Disabled machine still getting dhcp address?

Good Morning Experts,

I am hoping you can help me with this, I am stuck.

I have a system that was in our Active Directory that has been turned off and I thought was no longer here (there are a lot of them; a lot of people left and the systems are gone).

Recently this system was turned on and I see it hitting Active Directory trying to authenticate. I can ping it but can't reach it to do anything; it's been over 90 days so AD isn't letting it.

DHCP is? Why, and how can I stop it? I could not figure out why it was getting an address, so I created an IPsec policy and blocked that IP. That worked, but it renewed last night and was able to obtain another address.

Why on earth would DHCP continue to lease out an IP address if the machine is disabled, and how can I stop this? It's driving me bonkers.

Thank you,

Cliff Galiher commented:
DHCP does not require any authentication. That is by design. So it'll hand out an address to any device that asks for one. The device does not even need to be in AD.
klsphotos (Author) commented:
That is crazy to me... at least I know now that you can't; I have been looking. How can I block this system from our network then?
Joseph Moody (Blogger and wearer of all hats) commented:
The best thing is to go retrieve the machine and properly retire it. You can use MAC address filtering as suggested above. You can create a bogus DHCP reservation for the MAC of the machine... but there is nothing preventing someone from hard-coding a valid address. Not sure what type of environment you are in, but this is definitely a security risk, having an unmanaged workstation connected to your network.
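Since DHCP hands out leases without consulting AD, the practical defender's check is to compare the lease list against AD and flag leases held by hosts whose computer account is disabled or does not exist, then use those MACs as deny-filter candidates. The script below is an added example, not code from this thread or from the DHCP server; the CSV layouts for the lease export and the AD export are constructed here and are not a real tool's output format.

```python
"""Flag DHCP leases held by hosts whose AD computer account is disabled or missing.

Added example (not from the thread). Lease and AD records are constructed
inline in a simple CSV layout; a real run would feed in an export from the
DHCP console and from AD. The column layout is an assumption, not a real
tool's format.
"""
import csv
from io import StringIO

# Constructed sample DHCP lease export: ip,mac,hostname
LEASES_CSV = """ip,mac,hostname
10.0.5.21,00-1A-2B-3C-4D-5E,WS-OLDBOX
10.0.5.22,00-1A-2B-3C-4D-5F,WS-ACCT01
10.0.5.23,00-1A-2B-3C-4D-60,UNKNOWN-PC
"""

# Constructed sample AD computer export: name,enabled
AD_CSV = """name,enabled
WS-OLDBOX,false
WS-ACCT01,true
"""

def load_leases(text):
    """Parse the lease export into a list of dicts with ip/mac/hostname."""
    return list(csv.DictReader(StringIO(text)))

def load_ad_computers(text):
    """Map upper-cased computer name -> True if the AD account is enabled."""
    return {r["name"].upper(): r["enabled"].strip().lower() == "true"
            for r in csv.DictReader(StringIO(text))}

def suspicious_leases(leases, ad_computers):
    """Return (ip, mac, hostname, reason) for leases AD does not vouch for."""
    findings = []
    for lease in leases:
        name = lease["hostname"].upper()
        if name not in ad_computers:
            findings.append((lease["ip"], lease["mac"], name, "no AD account"))
        elif not ad_computers[name]:
            findings.append((lease["ip"], lease["mac"], name, "AD account disabled"))
    return findings

def deny_list_macs(findings):
    """MACs to put on a DHCP deny filter. A statically assigned IP bypasses this."""
    return sorted({mac for _, mac, _, _ in findings})

if __name__ == "__main__":
    found = suspicious_leases(load_leases(LEASES_CSV), load_ad_computers(AD_CSV))
    for ip, mac, host, why in found:
        print(f"{ip:<12} {mac}  {host:<12} {why}")
    print("deny-filter candidates:", ", ".join(deny_list_macs(found)))
```

The deny list only stops the host from obtaining a lease; as the thread notes, the switch port is the control that actually removes it from the network.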
Neil Russell (Technical Development Lead) commented:
"That is crazy to me"
DHCP is not a function of Windows; rather, it is a service that Windows allows you to run on one of its servers. Windows, AD and DHCP are not functionally related to each other.
klsphotos (Author) commented:
OK, I am on the TechNet article and I do not have filters? I could do MAC address filtering, but unless I need to get more coffee, I am not seeing Filters anywhere in DHCP?

I am unable to locate this system to do it properly; that is why I am really concerned and want to shut it down. We recently leased out space that we previously used, and I am thinking it may have been one left behind and turned on there, or worse. Going to this business to find out is not an option; I want to do it from within.

Thank you,

klsphotos (Author) commented:
OK, apparently I need the MAC filtering callout tool. I am on Server 2008, not R2. It's no longer available. Ugh!
As pointed out before, simply preventing the machine from obtaining an IP address is really not buying you anything from a security point of view. If in fact this machine is in a space that you have leased to another company, that is an even bigger reason to retrieve the machine... unless security in your environment is not important... just my opinion :-)
klsphotos (Author) commented:
Going over there is not an option. From what I just saw, if I used MAC filtering through DHCP and selected all the current systems and added them to the allow list, and added this one to the deny list, wouldn't that resolve the issue? I want to lock this down for good.
No, that will only prevent the workstation in question from obtaining a valid IP address from your DHCP server. That doesn't prevent someone from manually entering a valid IP address... then they have free rein to run whatever they want. That workstation will be unmanaged (unpatched for vulnerabilities)... if someone happened to plug in an infected USB device or browse to a malicious site... then the malware also has free rein on your network. Obviously that is the worst-case scenario, but you never know.
klsphotos (Author) commented:
OK, now I have figured out what to do.
Do you (or someone from your company) manage the network switch that this device is connected to? If so, at minimum I would disable that switch port... but if there are other switch ports in that location that are somehow able to access your environment, then you need to address that (in my opinion).
klsphotos (Author) commented:
Yes, it was all set up prior to my arrival here. I unplugged all the ports at the switch prior to them taking over the space, but there were 2 I couldn't find. I did not have any documentation on any port management and still don't. I am concerned.
Perhaps a few obvious points, but:

- If you have 2 missing ports... can I assume that you mean you see more connected IPs than you can find cables or users?
- Have you checked for a rogue wifi network? Maybe this was a laptop that was/is connecting to an AP in a closet or behind a dropped ceiling or somewhere... there are several phone apps that will show signal strength and other info to help track it down without walking around with a laptop.
- There may be an unmanaged switch under someone's desk or in a closet (or even sitting hidden in your wire closet) with an extra CPU connected that no one is actually using or even thinking about, but that may have been recently plugged in/turned on by the cleaning crew.
- Do you have any backup log errors? I suppose the previous admin may have had a separate server that sat powered down except for periodic backups?
- Or, perhaps there is a dual-NIC file server that had one NIC unplugged and someone saw the loose cable and put it back in... that would probably be the best-case scenario: then you could re-authenticate it and get 2x throughput.

Unauthorized physical access to the network (wired or wireless) is a problem that needs tracking down. Time to make your own network map and label everything.

Good luck
klsphotos (Author) commented:
I am really embarrassed to say that this system was a system that was in my office. I did check that system, and it was asleep and I thought it was turned off. It was an older one I was working on that got away from me.

So embarrassed, and sorry for the trouble, but I was relieved that I located the source.