Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


W2k8 DHCP server gets a couple of bad address entries every day

Posted on 2013-11-05
Medium Priority
1 Endorsement
Last Modified: 2016-11-23
we have a w2k8 r2 server running a dhcp server with a scope of private ip addresses. All of them are reservations. All worked well until a fortnight ago. Since then, we got between two and five "bad address" entries every workday. We had to delete these entries and setup the reservation again. Then the clients get their address again. First we thought of a rogue dhcp server, but that isn't the case.
With wireshark we can see a DHCP DECLINE packet from the client. So the clients think, their address is already in use. But that is not true. None of our clients is multi-homed nor is the server. The only common thing we could recognize: all clients are Dell Latitudes E4300 and E6400 with Windows7 SP1 and it happens in the morning when people start work and after the lunch break. Possibly it has something to do with energy saving mode and the network interface. But we could not prove it until now.
Has anyone experienced something like that? Thanks in advance.

Question by:olaf_joerk
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39623910
Did you verify whether or not any hosts are using static IP configurations?  The same would hold true for VM instances, etc.  Perhaps ping/port scan the bad address(es) to verify.  This condition suggests IP address conflicts.


Author Comment

ID: 39624004
Thanks for your answer. No, there is no computer with a static IP configuration. We pinged the addresses but we did it with a delay (as we had to look for bad address entries from time to time), so I think we were to late. We got no answer every time. We already set the IP address conflict detection to 2. We also set the subnet delay to 5 ms. No changes so far.

LVL 15

Expert Comment

by:Giovanni Heward
ID: 39624007
Do your end points have software firewalls?  Ping requests will of course timeout if ICMP is blocked, this is typical for many BYOD's.  Consider checking the arp table on your router/switch stack to be sure. Are all internal hosts configured to use internal AD/DNS servers?  If so, any DNS entries for the offending IP address(es)?  DHCP dynamically updating DNS records?  What is your DNS scavenging setting?  Are any of these event ID's present?
What Is Blockchain Technology?

Blockchain is a technology that underpins the success of Bitcoin and other digital currencies, but it has uses far beyond finance. Learn how blockchain works and why it is proving disruptive to other areas of IT.


Author Comment

ID: 39624068
We use the windows firewall, but all our clients answer ICMP. When checking the ARP tables at the switches we never found the IP at any access port, only on trunk ports.
All host are configured to use internal DNS/AD servers. DHCP dynamically updates DNS. "Scavenge stale resource records is" checked. Both intervals are set to 7 days. None of the mentioned event IDs are present.

Author Comment

ID: 39630350
I found out something more: the clients fire an event 4199 that says, that the ip address got a conflict with the system having mac address ....
All the mentioned MACs are from our Cisco C2960 switches with recently installed IOS15. I a first attempt I couldn't find the MACs because I had no idea, that the switches increment their macs from a base MAC address. So the devices are identified. But why on earth do they interfere with DHCP? Their management interface address is a static one.

Any ideas? Thanks.


Accepted Solution

olaf_joerk earned 0 total points
ID: 39650470
I found the solution. In IOS15 the device tracking feature is switched on by default. This feature may cause problems with DHCP servers as it use ARP probes as well. We introduced a delay for the ARP probes and solved the problem.

ip device tracking probe delay 10

If it doesn't help, Cisco recommends using the switch virtual interface:

ip device tracking probe use-svi

For those, who might have the same trouble


Author Closing Comment

ID: 39658943
I simply found the solution myself.

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question