Dave_Hunt

asked on

Windows 2000 DHCP Server Scope Full (Need to constantly reconcile only one subnet)

Brief Description:

We have a Windows 2000 Server with DHCP, DNS and Active Directory running on the same box.  The server has multiple Scopes defined for various VLANs within the site.  One of the many scopes defined consistently runs out of IP addresses.  There are approx. 100 clients in the subnet with an Address Pool of 201 IPs.  Approximately every week we need to reconcile the scope and "recover" the lost IP leases.

Research:

I've checked around as much as I could and ended up finding this article which describes the problem exactly, but does not provide a resolution.... :(
https://www.experts-exchange.com/questions/21638864/Windows-Server-2000-DHCP-scope-100-percent-full.html

Details:

Scope affected includes Address Pool of X.X.3.25 to X.X.3.225
Reservations: Only 2 exist in the scope
Scope options: 003 Router = X.X.3.1; 006 DNS Servers = X.X.2.10, X.X.2.11; 015 DNS Domain Name = XXXXX.com

After completing a "reconcile" process against the scope, the addresses are returned to the Address Leases list with the following details.
NOTE!!! This is a sample taken from the above link to preserve confidentiality of IP information and does not reflect exact information.
Client IP Address: 192.168.1.147
Unique ID: 3139322e3136382e312e313437000
Type: DHCP
Name: 192.168.1.147
Lease Expiration: (This is set at time of reconcile and given date/time + lease expiry (4 days))

As I said above, the problem does re-occur after time.  I have noticed that approximately every 4-6 hours another lease disappears and can be reconciled.

Note:
The Unique ID is extremely odd because it should represent a MAC address, however, as SunBow recognized in the above link, it is actually HEX for the IP address.
There are no relevant entries in the event logs on the DHCP server that would indicate problems.

Assumptions:
Given the fact that an IP disappears every 4-6 hours, I believe it is likely a rogue device hidden under someone's desk some place or some weird application.  The problem with my theory is that the details retained in the DHCP server do not provide any help tracking the device (NO MAC!!!).  I am also not comfortable with a sniffer or ethereal, etc.

Obvious question....      How do I stop this?
Secondary question....  What's the best way to track a device like this?  Sniffer against the server port? Sniffer in the affected subnet? What would I look for?

I plan to have an outage this weekend in which I will be deleting the scope and re-creating it to confirm it is not a corrupt database.

Thanks for any and all suggestions, Dave


Dave_Hunt

ASKER

Sorry, forgot to mention, we do not have a RRAS server.
ASKER CERTIFIED SOLUTION
saw830
great points.

It's a Windows 2000 DHCP server and you are correct.  Under normal circumstances, the device name is its computer name and the Unique ID is supposed to be the MAC Address.  I agree, it would be easy to track down if I can find the MAC.

Do other leases have this same format? <-- No, "good" workstation leases are properly updating their MAC and Device Name after obtaining an Address.

Reconcile your scope, then monitor it and watch for the strange lease, and try to catch it before there are lots of them.  <-- Great idea, I am going to try this this morning; in fact, I will only remove one or two of the Reconciled IPs to narrow things down.  I had assumed that if it didn't "hold" the IP assigned to it, then it wouldn't use the IP.  I may even export the scope and write a quick batch file to hit all the "bad" IP Addresses before I remove any.

Thanks for the tip!

I will keep you posted.
Dave
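Added example, not from the thread or its participants: a small script that does the "export the scope and look for the strange lease" check described above, using the Unique ID clue from the question.  A normal lease carries the client MAC as its Unique ID; the ghost leases here carry the ASCII hex of the IP address instead (3139322e3136382e312e313437000 decodes to 192.168.1.147).  The lease export below is a constructed sample in an assumed whitespace-separated layout, not a real scope dump.

```python
import binascii
import ipaddress
from typing import List, Optional

# Constructed sample export (not real data): IP, Unique ID, type, name.
# The first and third rows are ghost leases; the other two carry real MACs.
SAMPLE_LEASES = """\
192.168.1.147  3139322e3136382e312e313437000  DHCP  192.168.1.147
192.168.1.52   00-0c-29-4f-9a-21              DHCP  WS-FINANCE-02
192.168.1.148  3139322e3136382e312e31343800   DHCP  192.168.1.148
192.168.1.60   000c29ab12cd                   DHCP  WS-HR-07
"""


def decode_unique_id(unique_id: str) -> Optional[str]:
    """Return the printable ASCII hidden in a hex Unique ID, else None."""
    hexstr = unique_id.replace("-", "").replace(":", "")
    if len(hexstr) % 2:
        hexstr = hexstr[:-1]  # console copy shows a stray trailing nibble; drop it
    try:
        raw = binascii.unhexlify(hexstr)
    except (binascii.Error, ValueError):
        return None
    text = raw.rstrip(b"\x00")  # strip the terminating NUL(s)
    if not text or not all(32 <= b < 127 for b in text):
        return None  # a MAC normally contains non-printable bytes and lands here
    return text.decode("ascii")


def is_ghost_lease(ip: str, unique_id: str) -> bool:
    """A ghost lease has no MAC: its Unique ID decodes to its own IP string."""
    decoded = decode_unique_id(unique_id)
    if decoded is None:
        return False
    try:
        return ipaddress.ip_address(decoded) == ipaddress.ip_address(ip)
    except ValueError:
        return False


def find_ghost_leases(export: str) -> List[str]:
    """Parse a whitespace-separated lease export; return the ghost lease IPs."""
    ghosts = []
    for line in export.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        if is_ghost_lease(fields[0], fields[1]):
            ghosts.append(fields[0])
    return ghosts


if __name__ == "__main__":
    for ip in find_ghost_leases(SAMPLE_LEASES):
        print(f"ghost lease (Unique ID is hex of IP, no MAC): {ip}")
```

Run against a fresh export every few hours and the first address that newly matches is the one to check while it is still live, before reconciling it away.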
Murphy's law!

I've been checking every 30 minutes or so all day and not an IP was lost...

I also added a sniffer on the segment that has the problem in the hopes that I would catch the DHCP broadcast request, but now whatever it was has stopped.  I'm going to try and leave the sniffer up all weekend and try to catch the problem.

This weekend I will also be coming in to re-create the DHCP Scope.

Let's cross our fingers and hope it comes back... I can't stand it when something occurs and it can not be explained...

Will keep you posted,
Dave
I believe the suspect device left for the Easter long weekend (4 days)... I haven't lost a single IP over the weekend.  I did delete and re-create the scope; I will continue monitoring.

I also set up a sniffer in the suspect VLAN monitoring for UDP ports 67 and 68.  The more research I did, it seems, unless I mirror the server port, I will only see the broadcast side of the conversation.  If the problem re-occurs, hopefully this is enough to see who's doing it and will show me the MAC address of the offending device.

Dave
Well, I have not seen the issue in almost 2 weeks so I am closing the question as "unsolved mysteries".

Just to recap for anyone reviewing the question later, I was unable to confirm that deleting and re-creating the suspect scope solved the problem because the problem ceased a few days prior to any changes.

I have not seen anything too "odd" on my sniffer, but I am not a trained professional experienced in the art of "sniffing".

Points will be awarded to saw as he was the only one with any suggestions/comments...

Dave
Hi Dave,

Thanks for the points.

I'm a bit bummed that a true resolution wasn't obtainable.

I've had some thoughts that you might not have thought about that may be important.

The problem may have been the DHCP server that was just having problems, but your recount of the history does not really lend to this very well.

The problem may have been some rogue device that was present while some contractor or other "LAN guest" was present, and has since gone away, but maybe not forever.

Lastly, and more seriously, do you have any wireless gear?  Do you know for sure where all of your network ports terminate?  Could this have been assigned by a VPN server?  I'm thinking that if I were trying to access (break into) your network but not be discoverable by you, I might try to alter my MAC address to keep you from knowing that I was using an IBM Laptop or Palm handheld system.  If I wasn't very good at it, which I'm not, I might accidentally do something that would confuse the DHCP server, or my network card.  I might eventually see my mistake and correct for it.  If this is all true, then I just might still be present.  I'm not trying to frighten you and I realize that all of this is a stretch, but the whole thing still sounds a bit odd and the ol' security flag is waving in my head.  On the other hand, I can be a bit paranoid at times...

Hopefully the problem will stay gone and you can just chalk it up to the alignment of the planets or something.

Good luck,
Alan
I can not agree with you more!  When something happens that can't be explained it bugs me to no end...

I don't believe it was the DHCP server; the problem disappeared without/before intervention.

I truly expect that it may return and that one day I will be able to tell everyone it was simply a rogue / bad device (be it a laptop or router or worse... a wireless access point; who knows).

We do not allow wireless; policy obviously does not prevent it, but it's something I will check for in the future if the problem occurs again.

If it took someone almost a month to realize that type of mistake, I probably don't have much to worry about :p LOL

I too own a "Tin-Foil hat" and an internal attack was the first thing that came to mind!  Don't feel alone!

Hmmm, come to think about it I did watch a few Alien and UFO shows on Discovery last month, maybe they are messing with me.?.!.?.!