Solved

Laptops in 2000 Windows domain get ip addresses from rogue DHCP servers

Posted on 2007-11-15
5
297 Views
Last Modified: 2013-12-23
Dear experts,

I'm a relatively inexperienced system administrator, please help me understand the following problem.
In our Windows 2000 domain, laptops, which are members of the domain began acquiring IP addresses from a DHCP server that is not authorized in Active Directory.

In one of our departments, someone installed VMWare, with it came a DHCP service.
Today, all of a sudden, some of our laptop computers acquired ip addresses from that service instead of our own Windows DHCP server, I've verified that ours was the only one authorized.

How is that possible? How can I prevent that? Is there a way to find the "physical" source of this kind of problems? (I spent hours searching for the source of the problem today)

Thanks!
0
Comment
Question by:_Maddog_
  • 3
5 Comments
 
LVL 83

Accepted Solution

by:
oBdA earned 350 total points
ID: 20291750
A DHCP client will always take an offered DHCP address from the first DHCP server that answers.
You can only authorize a DHCP server running on Windows 2000 or later, and that only means that *this* *authorized* *server* will start to give out IP addresses. This is a Windows implementation only and will only keep a *Windows* DHCP server from starting in a domain.
This has nothing at all to do with non-Windows DHCP servers. Any DHCP server plugged into a network will be handing out IP addresses if the client accepts it. There is no way to prevent that.
The way to solve it: look at the address of the DHCP server on a client that has a bad address, ping it, check the local ARP table for the MAC address of the DHCP server. Then check the ports on your switch(es) for this address.
You might want to check the rogue server's MAC address for the vendor as well, could help to determine what you're looking for (in your case, it would have helped immensely, because you would have identified the DHCP server as being VMWare immediately).
0
 
LVL 38

Expert Comment

by:Shift-3
ID: 20291816
The rogue server detection in Windows only works with other Windows DHCP servers, so it's not much help if someone hooks up an unauthorized router or Linux box.

One way to detect a rogue DHCP server is by using a packet sniffer.  This allows you to analyze data moving across the network and look for DHCP traffic.  Wireshark (formerly known as Ethereal) is a good free sniffer.
http://www.wireshark.org

Note that if you aren't the head network admin then be sure to get authorization to use this kind of tool ahead of time.  They can be used for malicious purposes and you wouldn't want to get fired over a misunderstanding.
0
 
LVL 12

Author Closing Comment

by:_Maddog_
ID: 31409447
oBdA:
>> You might want to check the rogue server's MAC address for the vendor as well, could help to determine what you're looking for

Yep, that's was I ended up doing (instinctively), I've used NMap to identify the MAC address vendor (it said VMWare, the way from there was to find out who is running it).

>>Then check the ports on your switch(es) for this address.

Our switches were kind of a black box for me until now, didn't even bother looking under the hood since I took over management of the network.
Anyway, your response prompted me to finally get to it, I've verified that I will be able to solve things like this more easily in the future.

Thanks, this was a worthy visit to EE.
0
 
LVL 12

Author Comment

by:_Maddog_
ID: 20292757
oBdA:
>> You might want to check the rogue server's MAC address for the vendor as well, could help to determine what you're looking for

Yep, that's was I ended up doing (instinctively), I've used NMap to identify the MAC address vendor (it said VMWare, the way from there was to find out who is running it).

>>Then check the ports on your switch(es) for this address.

Our switches were kind of a black box for me until now, didn't even bother looking under the hood since I took over management of the network.
Anyway, your response prompted me to finally get to it, I've verified that I will be able to solve things like this more easily in the future.

Thanks, this was a worthy visit to EE.
0
 
LVL 12

Author Comment

by:_Maddog_
ID: 20292821
And thanks for the comments on the Microsoft side of things.
I do find it weird that there's no built-in Windows security solution to this problem - it is just because the DHCP protocol "belongs to everybody" and Microsoft can't add features like "real authorization of DHCP servers in a managed (AD) environment"?
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Greetings, Experts! First let me state that this website is top notch. I thoroughly enjoy the community that is shared here; those seeking help and those willing to sacrifice their time to help. It is fantastic. I am writing this article at th…
This is the first one of a series of articles I’ll be writing to address technical issues that are always referred to as network problems. The network boundaries have changed, therefore having an understanding of how each piece in the network  puzzl…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now