Solved

DHCP server not leasing addresses

Posted on 2008-10-29
Last Modified: 2011-10-19
My server 2003 is not leasing addresses for my domain.  The server name listed on the DHCP mmc is similar to: activedirectory.<companyname>.local.  It used to say the server name like: Server[192.168.100.253].  I've tried uninstalling and re-installing but still nothing.  Anyone have any ideas about what it could be?  Thanks.
Question by:Charbroiled
16 Comments
 
LVL 38

Expert Comment

by:ChiefIT
Did you authorize it as a DHCP server?
 
LVL 1

Author Comment

by:Charbroiled
Yes it is Authorized.  It's almost as if DHCP doesn't realize that it should lease addresses.  If I add the correct server name (e.g. Server[192.168.100.253]) to the mmc, it will revert back to activedirectory.<companyname>.local[192.168.100.253] after a few hours.

What's also weird is that netsh shows the correct name for the DHCP server but on the MMC it's wrong.  Very strange.
 
LVL 38

Expert Comment

by:ChiefIT
Download DHCPloc.exe onto an XP machine and look for a rogue DHCP server.

A rogue DHCP server is one with the same address pool and scope as your server. If your DHCP server sees a rogue, it will shut down. Since you have to authorize Microsoft DHCP servers, most likely the rogue is a mass storage device, or router. They can be supplying DHCP.
 
LVL 1

Author Comment

by:Charbroiled
Thanks Chief for the comment but I tried DHCPloc last week and found nothing.  I'm thinking it's more of an Active Directory misconfiguration or DNS.  Unfortunately I don't know enough about DHCP to know where it gets its information from.  I did check ADSIedit after following instructions from some other web sites and it looked ok but I can't be sure.  Thanks again.
 
LVL 38

Expert Comment

by:ChiefIT
Have you uninstalled and reinstalled the service?
 
LVL 1

Author Comment

by:Charbroiled
Yes several times.  Every time I reinstall it immediately names itself activedirectory.<myCompany>.local.  It's even named that in ADSIedit.  Just for fun I tried pinging activedirecory.<company>.local (from the same computer) and it replied with my server's IP.  I looked in DNS and could not find any record for that.  It's almost like DHCP doesn't know it's part of a domain.
 
LVL 38

Expert Comment

by:ChiefIT
The DHCP service doesn't know it is a part of the domain. DHCP is its own entity. Its sole purpose in life is to provide an IP to clients and servers that request one. It doesn't discriminate between domain computers and workgroup computers unless you specifically tell it to. To tell it to, you have to use 802.1 or some other access based enumeration protocol:

Info on 802.1:
http://en.wikipedia.org/wiki/802.1x

The fact that your DHCP server isn't supplying IPs is still a mystery. Usually it is the result of a Rogue DHCP server. Rogues are usually mass storage devices or routers that are supplying DHCP. So, you may want to double check the LAN for those nodes.

Your issue can also be caused by non authorization, which we already covered.  

Now, if you can ping it, you should be getting a DHCP address from it. So, we have to retarget our troubleshooting.

Now, I have a couple more ideas that may shed light on the subject, but have to ask a few questions first.

1) Have you configured ANY reservations within the DHCP scope?
2) Have you configured ANY exceptions within the DHCP scope?
3) Do you have a multihomed server, (meaning a server with two or more IPs, such as two nics)?
4) Do you have a VPN connection on this server?
5) Are you seeing your Scopes and/or address pool zero out?
 
LVL 1

Author Comment

by:Charbroiled
Hi Chief,

Thanks for the reply.  To answer your questions:

1. No
2. No
3. No
4. No
5. Not sure what you mean.  The scope appears to be displayed normally.

To add more weirdness Exchange is installed on this server and recently a few addresses have been changed from me@domain.com to me@activedirectory.<companyname>.local.

Netmon shows dhcp discover packets reaching the server but no offers coming back.  If I check stats on the DHCP MMC it says offers were offered but I don't see any on the wire.  Thanks again for replying.
 
LVL 38

Expert Comment

by:ChiefIT
Sorry about not responding sooner: I just went through Hell week with our enterprise mail server and XP service pack three knocking down about 30% of my computers.

If the discovery packets are received and the offer is not sent, then you should see errors in the DHCP logs. NOT the Event logs, the DHCP log.

http://support.microsoft.com/kb/298367

If DHCP sees the discovery, it should provide the offer to the client. If it doesn't see the offer, I am going to have to ask what firewall software you have on this server. I know of two software firewalls that can knock down DHCP. One is Windows firewall and the other is ISA firewall.

I will get back to the DHCP scopes zeroing out. I am just trying to cover the most common causes of your problem with the DHCP server first.
 
LVL 1

Author Comment

by:Charbroiled
Hi ChiefIT,

Hope you had a great holiday last week.  I think we got hit with a touch of the SP3 issue as well and I was handling that earlier this week.  But for now back to the DHCP issue.

I checked the DHCP logs and they are clean.  By that I mean there are no errors.  Here is a sample when I unauthorized and then reauthorized my dhcp:

24,12/04/08,09:36:47,Database Cleanup Begin,,,,
25,12/04/08,09:36:47,0 leases expired and 0 leases deleted,,,,
25,12/04/08,09:36:47,0 leases expired and 0 leases deleted,,,,
01,12/04/08,10:34:25,Stopped,,,,
00,12/04/08,10:43:00,Started,,,,
56,12/04/08,10:43:01,Authorization failure, stopped servicing,,comp.org,,
55,12/04/08,10:43:31,Authorized(servicing),,comp.org,,

Before that it's just clean-up messages for the entire week.  So I'm using Netmon and I see the Discover packets coming through but no offers (using DHCP filter).  According to the DHCP it is offering so they are not making it on the wire.

I don't have any firewall (that I know of) on this machine at the moment.  ISA is not installed and windows firewall is not enabled.  I also checked packet filtering on the nic and it's off.

Could you please explain scope zeroing out?  I'm not familiar with that and I'd like to make sure it's not causing this.

I've attached two pics of my DHCP MMC so you can take a look for yourself.  Notice the name of the server (activedirectory vs. MachineName).   I'm not sure but I don't think that's normal.  Thanks again Chief for taking a look at this.

DHCPpic.jpg
DHCPStats.jpg
0
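The audit-log sample posted above can be read mechanically. This is an added example, not part of the original posts: a small parser for the `ID,Date,Time,Description,IP,Host,MAC` records that copes with the comma inside the event 56 description and reports that a log with no errors can still contain no lease events at all. It assumes IDs 10 and 11 are the lease and renewal events, as listed in the header of the DHCP Server audit log; the function names are hypothetical.

```python
from collections import Counter

# Event IDs as listed in the header of the Windows DHCP Server audit log.
LEASE_IDS = {"10", "11"}          # 10 = new lease, 11 = lease renewed
AUTH_FAIL, AUTH_OK = "56", "55"

# The sample posted in the thread, copied verbatim.
SAMPLE = """\
24,12/04/08,09:36:47,Database Cleanup Begin,,,,
25,12/04/08,09:36:47,0 leases expired and 0 leases deleted,,,,
25,12/04/08,09:36:47,0 leases expired and 0 leases deleted,,,,
01,12/04/08,10:34:25,Stopped,,,,
00,12/04/08,10:43:00,Started,,,,
56,12/04/08,10:43:01,Authorization failure, stopped servicing,,comp.org,,
55,12/04/08,10:43:31,Authorized(servicing),,comp.org,,
"""


def parse_record(line):
    """Parse ID,Date,Time,Description,IP,Host,MAC plus the trailing comma."""
    line = line.strip()
    if line.endswith(","):
        line = line[:-1]                 # drop the empty trailing field
    parts = line.split(",")
    if len(parts) < 7 or not parts[0].isdigit():
        return None                      # header text or malformed line
    # The description may contain commas (event 56 does), so the three
    # address fields are taken from the right and the rest is rejoined.
    return {"id": parts[0], "date": parts[1], "time": parts[2],
            "desc": ",".join(parts[3:-3]),
            "ip": parts[-3], "host": parts[-2], "mac": parts[-1]}


def summarize(text):
    """Count events and report what an error-free log still reveals."""
    records = [r for r in map(parse_record, text.splitlines()) if r]
    counts = Counter(r["id"] for r in records)
    leases = sum(counts[i] for i in LEASE_IDS)
    findings = []
    if counts[AUTH_FAIL]:
        findings.append("authorization failure logged")
    if records and leases == 0:
        findings.append("no lease or renewal events recorded")
    return {"records": len(records), "leases": leases,
            "auth": [(r["time"], r["id"], r["host"]) for r in records
                     if r["id"] in (AUTH_FAIL, AUTH_OK)],
            "findings": findings}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```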
 
LVL 1

Author Comment

by:Charbroiled
Something I forgot to add.  Although I don't have ISA I do have RRAS installed.  I tried disabling it though to troubleshoot.  
 
LVL 1

Author Comment

by:Charbroiled
I think my dhcp database could be corrupted.  While backing up my server one of the files that could not be copied was system32/dhcp/tmp.edb.  I'm not sure how to fix it since I tried uninstalling/reinstalling DHCP but that didn't work.  Anyone have any other ideas?
 
LVL 1

Author Comment

by:Charbroiled
Bump...

I know it's been a while but this has still not been resolved.  I got excited when I read: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_23457114.html
I tried what was suggested but that didn't work.  I have that same nic card but.. no go.  Anyone have any other ideas?
 
LVL 1

Author Comment

by:Charbroiled
OK, I finally figured this out.  It turns out that IPSec was the culprit.  Although all communications were working fine, it was blocking DHCP Offers from communicating with workstations.  Apparently even though I had set IPSec to "Request" encryption, it was still blocking broadcast traffic.  The solution was to add an exception to my server's IPSec policy that allows UDP port 67 from <server> to <any>.  After that everything worked perfectly.
0
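The symptom in this thread (Discovers reach the server, the MMC counts offers, none appear on the wire) and the result of the IPSec exception can both be checked by pairing DHCP messages by transaction ID in a capture taken off the server. This is an added example, not part of the original posts: it parses raw BOOTP/DHCP payloads, reads option 53, and lists Discovers that never received an Offer. The payloads are constructed sample data and the function names are hypothetical.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"      # DHCP magic cookie that follows the BOOTP header
DISCOVER, OFFER = 1, 2           # values of option 53 (DHCP message type)


def build(op, xid, msg_type):
    """Constructed minimal BOOTP/DHCP payload, used only as sample input."""
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)
    header += bytes(16 + 16 + 64 + 128)   # ciaddr..giaddr, chaddr, sname, file
    return header + MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(payload):
    """Return (xid, message_type), or None if this is not a usable DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    xid = struct.unpack("!I", payload[4:8])[0]
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:               # end option
            break
        if code == 0:                 # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None               # truncated before the length byte
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:
            return None               # truncated option value
        if code == 53 and length == 1:
            return xid, value[0]
        i += 2 + length
    return None


def unanswered(payloads):
    """Transaction IDs that have a Discover in the capture but no Offer."""
    seen = {DISCOVER: set(), OFFER: set()}
    for p in payloads:
        parsed = parse_dhcp(p)
        if parsed and parsed[1] in seen:
            seen[parsed[1]].add(parsed[0])
    return sorted(seen[DISCOVER] - seen[OFFER])


# Constructed capture: two clients ask, only xid 0x2222 gets an Offer.
CAPTURE = [build(1, 0x1111, DISCOVER), build(1, 0x2222, DISCOVER),
           build(2, 0x2222, OFFER)]
```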
 

Accepted Solution

by:
ee_auto earned 0 total points
Question PAQ'd, 300 points refunded, and stored in the solution database.