josh_martin

DNS server changing automatically on workstations

Recently, from time to time throughout the work day, certain workstations are automatically changing their DNS server. This will happen at any time with no explanation. It will change the workstation's DNS server from our DNS server to 10.1.0.1. Internal apps/email/websites will continue to work. Outside internet will not. A release/renew will fix the issue but is inconvenient for the end user. This has been happening on and off for about 2 weeks, and the address does not ping or return an nslookup. I cannot find this address anywhere in our infrastructure as a legacy address either. Our current IP schema is 172.x.x.x

Thank you in advance for any help you can provide.

David
BillBondo
Only the DNS is changing? IP stays the same? Sounds like a DHCP server only handing out DNS info. I have had people bring in Linksys or Netgear so they could hook up a laptop, and drive me crazy till I found the thing.
You do not have a rogue DHCP server issuing IP address and DNS?

Next time it happens, check the DHCP server IP address?
Few questions...

1) I assume it's not a manual change? I mean when you look at the TCP/IP properties page is 'Automatically get DNS' option still selected?

2) Nothing else changes? IP/Default Gateway are still the 172.0.0.0 range?
3) When you run ipconfig/all on the machine during the time it's changed - can you post here?

Possible reasons are either there is another router somewhere on the network and workstations are getting IP from there...or something has changed on your DHCP settings on server - this is a DC running DHCP yes?
josh_martin

ASKER

smckeown,

Correct, our DC is running DHCP. It is not a manual change. IP/Default Gateway are still 172.x.x.x

I attached the ipconfig /all

Thanks
ipconfig.docx
Ok, well based on that it's saying

DHCP Server - 172.20.4.34
It's handing out DNS 10.1.0.1

Have you checked the scope? To see what DNS is in it?
Have you the same output from a working station?
That ip - 172.20.4.34 - do you recognise this as your DHCP server? Same as your DC?
Also I notice that IP isn't in the same subnet as the IP of the station itself

Workstation - 172.20.20.194 (255.255.255.0)
DHCP - 172.20.4.34 - this isn't the same subnet

Which says to me someone has configured another DHCP server on the network and isn't handing out the correct DNS server
I have checked all scopes of all DNS servers. They only have 172.x.x.x servers listed (which are the correct servers)

Our DC is running and handling the DHCP requests.

We have two DCs at this site (multiple satellite locations as well). Both DCs are DNS servers (primary and secondary), and both DCs share the DHCP scopes. Split scopes: half of the addresses are on one server and half on another.

Does this information help?
Well depends...this IP - 172.20.4.34 - can you access this? Is this one of your DC's?
Please reset TCP/IP on machine having the problem

Hotfix
Correct, this is one of our DCs.
Ok, this is a new one!

Right, let's check this first...

On the workstation with the issue - ping that DC
Then run

arp -a

From the listing, check the mac-address that corresponds to the DC's IP

Can you then check the server's network card(run ipconfig/all on server) and see if the mac-addresses match?

If not you have a rogue DHCP router somewhere with the same IP as the DC(I know this one is a stretch, but based on the output from ipconfig that is reporting the correct DHCP server IP this is the only thing I can think of...)
MAC addresses do not match. So you think it is a rogue DHCP router? Any thoughts on how to track this down?
Have you managed switches? If so log into it and check the mac-address table(most will have this function)

Check the table for the mac-address that shows up on the workstation
It will hopefully show you what port on the switch its associated with, which you can then trace...

What type of switches? Multiple?
if you have a MAC address, you can track a MAC address on a network switch port!

and find the device or unplug the cable or port!
Mac address and ip that comes back from the arp -a command is the Router.
Ok, you are obviously hopping through the router to the DC, so in this case that's why the mac is different(sorry didn't ask your topology first)

So the DC is obviously on a separate subnet yes? Passing through your router?

Or...is DHCP running on the router? What type is the router?
do you have a managed switch, you can search the switch for the port the mac address is on?

HP, Cisco and Juniper you can.
Found the Rogue DNS server. Was an unmanaged router. Thanks for your help.
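
The check done by hand in this thread (which DHCP server answered, and which DNS server it handed out), as an added example that is not part of the original thread: a Python parser for the options of a DHCP reply that flags a Server Identifier (option 54) or DNS server (option 6) outside an allow-list. The allow-lists, function names and the sample packet are constructed assumptions; only the addresses 172.20.4.34, 172.20.20.194 and 10.1.0.1 come from the thread.

```python
import ipaddress
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Assumed allow-lists: the DC named in the thread and its "172.x.x.x" schema.
APPROVED_DHCP = {"172.20.4.34"}
APPROVED_DNS_NET = ipaddress.ip_network("172.0.0.0/8")

def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option code: raw value} from the UDP payload of a DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (short header or bad magic cookie)")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:      # 255 = End
        if payload[i] == 0:                            # 0 = Pad, has no length byte
            i += 1
            continue
        code = payload[i]
        length = payload[i + 1] if i + 1 < len(payload) else -1
        value = payload[i + 2:i + 2 + length]
        if length < 0 or len(value) != length:
            raise ValueError(f"option {code} is truncated")
        opts[code] = opts.get(code, b"") + value       # repeated options concatenate
        i += 2 + length
    return opts

def to_ips(raw: bytes) -> list:
    return [socket.inet_ntoa(raw[j:j + 4]) for j in range(0, len(raw) - 3, 4)]

def audit_reply(payload: bytes) -> list:
    """Findings for one DHCP OFFER/ACK; an empty list means nothing unexpected."""
    opts = parse_dhcp_options(payload)
    findings = [f"unapproved DHCP server {s}" for s in to_ips(opts.get(54, b""))
                if s not in APPROVED_DHCP]
    findings += [f"unexpected DNS server {d}" for d in to_ips(opts.get(6, b""))
                 if ipaddress.ip_address(d) not in APPROVED_DNS_NET]
    return findings

def sample_ack(server_id: str, dns: list) -> bytes:
    """Constructed DHCPACK for 172.20.20.194 (not a capture from the thread)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                         bytes(4), socket.inet_aton("172.20.20.194"), bytes(4),
                         bytes(4), bytes(16), bytes(64), bytes(128))
    dns_raw = b"".join(socket.inet_aton(d) for d in dns)
    options = (b"\x35\x01\x05" + b"\x36\x04" + socket.inet_aton(server_id)
               + bytes([6, len(dns_raw)]) + dns_raw + b"\xff")
    return header + MAGIC_COOKIE + options
```

With the values from the posted ipconfig output, `audit_reply(sample_ack("172.20.4.34", ["10.1.0.1"]))` passes the server check and still flags the DNS entry, which is why the option 6 value has to be checked on its own.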