Solved

W2k8 DHCP server gets a couple of bad address entries every day

Posted on 2013-11-05
Last Modified: 2016-11-23
Hi,
we have a W2k8 R2 server running a DHCP server with a scope of private IP addresses. All of them are reservations. All worked well until a fortnight ago. Since then, we got between two and five "bad address" entries every workday. We had to delete these entries and set up the reservation again. Then the clients get their address again. First we thought of a rogue DHCP server, but that isn't the case.
With Wireshark we can see a DHCP DECLINE packet from the client. So the clients think their address is already in use. But that is not true. None of our clients is multi-homed nor is the server. The only common thing we could recognize: all clients are Dell Latitudes E4300 and E6400 with Windows 7 SP1 and it happens in the morning when people start work and after the lunch break. Possibly it has something to do with energy saving mode and the network interface. But we could not prove it until now.
Has anyone experienced something like that? Thanks in advance.

Olaf
Question by:olaf_joerk
 
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39623910
Did you verify whether or not any hosts are using static IP configurations?  The same would hold true for VM instances, etc.  Perhaps ping/port scan the bad address(es) to verify.  This condition suggests IP address conflicts.

See
http://technet.microsoft.com/en-us/library/dd183587%28v=ws.10%29.aspx
0
 

Author Comment

by:olaf_joerk
ID: 39624004
Thanks for your answer. No, there is no computer with a static IP configuration. We pinged the addresses but we did it with a delay (as we had to look for bad address entries from time to time), so I think we were too late. We got no answer every time. We already set the IP address conflict detection to 2. We also set the subnet delay to 5 ms. No changes so far.

Olaf
0
 
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39624007
Do your end points have software firewalls? Ping requests will of course time out if ICMP is blocked; this is typical for many BYODs. Consider checking the ARP table on your router/switch stack to be sure. Are all internal hosts configured to use internal AD/DNS servers? If so, any DNS entries for the offending IP address(es)? DHCP dynamically updating DNS records? What is your DNS scavenging setting? Are any of these event IDs present?
0

Author Comment

by:olaf_joerk
ID: 39624068
We use the Windows Firewall, but all our clients answer ICMP. When checking the ARP tables at the switches we never found the IP at any access port, only on trunk ports.
All hosts are configured to use internal DNS/AD servers. DHCP dynamically updates DNS. "Scavenge stale resource records" is checked. Both intervals are set to 7 days. None of the mentioned event IDs are present.
0
 

Author Comment

by:olaf_joerk
ID: 39630350
I found out something more: the clients fire an event 4199 that says that the IP address 0.0.0.0 got a conflict with the system having MAC address ....
All the mentioned MACs are from our Cisco C2960 switches with recently installed IOS15. In a first attempt I couldn't find the MACs because I had no idea that the switches increment their MACs from a base MAC address. So the devices are identified. But why on earth do they interfere with DHCP? Their management interface address is a static one.

Any ideas? Thanks.

Olaf
0
 

Accepted Solution

by:olaf_joerk
ID: 39650470
I found the solution. In IOS15 the device tracking feature is switched on by default. This feature may cause problems with DHCP servers as it uses ARP probes as well. We introduced a delay for the ARP probes and solved the problem.

ip device tracking probe delay 10

If it doesn't help, Cisco recommends using the switch virtual interface:

ip device tracking probe use-svi

For those who might have the same trouble.

Olaf
0
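The attribution step from this thread (client event 4199 naming a switch MAC as the conflicting host for 0.0.0.0), as an added example that is not part of the original posts: it pulls the MAC out of each event message and matches it to a switch by base-MAC range. The event wording, switch names, MAC values and the 64-address window are constructed assumptions.

```python
import re

# Constructed sample of client-side event 4199 messages (wording is an assumption).
SAMPLE_EVENTS = [
    "The system detected an address conflict for IP address 0.0.0.0 with the "
    "system having network hardware address 00-00-5E-00-53-05.",
    "The system detected an address conflict for IP address 0.0.0.0 with the "
    "system having network hardware address 00-00-5E-00-53-98.",
    "The system detected an address conflict for IP address 192.168.10.23 with the "
    "system having network hardware address 02-00-00-AA-BB-CC.",
]

# Hypothetical inventory: switch name -> base MAC (documentation-range values).
SWITCH_BASE_MACS = {
    "sw-floor1": "00:00:5e:00:53:00",
    "sw-floor2": "00:00:5e:00:53:80",
}
PORT_MAC_WINDOW = 64  # assumption: per-port MACs are base + 0..63

EVENT_RE = re.compile(
    r"IP address (\d{1,3}(?:\.\d{1,3}){3}) .*?"
    r"hardware address ((?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})"
)

def mac_to_int(mac):
    """Normalise a MAC written with '-', ':' or '.' separators to an integer."""
    return int(re.sub(r"[-:.]", "", mac), 16)

def owning_switch(mac, inventory=SWITCH_BASE_MACS, window=PORT_MAC_WINDOW):
    """Return (switch, offset) if mac lies in [base, base + window), else None."""
    value = mac_to_int(mac)
    for name, base in inventory.items():
        offset = value - mac_to_int(base)
        if 0 <= offset < window:
            return name, offset
    return None

def classify(events):
    """Label each 4199 event: a switch probe for 0.0.0.0 or another conflict."""
    findings = []
    for message in events:
        match = EVENT_RE.search(message)
        if not match:
            continue
        ip, mac = match.groups()
        owner = owning_switch(mac)
        if ip == "0.0.0.0" and owner:
            verdict = "switch ARP probe"
        else:
            verdict = "other conflict"
        findings.append((ip, mac.lower(), owner, verdict))
    return findings

if __name__ == "__main__":
    for finding in classify(SAMPLE_EVENTS):
        print(finding)
```
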
 

Author Closing Comment

by:olaf_joerk
ID: 39658943
I simply found the solution myself.
0
