhcpServerv4Scope -ScopeId 192.168.1.0 -LeaseDuration (New-TimeSpan -Hours 4)

# Add exclusion for static device range
Add-DhcpServerv4ExclusionRange -ScopeId 192.168.1.0 -StartRange 192.168.1.1 -EndRange 192.168.1.20

Solution — Alternative Approaches

Alternative 1: Add a second scope with a different subnet and configure a DHCP superscope to serve multiple subnets from one server. Alternative 2: Enable DHCP failover with a partner server for load balancing, which also splits the address pool between two servers and improves availability. Alternative 3: Implement DHCP snooping and 802.1X to prevent starvation attacks at the switch level.

# Configure DHCP failover in load-balance mode (selected by -LoadBalancePercent; replace the placeholder secret)
Add-DhcpServerv4Failover -Name 'scope-failover' -ScopeId 192.168.1.0 -PartnerServer 'dhcp2.corp.local' -LoadBalancePercent 50 -SharedSecret 'ComplexSecretHere'

Verification & Acceptance Criteria

DHCP scope utilization below 80%. New clients successfully receive IP addresses. Event log shows no Event ID 1020 (scope full) or 1023 (no more addresses). Monitor for 24 hours post-fix.

Get-DhcpServerv4ScopeStatistics
# Alert threshold: trigger alert if PercentageInUse > 80
$stats = Get-DhcpServerv4ScopeStatistics
if ($stats.PercentageInUse -gt 80) { Write-Warning 'DHCP scope above 80% — action required' }

Rollback Plan

Removing leases is permanent but recoverable if the affected hosts re-request. Restoring deleted exclusion ranges: `Add-DhcpServerv4ExclusionRange`. If scope range was extended incorrectly, narrow it with `Set-DhcpServerv4Scope -EndRange `. DHCP database can be restored from backup: `Restore-DhcpServer -Path C:\DhcpBackup`.

# Restore DHCP from backup
Restore-DhcpServer -Path 'C:\Windows\System32\dhcp\backup'

Prevention & Hardening

DHCP scope management best practices: (1) Set alert threshold at 80% utilization via DHCP console or PowerShell monitoring script. (2) Size scopes for 150% of expected peak client count. (3) Use exclusion ranges for all static IPs — never rely on ‘they won’t try that IP’. (4) Enable DHCP audit logging to detect starvation early. (5) Implement DHCP failover for all production scopes.

# Monitor scope and alert (the -From and -To addresses are placeholders)
$threshold = 80
Get-DhcpServerv4ScopeStatistics | ForEach-Object {
    if ($_.PercentageInUse -gt $threshold) {
        Send-MailMessage -From 'dhcp-monitor@example.com' -To 'netops@example.com' -Subject "DHCP Scope $($_.ScopeId) at $($_.PercentageInUse)%" -SmtpServer smtp.corp.local
    }
}
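
For item (4), one way to turn the DHCP audit log into an early starvation signal, as an added example that is not part of the original article. `Find-DhcpLeaseBurst` is a hypothetical helper, the threshold of 20 new clients per minute is an assumption to tune, and the sample rows are constructed and trimmed to the first seven audit-log columns.

```powershell
# Added example. Find-DhcpLeaseBurst is a hypothetical helper, not a DhcpServer cmdlet.
function Find-DhcpLeaseBurst {
    param(
        [Parameter(Mandatory)] [string[]] $Line,   # raw audit log lines
        [int] $MaxNewClientsPerMinute = 20         # assumed threshold; tune per site
    )
    $events = foreach ($row in $Line) {
        if ($row -notmatch '^\d+,') { continue }   # skip the legend and the column header
        $f = $row.Split(',')
        if ($f.Count -lt 7) { continue }
        [pscustomobject]@{
            Id     = [int]$f[0]
            Minute = "$($f[1]) $($f[2].Substring(0,5))"   # date plus HH:MM
            Mac    = $f[6]
        }
    }
    # Audit event 10 = new lease: many distinct MACs inside one minute is the starvation pattern
    $events | Where-Object Id -eq 10 | Group-Object Minute | ForEach-Object {
        $macs = @($_.Group.Mac | Sort-Object -Unique)
        if ($macs.Count -ge $MaxNewClientsPerMinute) {
            [pscustomobject]@{ Minute = $_.Name; Finding = 'NewLeaseBurst'; Count = $macs.Count }
        }
    }
    # Audit event 14 = request refused because the scope's address pool was exhausted
    $events | Where-Object Id -eq 14 | Group-Object Minute | ForEach-Object {
        [pscustomobject]@{ Minute = $_.Name; Finding = 'PoolExhausted'; Count = $_.Count }
    }
}

# Constructed sample: one ordinary lease, 25 new leases from distinct MACs within a minute, one refusal.
# Against a live server (audit logging enabled with Set-DhcpServerAuditLog -Enable $true), use instead:
#   $sample = Get-Content "$env:SystemRoot\System32\dhcp\DhcpSrvLog-*.log"
$sample  = @('ID,Date,Time,Description,IP Address,Host Name,MAC Address')
$sample += '10,05/12/25,09:10:11,Assign,192.168.1.30,CORP-WS01.corp.local,00155D010A01'
$sample += 1..25 | ForEach-Object {
    '10,05/12/25,09:14:{0:d2},Assign,192.168.1.{1},,02AABBCC{2:X4}' -f $_, (100 + $_), $_
}
$sample += '14,05/12/25,09:15:01,Pool exhausted (constructed),,,'

Find-DhcpLeaseBurst -Line $sample | Format-Table -AutoSize
```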

Related: APIPA addresses assigned to clients (indicates DHCP server unreachable, not necessarily scope exhaustion — check DHCP service status first), DNS deregistration failures after IP address change (downstream of DHCP issues), Kerberos authentication failure after IP change (new IP not yet in DNS).

References & Further Reading

Microsoft DHCP Server documentation at learn.microsoft.com/windows-server/networking/technologies/dhcp. RFC 2131 (DHCP protocol specification). Windows Server DHCP failover guide. Microsoft KB2751940 covers DHCP scope exhaustion in high-density deployments.
