Hyper-V Virtual Machine seems to be culprit behind DHCP scope filling up

Hi folks,
We have a client with a new server on which I've created a Hyper-V virtual machine from scratch. The host is Server 2008 R2, and the VM is Server 2003 Enterprise. Ever since adding the VM to the network, we have been seeing the DHCP scope filling up with addresses associated with names "minint-xxxxxxx.domain.com", where the xxx's are random characters. I had suspected a virus of some sort on the network, but during troubleshooting we disabled the network port used by the VM, and the DHCP entries ceased. They are showing up at the rate of three addresses per hour, at the :01, :03, and :05 minute marks.  The VM has a static IP address, and I recently disabled the DHCP client within the VM. And by the way, the "Unique ID" column in DHCP shows all of them starting with "00163e", which appears to be pertaining to Xensource.

Can anyone shed any light on what's going on, and how we can resolve this?

Thanks in advance,

Verify that there is no machine name conflict in that domain.
Also make sure that the Hyper-V integration tools are installed on the VM.
Bill Louth (System Engineer) commented:
Couple questions:

1 - What applications and services are running in the VM?
2 - Is IPv6 bound to the virtual NIC, and to the physical server's NIC(s)?
3 - Is the VM using a static IP address, a DHCP static reservation, or just regular dynamic DHCP?
4 - Are you seeing these names showing up in DNS as well, or any duplicate / strange DNS entries that might correspond to the DHCP entries?

In general, unless you need otherwise, it might be simplest to create a static IP address in the VM and unbind all extra network protocols except like IPv6.

We would possibly setup a Webex if you want me to take a quick look at the config.
ThirdEyeTech (Author) commented:
1) There's nothing running on the VM except standard MS services, some remote monitoring tools that are on every other computer in the domain, and a database server; it's a member server and not a DC.
2) IPv6 is not active. The VM has a static IP, and the DHCP client has been turned off.
3) Nothing unusual is showing up in DNS.

Bill Louth (System Engineer) commented:
Are the DHCP reservations all showing the same MAC address?  And does that MAC address correspond to the one inside the VM's virtual NIC?
What would happen if you blocked DHCP packets in the local VM's Windows Firewall?  I think those are UDP 67, 68.  The initial request for a DHCP lease is a UDP broadcast, which probably could be blocked as well.

Couple more thoughts:
The host is Server 2008 R2.  SP1 is out and contains some very substantial fixes and new features.  Hyper-V thin memory provisioning is one.
Guest VM is Windows 2003.  I wonder if you might be able to service pack that.
You can also disable DHCP at the registry level.  It may require a reboot of the VM to take effect.  I think the reg entries may be the same but W2008's TCP/IP stack was rewritten from prev versions so keep that in mind when searching and comparing W2K/W2003 vs W2008 TCP/IP registry architecture.

Have an upgrade this evening so I don't have a lot of time but here are some hyperlinks to review:
ThirdEyeTech (Author) commented:
The DHCP reservations are all showing the same first six digits; the remaining digits are different. The first six are totally different from the onboard adapter showing in the VM.

I have a feeling that there's a machine on the network that's got a rootkit or other malware, I think my next step is to try to monitor overall network traffic on ports 67 & 68. I'm assuming that the requesting machine's MAC address shows up in the DHCP request.
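
The monitoring step described above, as an added example that is not part of the original thread: a small DHCP message parser that pulls the client hardware address (chaddr), its OUI, and the option-12 host name out of each captured DHCPDISCOVER/REQUEST, then flags the pattern the poster reported (the 00:16:3e Xensource prefix in the Unique ID column, and "minint-" host names). The 00:16:3e/"minint-" heuristics and the sample packets are constructed from the thread's observations; in practice the byte strings would be the UDP payloads of frames captured on ports 67/68, which is where the requesting MAC appears.

```python
import struct
from collections import Counter

# RFC 2131 fixed header is 236 bytes, followed by the 4-byte magic cookie and options.
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
# OUI prefix the thread saw in the DHCP "Unique ID" column (assumption: worth flagging).
SUSPECT_OUIS = {"00:16:3e": "Xensource"}


def build_dhcp_discover(mac, hostname, xid):
    """Constructed sample input: a minimal DHCPDISCOVER as a client would broadcast it."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    zero4 = b"\x00" * 4
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, xid, 0, 0x8000,   # BOOTREQUEST, Ethernet, hlen 6, broadcast flag
                         zero4, zero4, zero4, zero4,    # ciaddr, yiaddr, siaddr, giaddr
                         chaddr, b"\x00" * 64, b"\x00" * 128)
    name = hostname.encode("ascii")
    options = (b"\x35\x01\x01"                       # option 53: DHCPDISCOVER
               + bytes([12, len(name)]) + name       # option 12: host name
               + b"\xff")                            # end option
    return header + MAGIC_COOKIE + options


def parse_dhcp(packet):
    """Return the fields a DHCP-traffic watcher needs: xid, client MAC, OUI, host name, type."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", packet[:12])
    chaddr = packet[28:28 + hlen]                    # chaddr field starts at offset 28
    mac = ":".join(f"{b:02x}" for b in chaddr)
    options = {}
    i = 240
    while i < len(packet):
        tag = packet[i]
        if tag == 0:                                 # pad option, no length byte
            i += 1
            continue
        if tag == 255:                               # end option
            break
        length = packet[i + 1]
        options[tag] = packet[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MESSAGE_TYPES.get(options.get(53, b"\x00")[0], "UNKNOWN")
    hostname = options.get(12, b"").decode("ascii", "replace")
    return {"op": op, "xid": xid, "broadcast": bool(flags & 0x8000),
            "mac": mac, "oui": mac[:8], "hostname": hostname, "type": msg_type}


def triage(packets):
    """Parse a batch of captured DHCP messages and flag the pattern from the thread."""
    rows = [parse_dhcp(p) for p in packets]
    by_oui = Counter(r["oui"] for r in rows)
    suspicious = [r for r in rows
                  if r["oui"] in SUSPECT_OUIS or r["hostname"].lower().startswith("minint-")]
    return rows, by_oui, suspicious


# Constructed sample capture: three "minint-" discovers sharing the Xensource OUI but with
# changing low bytes (as the poster described), plus one ordinary workstation.
SAMPLE_CAPTURE = [
    build_dhcp_discover("00:16:3e:5a:01:0c", "MININT-7Q2K1TB", 0x1001),
    build_dhcp_discover("00:16:3e:5a:02:9f", "MININT-0D8V3XU", 0x1002),
    build_dhcp_discover("00:16:3e:5a:03:44", "MININT-J4N9P2M", 0x1003),
    build_dhcp_discover("00:1a:a0:12:34:56", "ACCOUNTING-PC", 0x2001),
]

if __name__ == "__main__":
    rows, by_oui, suspicious = triage(SAMPLE_CAPTURE)
    for r in rows:
        print(f'{r["type"]:8} xid={r["xid"]:#x} mac={r["mac"]} host={r["hostname"]}')
    print("requests per OUI:", dict(by_oui))
    print("flagged:", [(r["mac"], r["hostname"]) for r in suspicious])
```

Grouping by OUI is the useful view here: if the count under one vendor prefix keeps climbing while the low bytes change, the source is one device (or one virtualization layer) cycling MAC addresses rather than many separate hosts, and the host name option tells you what that device thinks it is called.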

Bill Louth (System Engineer) commented:
>reservations are all showing the same first six digits; the remaining digits are different
These are the MAC addresses correct?  If so it's as if the MAC address is changing.

>I have a feeling that there's a machine on the network that's got a rootkit or other malware
If whatever you disabled is dedicated to the VM and that stopped the problem then, if there really is malware somewhere, the problem is most likely on the VM.

>during troubleshooting we disabled the network port used by the VM, and the DHCP entries ceased.
Can you please clarify on the network port?  Did you remove the virtual NIC, unplug a cable from a switch, etc.

And are you using a dedicated NIC for the VMs or are you sharing the NIC on the physical server?  It's recommended that Hyper-V has its own dedicated NIC and the physical host uses a separate NIC.

Also it might be advisable to install SP1 on the host and any VMs as a best practice.
ThirdEyeTech (Author) commented:
The troubleshooting problem thus far is that we disabled the network port for the VM at the end of a business day, so it was unclear whether that action caused the quieting or if it was that a laptop left the office at around the same time. The network has a pair of managed switches, and the VM's dedicated network adapter on its host server (which has four total adapters) was in one switch's port which we disabled on the switch itself.
Hope that clarifies,
Bill Louth (System Engineer) commented:
Hopefully it's a laptop issue and not the server.  Again, you could block the UDP ports for DHCP and completely disable DHCP on the VM.

This isn't your primary problem but there could be collateral damage in DNS coming from either the affected machine and/or DHCP.

If it is a server issue these links may be helpful in disabling automatic DNS updates.  This could be a problem if anything tries to reference the server by name since it would no longer resolve to the correct IP.  DHCP is also able to register DNS / IP records.  We've seen this happen with Jet Direct, networked copiers, and other print servers with static reservations.  I've also seen this issue on Web servers with multiple NICs.  One of the NICs has a dedicated IP for a particular website but the server decides that it wants to register both NICs and IP addresses in DNS.  Then you get a 50/50 chance (DNS does round robin) when there are two name records for the same server with different IPs.

How to disable automatic DNS registration from specific NICs:
Add a registry value under HKLM>System>Services>CurrentControlSet>TCPIP>Parameters>Interfaces>{network card}: DisableDynamicUpdate = 1

Steps to avoid registering unwanted NIC(s) in DNS on a Multihomed...
ThirdEyeTech (Author) commented:
It's curious -- all of a sudden the minint entries have stopped appearing in the DHCP reservation list. I made no changes to the VM. I have to conclude it's a laptop that hasn't been in the office for the last two days.

Thanks all for your help in getting to the bottom of things.

ThirdEyeTech (Author) commented:
Haven't found the culprit yet, but it's certainly not the VM.