Windows 2000 DHCP Server Scope Full (Need to constantly reconcile only one subnet)

Brief Description:

We have a Windows 2000 Server with DHCP, DNS and Active Directory running on the same box.  The server has multiple Scopes defined for various VLANs within the site.  One of the many scopes defined consistently runs out of IP addresses.  There are approx. 100 clients in the subnet with an Address Pool of 201 IPs.  Approximately every week we need to reconcile the scope and "recover" the lost IP leases.


I've checked around as much as I could and ended up finding this article which describes the problem exactly, but does not provide a resolution.... :(


Scope affected includes Address Pool of X.X.3.25 to X.X.3.225
Reservations: Only 2 exist in the scope
Scope options: 003 Router = X.X.3.1; 006 DNS Servers = X.X.2.10, X.X.2.11; 015 DNS Domain Name =

After completing a "reconcile" process against the scope, the addresses are returned to the address Leases list with the following details.
NOTE!!! This is a sample taken from the above link to preserve confidentiality of IP Information and does not reflect exact information.
Client IP Address:
Unique ID:             3139322e3136382e312e313437000
Type:                    DHCP
Lease Expiration:   (This is set at time of reconcile and given date/time + lease expiry (4 Days))

As I said above, the problem does re-occur after time.  I have noticed that approximately every 4-6 hours another lease disappears and can be reconciled.

The Unique ID is extremely odd because it should represent a MAC address, however, as SunBow recognized in the above link, it is actually HEX for the IP address.
There are no relevant entries in the event logs on the DHCP server that would indicate problems.

Given the fact that an IP disappears every 4-6 hours, I believe it is likely a rogue device hidden under someone's desk some place or some weird application.  The problem with my theory is that the details retained in the DHCP server do not provide any help tracking the device (NO MAC!!!) I am also not comfortable with a sniffer or ethereal, etc.

Obvious question....      How do I stop this?
Secondary question....  What's the best way to track a device like this?  Sniffer against the server port? Sniffer in the affected subnet? What would I look for?

I plan to have an outage this weekend in which I will be deleting the scope and re-creating it to confirm it is not a corrupt database.

Thanks for any and all suggestions, Dave


Dave_HuntAuthor Commented:
Sorry, forgot to mention, we do not have a RRAS server.

I had a look at the EX page you referenced and agree with a comment on that page regarding some suspect piece of equipment.  I expect that it will either be a defective NIC or a poorly designed print server like device.

The problem is how to track it down.  In your description you mention the device at 192.168.1.147 and show the Address, Name, and ASCII numbered sequence that all match.  Do other leases have this same format?  Most DHCP servers I've worked on have the NETBIOS name in the Name field and the Unique ID is the MAC address, not the ASCII version of the IP Address.  If your DHCP server is the same, it should be pretty easy to track down the item.

Reconcile your scope, then monitor it and watch for the strange lease, and try to catch it before there are lots of them.  Once you have the active IP address of the device, get on a pc in that subnet and ping the device.  If you get a reply, then do an ARP -a to resolve the MAC address in your local address resolution table.  Once you have the MAC address go here ( or or somewhere else that google suggests) and lookup the manufacturer of the device.  Keep in mind that this will be the manufacturer of the ethernet part of the device, and may not match the manufacturer or brand name of the entire device.

Hope this helps,

Dave_HuntAuthor Commented:
Great points.

It's a Windows 2000 DHCP server and you are correct.  Under normal circumstances, the device name is its computer name and the Unique ID is supposed to be the MAC Address.  I agree, it would be easy to track down if I can find the MAC.

Do other leases have this same format? <-- No, "good" workstation leases are properly updating their MAC and Device Name after obtaining an Address.

Reconcile your scope, then monitor it and watch for the strange lease, and try to catch it before there are lots of them.  <-- Great idea, I am going to try this this morning, in fact, I will only remove one or two of the Reconciled IPs to narrow things down.  I had assumed that if it didn't "hold" the IP assigned to it, then it wouldn't use the IP.  I may even export the scope and write a quick batch file to hit all the "bad" IP Addresses before I remove any.

Thanks for the tip!

I will keep you posted.

Dave_HuntAuthor Commented:
Murphy's law!

I've been checking every 30 minutes or so all day and not an IP was lost...

I also added a sniffer on the segment that has the problem in the hopes that I would catch the DHCP broadcast request, but now whatever it was has stopped.  I'm going to try and leave the sniffer up all weekend and try to catch the problem.

This weekend I will also be coming in to re-create the DHCP Scope.

Let's cross our fingers and hope it comes back... I can't stand it when something occurs and it can not be explained...

Will keep you posted,
Dave_HuntAuthor Commented:
I believe the suspect device left for the Easter long weekend (4 days)... I haven't lost a single IP over the weekend.  I did delete and re-create the scope, I will continue monitoring.

I also set up a sniffer in the suspect VLAN monitoring for UDP ports 67 and 68.  The more research I did, it seems, unless I mirror the server port, I will only see the broadcast side of the conversation.  If the problem re-occurs, hopefully this is enough to see who's doing it and will show me the MAC address of the offending device.
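
What to look for in a UDP 67/68 capture, as an added example that is not part of the original thread: the sketch below decodes a lease Unique ID like the one quoted in the question and pulls the requester's hardware address (`chaddr`), option 61 client identifier and host name out of a raw DHCP payload. The sample packet, its MAC address and the host name `printsrv` are constructed, and it is an assumption (not confirmed anywhere in the thread) that the odd ID travels on the wire as option 61.

```python
import re
import struct

MAGIC = b"\x63\x82\x53\x63"  # magic cookie that precedes the DHCP options

def decode_unique_id(hex_id):
    """Return the dotted quad hidden in a lease Unique ID, or None if it is not one."""
    hex_id = hex_id[: len(hex_id) // 2 * 2]            # drop a dangling half-byte
    text = bytes.fromhex(hex_id).rstrip(b"\x00").decode("ascii", "replace")
    return text if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", text) else None

def parse_dhcp(payload):
    """Pull the fields that identify the requester out of a UDP 67/68 payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    hlen = min(payload[2], 16)                         # hardware address length
    info = {"mac": payload[28:28 + hlen].hex(":"), "msg_type": None,
            "client_id": None, "hostname": None, "id_hides_ip": None}
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:  # 255 = end of options
        if payload[i] == 0:                            # 0 = pad, has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and value:                       # message type (1 = DISCOVER)
            info["msg_type"] = value[0]
        elif code == 12:                               # host name
            info["hostname"] = value.decode("ascii", "replace")
        elif code == 61:                               # client identifier
            info["client_id"] = value.hex()
            info["id_hides_ip"] = decode_unique_id(value.hex())
        i += 2 + length
    return info

def build_sample():
    """Constructed DHCPDISCOVER (not a real capture); all values are made up."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s192s", 1, 1, 6, 0, 0x1234, 0, 0x8000,
                         b"", b"", b"", b"", bytes.fromhex("020000000001"), b"")
    cid = b"192.168.1.147\x00"                         # assumption: ID sent as ASCII IP
    opts = (bytes([53, 1, 1]) + bytes([61, len(cid)]) + cid
            + bytes([12, 8]) + b"printsrv" + b"\xff")
    return header + MAGIC + opts

if __name__ == "__main__":
    print(decode_unique_id("3139322e3136382e312e313437000"))  # sample ID from the post
    print(parse_dhcp(build_sample()))
```

Because `chaddr` sits in the fixed header of every client broadcast, it is visible from inside the affected VLAN even without mirroring the server port.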

Dave_HuntAuthor Commented:
Well, I have not seen the issue in almost 2 weeks so I am closing the question as "unsolved mysteries".

Just to recap for anyone reviewing the question later, I was unable to confirm that deleting and re-creating the suspect scope solved the problem because the problem ceased a few days prior to any changes.

I have not seen anything too "odd" on my sniffer, but I am not a trained professional experienced in the art of "sniffing".

Points will be awarded to saw as he was the only one with any suggestions/comments...

Hi Dave,

Thanks for the points.

I'm a bit bummed that a true resolution wasn't obtainable.

I've had some thoughts that you might not have thought about that may be important.

The problem may have been the DHCP server that was just having problems, but your recount of the history does not really lend to this very well.

The problem may have been some rogue device that was present while some contractor or other "LAN guest" was present, and has since gone away, but maybe not forever.

Lastly, and more seriously, do you have any wireless gear?  Do you know for sure where all of your network ports terminate?  Could this have been assigned by a VPN server?  I'm thinking that if I were trying to access (break into) your network but not be discoverable by you, I might try to alter my MAC address to keep you from knowing that I was using an IBM Laptop or Palm handheld system.  If I wasn't very good at it, which I'm not, I might accidentally do something that would confuse the DHCP server, or my network card.  I might eventually see my mistake and correct for it.  If this is all true, then I just might still be present.  I'm not trying to frighten you and I realize that all of this is a stretch, but the whole thing still sounds a bit odd and the ol' security flag is waving in my head.  On the other hand, I can be a bit paranoid at times...

Hopefully the problem will stay gone and you can just chalk it up to the alignment of the planets or something.

Good luck,
Dave_HuntAuthor Commented:
I can not agree with you more!  When something happens that can't be explained it bugs me to no end...

I don't believe it was the DHCP server, the problem disappeared without/before intervention.

I truly expect that it may return and that one day I will be able to tell everyone it was simply a rogue / bad device (be it a laptop or router or worse... a wireless access point; who knows)

We do not allow wireless, policy obviously does not prevent it, but it's something I will check for in the future if the problem occurs again.

If it took someone almost a month to realize that type of mistake, I probably don't have much to worry about :p LOL

I too own a "Tin-Foil hat" and an internal attack was the first thing that came to mind!  Don't feel alone!

Hmmm, come to think about it I did watch a few Alien and UFO shows on Discovery last month, maybe they are messing with me.?.!.?.!