• Status: Solved

DNS server changing automatically on workstations

Recently, from time to time throughout the work day, certain workstations are automatically changing their DNS server. This will happen at any time with no explanation. It will change the workstation's DNS server from our DNS server to 10.1.0.1. Internal apps/email/websites will continue to work. Outside internet will not. A release/renew will fix the issue but is inconvenient for the end user. This has been happening on and off for about 2 weeks, and the address does not ping or return an nslookup. I cannot find this address anywhere in our infrastructure as a legacy address either. Our current IP schema is 172.x.x.x

Thank you in advance for any help you can provide.

David
 
BillBondo Commented:
Only the DNS is changing? IP stays the same? Sounds like a DHCP server only handing out DNS info. I have had people bring in Linksys or Netgear so they could hook up a laptop, and drive me crazy till I found the thing.
 
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
You do not have a rogue DHCP server issuing IP address and DNS?

Next time it happens, check the DHCP server IP address?
 
smckeown777 Commented:
Few questions...

1) I assume it's not a manual change? I mean when you look at the TCP/IP properties page, is the 'Automatically get DNS' option still selected?
2) Nothing else changes? IP/Default Gateway are still the 172.0.0.0 range?
3) When you run ipconfig /all on the machine during the time it's changed - can you post here?

Possible reasons are either there is another router somewhere on the network and workstations are getting IP from there...or something has changed on your DHCP settings on server - this is a DC running DHCP yes?
 
josh_martin (Author) Commented:
smckeown,

Correct, our DC is running DHCP. It is not a manual change. IP/Default Gateway are still 172.x.x.x

I attached the ipconfig /all

Thanks
ipconfig.docx
 
smckeown777 Commented:
Ok, well based on that it's saying

DHCP Server - 172.20.4.34
It's handing out DNS 10.1.0.1

Have you checked the scope? To see what DNS is in it?
Have you the same output from a working station?
 
smckeown777 Commented:
That IP - 172.20.4.34 - do you recognise this as your DHCP server? Same as your DC?
 
smckeown777 Commented:
Also I notice that IP isn't in the same subnet as the IP of the station itself

Workstation - 172.20.20.194 (255.255.255.0)
DHCP - 172.20.4.34 - this isn't the same subnet

Which says to me someone has configured another DHCP server on the network and it isn't handing out the correct DNS server
 
josh_martin (Author) Commented:
I have checked all scopes of all DNS servers. They only have 172.x.x.x servers listed (which are the correct servers).

Our DC is running and handling the DHCP requests.

We have two DCs at this site (multiple satellite locations as well). Both DCs are DNS servers (primary and secondary), and both DCs share the DHCP scopes. Split scopes: half of the addresses are on one server and half on another.

Does this information help?
 
smckeown777 Commented:
Well depends...this IP - 172.20.4.34 - can you access this? Is this one of your DCs?
 
Gajendra Rathod Commented:
Please reset TCP/IP on the machine having the problem

Hotfix
 
josh_martin (Author) Commented:
Correct, this is one of our DCs.
 
smckeown777 Commented:
Ok, this is a new one!

Right, let's check this first...

On the workstation with the issue - ping that DC
Then run

arp -a

From the listing, check the MAC address that corresponds to the DC's IP

Can you then check the server's network card (run ipconfig /all on server) and see if the MAC addresses match?

If not you have a rogue DHCP router somewhere with the same IP as the DC (I know this one is a stretch, but based on the output from ipconfig that is reporting the correct DHCP server IP this is the only thing I can think of...)
 
josh_martin (Author) Commented:
MAC addresses do not match. So you think it is a rogue DHCP router? Any thoughts on how to track this down?
 
smckeown777 Commented:
Have you managed switches? If so log into it and check the MAC address table (most will have this function)

Check the table for the MAC address that shows up on the workstation
It will hopefully show you what port on the switch it's associated with, which you can then trace...

What type of switches? Multiple?
 
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
If you have a MAC address, you can track a MAC address on a network switch port!

And find the device or unplug the cable or port!
 
josh_martin (Author) Commented:
MAC address and IP that comes back from the arp -a command is the router.
 
smckeown777 Commented:
Ok, you are obviously hopping through the router to the DC, so in this case that's why the MAC is different (sorry didn't ask your topology first)

So the DC is obviously on a separate subnet yes? Passing through your router?

Or...is DHCP running on the router? What type is the router?
 
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
Do you have a managed switch, you can search the switch for the port the MAC address is on?

HP, Cisco and Juniper you can.
 
smckeown777 Commented:
If the MAC address is returning as the router MAC this means it's normal (if the subnets are different)

Since traffic has to pass through the router to get to the other subnet...
Harder to locate the issue in this case...

But...if you can login to the router (has it a command line) you can also ping the DC - see if the MAC returned matches the DC...if not then you can start to locate the rogue, if it does match then we are back to square one...
 
josh_martin (Author) Commented:
Found the Rogue DNS server. Was an unmanaged router. Thanks for your help.
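
Added example, not part of the original thread: the symptom diagnosed above (a DHCP lease carrying DNS 10.1.0.1 while the reported DHCP server is the DC at 172.20.4.34) can be checked across saved `ipconfig /all` captures with a short Python audit. The allowlist, the second DC's address 172.20.4.35 and the sample capture are constructed for illustration.

```python
import ipaddress
import re

# Assumed allowlist: the thread's DC plus a constructed address for the second DC.
APPROVED = {"172.20.4.34", "172.20.4.35"}

# Constructed sample shaped like `ipconfig /all`, using the thread's addresses.
SAMPLE = """\
Ethernet adapter Local Area Connection:
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 172.20.20.194(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   DHCP Server . . . . . . . . . . . : 172.20.4.34
   DNS Servers . . . . . . . . . . . : 10.1.0.1
                                       172.20.4.35
"""

FIELD = re.compile(r"^ {3}(\S.*?)[ .]* : ?(.*)$")  # fields sit at a 3-space indent
ADDR = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_adapters(text):  # -> {adapter name: {field name: [values]}}
    adapters, cur, last = {}, None, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            cur, last = adapters.setdefault(line.rstrip(": "), {}), None
        elif cur is not None and (m := FIELD.match(line)):
            last = cur.setdefault(m.group(1), [])
            last.append(m.group(2).strip())
        elif last is not None and line.strip():
            last.append(line.strip())  # deeper indent: another value for `last`
    return adapters

def ips(fields, key):  # IPv4 addresses found in one field's values
    return ADDR.findall(" ".join(fields.get(key, [])))

def audit(text, approved=APPROVED):  # -> [(adapter, finding), ...]
    out = []
    for name, f in parse_adapters(text).items():
        addr, mask = ips(f, "IPv4 Address"), ips(f, "Subnet Mask")
        if f.get("DHCP Enabled") != ["Yes"] or not addr or not mask:
            continue  # static or disconnected adapters are out of scope
        out += [(name, f"unapproved DNS server {d}")
                for d in ips(f, "DNS Servers") if d not in approved]
        net = ipaddress.ip_network(f"{addr[0]}/{mask[0]}", strict=False)
        for srv in ips(f, "DHCP Server"):
            if srv not in approved:
                out.append((name, f"unauthorized DHCP server {srv}"))
            elif ipaddress.ip_address(srv) not in net:
                out.append((name, f"DHCP server {srv} is off-subnet (lease was relayed)"))
    return out
```

An off-subnet DHCP server is expected on a routed network like this one, which is why `arp -a` on the workstation returned the router's MAC rather than the DC's.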