We have a Windows 2000 Server with DHCP, DNS and Active Directory running on the same box. The server has multiple scopes defined for various VLANs within the site. One of the many scopes defined consistently runs out of IP addresses. There are approx. 100 clients in the subnet with an Address Pool of 201 IPs. Approximately every week we need to reconcile the scope and "recover" the lost IP leases.
I've checked around as much as I could and ended up finding this article which describes the problem exactly, but does not provide a resolution.... :(
Scope affected includes Address Pool of X.X.3.25 to X.X.3.225
Reservations: Only 2 exist in the scope
Scope options: 003 Router = X.X.3.1; 006 DNS Servers = X.X.2.10, X.X.2.11; 015 DNS Domain Name = XXXXX.com
After completing a "reconcile" process against the scope, the addresses are returned to the Address Leases list with the following details.
NOTE!!! This is a sample taken from the above link to preserve confidentiality of IP Information and does not reflect exact information.
Client IP Address: 192.168.1.147
Unique ID: 3139322e3136382e312e313437
Lease Expiration: (This is set at time of reconcile and given date/time + lease expiry (4 Days))
As I said above, the problem does re-occur after time. I have noticed that approximately every 4-6 hours another lease disappears and can be reconciled.
The Unique ID is extremely odd because it should represent a MAC address, however, as SunBow recognized in the above link, it is actually HEX for the IP address.
There are no relevant entries in the event logs on the DHCP server that would indicate problems.
Given the fact that an IP disappears every 4-6 hours, I believe it is likely a rogue device hidden under someone's desk some place or some weird application. The problem with my theory is that the details retained in the DHCP server do not provide any help tracking the device (NO MAC!!!). I am also not comfortable with a sniffer or Ethereal, etc.
Obvious question.... How do I stop this?
Secondary question.... What's the best way to track a device like this? Sniffer against the server port? Sniffer in the affected subnet? What would I look for?
I plan to have an outage this weekend in which I will be deleting the scope and re-creating it to confirm it is not a corrupt database.
Thanks for any and all suggestions, Dave
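The following is an added example, not code from Dave's post or from anything linked in it. It does the one check the post makes possible without a sniffer: take the Client IP Address and Unique ID columns from a lease export and separate normal leases (a 6-byte Ethernet client ID) from the odd ones whose Unique ID is simply the ASCII text of the lease's own IP address written out in hex, which is the pattern shown above (3139322e3136382e312e313437 is the bytes of "192.168.1.147"). On a Windows DHCP server that shape of Unique ID is what a BAD_ADDRESS lease carries after the server marks an address as in conflict (a client sent a DHCPDECLINE, or server-side conflict detection got a ping reply); the script only recognises the pattern, it does not try to tell those causes apart. The lease list below is constructed for the example and is not real data from the site.

```python
import ipaddress
import re
from collections import Counter

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def ip_to_unique_id(ip):
    """The encoding seen in the post: the dotted-quad text as ASCII hex.
    ip_to_unique_id("192.168.1.147") == "3139322e3136382e312e313437".
    """
    return str(ipaddress.IPv4Address(ip)).encode("ascii").hex()


def decode_unique_id(unique_id):
    """Classify one Unique ID value from the DHCP lease list.

    Returns (kind, value):
      ("ip-hex", "192.168.1.147")   hex bytes that spell an IPv4 address in ASCII
      ("mac", "00:04:76:0a:1b:2c")  6 raw bytes, a normal Ethernet client ID
      ("unknown", <raw input>)      anything else (odd length, non-hex, other lengths)
    """
    uid = unique_id.strip().replace("-", "").replace(":", "")
    if not HEX_RE.match(uid) or len(uid) % 2:
        return ("unknown", unique_id)
    raw = bytes.fromhex(uid)
    # First see whether the bytes are printable ASCII forming an IPv4 address.
    try:
        text = raw.decode("ascii")
        return ("ip-hex", str(ipaddress.IPv4Address(text)))
    except (UnicodeDecodeError, ipaddress.AddressValueError):
        pass
    # A 6-byte ID is taken to be a hardware (MAC) address.
    if len(raw) == 6:
        return ("mac", ":".join(f"{b:02x}" for b in raw))
    return ("unknown", unique_id)


def audit_leases(leases):
    """leases: iterable of (client_ip, unique_id) pairs, e.g. from a lease export.

    Returns (summary, phantoms): summary is a Counter of kinds, phantoms is the
    list of client IPs whose Unique ID decodes to that same IP address, i.e.
    the entries the post describes as carrying no MAC.
    """
    summary = Counter()
    phantoms = []
    for client_ip, unique_id in leases:
        kind, value = decode_unique_id(unique_id)
        summary[kind] += 1
        if kind == "ip-hex" and value == str(ipaddress.IPv4Address(client_ip)):
            phantoms.append(client_ip)
    return summary, phantoms


# Constructed sample lease list (hypothetical addresses, modelled on the sanitized
# entry in the post). Two ordinary MAC-based leases, two IP-as-hex entries that
# match their own address, one IP-as-hex entry for a different address, one junk ID.
SAMPLE_LEASES = [
    ("192.168.1.20", "0004760a1b2c"),
    ("192.168.1.21", "00-e0-18-ab-34-cd"),
    ("192.168.1.147", "3139322e3136382e312e313437"),
    ("192.168.1.200", ip_to_unique_id("192.168.1.200")),
    ("192.168.1.23", ip_to_unique_id("192.168.1.24")),
    ("192.168.1.22", "zz"),
]

if __name__ == "__main__":
    summary, phantoms = audit_leases(SAMPLE_LEASES)
    print("lease ID kinds:", dict(summary))
    print("leases whose Unique ID is just their own IP in hex:", phantoms)
```

Feed it the Client IP Address and Unique ID columns of a real lease export (the input is just pairs of strings, so any dump format can be reduced to it) and the phantom list is the set of addresses that will go missing from the pool until the next reconcile; watching which addresses join that list over the 4-6 hour intervals the post mentions gives something concrete to correlate against switch port and ARP tables, which the Unique ID column on its own does not.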