CRITICAL - DHCP now shows mshome.net

Never seen this one before, and unfortunately it's happening here...lol.

Here's an IPCONFIG /ALL from my workstation:

Windows IP Configuration

        Host Name . . . . . . . . . . . . : EID6246
        Primary Dns Suffix  . . . . . . . : company.com
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : company.com
                                                      mshome.net

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . : mshome.net
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Physical Address. . . . . . . . . : 00-0D-60-DA-1D-31
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.10.6.90
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.10.6.1
        DHCP Server . . . . . . . . . . . : 10.10.10.42
        DNS Servers . . . . . . . . . . . : 192.168.0.1
        Primary WINS Server . . . . . . . : 10.10.10.42
        Secondary WINS Server . . . . . . : 10.10.10.3
        Lease Obtained. . . . . . . . . . : Thursday, April 20, 2006 8:48:21 AM
        Lease Expires . . . . . . . . . . : Thursday, April 27, 2006 8:48:21 AM


Obviously it SHOULDN'T be showing MSHOME.NET at all, and the DNS server of 192.168.0.1 is incorrect, DHCP is supposed to set DNS to 10.10.10.41 and 42.


This just started happening this morning, and apparently is affecting most if not everyone.

I know from looking that mshome.net is the default for ICS, but obviously we are a company and aren't using ICS.


On the DHCP serverI'm getting:

                     event id 1202 for SCeCLI - Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

                     event id 3000 in DNS log - the DNS server has encountered numerous run-time events. To determine the initial cause of these run-time events,
                     examine the DNS server event log entries that precede this event.

                     event id 4004 in DNS log - The DNS server was unable to complete directory service enumeration of zone ..  This DNS server is configured to use
                     information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning
                     properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.


WORKAROUND - If a client does an ipconfig /release and /renew then everything is back to normal.

Any help is very much appreciated...this is really odd...and I know management is going to want to know why it happened.
LVL 23
TheCleanerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

NJComputerNetworksCommented:
is you internal DNS server running?  check your server and scope options...
0
TheCleanerAuthor Commented:
Yeah, running fine, other than the above mentioned events.

Right now DNS is AD integrated but has "allow nonsecure and secure updates" enabled...because we have printers and other non-AD devices that use DNS.

Hasn't ever happened before and just started this morning.
0
TheCleanerAuthor Commented:
Just noticed something strange though in DNS:

I see an A record for:

(same as parent folder) - 169.254.121.106
with updated associated PTR record checked

I'm guessing that it is saying that the DNS server at one point got an auto-private IP?  Can this just be deleted?  May not even be associated with the problem...but still.
0
Introducing Cloud Class® training courses

Tech changes fast. You can learn faster. That’s why we’re bringing professional training courses to Experts Exchange. With a subscription, you can access all the Cloud Class® courses to expand your education, prep for certifications, and get top-notch instructions.

artthegeekCommented:
Is all the other info in the ipconfig (except the domain) correct?

Just to eliminate - is it possible you have a rogue dhcp server in or outside your network?
One way to test is to temporarily disable dhcp. then release/renew on a workstation & see if you get an ip
0
NJComputerNetworksCommented:
In the forward lookup zone do you have the (same as parent folder) - xx.xx.xx.xx  Where xx.xx.xx.xx is the proper IP address?   If so, I would delete the 169.254.x.x address...



Is .41 and .42 both DC's/DNS's/DHCP's?


I know this is probably a very basic step...but if you look at the client machine, in TCP/IP settings, is the 192.168.0.1
and dns suffix manually set?
0
MazaraatCommented:
Are any of the DNS servers multihomed?
0
NJComputerNetworksCommented:
(I don't think Rogue server in this case...because of the DHCP server IP giving the lease seems to be the proper IP....this is why I was suspecting scope option or server options on the DHCP Windows server itself)

DHCP Server . . . . . . . . . . . : 10.10.10.42
0
TheCleanerAuthor Commented:
No rogue servers that I can tell, like NJ just said.

Scope options and server options are what they should be.

It's really odd, didn't happen to everybody, but when things happen to my workstation and a few others in IT along with normal users, I get concerned.

NJ,

Yes, DNS has (same as parent folder) with proper IP addresses.  So I deleted the autoaddress.

and no manual settings in TCP/IP properties on the local machines...Nothing in GPO's either.

and yes, .41 and .42 are both DC/DNS, but only .42 is DHCP for this site.
0
TheCleanerAuthor Commented:
Mazaraat,

Interesting that you should ask that, because although NO neither are multi-homed, both have Dual Intel GB nics.  On the .42 server the second NIC is disabled, on the .41 the second nic just said "cable unplugged".  So I went ahead and tried to disable it, and it says "It is not possible to disable this connection at this time.  The connection may be using one or more protocols that do not support plug and play, or it may be initiated by another user or system account."

I'm figuring this is because of the Intel Proset software installed, but I'll have to check and be sure.

But again, I come back to the idea that these settings haven't been changed in a long time...so strange for something to happen just now.
0
MazaraatCommented:
I was asking because I have seen a similar issue with multihomed DC's when one of the connections get reset (169.x.x.), though their entire DHCP was corrupted and had to be reconciled to get it working again.

