judsoncollege

DNS value automatically changing on XP system

We have a few computers that run DHCP from our DC and most of the time they run fine, but every so often we will get a call that they cannot access the internet. I do an ipconfig /all and the DNS Server values have changed to an IP address that doesn't exist on our network. Also noticed that, at least on one occasion, the DNS Suffix Search List removed one of ours and replaced it with mshome.net. If we reboot the machines they are back to working normally. I also didn't notice anything running on one of the machines that would tip me off to the cause.
ChiefIT

This is a DHCP scope option. You will find the rogue DNS server under DHCP snapin>>options.

Preferred DNS server configurations are passed down to DHCP clients from the DHCP server.
ASKER CERTIFIED SOLUTION
cantoris

judsoncollege

ASKER

We have 20+ DHCP scopes and the scope for this vlan is fine. If we reboot these machines they pick up everything correctly. It's just at some point their network settings provided by DHCP change, but only a couple. The rest stay the same. There was an additional field that changed I didn't notice. So... while they are working and everything is fine their DNS server values go from 2 valid IP addresses to a single one that doesn't exist. Also mshome.net is added to the "DNS Suffix Search List" and mshome.net has become the value in "Connection-specific DNS Suffix". It supposedly changes without them doing anything out of the norm. One lady was telling me she was working in a Word document. This is happening on a single vlan and only to a few people out of about 20. It happens to the same people over and over, but may happen a few times a day or may happen every few days or so.

Also, RRAS is not running on any of our Domain Controllers or on the computers this is happening to. It is disabled on each.
Sounds as though the VLAN in question has a rogue DHCP Server on it.  Next time it happens, go to the affected PC and use  ipconfig /all  to check the listed Default Gateway which I presume will have changed (if none is listed you should see the address of the rogue DHCP server listed).  Perhaps it'll be 192.168.0.1.  Give it a ping.  Then use
nbtstat -A <IP address>
to get the machine's hostname - that should help you work out what is going on.  If you cannot resolve the hostname, use
arp -a
to view the ARP cache and find the MAC of the device with that IP address.  Perhaps you can then find which port on your Network Switch sees a device with that MAC connected to it and thus trace it to a PC or just disable that switch port (as long as you know it's not a port to your DC or something!) and see who squeals!
Thanks cantoris, but that is the weird thing. I would have expected the same thing, but the DHCP server listed is correct, the Gateway is also correct. Everything looks 100% correct except that the DNS server has changed from the 2 we have listed to just 1 that isn't even valid and the mshome.net entry for DNS Suffix.
Is your router supplying DHCP?
You might try DHCPloc.exe when this happens. It looks like you have  a rogue DHCP server.

OR, you could have multiple Network connections, one for home and the other for the LAN.
DHCP is not supplying DHCP. We have a 2003 server doing that. I grabbed DHCPloc.exe, ran it, but don't see anything right now. It doesn't always happen so I can only guess that someone is turning something on and then off at random times. I will continue to test this and see if I can find anything.
Any DHCP-related events in the event log of your 2003 server that is holding the DHCP role?
judsoncollege:

We haven't heard from you on cantoris' question. How are things going?
Sorry guys. I tried something and was waiting to see if it worked. We haven't had the problem for a few weeks so I think we figured it out. We never turned off Internet Connection Sharing company wide and it looks like that is what was causing the problem. I set up a Group Policy to turn it off on all company computers and it hasn't been a problem since. Thanks for all the responses.
ICS was the first thing I mentioned...   ;)
Glad you've apparently sorted it.
Sorry cantoris, I totally missed that. Thanks for the help.
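
A way to check saved `ipconfig /all` output for the symptom described in this thread (DNS servers and suffixes changing while the DHCP server and gateway still look right), as an added example that is not part of the original thread. The approved DNS servers, the suffix `corp.example`, all addresses and the sample output are constructed assumptions; fields from multiple adapters are merged for brevity.

```python
import re

# Assumed values for illustration: use what your DHCP scope actually hands out.
APPROVED_DNS = {"10.1.20.10", "10.1.20.11"}
APPROVED_SUFFIXES = {"corp.example"}

# Constructed `ipconfig /all` output (Windows XP layout) showing the symptom.
SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : PC01
        DNS Suffix Search List. . . . . . : corp.example
                                            mshome.net

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : mshome.net
        Default Gateway . . . . . . . . . : 10.1.20.1
        DHCP Server . . . . . . . . . . . : 10.1.20.5
        DNS Servers . . . . . . . . . . . : 192.168.0.1
"""

FIELD = re.compile(r"^\s+(.*?)[ .]*\. :\s*(.*)$")  # "Name . . . : value"

def parse_ipconfig(text):
    """Return {field name: [values]}, folding continuation lines into the field above."""
    fields, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            current = m.group(1)
            fields.setdefault(current, [])
            if m.group(2):
                fields[current].append(m.group(2).strip())
        elif current and line[:1].isspace() and line.strip():
            fields[current].append(line.strip())  # second DNS server, extra suffix
        else:
            current = None  # blank line or adapter header ends the field
    return fields

def dns_drift(text):
    """List findings where DNS settings differ from what the DHCP scope should supply."""
    f = parse_ipconfig(text)
    findings = [f"unapproved DNS server {ip}" for ip in f.get("DNS Servers", []) if ip not in APPROVED_DNS]
    suffixes = f.get("DNS Suffix Search List", []) + f.get("Connection-specific DNS Suffix", [])
    findings += [f"unexpected DNS suffix {s}" for s in sorted(set(suffixes) - APPROVED_SUFFIXES)]
    if findings and f.get("DHCP Server"):  # DNS drifted although the lease source looks normal
        findings.append(f"DHCP server still reported as {f['DHCP Server'][0]}")
    return findings
```

Calling `dns_drift()` on output collected from each workstation returns an empty list for a healthy machine and one finding per drifted value otherwise.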