TheCleaner asked:
CRITICAL - DHCP now shows mshome.net

Never seen this one before, and unfortunately it's happening here...lol.

Here's an IPCONFIG /ALL from my workstation:

Windows IP Configuration

        Host Name . . . . . . . . . . . . : EID6246
        Primary Dns Suffix  . . . . . . . : company.com
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : company.com
                                                      mshome.net

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . : mshome.net
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Physical Address. . . . . . . . . : 00-0D-60-DA-1D-31
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.10.6.90
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.10.6.1
        DHCP Server . . . . . . . . . . . : 10.10.10.42
        DNS Servers . . . . . . . . . . . : 192.168.0.1
        Primary WINS Server . . . . . . . : 10.10.10.42
        Secondary WINS Server . . . . . . : 10.10.10.3
        Lease Obtained. . . . . . . . . . : Thursday, April 20, 2006 8:48:21 AM
        Lease Expires . . . . . . . . . . : Thursday, April 27, 2006 8:48:21 AM


Obviously it SHOULDN'T be showing MSHOME.NET at all, and the DNS server of 192.168.0.1 is incorrect; DHCP is supposed to set DNS to 10.10.10.41 and .42.


This just started happening this morning, and apparently is affecting most if not everyone.

I know from looking that mshome.net is the default for ICS, but obviously we are a company and aren't using ICS.


On the DHCP server I'm getting:

Event ID 1202 for SCeCLI - Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

Event ID 3000 in DNS log - The DNS server has encountered numerous run-time events. To determine the initial cause of these run-time events, examine the DNS server event log entries that precede this event.

Event ID 4004 in DNS log - The DNS server was unable to complete directory service enumeration of zone ..  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.


WORKAROUND - If a client does an ipconfig /release and /renew then everything is back to normal.

Any help is very much appreciated...this is really odd...and I know management is going to want to know why it happened.
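The asker spotted the problem by eyeballing the ipconfig /all listing for values that don't belong to the site. The following is an added example, not code from the thread: a small parser for the ipconfig /all text format (the XP-era layout shown above, with dotted padding between field name and value and indented continuation lines for multi-valued fields) plus an allowlist check that flags any DHCP server, DNS server or DNS suffix outside what the site expects. The allowlist values (10.10.10.42 as the DHCP server, 10.10.10.41/.42 as DNS, company.com as the only suffix) are assumptions taken from this thread, and the two sample listings are constructed from the asker's before and after output.

```python
import re

# Constructed sample: the fields from the thread's first (suspect) listing.
SUSPECT_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : EID6246
        Primary Dns Suffix  . . . . . . . : company.com
        DNS Suffix Search List. . . . . . : company.com
                                                      mshome.net

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . : mshome.net
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.10.6.90
        Default Gateway . . . . . . . . . : 10.10.6.1
        DHCP Server . . . . . . . . . . . : 10.10.10.42
        DNS Servers . . . . . . . . . . . : 192.168.0.1
"""

# Constructed sample: the same adapter after the /release and /renew.
CLEAN_IPCONFIG = """\
Windows IP Configuration

        Primary Dns Suffix  . . . . . . . : company.com
        DNS Suffix Search List. . . . . . : company.com

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . : company.com
        Dhcp Enabled. . . . . . . . . . . : Yes
        DHCP Server . . . . . . . . . . . : 10.10.10.42
        DNS Servers . . . . . . . . . . . : 10.10.10.41
                                                   10.10.10.42
"""

# Assumed site policy (values taken from the thread; adjust for your network).
EXPECTED = {
    "DHCP Server": {"10.10.10.42"},
    "DNS Servers": {"10.10.10.41", "10.10.10.42"},
    "Connection-specific DNS Suffix": {"company.com"},
    "DNS Suffix Search List": {"company.com"},
}

# "Key . . . . : value": the key never contains a dot, and every field line has
# at least one dot of padding before the colon, which keeps IPv6 continuation
# lines (which contain colons but no padding dots) from being read as fields.
FIELD_RE = re.compile(
    r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 ()\-]*?)[. ]*\.\s*:\s*(?P<val>.*)$")


def parse_ipconfig(text):
    """Return {section: {field: [values]}}. Section headers are unindented;
    indented lines without a field pattern continue the previous field."""
    sections, section, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            last_key = None
            continue
        if not line[0].isspace():          # "Windows IP Configuration" or "Ethernet adapter ...:"
            section = line[:-1].strip() if line.endswith(":") else line.strip()
            sections[section] = {}
            last_key = None
            continue
        m = FIELD_RE.match(line)
        if m and section is not None:
            last_key = m.group("key").strip()
            values = sections[section].setdefault(last_key, [])
            if m.group("val").strip():
                values.append(m.group("val").strip())
        elif last_key is not None and section is not None:
            sections[section][last_key].append(line.strip())   # continuation value
    return sections


def audit(sections, expected=EXPECTED):
    """Return (section, field, value) triples for values outside the policy.
    Adapters with DHCP disabled are skipped: a static adapter cannot be handed
    a rogue lease, so its values belong to a different check."""
    findings = []
    for section, fields in sections.items():
        is_adapter = section.lower().startswith(("ethernet", "wireless", "ppp"))
        dhcp_on = (fields.get("Dhcp Enabled") or ["No"])[0].lower() == "yes"
        if is_adapter and not dhcp_on:
            continue
        for name, allowed in expected.items():
            for value in fields.get(name, []):
                if value not in allowed:
                    findings.append((section, name, value))
    return findings


if __name__ == "__main__":
    for label, text in (("before", SUSPECT_IPCONFIG), ("after", CLEAN_IPCONFIG)):
        for section, name, value in audit(parse_ipconfig(text)):
            print(f"{label}: {section}: {name} = {value} is not an expected value")
```

Feed it the saved output of ipconfig /all from a few workstations and the three lines it flags on the suspect listing (the mshome.net suffix in the search list, the mshome.net connection-specific suffix and the 192.168.0.1 DNS server) are exactly the fingerprints of a foreign lease; on the renewed listing it flags nothing.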
NJComputerNetworks:

Is your internal DNS server running?  Check your server and scope options...
TheCleaner (asker):

Yeah, running fine, other than the above mentioned events.

Right now DNS is AD integrated but has "allow nonsecure and secure updates" enabled...because we have printers and other non-AD devices that use DNS.

Hasn't ever happened before and just started this morning.
Just noticed something strange though in DNS:

I see an A record for:

(same as parent folder) - 169.254.121.106
with updated associated PTR record checked

I'm guessing that it is saying that the DNS server at one point got an auto-private IP?  Can this just be deleted?  May not even be associated with the problem...but still.
Is all the other info in the ipconfig (except the domain) correct?

Just to eliminate - is it possible you have a rogue dhcp server in or outside your network?
One way to test is to temporarily disable DHCP, then release/renew on a workstation and see if you get an IP.
In the forward lookup zone do you have the (same as parent folder) - xx.xx.xx.xx  Where xx.xx.xx.xx is the proper IP address?   If so, I would delete the 169.254.x.x address...



Are .41 and .42 both DCs/DNS servers/DHCP servers?


I know this is probably a very basic step...but if you look at the client machine, in TCP/IP settings, is the 192.168.0.1
and dns suffix manually set?
Are any of the DNS servers multihomed?
(I don't think Rogue server in this case...because of the DHCP server IP giving the lease seems to be the proper IP....this is why I was suspecting scope option or server options on the DHCP Windows server itself)

DHCP Server . . . . . . . . . . . : 10.10.10.42
No rogue servers that I can tell, like NJ just said.

Scope options and server options are what they should be.

It's really odd, didn't happen to everybody, but when things happen to my workstation and a few others in IT along with normal users, I get concerned.

NJ,

Yes, DNS has (same as parent folder) with proper IP addresses.  So I deleted the auto-address.

And no manual settings in TCP/IP properties on the local machines...nothing in GPOs either.

And yes, .41 and .42 are both DC/DNS, but only .42 is DHCP for this site.
Mazaraat,

Interesting that you should ask that, because although no, neither is multi-homed, both have dual Intel GB NICs.  On the .42 server the second NIC is disabled; on the .41 the second NIC just said "cable unplugged".  So I went ahead and tried to disable it, and it says "It is not possible to disable this connection at this time.  The connection may be using one or more protocols that do not support plug and play, or it may be initiated by another user or system account."

I'm figuring this is because of the Intel Proset software installed, but I'll have to check and be sure.

But again, I come back to the idea that these settings haven't been changed in a long time...so strange for something to happen just now.
The second NIC had to be disabled in Intel Proset, so no worries there...that made sense.


No RRAS enabled on either DC/DNS.
NJ, yes....ipconfig /release then /renew got it working just fine although still slightly strange...for reference here's my updated ipconfig:

Windows IP Configuration

        Host Name . . . . . . . . . . . . : EID6246
        Primary Dns Suffix  . . . . . . . : company.com
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : company.com
                                                      company.com

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . : company.com
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Physical Address. . . . . . . . . : 00-0D-60-DA-1D-31
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.10.6.90
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.10.6.1
        DHCP Server . . . . . . . . . . . : 10.10.10.42
        DNS Servers . . . . . . . . . . . : 10.10.10.41
                                                   10.10.10.42
        Primary WINS Server . . . . . . . : 10.10.10.3
        Secondary WINS Server . . . . . . : 10.10.10.42
        Lease Obtained. . . . . . . . . . : Thursday, April 20, 2006 12:06:07 PM
        Lease Expires . . . . . . . . . . : Thursday, April 27, 2006 12:06:07 PM


What seems strange to me is that the DNS suffix search list has 2 entries for my domain now...
I checked WINS too, and no entries in there that were strange.
OK guys, I think I've figured out the "culprit" although the *why* still evades me.

I kept doing an IPCONFIG /RELEASE and /RENEW and ended up eventually getting an IP from 192.168.0.1.

Turns out that it is a sales guy's laptop and his wireless NIC had ICS turned on.

So that part makes sense in the idea that this probably caused the issue.  But as far as why my clients allowed/accepted the ICS connection is beyond me.

Is there any explanation you know of?  Or possibly a GPO setting I can run to make sure this doesn't happen again?
The explanation is that the clients will first try to renew the existing address, then take the first DHCP offer they get.
If their lease has expired, and the DHCP server isn't responding quickly enough, or the PC was shut down while it expired, then whichever server answers fastest wins.

Certainly we can look at DHCP server settings, but the answer is still to have him turn off ICS.
I did turn off the ICS, but how does that explain the "combined" info from the first post?

I got a DHCP address from 10.10.10.42, but it appended not only the ICS gateway but the DNS connection suffix of the ICS.

Very weird.  I can understand if it was one DHCP server or the other, but not a combo of both.
Weird is the word.

Is the PC a member of the domain?

If so, no matter where it gets the ip, it will hang on to the local domain suffix.
(That explains why both are there when the IP is coming from ICS.)

When renewed after ics is turned off, the suffix will cache even if it gets the ip from the local dhcp server. (which can explain if both are there when ics is turned off)
It 'should' go away if you do a complete release or reboot.
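The two replies above describe a client-side mechanism: a renewing client first asks the server it leased from, falls back to broadcasting and taking the first offer that arrives, keeps the primary DNS suffix from domain membership no matter who issued the lease, and holds on to a connection-specific suffix it learned until a full release. The following is an added model of that mechanism, not code from the thread and not a DHCP implementation: offers are constructed Python objects rather than parsed packets, and the two servers (the real one at 10.10.10.42 handing out company.com and 10.10.10.41/.42, the ICS host at 192.168.0.1 handing out mshome.net and itself as DNS) and their answer delays are assumptions based on the addresses in this thread. It reproduces the suffix search list with mshome.net appended, and the doubled company.com entry after the release/renew, which is what the asker's two listings show.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Offer:
    """One DHCPOFFER as the client sees it (constructed, not parsed from the wire)."""
    server: str
    dns_servers: List[str]
    suffix: str          # option 15, becomes the connection-specific DNS suffix
    delay_ms: int        # how quickly this server answers a broadcast


@dataclass
class Client:
    primary_suffix: str                       # from domain membership; never changes
    dhcp_server: Optional[str] = None
    dns_servers: List[str] = field(default_factory=list)
    learned_suffixes: List[str] = field(default_factory=list)

    def search_list(self) -> List[str]:
        """Primary suffix first, then every connection-specific suffix still cached."""
        return [self.primary_suffix] + self.learned_suffixes

    def _apply(self, offer: Offer) -> None:
        self.dhcp_server = offer.server
        self.dns_servers = list(offer.dns_servers)
        if offer.suffix not in self.learned_suffixes:
            self.learned_suffixes.append(offer.suffix)     # sticks until release

    def renew(self, offers: List[Offer], renew_timeout_ms: int = 500) -> str:
        """RENEWING: ask only the server we leased from; if it answers in time we
        keep it and nobody else is consulted. Otherwise REBINDING: broadcast and
        accept whichever offer arrives first, whoever sent it."""
        if self.dhcp_server is not None:
            for o in offers:
                if o.server == self.dhcp_server and o.delay_ms <= renew_timeout_ms:
                    self._apply(o)
                    return "renewed"
        if not offers:
            raise RuntimeError("no DHCP server answered the broadcast")
        self._apply(min(offers, key=lambda o: o.delay_ms))
        return "rebound"

    def release(self) -> None:
        """ipconfig /release: drop the lease and every cached suffix."""
        self.dhcp_server, self.dns_servers, self.learned_suffixes = None, [], []


# Assumed servers: the slow real one and the fast ICS host on the sales laptop.
LEGIT = Offer("10.10.10.42", ["10.10.10.41", "10.10.10.42"], "company.com", delay_ms=800)
ROGUE = Offer("192.168.0.1", ["192.168.0.1"], "mshome.net", delay_ms=50)


def scenario():
    """Walk a domain-joined workstation through the thread's sequence of events."""
    pc = Client(primary_suffix="company.com")
    steps = {}
    # 1. Lease expired overnight: both servers hear the broadcast, ICS answers first.
    path = pc.renew([LEGIT, ROGUE])
    steps["rogue_wins"] = (path, pc.dhcp_server, pc.dns_servers, pc.search_list())
    # 2. ICS switched off: 192.168.0.1 no longer answers, so the client rebinds to
    #    the real server, but the suffix it learned is still cached.
    path = pc.renew([LEGIT])
    steps["after_ics_off"] = (path, pc.dhcp_server, pc.dns_servers, pc.search_list())
    # 3. ipconfig /release then /renew: cached suffixes are gone, and the search
    #    list shows company.com twice (primary plus connection-specific).
    pc.release()
    path = pc.renew([LEGIT])
    steps["after_release_renew"] = (path, pc.dhcp_server, pc.dns_servers, pc.search_list())
    # 4. ICS comes back while the lease is still valid: the client renews with its
    #    own server in time and the rogue is never asked, however fast it is.
    path = pc.renew([LEGIT, ROGUE], renew_timeout_ms=1000)
    steps["renew_in_time"] = (path, pc.dhcp_server, pc.dns_servers, pc.search_list())
    return steps


if __name__ == "__main__":
    for name, (path, server, dns, search) in scenario().items():
        print(f"{name:20s} {path:8s} server={server:12s} dns={dns} search={search}")
```

Step 4 is the defensive takeaway: a rogue only gets a chance when the client is rebinding (expired lease, machine off past T2, or the real server too slow to answer), so keeping the real server responsive and leases long narrows the window, while removing the rogue closes it.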
Yeah the PC is a member of the domain...

What's strange is I'm not referring to the PC in my last comment, I'm referring to MY machine.

Basically what happened is that any client on the domain in this subnet that would try to access the internet, would all of a sudden have their DHCP/ipconfig info merged with the ICS "server/computer" information (mshome.net, etc.)

I'm thinking I may burn a MS incident on this one simply because I really want to know the *why*.  My thought would be that the DHCP clients should have rejected any ICS offers, but maybe not.
Yea -
Once it received the other suffix once from ICS, it'll remain.  The issue is refreshing it.  
Let's test something - make sure any ics machines (or other rogues) are off/disconnected, set a manual ip on yours (including manual domain suffix), save it - then reset it to dhcp.  
If it comes back, then we have to look at whackier causes.
It's all gone at this point...once ICS was gone from that machine, it hasn't returned.  It showed up only on DHCP clients, and only if they tried to access the internet and had "automatically detect settings" in their proxy settings.

My guess is it somehow went like this:

1.  Client tried to get on the internet
2.  IE looked for the autosettings
3.  ICS from that pc responded back and set "I'm your gateway you want and use my dns suffix of mshome.net"
4.  Client said, "sure thing"
5.  problems ensued

weird to say the least.  I just would think my domain computers would say, "no way man...I've already got a gateway and dns suffix"...
No, that would only make sense :)
They will keep their suffix, but they'll pull everything else from DHCP just like lemmings to the sea.

I guess that's why they call it 'rogue'.

Cheers!
Well, I never bothered with it, chalk it up to strange...

Points for assisting me...thanks.
Micko210:
This post was extremely helpful.

time to make a GPO to disable ICS.
Thanks, this thread helped a bunch.  My issue wasn't ICS though; I was getting a similar problem with a Treadnet TW100-ss2 that someone had connected by the LAN side to my network.  I have seen this before, but as was stated above it usually will intercept the entire DHCP request and change the whole connection, not just the DNS.

P.S.  I wish I could send rogue-seeking missiles through my network when this happens and just blow them off the face of my network!
BTW Steve262, I found it happened AGAIN last fall, but this time it was a stupid little Trendnet as well, one of their wireless bridges.  It turned out that the device would sometimes reset itself on its own and the default setting was to run a builtin DHCP server that wasn't even listed in the GUI.  It only lasts until the unit is configured (the idea is to hook a computer up to it directly and the unit gives the computer an IP and then you can open a browser and configure it) to be a bridge.

Fought that one for almost a week until my PC Tech told me that was the only change he was aware of.

Hope that helps someone else as well.