Laptops in 2000 Windows domain get ip addresses from rogue DHCP servers
Dear experts,
I'm a relatively inexperienced system administrator, please help me understand the following problem.
In our Windows 2000 domain, laptops, which are members of the domain began acquiring IP addresses from a DHCP server that is not authorized in Active Directory.
In one of our departments, someone installed VMWare, with it came a DHCP service.
Today, all of a sudden, some of our laptop computers acquired ip addresses from that service instead of our own Windows DHCP server, I've verified that ours was the only one authorized.
How is that possible? How can I prevent that? Is there a way to find the "physical" source of this kind of problems? (I spent hours searching for the source of the problem today)
Thanks!
I'm a relatively inexperienced system administrator, please help me understand the following problem.
In our Windows 2000 domain, laptops, which are members of the domain began acquiring IP addresses from a DHCP server that is not authorized in Active Directory.
In one of our departments, someone installed VMWare, with it came a DHCP service.
Today, all of a sudden, some of our laptop computers acquired ip addresses from that service instead of our own Windows DHCP server, I've verified that ours was the only one authorized.
How is that possible? How can I prevent that? Is there a way to find the "physical" source of this kind of problems? (I spent hours searching for the source of the problem today)
Thanks!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
oBdA:
>> You might want to check the rogue server's MAC address for the vendor as well, could help to determine what you're looking for
Yep, that's was I ended up doing (instinctively), I've used NMap to identify the MAC address vendor (it said VMWare, the way from there was to find out who is running it).
>>Then check the ports on your switch(es) for this address.
Our switches were kind of a black box for me until now, didn't even bother looking under the hood since I took over management of the network.
Anyway, your response prompted me to finally get to it, I've verified that I will be able to solve things like this more easily in the future.
Thanks, this was a worthy visit to EE.
>> You might want to check the rogue server's MAC address for the vendor as well, could help to determine what you're looking for
Yep, that's was I ended up doing (instinctively), I've used NMap to identify the MAC address vendor (it said VMWare, the way from there was to find out who is running it).
>>Then check the ports on your switch(es) for this address.
Our switches were kind of a black box for me until now, didn't even bother looking under the hood since I took over management of the network.
Anyway, your response prompted me to finally get to it, I've verified that I will be able to solve things like this more easily in the future.
Thanks, this was a worthy visit to EE.
ASKER
oBdA:
>> You might want to check the rogue server's MAC address for the vendor as well, could help to determine what you're looking for
Yep, that's was I ended up doing (instinctively), I've used NMap to identify the MAC address vendor (it said VMWare, the way from there was to find out who is running it).
>>Then check the ports on your switch(es) for this address.
Our switches were kind of a black box for me until now, didn't even bother looking under the hood since I took over management of the network.
Anyway, your response prompted me to finally get to it, I've verified that I will be able to solve things like this more easily in the future.
Thanks, this was a worthy visit to EE.
>> You might want to check the rogue server's MAC address for the vendor as well, could help to determine what you're looking for
Yep, that's was I ended up doing (instinctively), I've used NMap to identify the MAC address vendor (it said VMWare, the way from there was to find out who is running it).
>>Then check the ports on your switch(es) for this address.
Our switches were kind of a black box for me until now, didn't even bother looking under the hood since I took over management of the network.
Anyway, your response prompted me to finally get to it, I've verified that I will be able to solve things like this more easily in the future.
Thanks, this was a worthy visit to EE.
ASKER
And thanks for the comments on the Microsoft side of things.
I do find it weird that there's no built-in Windows security solution to this problem - it is just because the DHCP protocol "belongs to everybody" and Microsoft can't add features like "real authorization of DHCP servers in a managed (AD) environment"?
I do find it weird that there's no built-in Windows security solution to this problem - it is just because the DHCP protocol "belongs to everybody" and Microsoft can't add features like "real authorization of DHCP servers in a managed (AD) environment"?
One way to detect a rogue DHCP server is by using a packet sniffer. This allows you to analyze data moving across the network and look for DHCP traffic. Wireshark (formerly known as Ethereal) is a good free sniffer.
http://www.wireshark.org
Note that if you aren't the head network admin then be sure to get authorization to use this kind of tool ahead of time. They can be used for malicious purposes and you wouldn't want to get fired over a misunderstanding.