W2k8 DHCP server gets a couple of bad address entries every day

Posted on 2013-11-05
Medium Priority
1 Endorsement
Last Modified: 2016-11-23
we have a w2k8 r2 server running a dhcp server with a scope of private ip addresses. All of them are reservations. All worked well until a fortnight ago. Since then, we got between two and five "bad address" entries every workday. We had to delete these entries and setup the reservation again. Then the clients get their address again. First we thought of a rogue dhcp server, but that isn't the case.
With wireshark we can see a DHCP DECLINE packet from the client. So the clients think, their address is already in use. But that is not true. None of our clients is multi-homed nor is the server. The only common thing we could recognize: all clients are Dell Latitudes E4300 and E6400 with Windows7 SP1 and it happens in the morning when people start work and after the lunch break. Possibly it has something to do with energy saving mode and the network interface. But we could not prove it until now.
Has anyone experienced something like that? Thanks in advance.

Question by:olaf_joerk
  • 5
  • 2
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39623910
Did you verify whether or not any hosts are using static IP configurations?  The same would hold true for VM instances, etc.  Perhaps ping/port scan the bad address(es) to verify.  This condition suggests IP address conflicts.


Author Comment

ID: 39624004
Thanks for your answer. No, there is no computer with a static IP configuration. We pinged the addresses but we did it with a delay (as we had to look for bad address entries from time to time), so I think we were to late. We got no answer every time. We already set the IP address conflict detection to 2. We also set the subnet delay to 5 ms. No changes so far.

LVL 15

Expert Comment

by:Giovanni Heward
ID: 39624007
Do your end points have software firewalls?  Ping requests will of course timeout if ICMP is blocked, this is typical for many BYOD's.  Consider checking the arp table on your router/switch stack to be sure. Are all internal hosts configured to use internal AD/DNS servers?  If so, any DNS entries for the offending IP address(es)?  DHCP dynamically updating DNS records?  What is your DNS scavenging setting?  Are any of these event ID's present?
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.


Author Comment

ID: 39624068
We use the windows firewall, but all our clients answer ICMP. When checking the ARP tables at the switches we never found the IP at any access port, only on trunk ports.
All host are configured to use internal DNS/AD servers. DHCP dynamically updates DNS. "Scavenge stale resource records is" checked. Both intervals are set to 7 days. None of the mentioned event IDs are present.

Author Comment

ID: 39630350
I found out something more: the clients fire an event 4199 that says, that the ip address got a conflict with the system having mac address ....
All the mentioned MACs are from our Cisco C2960 switches with recently installed IOS15. I a first attempt I couldn't find the MACs because I had no idea, that the switches increment their macs from a base MAC address. So the devices are identified. But why on earth do they interfere with DHCP? Their management interface address is a static one.

Any ideas? Thanks.


Accepted Solution

olaf_joerk earned 0 total points
ID: 39650470
I found the solution. In IOS15 the device tracking feature is switched on by default. This feature may cause problems with DHCP servers as it use ARP probes as well. We introduced a delay for the ARP probes and solved the problem.

ip device tracking probe delay 10

If it doesn't help, Cisco recommends using the switch virtual interface:

ip device tracking probe use-svi

For those, who might have the same trouble


Author Closing Comment

ID: 39658943
I simply found the solution myself.

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Scenario:  You do full backups to a internal hard drive in either product (SBS or Server 2008).  All goes well for a very long time.  One day, backups begin to fail with a message that the disk is full.  Your disk contains many, many more backups th…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

807 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question