W2k8 DHCP server gets a couple of bad address entries every day

Posted on 2013-11-05
1 Endorsement
Last Modified: 2016-11-23
we have a w2k8 r2 server running a dhcp server with a scope of private ip addresses. All of them are reservations. All worked well until a fortnight ago. Since then, we got between two and five "bad address" entries every workday. We had to delete these entries and setup the reservation again. Then the clients get their address again. First we thought of a rogue dhcp server, but that isn't the case.
With wireshark we can see a DHCP DECLINE packet from the client. So the clients think, their address is already in use. But that is not true. None of our clients is multi-homed nor is the server. The only common thing we could recognize: all clients are Dell Latitudes E4300 and E6400 with Windows7 SP1 and it happens in the morning when people start work and after the lunch break. Possibly it has something to do with energy saving mode and the network interface. But we could not prove it until now.
Has anyone experienced something like that? Thanks in advance.

Question by:olaf_joerk
  • 5
  • 2
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39623910
Did you verify whether or not any hosts are using static IP configurations?  The same would hold true for VM instances, etc.  Perhaps ping/port scan the bad address(es) to verify.  This condition suggests IP address conflicts.


Author Comment

ID: 39624004
Thanks for your answer. No, there is no computer with a static IP configuration. We pinged the addresses but we did it with a delay (as we had to look for bad address entries from time to time), so I think we were to late. We got no answer every time. We already set the IP address conflict detection to 2. We also set the subnet delay to 5 ms. No changes so far.

LVL 14

Expert Comment

by:Giovanni Heward
ID: 39624007
Do your end points have software firewalls?  Ping requests will of course timeout if ICMP is blocked, this is typical for many BYOD's.  Consider checking the arp table on your router/switch stack to be sure. Are all internal hosts configured to use internal AD/DNS servers?  If so, any DNS entries for the offending IP address(es)?  DHCP dynamically updating DNS records?  What is your DNS scavenging setting?  Are any of these event ID's present?
Why spend so long doing email signature updates?

Do you spend loads of your time carrying out email signature updates? Not very interesting are they? Don’t let signature updates get you down. Let Exclaimer Cloud - Signatures for Office 365 make managing email signatures a breeze.


Author Comment

ID: 39624068
We use the windows firewall, but all our clients answer ICMP. When checking the ARP tables at the switches we never found the IP at any access port, only on trunk ports.
All host are configured to use internal DNS/AD servers. DHCP dynamically updates DNS. "Scavenge stale resource records is" checked. Both intervals are set to 7 days. None of the mentioned event IDs are present.

Author Comment

ID: 39630350
I found out something more: the clients fire an event 4199 that says, that the ip address got a conflict with the system having mac address ....
All the mentioned MACs are from our Cisco C2960 switches with recently installed IOS15. I a first attempt I couldn't find the MACs because I had no idea, that the switches increment their macs from a base MAC address. So the devices are identified. But why on earth do they interfere with DHCP? Their management interface address is a static one.

Any ideas? Thanks.


Accepted Solution

olaf_joerk earned 0 total points
ID: 39650470
I found the solution. In IOS15 the device tracking feature is switched on by default. This feature may cause problems with DHCP servers as it use ARP probes as well. We introduced a delay for the ARP probes and solved the problem.

ip device tracking probe delay 10

If it doesn't help, Cisco recommends using the switch virtual interface:

ip device tracking probe use-svi

For those, who might have the same trouble


Author Closing Comment

ID: 39658943
I simply found the solution myself.

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was asked if I could set up a fax machine so that incoming faxes were delivered to people's Exchange inboxes and so that they could send faxes from their desktops without needing to print the document first.  I knew it was possible but I had no id…
We recently had an issue where out of nowhere, end users started indicating that their logins to our terminal server were just showing a "blank screen." After checking the usual suspects -- profiles, shell=explorer.exe in the registry, userinit.exe,…
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now