Solved

Laptops in 2000 Windows domain get ip addresses from rogue DHCP servers

Posted on 2007-11-15
5
309 Views
Last Modified: 2013-12-23
Dear experts,

I'm a relatively inexperienced system administrator, please help me understand the following problem.
In our Windows 2000 domain, laptops, which are members of the domain began acquiring IP addresses from a DHCP server that is not authorized in Active Directory.

In one of our departments, someone installed VMWare, with it came a DHCP service.
Today, all of a sudden, some of our laptop computers acquired ip addresses from that service instead of our own Windows DHCP server, I've verified that ours was the only one authorized.

How is that possible? How can I prevent that? Is there a way to find the "physical" source of this kind of problems? (I spent hours searching for the source of the problem today)

Thanks!
0
Comment
Question by:_Maddog_
  • 3
5 Comments
 
LVL 83

Accepted Solution

by:
oBdA earned 350 total points
ID: 20291750
A DHCP client will always take an offered DHCP address from the first DHCP server that answers.
You can only authorize a DHCP server running on Windows 2000 or later, and that only means that *this* *authorized* *server* will start to give out IP addresses. This is a Windows implementation only and will only keep a *Windows* DHCP server from starting in a domain.
This has nothing at all to do with non-Windows DHCP servers. Any DHCP server plugged into a network will be handing out IP addresses if the client accepts it. There is no way to prevent that.
The way to solve it: look at the address of the DHCP server on a client that has a bad address, ping it, check the local ARP table for the MAC address of the DHCP server. Then check the ports on your switch(es) for this address.
You might want to check the rogue server's MAC address for the vendor as well, could help to determine what you're looking for (in your case, it would have helped immensely, because you would have identified the DHCP server as being VMWare immediately).
0
 
LVL 38

Expert Comment

by:Shift-3
ID: 20291816
The rogue server detection in Windows only works with other Windows DHCP servers, so it's not much help if someone hooks up an unauthorized router or Linux box.

One way to detect a rogue DHCP server is by using a packet sniffer.  This allows you to analyze data moving across the network and look for DHCP traffic.  Wireshark (formerly known as Ethereal) is a good free sniffer.
http://www.wireshark.org

Note that if you aren't the head network admin then be sure to get authorization to use this kind of tool ahead of time.  They can be used for malicious purposes and you wouldn't want to get fired over a misunderstanding.
0
 
LVL 12

Author Closing Comment

by:_Maddog_
ID: 31409447
oBdA:
>> You might want to check the rogue server's MAC address for the vendor as well, could help to determine what you're looking for

Yep, that's was I ended up doing (instinctively), I've used NMap to identify the MAC address vendor (it said VMWare, the way from there was to find out who is running it).

>>Then check the ports on your switch(es) for this address.

Our switches were kind of a black box for me until now, didn't even bother looking under the hood since I took over management of the network.
Anyway, your response prompted me to finally get to it, I've verified that I will be able to solve things like this more easily in the future.

Thanks, this was a worthy visit to EE.
0
 
LVL 12

Author Comment

by:_Maddog_
ID: 20292757
oBdA:
>> You might want to check the rogue server's MAC address for the vendor as well, could help to determine what you're looking for

Yep, that's was I ended up doing (instinctively), I've used NMap to identify the MAC address vendor (it said VMWare, the way from there was to find out who is running it).

>>Then check the ports on your switch(es) for this address.

Our switches were kind of a black box for me until now, didn't even bother looking under the hood since I took over management of the network.
Anyway, your response prompted me to finally get to it, I've verified that I will be able to solve things like this more easily in the future.

Thanks, this was a worthy visit to EE.
0
 
LVL 12

Author Comment

by:_Maddog_
ID: 20292821
And thanks for the comments on the Microsoft side of things.
I do find it weird that there's no built-in Windows security solution to this problem - it is just because the DHCP protocol "belongs to everybody" and Microsoft can't add features like "real authorization of DHCP servers in a managed (AD) environment"?
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Trying to figure out group policy inheritance and which settings apply where can be a chore.  Here's a very simple summary I've written which might help.  Keep in mind, this is just a high-level conceptual overview where I try to avoid getting bogge…
I'm a big fan of Windows' offline folder caching and have used it on my laptops for over a decade.  One thing I don't like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  Here's how to …
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

919 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now