We help IT Professionals succeed at work.

Frequent DHCP Request Broadcasts

759 Views
Last Modified: 2010-05-18
I am running a Windows 2003 R2 server that is also my DHCP server.  I have about 53 Windows workstations that use 1 subnet in a non-routed network.  The DHCP lease time for the subnet is 8 days.  I see in the DHCP MMC that the lease was assigned for a particular address and the expiration time is 8 days at a certain hour.  I have confirmed the lease time by looking at the workstation's registry.  According to my understanding of how DHCP works, I should not see any broadcasts for this workstation for 4 days.  However, I am seeing frequent DHCP broadcasts, not to the DHCP server, but to the broadcast address of 255.255.255.255 port 67.  The workstations only have one network card.  
What could be causing the extra broadcasts?
Comment
Watch Question

scan your systems for viruses/ spyware

Author

Commented:
I am running Trend Micro Antivirus and it is up to date.  All users do not have admin rights on their workstations and I see no evidence of viruses on the computers.
Something's not right. You are correct that an 8 day lease should not try to renew for 4 days.
CERTIFIED EXPERT
Top Expert 2004

Commented:
Shooting in the dark...

Have you verified the MAC address for the offending workstation?
If you assign it a static address, does it still broadcast?
Do you show any other entries with 'ipconfig /all'?
Have you tried disabling APIPA?  http://www.windowsitpro.com/Article/ArticleID/15007/15007.html
Any wireless networking?

Author

Commented:
routinet,  Thanks for the suggestions.

Have you verified the MAC address for the offending workstation?  
Yes.

If you assign it a static address, does it still broadcast?
Will try on one of them.

Do you show any other entries with 'ipconfig /all'?
No.

Have you tried disabling APIPA?  http://www.windowsitpro.com/Article/ArticleID/15007/15007.html
No, because It has a specified address to assign from and I don't think it would broadcast.  Also, wouldn't it only work if no other address were available?

Any wireless networking?
Not on internal workstations.
CERTIFIED EXPERT
Top Expert 2004

Commented:
>>> Will try on one of them.

Is more than one workstation exhibiting this behavior?  Can you find any differences between workstations that do and workstations that don't?

APIPA is SUPPOSED to take over when no other DHCP server is found, but I've seen stranger things.  Like I said, shooting in the dark.  :)

Author

Commented:
Yes, there are several workstations.  One difference I see is the 1394 adapter.  What is it's function?
CERTIFIED EXPERT
Top Expert 2004

Commented:
1394 is Firewire.  It is the direct competitor to USB, and originated on Macs.  It is not a network device, though, and should not have any impact on DHCP.

Author

Commented:
Well, I guess its time to get out the shotgun and shoot in the dark.  I can't find anything that would cause this.  Just in the past 4 hours of monitoring, 29 workstations from different locations inside the building have sent out 2 DHCP requests each with no reply from either DHCP server.  I am concentrating on 5 workstations now.  I mostly see 6 requests from each except for one that has 4 requests and 1 that has sent 27.
Could faulty or noisy network cables possibly cause this?
CERTIFIED EXPERT
Top Expert 2004

Commented:
My only other idea is to use some kind of packet monitoring (like Ethereal) to watch the traffic.  Eventually, you may find some sort of pattern that leads you to the cause of the behavior.  

I would not think that faulty cables would do this.  At least, not without responses from the server.  If a faulty cable caused a disconnect, then the client would send out a new discover request in an effort to reacquire its lease.  Even if the fault was momentary, triggering the discover request should also trigger the rest of the DORA sequence between the client and server.

Do you have any of your workstations set to automatically search for network shares?
Have you traced the DHCP's server handling of these broadcast requests?
Have you inspected the individual broadcasts to verify they are, in fact, DHCP requests?

Author

Commented:
I originally found this issue with Ethereal.  I finally got a good capture of one of the computers that has this problem.  The computer with a static address sends out a broadcast, it's MAC address is confirmed, to the broadcast MAC address of ff:ff:ff:ff:ff:ff.  There are 290 bytes in the frame, protocols in the frame eth:ip:udp:bootp.  At the bottom of the packet that I printed from Ethereal, it mentions Option 53:  DHCP Message Type = DHCP Inform and Option 43:  Vendor-Specific Information (2 bytes).  The DHCP server responds with an ACK, then the originating computer responds with an ACK.  The first packet's source port is 68.  The second and third are 67.
CERTIFIED EXPERT
Top Expert 2004
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Author

Commented:
That explains it.  I will see what I can do to tweak the driver or set the option.  Thanks!

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.