olaf_joerk
asked on
W2k8 DHCP server gets a couple of bad address entries every day
Hi,
we have a w2k8 r2 server running a dhcp server with a scope of private ip addresses. All of them are reservations. All worked well until a fortnight ago. Since then, we got between two and five "bad address" entries every workday. We had to delete these entries and setup the reservation again. Then the clients get their address again. First we thought of a rogue dhcp server, but that isn't the case.
With wireshark we can see a DHCP DECLINE packet from the client. So the clients think, their address is already in use. But that is not true. None of our clients is multi-homed nor is the server. The only common thing we could recognize: all clients are Dell Latitudes E4300 and E6400 with Windows7 SP1 and it happens in the morning when people start work and after the lunch break. Possibly it has something to do with energy saving mode and the network interface. But we could not prove it until now.
Has anyone experienced something like that? Thanks in advance.
Olaf
we have a w2k8 r2 server running a dhcp server with a scope of private ip addresses. All of them are reservations. All worked well until a fortnight ago. Since then, we got between two and five "bad address" entries every workday. We had to delete these entries and setup the reservation again. Then the clients get their address again. First we thought of a rogue dhcp server, but that isn't the case.
With wireshark we can see a DHCP DECLINE packet from the client. So the clients think, their address is already in use. But that is not true. None of our clients is multi-homed nor is the server. The only common thing we could recognize: all clients are Dell Latitudes E4300 and E6400 with Windows7 SP1 and it happens in the morning when people start work and after the lunch break. Possibly it has something to do with energy saving mode and the network interface. But we could not prove it until now.
Has anyone experienced something like that? Thanks in advance.
Olaf
ASKER
Thanks for your answer. No, there is no computer with a static IP configuration. We pinged the addresses but we did it with a delay (as we had to look for bad address entries from time to time), so I think we were to late. We got no answer every time. We already set the IP address conflict detection to 2. We also set the subnet delay to 5 ms. No changes so far.
Olaf
Olaf
Do your end points have software firewalls? Ping requests will of course timeout if ICMP is blocked, this is typical for many BYOD's. Consider checking the arp table on your router/switch stack to be sure. Are all internal hosts configured to use internal AD/DNS servers? If so, any DNS entries for the offending IP address(es)? DHCP dynamically updating DNS records? What is your DNS scavenging setting? Are any of these event ID's present?
ASKER
We use the windows firewall, but all our clients answer ICMP. When checking the ARP tables at the switches we never found the IP at any access port, only on trunk ports.
All host are configured to use internal DNS/AD servers. DHCP dynamically updates DNS. "Scavenge stale resource records is" checked. Both intervals are set to 7 days. None of the mentioned event IDs are present.
All host are configured to use internal DNS/AD servers. DHCP dynamically updates DNS. "Scavenge stale resource records is" checked. Both intervals are set to 7 days. None of the mentioned event IDs are present.
ASKER
I found out something more: the clients fire an event 4199 that says, that the ip address 0.0.0.0 got a conflict with the system having mac address ....
All the mentioned MACs are from our Cisco C2960 switches with recently installed IOS15. I a first attempt I couldn't find the MACs because I had no idea, that the switches increment their macs from a base MAC address. So the devices are identified. But why on earth do they interfere with DHCP? Their management interface address is a static one.
Any ideas? Thanks.
Olaf
All the mentioned MACs are from our Cisco C2960 switches with recently installed IOS15. I a first attempt I couldn't find the MACs because I had no idea, that the switches increment their macs from a base MAC address. So the devices are identified. But why on earth do they interfere with DHCP? Their management interface address is a static one.
Any ideas? Thanks.
Olaf
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I simply found the solution myself.
See
http://technet.microsoft.c