Om Joshi asked:
An SBS DHCP server will not operate in the presence of another active DHCP server.

Event Type:      Error
Event Source:      DhcpServer
Event Category:      None
Event ID:      1053
Date:            07/04/2009
Time:            11:37:01
User:            N/A
Computer:      XXXXX
Description:
The DHCP/BINL service on this computer running Windows Server 2003 for Small Business Server has encountered another server on this network with  IP Address, 192.168.100.17, belonging to the domain: .

Suddenly, I have started getting the above-mentioned error message due to one of the desktops in the network. That desktop is not a server/domain controller but just a stand-alone Windows 2000 Pro PC.
It has also changed my network's behaviour in such a way that all browser requests go to different sites on that computer. I have IPCOP as a firewall, and some weird DNS addresses are being allotted to PCs from outside.
I have tried stopping the SERVER service on that desktop PC, though no luck getting DHCP to start on the SBS.

Kindly guide me on what I can do in this case.
suppsaws:
Hello ontljoshi,

Shut down that PC, and rerun the CEICW (Connect to the Internet Wizard) to reconfigure DHCP.
Also check for viruses/spyware on that PC.

Regards,

suppsaws
Om Joshi (asker):
No luck.

I did everything but nothing has happened.
LuvJesus2Day:
Either this workstation is infected with a virus (or malware) or you have a power user trying to do some man-in-the-middle attacks. If I were you I would reimage that workstation and lock it down so the users do not have admin privileges.

So when you shut it down, the SBS still recognises a DHCP server somewhere?
And what is on the IP 192.168.100.17?

If you restart the server (unless you have changed some settings) and do not have another DHCP server actively in play (make sure you check that your router is not giving out DHCP) everything should return to normal. You may have to take everything down, restart the server and bring 1 workstation at a time back up until you determine the issue.

The only thing I can see is that my IPCOP firewall becomes the DHCP kind of thing in the ipconfig table:

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom 440x 10/100 Int
   Physical Address. . . . . . . . . : 00-0B-DB-29-2F-9D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.100.254
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.100.100
   DHCP Server . . . . . . . . . . . : 192.168.100.100
   DNS Servers . . . . . . . . . . . : 69.42.88.21
                                       69.42.88.22
   Lease Obtained. . . . . . . . . . : 07 April 2009 14:08:25
   Lease Expires . . . . . . . . . . : 07 April 2009 15:08:25

But I don't understand the DNS server logic... from where it's picking it up... and that it is using 100.100 as DHCP... it's quite complicated.

"So when you shut it down, the SBS still recognises a DHCP server somewhere?
And what is on the IP 192.168.100.17?"

192.168.100.17 is Windows 2K Pro, and after shutting it down it takes the role as a DHCP server. That is what I have tried earlier.

I have scanned it using Endpoint Protection but no luck so far; I have also used some antispyware tools as well but no luck.
Is this information from the server? If it is, then your router (gateway) has become a DHCP server. Maybe the router went back to default settings, which is to be a DHCP server. Usually SBS by default wants to use the 192.168.16.x subnet (but it could be changed).

Hi, thanks.

1) No, this information is not from the server.

2) The default gateway is the IPCOP firewall and its DHCP functionality has been disabled.

3) I have doubts about NTL's modem, but it has its own physical IP address and it's different from the DNS servers' range.

I can't understand what's wrong.
Those DNS numbers look right. They will normally be the DNS of your provider if you are getting IPs from their devices. A normal setup though would have you getting DNS from the SBS server and then your SBS server forwarding DNS lookups to the provider. It really sounds like it is coming from somewhere else besides just the workstation.

Here is a sure way to find out. Make sure the W2kPro box (117) is turned completely off. Shut down the SBS server. Then reboot another workstation and do an ipconfig. If you get something other than 169.254.x.x (Microsoft's private addressing) then you still have yet another DHCP server somewhere in your network.
Where is this ipconfig info coming from then? From a client?
There should be NO external DNS servers in there.
The ONLY DNS server should be the SBS server itself.
In the CEICW wizard you provide the external ISP DNS servers.

Well, those DNS are not from the ISP, that I am sure of, and another thing is that the desktop on 192.168.100.17's browser queries mostly go to various other search listings, and after several tries it goes to the one which was requested.

I have gone through all the steps by now... my IPCOP's DHCP is not enabled.

Hi, to back up my statement... report from IPCOP:
Services:

CRON server                          RUNNING
DHCP Server                          STOPPED
DNS proxy server                     RUNNING
Intrusion Detection System (GREEN)   RUNNING
Intrusion Detection System (RED)     STOPPED
Kernel logging server                RUNNING
Logging server                       RUNNING
NTP Server                           STOPPED
Secure shell server                  RUNNING
VPN                                  RUNNING
Web proxy                            STOPPED
Web server                           RUNNING

That makes me worry more now, as from where are IPs and DNS servers being assigned?

Kindly help.

Did you try my earlier recommendation of turning everything off (including the server), then turning on the server and making sure the IPs look right, then 1 station at a time? This is the only way you will run this down. I know it is a pain but you have to figure out what is infected and what is not.
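The "shut everything down, reboot one client, read ipconfig" test described above (and the client ipconfig posted earlier in the thread) amounts to three checks: did the client fall back to 169.254.x.x, did the lease come from the SBS, and is the SBS the only DNS server handed out. The script below is an added example, not code from the thread or from any poster: it parses an ipconfig /all dump and the text of the DhcpServer event 1053 and reports those findings. The two ipconfig samples and the event text are constructed from values posted in the thread (the APIPA sample is invented to show the clean outcome); the SBS's own address (192.168.100.10) is an assumption, since the thread never states it.

```python
"""Added example: audit a client's ``ipconfig /all`` output and the SBS
DhcpServer event 1053 text for signs of a rogue DHCP server on the LAN."""
import ipaddress
import re
from datetime import datetime

LAN = ipaddress.ip_network("192.168.100.0/24")
APIPA = ipaddress.ip_network("169.254.0.0/16")
# ASSUMPTION: the thread never gives the SBS's own IP. Any LAN address works
# here as long as it is the box that is supposed to be both DHCP and DNS.
SBS_IP = "192.168.100.10"

# Constructed sample: the client ipconfig as posted in the thread.
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom 440x 10/100 Int
   Physical Address. . . . . . . . . : 00-0B-DB-29-2F-9D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.100.254
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.100.100
   DHCP Server . . . . . . . . . . . : 192.168.100.100
   DNS Servers . . . . . . . . . . . : 69.42.88.21
                                       69.42.88.22
   Lease Obtained. . . . . . . . . . : 07 April 2009 14:08:25
   Lease Expires . . . . . . . . . . : 07 April 2009 15:08:25
"""

# Constructed sample (invented): what the same client shows when no DHCP
# server answered at all, i.e. the clean result of the shutdown test.
SAMPLE_IPCONFIG_APIPA = """
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom 440x 10/100 Int
   Physical Address. . . . . . . . . : 00-0B-DB-29-2F-9D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Autoconfiguration IP Address. . . : 169.254.23.7
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
"""

# Constructed sample: the event 1053 description as posted in the thread.
SAMPLE_EVENT = ("The DHCP/BINL service on this computer running Windows Server 2003 "
                "for Small Business Server has encountered another server on this "
                "network with  IP Address, 192.168.100.17, belonging to the domain: .")

_FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z /()-]*?)[ .]*:\s*(.*)$")
_EVENT = re.compile(r"IP Address,\s*([0-9.]+),\s*belonging to the domain:\s*(.*?)\s*\.$")
_DATE = "%d %B %Y %H:%M:%S"


def parse_ipconfig(text):
    """Return the adapter's lease as a dict; indented lines without a colon
    (the second DNS server) are continuation lines of the previous field."""
    fields, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _FIELD.match(line)
        if m:
            last = m.group(1).strip()
            fields[last] = [m.group(2).strip()] if m.group(2).strip() else []
        elif last and line.startswith(" "):
            fields[last].append(line.strip())

    def first(key):
        vals = fields.get(key) or []
        return vals[0] if vals else ""

    obtained, expires = first("Lease Obtained"), first("Lease Expires")
    seconds = 0
    if obtained and expires:
        seconds = int((datetime.strptime(expires, _DATE)
                       - datetime.strptime(obtained, _DATE)).total_seconds())
    return {
        "ip": first("IP Address") or first("Autoconfiguration IP Address"),
        "gateway": first("Default Gateway"),
        "dhcp_server": first("DHCP Server"),
        "dns_servers": fields.get("DNS Servers", []),
        "lease_seconds": seconds,
    }


def audit_lease(lease, sbs_ip=SBS_IP, lan=LAN):
    """Findings about one client lease; empty means the SBS issued it and is
    the only DNS server. An APIPA address is reported but is the expected
    result while the SBS DHCP service and the suspect PC are both off."""
    findings = []
    if ipaddress.ip_address(lease["ip"]) in APIPA:
        findings.append("apipa: no DHCP server answered the client")
        return findings
    if lease["dhcp_server"] != sbs_ip:
        findings.append(f"dhcp: lease issued by {lease['dhcp_server']}, not the SBS ({sbs_ip})")
    for dns in lease["dns_servers"]:
        if dns == sbs_ip:
            continue
        where = "off-LAN" if ipaddress.ip_address(dns) not in lan else "LAN"
        findings.append(f"dns: {where} server {dns} handed to client; SBS should be the only DNS")
    return findings


def rogue_server_from_event(description):
    """Pull the competing server's IP and domain out of event 1053 text."""
    m = _EVENT.search(description.strip())
    return {"ip": m.group(1), "domain": m.group(2)} if m else None


if __name__ == "__main__":
    for name, text in (("client", SAMPLE_IPCONFIG), ("client after shutdown test", SAMPLE_IPCONFIG_APIPA)):
        print(name, audit_lease(parse_ipconfig(text)))
    print("event 1053 ->", rogue_server_from_event(SAMPLE_EVENT))
```

Run it as-is and the posted lease produces three findings (a non-SBS DHCP server identifier and two off-LAN DNS servers), while the APIPA sample produces only the informational "no DHCP server answered" entry. Note that the DHCP server identifier shown to the client is whatever the answering server put in option 54, so a lease that names 192.168.100.100 proves only that some server claimed that address, not that the IPCOP box sent it.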

I am receiving this same problem, with the same rogue DNS entries on random client workstations in my domain. The DNS entries are 69.42.88.21 and 69.42.88.22. I am running Symantec Endpoint Protection on my network, the definitions are current, and full client scans pick up nothing. Yet I googled the above IP addresses and found two strings, both posted TODAY, noting the same IP addresses. My gut tells me this is a worm, and I am getting very worried!

I am planning to do this thoroughly during the Easter weekend. I hope to sort it out.
ASKER CERTIFIED SOLUTION
cuiinc
This solution is only available to members.