Solved

Laptops in 2000 Windows domain get ip addresses from rogue DHCP servers

Posted on 2007-11-15
5
319 Views
Last Modified: 2013-12-23
Dear experts,

I'm a relatively inexperienced system administrator, please help me understand the following problem.
In our Windows 2000 domain, laptops, which are members of the domain began acquiring IP addresses from a DHCP server that is not authorized in Active Directory.

In one of our departments, someone installed VMWare, with it came a DHCP service.
Today, all of a sudden, some of our laptop computers acquired ip addresses from that service instead of our own Windows DHCP server, I've verified that ours was the only one authorized.

How is that possible? How can I prevent that? Is there a way to find the "physical" source of this kind of problems? (I spent hours searching for the source of the problem today)

Thanks!
0
Comment
Question by:_Maddog_
  • 3
5 Comments
 
LVL 83

Accepted Solution

by:
oBdA earned 350 total points
ID: 20291750
A DHCP client will always take an offered DHCP address from the first DHCP server that answers.
You can only authorize a DHCP server running on Windows 2000 or later, and that only means that *this* *authorized* *server* will start to give out IP addresses. This is a Windows implementation only and will only keep a *Windows* DHCP server from starting in a domain.
This has nothing at all to do with non-Windows DHCP servers. Any DHCP server plugged into a network will be handing out IP addresses if the client accepts it. There is no way to prevent that.
The way to solve it: look at the address of the DHCP server on a client that has a bad address, ping it, check the local ARP table for the MAC address of the DHCP server. Then check the ports on your switch(es) for this address.
You might want to check the rogue server's MAC address for the vendor as well, could help to determine what you're looking for (in your case, it would have helped immensely, because you would have identified the DHCP server as being VMWare immediately).
0
 
LVL 38

Expert Comment

by:Shift-3
ID: 20291816
The rogue server detection in Windows only works with other Windows DHCP servers, so it's not much help if someone hooks up an unauthorized router or Linux box.

One way to detect a rogue DHCP server is by using a packet sniffer.  This allows you to analyze data moving across the network and look for DHCP traffic.  Wireshark (formerly known as Ethereal) is a good free sniffer.
http://www.wireshark.org

Note that if you aren't the head network admin then be sure to get authorization to use this kind of tool ahead of time.  They can be used for malicious purposes and you wouldn't want to get fired over a misunderstanding.
0
 
LVL 12

Author Closing Comment

by:_Maddog_
ID: 31409447
oBdA:
>> You might want to check the rogue server's MAC address for the vendor as well, could help to determine what you're looking for

Yep, that's was I ended up doing (instinctively), I've used NMap to identify the MAC address vendor (it said VMWare, the way from there was to find out who is running it).

>>Then check the ports on your switch(es) for this address.

Our switches were kind of a black box for me until now, didn't even bother looking under the hood since I took over management of the network.
Anyway, your response prompted me to finally get to it, I've verified that I will be able to solve things like this more easily in the future.

Thanks, this was a worthy visit to EE.
0
 
LVL 12

Author Comment

by:_Maddog_
ID: 20292757
oBdA:
>> You might want to check the rogue server's MAC address for the vendor as well, could help to determine what you're looking for

Yep, that's was I ended up doing (instinctively), I've used NMap to identify the MAC address vendor (it said VMWare, the way from there was to find out who is running it).

>>Then check the ports on your switch(es) for this address.

Our switches were kind of a black box for me until now, didn't even bother looking under the hood since I took over management of the network.
Anyway, your response prompted me to finally get to it, I've verified that I will be able to solve things like this more easily in the future.

Thanks, this was a worthy visit to EE.
0
 
LVL 12

Author Comment

by:_Maddog_
ID: 20292821
And thanks for the comments on the Microsoft side of things.
I do find it weird that there's no built-in Windows security solution to this problem - it is just because the DHCP protocol "belongs to everybody" and Microsoft can't add features like "real authorization of DHCP servers in a managed (AD) environment"?
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Need In an Active Directory enviroment, the PDC emulator provide time synchronization for the domain. This is important since Active Directory uses Kerberos for authentication.  By default, if the time difference between systems is off by more …
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question