How to fix a problem with Windows 2012 R2 DHCP audit stuck in paused mode.
The DHCP service writes only a single line into the log file:
“Audit Log Paused”
A customer running Windows 2012 R2 DHCP had issues with the DHCP logging. No lines were written other than the notification that auditing was paused.
E.g.: 02,06/12/15,14:19:38,Audit Log Paused,,,,,0,6,,,,,,,,,0
Logging was in fact enabled on the IPv4 scopes as above.
It is often very important for organizations to be able to trace DHCP leases back to computers/devices for specific times and dates, so enabling this setting is highly recommended. The DHCP logs do not go into the main Windows Event Viewer log files; they are text files placed by default in the C:\Windows\System32\DHCP folder.
To help readability of the logfiles the logs were relocated from the default C:\Windows\System32\DHCP to a separate partition and folder, in this case D:\DHCP-logfiles.
The ACL on the DHCP log folder shows that the correct permissions have been set automatically. The DHCP service could write into the log file, so there should be no permission problem.
Still, only the line with DHCP event id 02 and “Audit Log Paused” was written. Restarting the DHCP service did not help.
A Microsoft Knowledge Base article claimed that event id 02 with paused DHCP logging could be caused by low disk space. The partition on the DHCP server in fact had large amounts of free space, but this was misread by the DHCP audit logging.
The reason for this was a non-default ACL on the root of the D: partition. The access control entries for groups like “Everyone” and “Users” had been removed earlier to increase the access security in the root folder.
As a result, the DHCP service was not able to verify the amount of free space and incorrectly assumed that this was due to low disk space.
By adding the DHCP service (NT SERVICE\DHCPServer) with read access in the root of the partition, the service could now determine the free space.
After this the DHCP audit logging was working correctly.
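The check and fix described above, as PowerShell; this is an added example and not part of the original post. It assumes the DhcpServer module is present on the server and the default per-day log file naming (DhcpSrvLog-Mon.log and so on); the -Grant switch is a hypothetical parameter of this script.

```powershell
# Added example, not from the original post. Run elevated on the DHCP server.
param([switch]$Grant)   # hypothetical switch: apply the ACL change when set

Import-Module DhcpServer
$svc = 'NT SERVICE\DHCPServer'

# Audit log settings: location and the free-space threshold the service enforces
$audit = Get-DhcpServerAuditLog
$root  = [System.IO.Path]::GetPathRoot($audit.Path)      # e.g. D:\
$audit | Format-List Enable, Path, DiskCheckInterval, MinMBDiskSpace

# Symptom: the last event line in today's log has event id 02 (Audit Log Paused).
# Assumes the default file name pattern DhcpSrvLog-<Day>.log.
$day  = (Get-Date).DayOfWeek.ToString().Substring(0, 3)
$log  = Join-Path $audit.Path "DhcpSrvLog-$day.log"
$last = Get-Content $log -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\d+,' } |
        Select-Object -Last 1
$paused = [bool]$last -and (($last -split ',')[0] -eq '02')

# Free space as seen by the (elevated) account running this script
$drive  = New-Object System.IO.DriveInfo $root
$freeMB = [math]::Round($drive.AvailableFreeSpace / 1MB)

# Explicit ACEs for the DHCP service on the volume root. Access inherited through
# groups such as Users or Everyone is not evaluated here; in the case described
# above those entries had been removed from the root.
$aces = (Get-Acl $root).Access |
        Where-Object { $_.IdentityReference.Value -eq $svc }

"Paused: $paused  Free on ${root}: $freeMB MB  ACEs for ${svc}: $(@($aces).Count)"

if ($paused -and -not $aces) {
    "Audit log is paused although $root has free space, and $svc has no entry on $root."
    if ($Grant) {
        # Read access on the root folder only, as in the fix described above
        icacls $root /grant "${svc}:(R)"
    }
}
```

Run it without -Grant first to see the current state; the MinMBDiskSpace value in the output is the threshold below which the service pauses audit logging.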