DNS value automatically changing on XP system

We have a few computers that run DHCP from our DC and most of the time they run fine, but every so often we will get a call that they cannot access the internet. I do an ipconfig /all and the DNS Server values have changed to an IP address that doesn't exist on our network. Also noticed that, at least on one occasion, the DNS Suffix Search List removed one of ours and replaced it with mshome.net. If we reboot the machines they are back to working normally. I also didn't notice anything running on one of the machines that would tip me off to the cause.
judsoncollege Asked:
 
cantoris Commented:
Does one of your subnets have a PC running on it that is acting as a rogue DHCP Server? I.e., has someone enabled Internet Connection Sharing on their LAN Interface? When such a PC is on, it could be handing out 192.168.0.z IP addresses to PCs on that network segment when they boot.

Or here's another possibility: Server 2003's NAT's DHCP Allocator has become activated.  See below article for a clear description, screenshots and solution.
http://msmvps.com/blogs/bradley/archive/2004/04/24/5452.aspx
 
ChiefIT Commented:
This is a DHCP scope option. You will find the rogue DNS server under DHCP snapin>>options.

Preferred DNS server configurations are passed down to DHCP clients from the DHCP server.
 
judsoncollege (Author) Commented:
We have 20+ DHCP scopes and the scope for this vlan is fine. If we reboot these machines they pick up everything correctly. It's just at some point their network settings provided by DHCP change, but only a couple. The rest stay the same. There was an additional field that changed I didn't notice. So... while they are working and everything is fine their DNS server values go from 2 valid IP addresses to a single one that doesn't exist. Also mshome.net is added to the "DNS Suffix Search List" and mshome.net has become the value in "Connection-specific DNS Suffix". It supposedly changes without them doing anything out of the norm. One lady was telling me she was working in a Word document. This is happening on a single vlan and only to a few people out of about 20. It happens to the same people over and over, but may happen a few times a day or may happen every few days or so.

Also, RRAS is not running on any of our Domain Controllers or on the computers this is happening to. It is disabled on each.
 
cantoris Commented:
Sounds as though the VLAN in question has a rogue DHCP Server on it.  Next time it happens, go to the affected PC and use  ipconfig /all  to check the listed Default Gateway which I presume will have changed (if none is listed you should see the address of the rogue DHCP server listed).  Perhaps it'll be 192.168.0.1.  Give it a ping.  Then use
nbtstat -A <IP address>
to get the machine's hostname - that should help you work out what is going on.  If you cannot resolve the hostname, use
arp -a
to view the ARP cache and find the MAC of the device with that IP address.  Perhaps you can then find which port on your Network Switch sees a device with that MAC connected to it and thus trace it to a PC or just disable that switch port (as long as you know it's not a port to your DC or something!) and see who squeals!
 
judsoncollege (Author) Commented:
Thanks cantoris, but that is the weird thing. I would have expected the same thing, but the DHCP server listed is correct, the Gateway is also correct. Everything looks 100% correct except that the DNS server has changed from the 2 we have listed to just 1 that isn't even valid and the mshome.net entry for DNS Suffix.
 
ChiefIT Commented:
Is your router supplying DHCP?
 
ChiefIT Commented:
You might try DHCPloc.exe when this happens. It looks like you have  a rogue DHCP server.

OR, you could have multiple Network connections, one for home and the other for the LAN.
 
judsoncollege (Author) Commented:
DHCP is not supplying DHCP. We have a 2003 server doing that. I grabbed DHCPloc.exe, ran it, but don't see anything right now. It doesn't always happen so I can only guess that someone is turning something on and then off at random times. I will continue to test this and see if I can find anything.
 
cantoris Commented:
Any DHCP-related events in the event log of your 2003 server that is holding the DHCP role?
 
ChiefIT Commented:
judsoncollege:

We haven't heard from you on cantoris' question. How are things going?
 
judsoncollege (Author) Commented:
Sorry guys. I tried something and was waiting to see if it worked. We haven't had the problem for a few weeks so I think we figured it out. We never turned off Internet Connection Sharing company wide and it looks like that is what was causing the problem. I set up a Group Policy to turn it off on all company computers and it hasn't been a problem since. Thanks for all the responses.
 
cantoris Commented:
ICS was the first thing I mentioned...   ;)
Glad you've apparently sorted it.
 
judsoncollege (Author) Commented:
Sorry cantoris, I totally missed that. Thanks for the help.
Question has a verified solution.
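
A triage helper for the symptoms described in this thread, added here as an example and not posted by any participant: it parses saved `ipconfig /all` output and flags DNS servers outside the site's list, the mshome.net suffix, and an unexpected DHCP server. The expected addresses and the sample output are constructed placeholders, not values from the thread.

```python
import re

# Assumed site values (placeholders for illustration, not from the thread).
EXPECTED_DNS = {"10.20.1.5", "10.20.1.6"}
EXPECTED_DHCP = {"10.20.1.5"}
ICS_SUFFIX = "mshome.net"  # suffix the thread reports on affected PCs
KEY_LINE = re.compile(r"^\s+(?P<key>[^:]+?)[ .]*:\s?(?P<val>.*)$")

def parse_ipconfig(text):
    """Map each 'Label . . . : value' to a list, folding wrapped values in."""
    fields, last = {}, None
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            last = m.group("key").strip().lower()
            fields.setdefault(last, [])
            if m.group("val").strip():
                fields[last].append(m.group("val").strip())
        elif last and line.startswith(" ") and line.strip():
            fields[last].append(line.strip())  # second DNS server, extra suffix
        else:
            last = None  # blank line or adapter header ends the current field
    return fields

def ics_findings(text):
    """Return the symptoms from the thread that this output shows."""
    f = parse_ipconfig(text)
    out = [f"unexpected DNS server {ip}" for ip in f.get("dns servers", [])
           if ip not in EXPECTED_DNS]
    suffixes = f.get("dns suffix search list", []) + f.get("connection-specific dns suffix", [])
    if ICS_SUFFIX in (s.lower() for s in suffixes):
        out.append(f"DNS suffix {ICS_SUFFIX} present")
    out += [f"unexpected DHCP server {ip}" for ip in f.get("dhcp server", [])
            if ip not in EXPECTED_DHCP]
    return out

# Constructed sample in the XP `ipconfig /all` layout (not captured output).
AFFECTED = """
        DNS Suffix Search List. . . . . . : corp.example
                                            mshome.net

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : mshome.net
        DHCP Server . . . . . . . . . . . : 10.20.1.5
        DNS Servers . . . . . . . . . . . : 192.168.0.1
"""

print(ics_findings(AFFECTED))
```

DNS and suffix findings with no DHCP server finding match the pattern the asker reported, where the DHCP server and gateway fields still looked correct.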