Windows 2000 DHCP Server Scope Full (Need to constantly reconcile only one subnet)

Posted on 2006-04-11
Last Modified: 2010-07-27
Brief Description:

We have a Windows 2000 Server with DHCP, DNS and Active Directory running on the same box.  The server has multiple Scopes defined for various VLANs within the site.  One of the many scopes defined consistently runs out of IP addresses.  There are approx. 100 clients in the subnet with an Address Pool of 201 IPs.  Approximately every week we need to reconcile the scope and "recover" the lost IP leases.


I've checked around as much as I could and ended up finding this article which describes the problem exactly, but does not provide a resolution... :(


Scope affected includes Address Pool of X.X.3.25 to X.X.3.225
Reservations: Only 2 exist in the scope
Scope options: 003 Router = X.X.3.1; 006 DNS Servers = X.X.2.10, X.X.2.11; 015 DNS Domain Name =

After completing a "reconcile" process against the scope, the addresses are returned to the Address Leases list with the following details.
NOTE!!! This is a sample taken from the above link to preserve confidentiality of IP Information and does not reflect exact information.
Client IP Address:
Unique ID:             3139322e3136382e312e313437000
Type:                    DHCP
Lease Expiration:   (This is set at time of reconcile and given date/time + lease expiry (4 Days))

As I said above, the problem does re-occur after time.  I have noticed that approximately every 4-6 hours another lease disappears and can be reconciled.

The Unique ID is extremely odd because it should represent a MAC address, however, as SunBow recognized in the above link, it is actually HEX for the IP address.
There are no relevant entries in the event logs on the DHCP server that would indicate problems.

Given the fact that an IP disappears every 4-6 hours, I believe it is likely a rogue device hidden under someone's desk some place or some weird application.  The problem with my theory is that the details retained in the DHCP server do not provide any help tracking the device (NO MAC!!!).  I am also not comfortable with a sniffer or Ethereal, etc.

Obvious question....      How do I stop this?
Secondary question....  What's the best way to track a device like this?  Sniffer against the server port? Sniffer in the affected subnet? What would I look for?

I plan to have an outage this weekend in which I will be deleting the scope and re-creating it to confirm it is not a corrupt database.

Thanks for any and all suggestions, Dave

Question by:Dave_Hunt

    Author Comment

    Sorry, forgot to mention, we do not have a RRAS server.

    Accepted Solution


    I had a look at the EX page you referenced and agree with a comment on that page regarding some suspect piece of equipment.  I expect that it will either be a defective NIC or a poorly designed print-server-like device.

    The problem is how to track it down.  In your description you mention the device at 192.168.1.147 and show the Address, Name, and ASCII numbered sequence that all match.  Do other leases have this same format?  Most DHCP servers I've worked on have the NetBIOS name in the Name field and the Unique ID is the MAC address, not the ASCII version of the IP Address.  If your DHCP server is the same, it should be pretty easy to track down the item.

    Reconcile your scope, then monitor it and watch for the strange lease, and try to catch it before there are lots of them.  Once you have the active IP address of the device, get on a PC in that subnet and ping the device.  If you get a reply, then do an ARP -a to resolve the MAC address in your local address resolution table.  Once you have the MAC address go here ( or or somewhere else that Google suggests) and look up the manufacturer of the device.  Keep in mind that this will be the manufacturer of the Ethernet part of the device, and may not match the manufacturer or brand name of the entire device.

    Hope this helps,
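The odd lease in the question (Unique ID is the ASCII hex of the IP, and Name equals the IP) is easy to spot mechanically. Below is an added example, not code from the thread, that decodes the Unique ID of each lease in an exported lease table and flags entries showing that pattern, so the "monitor and catch the strange lease early" step above can be scripted; the lease rows are constructed sample data, and the export format is assumed to be a simple (IP, name, unique ID) triple.

```python
"""Flag DHCP leases whose Unique ID is the ASCII hex of the lease's own IP
instead of a MAC address. Added example; lease rows below are constructed."""
import re

# Constructed sample of an exported lease list: (client IP, name, unique ID).
# Rows 2 and 4 reproduce the symptom from the thread; rows 1 and 3 are normal.
SAMPLE_LEASES = [
    ("192.168.1.20",  "WS-ACCT01",     "00a0c9112233"),
    ("192.168.1.147", "192.168.1.147", "3139322e3136382e312e313437000"),
    ("192.168.1.150", "PRINTSRV",      "00-04-76-ab-cd-ef"),
    ("192.168.1.151", "192.168.1.151", "3139322e3136382e312e313531000"),
]

# A normal Unique ID: six hex octets, optionally separated by '-' or ':'.
MAC_RE = re.compile(r"^([0-9a-f]{2}[-:]?){6}$")


def decode_unique_id(uid):
    """Decode a hex Unique ID as ASCII text; return None if it is not text."""
    h = uid.replace("-", "").replace(":", "").lower()
    if len(h) % 2:
        h = h[:-1]          # the sample has a dangling trailing nibble; drop it
    try:
        text = bytes.fromhex(h).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text.rstrip("\x00")


def classify_lease(ip, name, uid):
    """Return 'mac' for a normal lease, 'ip-as-uid' for the suspect pattern,
    or 'unknown' for anything else."""
    if MAC_RE.match(uid.lower()):
        return "mac"
    if decode_unique_id(uid) == ip:
        return "ip-as-uid"
    return "unknown"


def find_suspect_leases(leases):
    """IPs whose lease carries no MAC; these are the ones to ping and ARP."""
    return [ip for ip, name, uid in leases
            if classify_lease(ip, name, uid) == "ip-as-uid"]


if __name__ == "__main__":
    for ip in find_suspect_leases(SAMPLE_LEASES):
        # Next step per the answer: ping this IP from a host on that subnet,
        # then read the MAC out of the local ARP cache (arp -a).
        print("suspect lease, no MAC recorded:", ip)
```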

    Author Comment

    great points.

    It's a Windows 2000 DHCP server and you are correct.  Under normal circumstances, the device name is its computer name and the Unique ID is supposed to be the MAC Address.  I agree, it would be easy to track down if I can find the MAC.

    Do other leases have this same format? <-- No, "good" workstation leases are properly updating their MAC and Device Name after obtaining an Address.

    Reconcile your scope, then monitor it and watch for the strange lease, and try to catch it before there are lots of them.  <-- Great idea, I am going to try this this morning; in fact, I will only remove one or two of the Reconciled IPs to narrow things down.  I had assumed that if it didn't "hold" the IP assigned to it, then it wouldn't use the IP.  I may even export the scope and write a quick batch file to hit all the "bad" IP Addresses before I remove any.

    Thanks for the tip!

    I will keep you posted.

    Author Comment

    Murphy's law!

    I've been checking every 30 minutes or so all day and not a single IP was lost...

    I also added a sniffer on the segment that has the problem in the hopes that I would catch the DHCP broadcast request, but now whatever it was has stopped.  I'm going to try and leave the sniffer up all weekend and try to catch the problem.

    This weekend I will also be coming in to re-create the DHCP Scope.

    Let's cross our fingers and hope it comes back... I can't stand it when something occurs and it can not be explained...

    Will keep you posted,

    Author Comment

    I believe the suspect device left for the Easter long weekend (4 days)... I haven't lost a single IP over the weekend.  I did delete and re-create the scope; I will continue monitoring.

    I also set up a sniffer in the suspect VLAN monitoring for UDP ports 67 and 68.  The more research I did, it seems, unless I mirror the server port, I will only see the broadcast side of the conversation.  If the problem re-occurs, hopefully this is enough to see who's doing it and will show me the MAC address of the offending device.


    Author Comment

    Well, I have not seen the issue in almost 2 weeks so I am closing the question as "unsolved mysteries".

    Just to recap for anyone reviewing the question later, I was unable to confirm that deleting and re-creating the suspect scope solved the problem because the problem ceased a few days prior to any changes.

    I have not seen anything too "odd" on my sniffer, but I am not a trained professional experienced in the art of "sniffing".

    Points will be awarded to saw as he was the only one with any suggestions/comments...


    Expert Comment

    Hi Dave,

    Thanks for the points.

    I'm a bit bummed that a true resolution wasn't obtainable.

    I've had some thoughts that you might not have thought about that may be important.

    The problem may have been the DHCP server that was just having problems, but your recount of the history does not really lend to this very well.

    The problem may have been some rogue device that was present while some contractor or other "LAN guest" was present, and has since gone away, but maybe not forever.

    Lastly, and more seriously, do you have any wireless gear?  Do you know for sure where all of your network ports terminate?  Could this have been assigned by a VPN server?  I'm thinking that if I were trying to access (break into) your network but not be discoverable by you, I might try to alter my MAC address to keep you from knowing that I was using an IBM laptop or Palm handheld system.  If I wasn't very good at it, which I'm not, I might accidentally do something that would confuse the DHCP server, or my network card.  I might eventually see my mistake and correct for it.  If this is all true, then I just might still be present.  I'm not trying to frighten you and I realize that all of this is a stretch, but the whole thing still sounds a bit odd and the ol' security flag is waving in my head.  On the other hand, I can be a bit paranoid at times...

    Hopefully the problem will stay gone and you can just chalk it up to the alignment of the planets or something.

    Good luck,

    Author Comment

    I can not agree with you more!  When something happens that can't be explained it bugs me to no end...

    I don't believe it was the DHCP server; the problem disappeared without/before intervention.

    I truly expect that it may return and that one day I will be able to tell everyone it was simply a rogue / bad device (be it a laptop or router or worse... a wireless access point; who knows).

    We do not allow wireless; policy obviously does not prevent it, but it's something I will check for in the future if the problem occurs again.

    If it took someone almost a month to realize that type of mistake, I probably don't have much to worry about :p LOL

    I too own a "Tin-Foil hat" and an internal attack was the first thing that came to mind!  Don't feel alone!

    Hmmm, come to think about it I did watch a few Alien and UFO shows on Discovery last month, maybe they are messing with me.?.!.?.!