Does the server have RRAS enabled also?  
0
NJComputerNetworksCommented:
do you get the proper settings on the client after doing an

IPconfig /release
IPCONFIG /renew

0
TheCleanerAuthor Commented:
the second NIC had to be disabled in Intel Proset, so no worries there...that made sense.


No RRAS enabled on either DC/DNS.
0
TheCleanerAuthor Commented:
NJ, yes....ipconfig /release then /renew got it working just fine although still slightly strange...for reference here's my updated ipconfig:

Windows IP Configuration

        Host Name . . . . . . . . . . . . : EID6246
        Primary Dns Suffix  . . . . . . . : company.com
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : company.com
                                                      company.com

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . : company.com
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Physical Address. . . . . . . . . : 00-0D-60-DA-1D-31
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.10.6.90
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.10.6.1
        DHCP Server . . . . . . . . . . . : 10.10.10.42
        DNS Servers . . . . . . . . . . . : 10.10.10.41
                                                   10.10.10.42
        Primary WINS Server . . . . . . . : 10.10.10.3
        Secondary WINS Server . . . . . . : 10.10.10.42
        Lease Obtained. . . . . . . . . . : Thursday, April 20, 2006 12:06:07 PM
        Lease Expires . . . . . . . . . . : Thursday, April 27, 2006 12:06:07 PM


What seems strange to me is that the DNS suffix search list has 2 entries for my domain now...
0
TheCleanerAuthor Commented:
I checked WINS too, and no entries in there that were strange.
0
TheCleanerAuthor Commented:
OK guys, I think I've figured out the "culprit" although the *why* still evades me.

I kept doing an IPCONFIG /RELEASE and /RENEW and ended up eventually getting an IP from 192.168.0.1.

Turns out that it is a Sales guys laptop and his wireless NIC had the ICS turned on.

So that part makes sense in the idea that this probably caused the issue.  But as far as why my clients allowed/accepted the ICS connection is beyond me.

Is there any explanation you know of?  Or possibly a GPO setting I can run to make sure this doesn't happen again?
0
artthegeekCommented:
That explains it - His laptop is the rogue DHCP server.
Unfortunately, the best way to stop this is for him to turn off ics or remove the laptop from the network.
Forcing pcs to use one dhcp server over another is not a reasonable solution you want to attempt.

If you want to turn off ICS &
If the laptop's part of the domain, you can turn off ICS via Group Policies.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
artthegeekCommented:
The explaination is that the clients will first try to renew the existing address, then take the first DHCP offer they get.
If their lease has expired, and the dhcp server isn't responding quickly enough, or the pc was shutdown while it expired, then whichever server answers fastest wins.

Certainly we can look at dhcp server settings, but the answer is still to have him turn off ics.
0
TheCleanerAuthor Commented:
I did turn off the ICS, but how does that explain the "combined" info from the first post?

I got a DHCP address from 10.10.10.42, but it appended not only the ICS gateway but the DNS connection suffix of the ICS.

Very weird.  I can understand if it was one DHCP server or the other, but not a combo of both.
0
artthegeekCommented:
Weird is the word.

Is the PC is a member of the domain?

If so, no matter where it gets the ip, it will hang on to the local domain suffix.
(that explains why both when the ip is comming from ICS)

When renewed after ics is turned off, the suffix will cache even if it gets the ip from the local dhcp server. (which can explain if both are there when ics is turned off)
It 'should' go away if you do a complete release or reboot.
0
TheCleanerAuthor Commented:
Yeah the PC is a member of the domain...

What's strange is I'm not referring to the PC in my last comment, I'm referring to MY machine.

Basically what happened is that any client on the domain in this subnet that would try to access the internet, would all of a sudden have their DHCP/ipconfig info merged with the ICS "server/computer" information (mshome.net, etc.)

I'm thinking I may burn a MS incident on this one simply because I really want to know the *why*.  My thought would be that the DHCP clients should have rejected any ICS offers, but maybe not.
0
artthegeekCommented:
Yea -
Once it received the other suffix once from ICS, it'll remain.  The issue is refreshing it.  
Let's test something - make sure any ics machines (or other rogues) are off/disconnected, set a manual ip on yours (including manual domain suffix), save it - then reset it to dhcp.  
If it comes back, then we have to look at whackier causes.
0
TheCleanerAuthor Commented:
It's all gone at this point...once ICS was gone from that machine, it hasn't returned.  It showed up only on DHCP clients, and only if they tried to access the internet and had "automatically detect settings" in their proxy settings.

My guess is it somehow went like this:

1.  Client tried to get on the internet
2.  IE looked for the autosettings
3.  ICS from that pc responded back and set "I'm your gateway you want and use my dns suffix of mshome.net"
4.  Client said, "sure thing"
5.  problems ensued

weird to say the least.  I just would think my domain computers would say, "no way man...I've already got a gateway and dns suffix"...
0
artthegeekCommented:
No, that would only make sense:)
They will keep their suffix, but they'll pull everything else from DHCP just like Lemmings to the see.

I guess that's why they call it 'rogue'.

Cheers!
0
TheCleanerAuthor Commented:
Well, I never bothered with it, chalk it up to strange...

Points for assisting me...thanks.
0
Micko210Commented:
This post was extremely helpful.

time to make a GPO to disable ICS.
0
Steve262Commented:
Thanks this thread helped a bunch.. My issue wasn't ICS though.. i was getting a similar problem with a Treadnet TW100-ss2 that someone had connected the LAN side to my network.  I have seen this before, but as was stated above it usually will intercept the entire DHCP Request and change the whole connection not just the DNS.  

P.S.  I wish i could send rogue seeking missles through my network when this happens and just blow them off the face of my network!
0
TheCleanerAuthor Commented:
BTW Steve262, I found it happened AGAIN last fall, but this time it was a stupid little Trendnet as well, one of their wireless bridges.  It turned out that the device would sometimes reset itself on its own and the default setting was to run a builtin DHCP server that wasn't even listed in the GUI.  It only lasts until the unit is configured (the idea is to hook a computer up to it directly and the unit gives the computer an IP and then you can open a browser and configure it) to be a bridge.

Fought that one for almost a week until my PC Tech told me that was the only change he was aware of.

Hope that helps someone else as well.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.