Solved

An SBS DHCP server will not operate in the presence of another active DHCP server.

Posted on 2009-04-07
624 Views
Last Modified: 2012-06-27
Event Type:      Error
Event Source:      DhcpServer
Event Category:      None
Event ID:      1053
Date:            07/04/2009
Time:            11:37:01
User:            N/A
Computer:      XXXXX
Description:
The DHCP/BINL service on this computer running Windows Server 2003 for Small Business Server has encountered another server on this network with  IP Address, 192.168.100.17, belonging to the domain: .

Suddenly, I have started getting the above-mentioned error message due to one of the desktops in the network. That desktop is not a server/domain member but just a stand-alone Windows 2000 Pro PC.
Also it has changed my network's behaviour in a way that all browser requests go to different sites on that computer. I have IPCOP as firewall and some weird DNS addresses are being allotted to PCs from outside.
I have tried stopping the SERVER service on that desktop PC, though no luck on SBS to start DHCP.

Kindly guide me what I can do in this case.
Question by:Om Joshi
18 Comments
 
LVL 21

Expert Comment

by:suppsaws
ID: 24085828
Hello ontljoshi,

Shut down that PC, and rerun the CEICW (connect to the internet wizard) to reconfigure DHCP.
Also check for viruses/spyware on that PC.

Regards,

suppsaws

Author Comment

by:Om Joshi
ID: 24086784
No luck.

I did everything but nothing has happened.
LVL 5

Expert Comment

by:LuvJesus2Day
ID: 24086792
Either this workstation is infected with a virus (or malware) or you have a power user trying to do some man-in-the-middle attacks.  If I were you I would reimage that workstation and lock it down so the users do not have admin privileges.
LVL 21

Expert Comment

by:suppsaws
ID: 24086796
So when you shut it down, the SBS still recognises a DHCP server somewhere?
And what is on the IP 192.168.100.17?
LVL 5

Expert Comment

by:LuvJesus2Day
ID: 24086805
If you restart the server (unless you have changed some settings) and do not have another DHCP server actively in play (make sure you check to make sure your router is not giving out DHCP) everything should return to normal.  You may have to take everything down, restart server and bring 1 workstation at a time back up until you determine the issue.

Author Comment

by:Om Joshi
ID: 24087177
The only thing I can see is my IPCOP firewall becomes DHCP kind of thing in the ipconfig table:

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom 440x 10/100 Int
r
   Physical Address. . . . . . . . . : 00-0B-DB-29-2F-9D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.100.254
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.100.100
   DHCP Server . . . . . . . . . . . : 192.168.100.100
   DNS Servers . . . . . . . . . . . : 69.42.88.21
                                       69.42.88.22
   Lease Obtained. . . . . . . . . . : 07 April 2009 14:08:25
   Lease Expires . . . . . . . . . . : 07 April 2009 15:08:25

But I don't understand the DNS server logic... from where it's picking it up... and that it is using 100.100 as DHCP... it's quite complicated.

Author Comment

by:Om Joshi
ID: 24087379
"so when you shut it down, the sbs still recognises a dhcp server somewhere?
and what is on the ip 192.168.100.17 ?"

192.168.100.17 is Windows 2K Pro, and after shutting it down it takes the role of a DHCP. That is what I have tried earlier.

I have scanned it using Endpoint Protection but no luck so far; I also have used some anti-spyware tools as well but no luck.
LVL 5

Expert Comment

by:LuvJesus2Day
ID: 24090114
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom 440x 10/100 Int
r
   Physical Address. . . . . . . . . : 00-0B-DB-29-2F-9D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.100.254
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.100.100
   DHCP Server . . . . . . . . . . . : 192.168.100.100
   DNS Servers . . . . . . . . . . . : 69.42.88.21
                                       69.42.88.22
   Lease Obtained. . . . . . . . . . : 07 April 2009 14:08:25
   Lease Expires . . . . . . . . . . : 07 April 2009 15:08:25

Is this information from the server?  If it is then your router (gateway) has become a DHCP server.  Maybe the router went back to default settings which is to be a DHCP server. Usually SBS by default wants to use 192.168.16.x subnet (but could be changed).

Author Comment

by:Om Joshi
ID: 24091301
Hi, thanks.

1) No, this information is not from the server.

2) The default gateway is the IPCOP firewall and its DHCP functionality has been disabled.

3) I have doubts about NTL's modem, but it has its own physical IP address and it's different from the DNS servers' range.

I can't understand what's wrong.
LVL 5

Expert Comment

by:LuvJesus2Day
ID: 24092519
Those DNS numbers look right. They will normally be the DNS of your provider if you are getting IPs from their devices.  A normal setup though would have you getting DNS from the SBS server and then your SBS server forwarding DNS lookups to the provider.  It really sounds like it is coming from somewhere else beside just the workstation.

Here is a sure way to find out.  Make sure the W2kPro box (117) is turned completely off. Shut down the SBS server. Then reboot another workstation and do an ipconfig.  If you get something other than 169.254.x.x (Microsoft's private addressing) then you still have yet another DHCP server somewhere in your network.
LVL 21

Expert Comment

by:suppsaws
ID: 24095026
Where is this ipconfig info coming from then? From a client?
There should be NO external DNS servers in there.
The ONLY DNS server should be the SBS server itself.
In the CEICW wizard you provide the external ISP DNS servers.

Author Comment

by:Om Joshi
ID: 24099219
Well, those DNS servers are not from the ISP, that I am sure of, and another thing is that on the desktop which is on 192.168.100.17 most browser queries are going to various other search listings and after several tries it goes to the one which is requested.

I have gone through all steps by now... my IPCOP's DHCP is not enabled.

Author Comment

by:Om Joshi
ID: 24099315
Hi, to back up my statement... report from IPCOP:
Services:         
      
CRON server       RUNNING
DHCP Server       STOPPED
DNS proxy server       RUNNING
Intrusion Detection System (GREEN)       RUNNING
Intrusion Detection System (RED)       STOPPED
Kernel logging server       RUNNING
Logging server       RUNNING
NTP Server       STOPPED
Secure shell server       RUNNING
VPN       RUNNING
Web proxy       STOPPED
Web server       RUNNING

That makes me worry more now about where IPs and DNS servers are being assigned from.

Kindly help.
LVL 5

Expert Comment

by:LuvJesus2Day
ID: 24101014
Did you try my earlier recommendation of turning everything off (including the server), turning on the server and making sure IPs look right, then 1 station at a time? This is the only way you will run this down. I know it is a pain but you have to figure out what is infected and what is not.
LVL 1

Expert Comment

by:cuiinc
ID: 24101785
I am receiving this same problem, with the same rogue DNS entries on random client workstations in my domain.  The DNS entries are 69.42.88.21 and 69.42.88.22.  I am running Symantec Endpoint Protection on my network, the definitions are current, and full client scans pick up nothing.  Yet, I googled the above IP addresses and found two strings, both posted TODAY, noting the same IP addresses.  My gut tells me this is a worm, and I am getting very worried!

Author Comment

by:Om Joshi
ID: 24106072
I am planning to do this thoroughly during the Easter weekend. I hope to sort it out.
LVL 1

Accepted Solution

by: cuiinc earned 500 total points
ID: 24118531
This info might be helpful to you...
I confirmed that we had a rogue DHCP server intrusion, which is basically a device that gets infected with malware inside the network and falsely answers requests for IPs.  We observed several symptoms of this but the most notable symptom is that numerous other clients received bad DNS info: sometimes they had browser problems, some had fake ipconfig /all DNS server entries (like you mentioned), and some even had fake DNS entries entered directly into their network TCP/IP properties.  This sort of malware apparently can enter a network on a laptop or mobile device, which was probably our culprit.  We had proactive antivirus scanning on all our machines, but we weren't actively scanning network traffic for packets that may contain bad DNS info.  Our solution, thus far, is to install a portion of Symantec's Endpoint software called Intrusion Detection.  It runs on all client machines, notifying the client and/or admin when network settings are suspiciously changed.
Another couple thoughts are contained here:
http://ossie-group.org/blog/?m=200903

As far as finding the viral culprit, that proved more difficult.  Despite a slew of messed-up machines, I only found one instance of malware, and deleted it manually.  The rest of the machines healed themselves eventually after many dns flushes.
http://www.symantec.com/security_response/writeup.jsp?docid=2008-120318-5914-99&tabid=3

I wish you the best of luck.  I'm not totally satisfied with my network security now, even with Symantec's Intrusion Prevention software, because I'm not sure *exactly* what it's doing.  I'm also not totally sure what people mean when they encourage "monitoring DNS traffic" (see the first link I posted).  I'd much prefer a way to effectively lock down the DNS info on all my clients, somehow ensuring that it can't be changed unless it comes from my DHCP server, but that is a little above my head.
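An added example, not from the thread or from any of its participants, of the client-side check the accepted answer wishes for and of the ipconfig test LuvJesus2Day describes (169.254.x.x means no DHCP server answered): it parses the `ipconfig /all` output in the shape quoted above and flags any DHCP or DNS server that is not the SBS box. The SBS address 192.168.100.1 and the sample adapter block are assumptions constructed for the example; the rogue DNS addresses are the ones reported in the thread.

```python
import re
from ipaddress import ip_address

# Constructed sample in the shape of the `ipconfig /all` output quoted in the thread.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.100.254
   Default Gateway . . . . . . . . . : 192.168.100.100
   DHCP Server . . . . . . . . . . . : 192.168.100.100
   DNS Servers . . . . . . . . . . . : 69.42.88.21
                                       69.42.88.22
   Lease Obtained. . . . . . . . . . : 07 April 2009 14:08:25
"""

# Hypothetical address of the SBS box, which should be the only DHCP and DNS server clients see.
TRUSTED_SERVERS = {"192.168.100.1"}

# "   Field name . . . : value"; dot leaders and the first colon separate name from value.
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z \-]*?)[ .]*: ?(.*)$")

def parse_ipconfig(text):
    """Return {field: [values]}; an indented line without a field name continues the previous field."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            last = m.group(1).strip()
            fields[last] = [m.group(2).strip()] if m.group(2).strip() else []
        elif last and line.strip():
            fields[last].append(line.strip())
    return fields

def audit(fields, trusted=TRUSTED_SERVERS):
    """Flag what a client of an SBS domain should never show: APIPA, a foreign DHCP server, foreign DNS."""
    findings = []
    ip = (fields.get("IP Address") or [""])[0]
    if ip.startswith("169.254."):  # Windows autoconfiguration: no DHCP server answered at all
        findings.append(f"APIPA address {ip}: no DHCP server answered")
    for field in ("DHCP Server", "DNS Servers"):
        for value in fields.get(field, []):
            if value not in trusted:
                scope = "public" if ip_address(value).is_global else "internal"
                findings.append(f"{field} {value} is not a trusted server ({scope} address)")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_ipconfig(SAMPLE_IPCONFIG)):
        print(finding)
```

Run against saved `ipconfig /all` output from each workstation during the one-at-a-time power-up, a clean client produces no findings, while a client served by the rogue server reports the foreign DHCP address and public DNS servers.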
