Solved

CRITICAL - DHCP now shows mshome.net

Posted on 2006-04-20
Last Modified: 2013-01-09
Never seen this one before, and unfortunately it's happening here...lol.

Here's an IPCONFIG /ALL from my workstation:

Windows IP Configuration

        Host Name . . . . . . . . . . . . : EID6246
        Primary Dns Suffix  . . . . . . . : company.com
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : company.com
                                                      mshome.net

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . : mshome.net
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Physical Address. . . . . . . . . : 00-0D-60-DA-1D-31
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.10.6.90
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.10.6.1
        DHCP Server . . . . . . . . . . . : 10.10.10.42
        DNS Servers . . . . . . . . . . . : 192.168.0.1
        Primary WINS Server . . . . . . . : 10.10.10.42
        Secondary WINS Server . . . . . . : 10.10.10.3
        Lease Obtained. . . . . . . . . . : Thursday, April 20, 2006 8:48:21 AM
        Lease Expires . . . . . . . . . . : Thursday, April 27, 2006 8:48:21 AM


Obviously it SHOULDN'T be showing MSHOME.NET at all, and the DNS server of 192.168.0.1 is incorrect; DHCP is supposed to set DNS to 10.10.10.41 and .42.


This just started happening this morning, and apparently is affecting most if not everyone.

I know from looking that mshome.net is the default for ICS, but obviously we are a company and aren't using ICS.


On the DHCP server I'm getting:

event id 1202 for SceCli - Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

event id 3000 in DNS log - The DNS server has encountered numerous run-time events. To determine the initial cause of these run-time events, examine the DNS server event log entries that precede this event.

event id 4004 in DNS log - The DNS server was unable to complete directory service enumeration of zone ..  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.


WORKAROUND - If a client does an ipconfig /release and /renew then everything is back to normal.

Any help is very much appreciated...this is really odd...and I know management is going to want to know why it happened.
Question by:TheCleaner
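The `ipconfig /all` output in the question can be checked mechanically rather than by eye. What follows is an added example in Python, not code from the original post or from any of the participants: it parses `ipconfig /all` text into per-section fields (handling the indented continuation lines Windows uses for multi-valued fields such as DNS Servers and DNS Suffix Search List) and flags every DHCP-assigned value that does not match what the site expects. The two sample inputs are constructed from the question's "before" and "after" output, abridged to the fields the audit reads; the expected values (10.10.10.42 as DHCP server, 10.10.10.41/.42 as DNS, 10.10.6.1 as gateway, company.com as suffix) are taken from the question, and treating them as the only valid ones for every client is an assumption.

```python
import re

# Constructed sample: the question's `ipconfig /all` output before the fix,
# abridged to the fields the audit reads (field names/layout are verbatim XP output).
IPCONFIG_ICS = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : EID6246
        Primary Dns Suffix  . . . . . . . : company.com
        DNS Suffix Search List. . . . . . : company.com
                                                      mshome.net

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . : mshome.net
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.10.6.90
        Default Gateway . . . . . . . . . : 10.10.6.1
        DHCP Server . . . . . . . . . . . : 10.10.10.42
        DNS Servers . . . . . . . . . . . : 192.168.0.1
"""

# Constructed sample: the same host after ipconfig /release and /renew.
IPCONFIG_CLEAN = """\
Windows IP Configuration

        DNS Suffix Search List. . . . . . : company.com
                                                      company.com

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . : company.com
        Dhcp Enabled. . . . . . . . . . . : Yes
        Default Gateway . . . . . . . . . : 10.10.6.1
        DHCP Server . . . . . . . . . . . : 10.10.10.42
        DNS Servers . . . . . . . . . . . : 10.10.10.41
                                                   10.10.10.42
"""

# What DHCP is supposed to hand out at this site (values from the question;
# assuming they are the only valid ones is a simplification for one site).
EXPECTED = {
    "dhcp_servers": {"10.10.10.42"},
    "dns_servers": {"10.10.10.41", "10.10.10.42"},
    "gateways": {"10.10.6.1"},
    "dns_suffix": "company.com",
}

# "<name> . . . . : <value>" lines; the non-greedy name stops at the dot leader.
FIELD_RE = re.compile(r"^\s+(?P<name>[A-Za-z][A-Za-z\- ]*?)[ .]*: ?(?P<value>.*)$")


def parse_ipconfig(text):
    """Parse ipconfig /all text into {section: {field: [values]}}.

    Unindented lines start a section (the global block or an adapter). Indented
    lines that are not "name : value" continue the previous field, which is how
    ipconfig prints multi-valued fields.
    """
    sections, section, last_field = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            section = line.rstrip().rstrip(":")
            sections[section] = {}
            last_field = None
            continue
        m = FIELD_RE.match(line)
        if m and section is not None:
            last_field = m.group("name").strip()
            value = m.group("value").strip()
            sections[section][last_field] = [value] if value else []
        elif section is not None and last_field is not None:
            sections[section][last_field].append(line.strip())
    return sections


def audit_adapter(fields, expected):
    """Findings for one adapter; an empty list means every DHCP-assigned value is expected."""
    findings = []
    if (fields.get("Dhcp Enabled") or ["No"])[0] != "Yes":
        return findings  # statically configured adapters are out of scope here
    for field, allowed in (("DHCP Server", expected["dhcp_servers"]),
                           ("DNS Servers", expected["dns_servers"]),
                           ("Default Gateway", expected["gateways"])):
        for value in fields.get(field, []):
            if value and value not in allowed:
                findings.append(f"{field}: {value} not in {sorted(allowed)}")
    suffix = (fields.get("Connection-specific DNS Suffix") or [""])[0]
    if suffix and suffix.lower() != expected["dns_suffix"].lower():
        findings.append(f"Connection-specific DNS Suffix: {suffix!r}, expected {expected['dns_suffix']!r}")
    return findings


def audit_ipconfig(text, expected=EXPECTED):
    """Return {section: [findings]} for every section that deviates from `expected`."""
    sections = parse_ipconfig(text)
    report = {}
    for suffix in sections.get("Windows IP Configuration", {}).get("DNS Suffix Search List", []):
        if suffix.lower() != expected["dns_suffix"].lower():
            report.setdefault("Windows IP Configuration", []).append(
                f"DNS Suffix Search List: {suffix!r} is not a suffix this domain uses")
    for section, fields in sections.items():
        if "adapter" in section.lower():
            findings = audit_adapter(fields, expected)
            if findings:
                report[section] = findings
    return report


if __name__ == "__main__":
    for label, text in (("before release/renew", IPCONFIG_ICS), ("after", IPCONFIG_CLEAN)):
        print(label, "->", audit_ipconfig(text) or "clean")
```

Run against the first sample it reports the stray mshome.net entry in the suffix search list, the 192.168.0.1 DNS server and the mshome.net connection suffix on the adapter, and nothing else, which matches the "merged" picture described in the question: the DHCP server and gateway are the corporate ones, only the DNS-related values came from somewhere else. Pushed out as a logon script that writes its result somewhere central, this gives an early warning the next time a rogue DHCP server appears on a subnet.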
27 Comments
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 16500431
Is your internal DNS server running?  Check your server and scope options...
 
LVL 23

Author Comment

by:TheCleaner
ID: 16500507
Yeah, running fine, other than the above mentioned events.

Right now DNS is AD integrated but has "allow nonsecure and secure updates" enabled...because we have printers and other non-AD devices that use DNS.

Hasn't ever happened before and just started this morning.
 
LVL 23

Author Comment

by:TheCleaner
ID: 16500532
Just noticed something strange though in DNS:

I see an A record for:

(same as parent folder) - 169.254.121.106
with updated associated PTR record checked

I'm guessing that it is saying that the DNS server at one point got an auto-private IP?  Can this just be deleted?  May not even be associated with the problem...but still.
 
LVL 3

Expert Comment

by:artthegeek
ID: 16500705
Is all the other info in the ipconfig (except the domain) correct?

Just to eliminate - is it possible you have a rogue dhcp server in or outside your network?
One way to test is to temporarily disable dhcp. then release/renew on a workstation & see if you get an ip
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 16500720
In the forward lookup zone do you have the (same as parent folder) - xx.xx.xx.xx  Where xx.xx.xx.xx is the proper IP address?   If so, I would delete the 169.254.x.x address...



Is .41 and .42 both DC's/DNS's/DHCP's?


I know this is probably a very basic step...but if you look at the client machine, in TCP/IP settings, is the 192.168.0.1 and DNS suffix manually set?
 
LVL 12

Expert Comment

by:Mazaraat
ID: 16500734
Are any of the DNS servers multihomed?
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 16500736
(I don't think Rogue server in this case...because of the DHCP server IP giving the lease seems to be the proper IP....this is why I was suspecting scope option or server options on the DHCP Windows server itself)

DHCP Server . . . . . . . . . . . : 10.10.10.42
 
LVL 23

Author Comment

by:TheCleaner
ID: 16500896
No rogue servers that I can tell, like NJ just said.

Scope options and server options are what they should be.

It's really odd, didn't happen to everybody, but when things happen to my workstation and a few others in IT along with normal users, I get concerned.

NJ,

Yes, DNS has (same as parent folder) with proper IP addresses.  So I deleted the autoaddress.

and no manual settings in TCP/IP properties on the local machines...Nothing in GPO's either.

and yes, .41 and .42 are both DC/DNS, but only .42 is DHCP for this site.
 
LVL 23

Author Comment

by:TheCleaner
ID: 16500940
Mazaraat,

Interesting that you should ask that, because although no, neither is multi-homed, both have dual Intel GB NICs.  On the .42 server the second NIC is disabled; on the .41 the second NIC just said "cable unplugged".  So I went ahead and tried to disable it, and it says "It is not possible to disable this connection at this time.  The connection may be using one or more protocols that do not support plug and play, or it may be initiated by another user or system account."

I'm figuring this is because of the Intel Proset software installed, but I'll have to check and be sure.

But again, I come back to the idea that these settings haven't been changed in a long time...so strange for something to happen just now.
 
LVL 12

Assisted Solution

by:Mazaraat
Mazaraat earned 400 total points
ID: 16500976
I was asking because I have seen a similar issue with multihomed DC's when one of the connections get reset (169.x.x.), though their entire DHCP was corrupted and had to be reconciled to get it working again.

Does the server have RRAS enabled also?  
 
LVL 33

Assisted Solution

by:NJComputerNetworks
NJComputerNetworks earned 400 total points
ID: 16500984
do you get the proper settings on the client after doing an

IPconfig /release
IPCONFIG /renew

 
LVL 23

Author Comment

by:TheCleaner
ID: 16500991
the second NIC had to be disabled in Intel Proset, so no worries there...that made sense.


No RRAS enabled on either DC/DNS.
 
LVL 23

Author Comment

by:TheCleaner
ID: 16501017
NJ, yes....ipconfig /release then /renew got it working just fine although still slightly strange...for reference here's my updated ipconfig:

Windows IP Configuration

        Host Name . . . . . . . . . . . . : EID6246
        Primary Dns Suffix  . . . . . . . : company.com
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : company.com
                                                      company.com

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . : company.com
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Physical Address. . . . . . . . . : 00-0D-60-DA-1D-31
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.10.6.90
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.10.6.1
        DHCP Server . . . . . . . . . . . : 10.10.10.42
        DNS Servers . . . . . . . . . . . : 10.10.10.41
                                                   10.10.10.42
        Primary WINS Server . . . . . . . : 10.10.10.3
        Secondary WINS Server . . . . . . : 10.10.10.42
        Lease Obtained. . . . . . . . . . : Thursday, April 20, 2006 12:06:07 PM
        Lease Expires . . . . . . . . . . : Thursday, April 27, 2006 12:06:07 PM


What seems strange to me is that the DNS suffix search list has 2 entries for my domain now...
 
LVL 23

Author Comment

by:TheCleaner
ID: 16501096
I checked WINS too, and no entries in there that were strange.
 
LVL 23

Author Comment

by:TheCleaner
ID: 16501300
OK guys, I think I've figured out the "culprit" although the *why* still evades me.

I kept doing an IPCONFIG /RELEASE and /RENEW and ended up eventually getting an IP from 192.168.0.1.

Turns out that it is a sales guy's laptop and his wireless NIC had ICS turned on.

So that part makes sense in the idea that this probably caused the issue.  But as far as why my clients allowed/accepted the ICS connection is beyond me.

Is there any explanation you know of?  Or possibly a GPO setting I can run to make sure this doesn't happen again?
 
LVL 3

Accepted Solution

by:artthegeek
artthegeek earned 1200 total points
ID: 16502620
That explains it - His laptop is the rogue DHCP server.
Unfortunately, the best way to stop this is for him to turn off ics or remove the laptop from the network.
Forcing pcs to use one dhcp server over another is not a reasonable solution you want to attempt.

If you want to turn off ICS and the laptop's part of the domain, you can turn off ICS via Group Policies.
 
LVL 3

Expert Comment

by:artthegeek
ID: 16502664
The explanation is that the clients will first try to renew the existing address, then take the first DHCP offer they get.
If their lease has expired, and the DHCP server isn't responding quickly enough, or the PC was shut down while it expired, then whichever server answers fastest wins.

Certainly we can look at dhcp server settings, but the answer is still to have him turn off ics.
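The accepted answer identifies the ICS laptop as a rogue DHCP server, and the comment above explains why clients fell for it: a DHCP client honours the first OFFER it hears and does not check who sent it. That means the check has to be done on the wire, not on the client. The following is an added example in Python, not code from the thread or from any participant: it builds DHCPOFFER messages as test fixtures (BOOTP fixed header plus RFC 2132 options), parses them back, and flags any OFFER whose server identifier (option 54) is not an authorized DHCP server or whose domain name (option 15) is not the company's. The corporate offer uses the values from the question; the ICS offer uses 192.168.0.1 and mshome.net as the thread describes, with the offered client address 192.168.0.5 and the transaction ID chosen arbitrarily for the fixture.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of DHCP options (RFC 2132)
OPT_ROUTER, OPT_DNS, OPT_DOMAIN, OPT_MSG_TYPE, OPT_SERVER_ID = 3, 6, 15, 53, 54
DHCPOFFER = 2


def build_offer(server_ip, yiaddr, router, dns, domain, xid=0x3903F326,
                chaddr=bytes.fromhex("000d60da1d31")):
    """Construct a DHCPOFFER as a test fixture (constructed, not captured traffic).

    Layout: 236-byte BOOTP header (RFC 951), magic cookie, then TLV options.
    The default chaddr is the client MAC from the question; xid is arbitrary.
    """
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                        # op=BOOTREPLY, htype=Ethernet, hlen=6, hops
        xid, 0, 0x8000,                    # xid, secs, flags (broadcast bit)
        b"\0" * 4,                         # ciaddr
        IPv4Address(yiaddr).packed,        # yiaddr: the address being offered
        IPv4Address(server_ip).packed,     # siaddr
        b"\0" * 4,                         # giaddr (no relay)
        chaddr.ljust(16, b"\0"),           # chaddr
        b"\0" * 64, b"\0" * 128)           # sname, file
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
    opts += bytes([OPT_ROUTER, 4]) + IPv4Address(router).packed
    opts += bytes([OPT_DNS, 4 * len(dns)]) + b"".join(IPv4Address(d).packed for d in dns)
    opts += bytes([OPT_DOMAIN, len(domain)]) + domain.encode("ascii")
    return header + MAGIC_COOKIE + opts + b"\xff"


def _ips(raw):
    """Decode a list of packed IPv4 addresses (options 3 and 6 carry several)."""
    return [str(IPv4Address(raw[i:i + 4])) for i in range(0, len(raw) - 3, 4)]


def parse_dhcp(packet):
    """Parse the fields of a DHCP message that a rogue-server check needs."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", packet[:8])
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                      # pad option, no length byte
            i += 1
            continue
        if code == 255:                    # end option
            break
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op,
        "xid": xid,
        "yiaddr": str(IPv4Address(packet[16:20])),
        "type": options.get(OPT_MSG_TYPE, b"\0")[0],
        "server_id": str(IPv4Address(options[OPT_SERVER_ID])) if OPT_SERVER_ID in options else None,
        "routers": _ips(options.get(OPT_ROUTER, b"")),
        "dns": _ips(options.get(OPT_DNS, b"")),
        "domain": options.get(OPT_DOMAIN, b"").decode("ascii", "replace").rstrip("\0"),
    }


def find_rogue_offers(packets, authorized_servers, expected_domain):
    """Return the OFFERs a client should not have taken, each with its reasons.

    Clients accept the first OFFER regardless of source, so this filter belongs
    on a sniffer or a capture of UDP/67-68 traffic, not on the client itself.
    """
    rogue = []
    for pkt in packets:
        msg = parse_dhcp(pkt)
        if msg["type"] != DHCPOFFER:
            continue
        reasons = []
        if msg["server_id"] not in authorized_servers:
            reasons.append(f"server identifier {msg['server_id']} is not an authorized DHCP server")
        if msg["domain"] and msg["domain"].lower() != expected_domain.lower():
            reasons.append(f"domain option {msg['domain']!r} instead of {expected_domain!r}")
        if reasons:
            rogue.append({**msg, "reasons": reasons})
    return rogue


if __name__ == "__main__":
    # Constructed fixtures: the corporate OFFER and the ICS OFFER described in the thread.
    corp = build_offer("10.10.10.42", "10.10.6.90", "10.10.6.1", ["10.10.10.41", "10.10.10.42"], "company.com")
    ics = build_offer("192.168.0.1", "192.168.0.5", "192.168.0.1", ["192.168.0.1"], "mshome.net")
    for hit in find_rogue_offers([corp, ics], {"10.10.10.42"}, "company.com"):
        print(hit["server_id"], "offered", hit["yiaddr"], "-", "; ".join(hit["reasons"]))
```

To use it on a live segment, broadcast a DHCPDISCOVER from a test host and feed every OFFER received on UDP port 68 (or the packets from a capture) to `find_rogue_offers`; anything it returns is a server that can win the race the comment above describes. The Group Policy mentioned in the accepted answer, "Prohibit use of Internet Connection Sharing on your DNS domain network" under Computer Configuration, Administrative Templates, Network, Network Connections, only stops domain-joined Windows machines from turning on ICS; it does nothing about a consumer router or bridge plugged into the LAN, which is why a wire-side check like this one, or DHCP snooping on managed switches, is the durable control.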
 
LVL 23

Author Comment

by:TheCleaner
ID: 16503032
I did turn off the ICS, but how does that explain the "combined" info from the first post?

I got a DHCP address from 10.10.10.42, but it appended not only the ICS gateway but the DNS connection suffix of the ICS.

Very weird.  I can understand if it was one DHCP server or the other, but not a combo of both.
 
LVL 3

Expert Comment

by:artthegeek
ID: 16503455
Weird is the word.

Is the PC a member of the domain?

If so, no matter where it gets the ip, it will hang on to the local domain suffix.
(that explains why both when the ip is coming from ICS)

When renewed after ics is turned off, the suffix will cache even if it gets the ip from the local dhcp server. (which can explain if both are there when ics is turned off)
It 'should' go away if you do a complete release or reboot.
 
LVL 23

Author Comment

by:TheCleaner
ID: 16507323
Yeah the PC is a member of the domain...

What's strange is I'm not referring to the PC in my last comment, I'm referring to MY machine.

Basically what happened is that any client on the domain in this subnet that would try to access the internet, would all of a sudden have their DHCP/ipconfig info merged with the ICS "server/computer" information (mshome.net, etc.)

I'm thinking I may burn a MS incident on this one simply because I really want to know the *why*.  My thought would be that the DHCP clients should have rejected any ICS offers, but maybe not.
 
LVL 3

Expert Comment

by:artthegeek
ID: 16508153
Yea -
Once it received the other suffix once from ICS, it'll remain.  The issue is refreshing it.  
Let's test something - make sure any ics machines (or other rogues) are off/disconnected, set a manual ip on yours (including manual domain suffix), save it - then reset it to dhcp.  
If it comes back, then we have to look at wackier causes.
 
LVL 23

Author Comment

by:TheCleaner
ID: 16509134
It's all gone at this point...once ICS was gone from that machine, it hasn't returned.  It showed up only on DHCP clients, and only if they tried to access the internet and had "automatically detect settings" in their proxy settings.

My guess is it somehow went like this:

1.  Client tried to get on the internet
2.  IE looked for the autosettings
3.  ICS from that PC responded back and said "I'm the gateway you want, and use my DNS suffix of mshome.net"
4.  Client said, "sure thing"
5.  problems ensued

weird to say the least.  I just would think my domain computers would say, "no way man...I've already got a gateway and dns suffix"...
 
LVL 3

Expert Comment

by:artthegeek
ID: 16509416
No, that would only make sense:)
They will keep their suffix, but they'll pull everything else from DHCP just like lemmings to the sea.

I guess that's why they call it 'rogue'.

Cheers!
 
LVL 23

Author Comment

by:TheCleaner
ID: 16618087
Well, I never bothered with it, chalk it up to strange...

Points for assisting me...thanks.
 

Expert Comment

by:Micko210
ID: 35148282
This post was extremely helpful.

time to make a GPO to disable ICS.
 

Expert Comment

by:Steve262
ID: 38757050
Thanks, this thread helped a bunch. My issue wasn't ICS though; I was getting a similar problem with a Trendnet TW100-ss2 that someone had connected the LAN side of to my network.  I have seen this before, but as was stated above it usually will intercept the entire DHCP request and change the whole connection, not just the DNS.

P.S.  I wish I could send rogue-seeking missiles through my network when this happens and just blow them off the face of my network!
 
LVL 23

Author Comment

by:TheCleaner
ID: 38758873
BTW Steve262, I found it happened AGAIN last fall, but this time it was a stupid little Trendnet as well, one of their wireless bridges.  It turned out that the device would sometimes reset itself on its own and the default setting was to run a builtin DHCP server that wasn't even listed in the GUI.  It only lasts until the unit is configured (the idea is to hook a computer up to it directly and the unit gives the computer an IP and then you can open a browser and configure it) to be a bridge.

Fought that one for almost a week until my PC Tech told me that was the only change he was aware of.

Hope that helps someone else as well.
