Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Laptops in 2000 Windows domain get ip addresses from rogue DHCP servers

Posted on 2007-11-15
5
Medium Priority
?
367 Views
Last Modified: 2013-12-23
Dear experts,

I'm a relatively inexperienced system administrator, please help me understand the following problem.
In our Windows 2000 domain, laptops, which are members of the domain began acquiring IP addresses from a DHCP server that is not authorized in Active Directory.

In one of our departments, someone installed VMWare, with it came a DHCP service.
Today, all of a sudden, some of our laptop computers acquired ip addresses from that service instead of our own Windows DHCP server, I've verified that ours was the only one authorized.

How is that possible? How can I prevent that? Is there a way to find the "physical" source of this kind of problems? (I spent hours searching for the source of the problem today)

Thanks!
0
Comment
Question by:_Maddog_
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 
LVL 85

Accepted Solution

by:
oBdA earned 1400 total points
ID: 20291750
A DHCP client will always take an offered DHCP address from the first DHCP server that answers.
You can only authorize a DHCP server running on Windows 2000 or later, and that only means that *this* *authorized* *server* will start to give out IP addresses. This is a Windows implementation only and will only keep a *Windows* DHCP server from starting in a domain.
This has nothing at all to do with non-Windows DHCP servers. Any DHCP server plugged into a network will be handing out IP addresses if the client accepts it. There is no way to prevent that.
The way to solve it: look at the address of the DHCP server on a client that has a bad address, ping it, check the local ARP table for the MAC address of the DHCP server. Then check the ports on your switch(es) for this address.
You might want to check the rogue server's MAC address for the vendor as well, could help to determine what you're looking for (in your case, it would have helped immensely, because you would have identified the DHCP server as being VMWare immediately).
0
 
LVL 38

Expert Comment

by:Shift-3
ID: 20291816
The rogue server detection in Windows only works with other Windows DHCP servers, so it's not much help if someone hooks up an unauthorized router or Linux box.

One way to detect a rogue DHCP server is by using a packet sniffer.  This allows you to analyze data moving across the network and look for DHCP traffic.  Wireshark (formerly known as Ethereal) is a good free sniffer.
http://www.wireshark.org

Note that if you aren't the head network admin then be sure to get authorization to use this kind of tool ahead of time.  They can be used for malicious purposes and you wouldn't want to get fired over a misunderstanding.
0
 
LVL 12

Author Closing Comment

by:_Maddog_
ID: 31409447
oBdA:
>> You might want to check the rogue server's MAC address for the vendor as well, could help to determine what you're looking for

Yep, that's was I ended up doing (instinctively), I've used NMap to identify the MAC address vendor (it said VMWare, the way from there was to find out who is running it).

>>Then check the ports on your switch(es) for this address.

Our switches were kind of a black box for me until now, didn't even bother looking under the hood since I took over management of the network.
Anyway, your response prompted me to finally get to it, I've verified that I will be able to solve things like this more easily in the future.

Thanks, this was a worthy visit to EE.
0
 
LVL 12

Author Comment

by:_Maddog_
ID: 20292757
oBdA:
>> You might want to check the rogue server's MAC address for the vendor as well, could help to determine what you're looking for

Yep, that's was I ended up doing (instinctively), I've used NMap to identify the MAC address vendor (it said VMWare, the way from there was to find out who is running it).

>>Then check the ports on your switch(es) for this address.

Our switches were kind of a black box for me until now, didn't even bother looking under the hood since I took over management of the network.
Anyway, your response prompted me to finally get to it, I've verified that I will be able to solve things like this more easily in the future.

Thanks, this was a worthy visit to EE.
0
 
LVL 12

Author Comment

by:_Maddog_
ID: 20292821
And thanks for the comments on the Microsoft side of things.
I do find it weird that there's no built-in Windows security solution to this problem - it is just because the DHCP protocol "belongs to everybody" and Microsoft can't add features like "real authorization of DHCP servers in a managed (AD) environment"?
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Are you one of those front-line IT Service Desk staff fielding calls, replying to emails, all-the-while working to resolve end-user technological nightmares? I am! That's why I have put together this brief overview of tools and techniques I use in o…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Want to learn how to record your desktop screen without having to use an outside camera. Click on this video and learn how to use the cool google extension called "Screencastify"! Step 1: Open a new google tab Step 2: Go to the left hand upper corn…

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question