Windows DHCP Server showing Duplicate Addresses

This morning I received some calls about users receiving a popup with the message "Windows had detected an IP address conflict". I looked at our DHCP server and there are several IP addresses which are marked as "BAD_ADDRESS" "This address is already in use".

I went to a couple of the affected computers. I checked the DHCP server and they are pointing to the correct one. I then did an ipconfig /release and an ipconfig /renew and they acquired the same IP address and they are still marked as BAD_ADDRESSES in DHCP. The computers seem to be running fine with the exception of occasional popups.

I can ping the computers, I have run scans on the IP address from NMAP and I did an ARP scan which only finds one host per IP.  

Any idea what would cause this, how to identify the duplicate IPs or how to resolve it?

qvfpsAuthor Commented:
The Unique ID of all the BAD addresses are only 8 characters and end in 4512ac
The first 6 characters belong to the manufacturers (and you have only two) and the last six should be unique for each manufacturer.
Statistically it is almost impossible that you have six network cards that end with 4512ac. Something is very wrong there.
Check this article.
There, a Vista machine was indicated that had a "bridged" connection between its wireless and wired interfaces, which caused it. This falls under the category of "multihomed" DHCP clients. You have few similar cases there.
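
Added example, not part of the thread: in the Windows DHCP console the Unique ID of a BAD_ADDRESS entry is the flagged IPv4 address itself, written as four hex bytes in reverse order, not a hardware address, so IDs ending in 4512ac all decode to addresses in 172.18.69.x. The sketch below decodes such IDs and separates them from real client leases; the function names and the sample rows are constructed for illustration.

```python
import ipaddress
from collections import Counter

def bad_address_ip(unique_id):
    """Decode an 8-hex-character BAD_ADDRESS Unique ID into the IPv4 address it records."""
    raw = bytes.fromhex(unique_id.replace("-", "").replace(":", ""))
    if len(raw) != 4:
        raise ValueError(f"not a 4-byte BAD_ADDRESS id: {unique_id!r}")
    return ipaddress.IPv4Address(raw[::-1])   # bytes are stored in reverse order

def triage(rows):
    """Split (ip, name, unique_id) lease rows into clients, conflict markers and oddities."""
    clients, markers, odd = [], [], []
    for ip, name, uid in rows:
        if name.upper() != "BAD_ADDRESS":
            clients.append((ip, uid))          # normal lease: uid identifies the client
            continue
        try:
            ok = str(bad_address_ip(uid)) == ip
        except ValueError:
            ok = False                         # not a reversed-IP id: look at it by hand
        (markers if ok else odd).append((ip, uid))
    return clients, markers, odd

def affected_networks(markers, prefix=24):
    """Count conflict markers per network; a shared network means a shared ID suffix."""
    nets = (ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip, _ in markers)
    return Counter(str(n) for n in nets)

# Constructed sample rows (addresses, names and IDs are made up for illustration).
SAMPLE = [
    ("172.18.69.23", "BAD_ADDRESS", "174512ac"),
    ("172.18.69.42", "BAD_ADDRESS", "2a4512ac"),
    ("172.18.69.200", "BAD_ADDRESS", "c84512ac"),
    ("172.18.69.77", "PC-ACCT-07", "001122334455"),
]

if __name__ == "__main__":
    clients, markers, odd = triage(SAMPLE)
    print(len(clients), "client leases;", len(markers), "conflict markers;", len(odd), "odd")
    print(affected_networks(markers))
```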

qvfpsAuthor Commented:
The duplicate IP addresses decreased all morning until noon.  I checked right after noon and the number had almost tripled.   Machines which are flagged as a duplicate in the DHCP server are not having any issues.   I can see and connect to them just fine and they are having no issues connecting to anything else.  

I tried running DHCPLOC and did not find any other DHCP servers. I ran Wireshark and did not find anything unusual. If I do an ARP scan I don't find any duplicates. I ran NMAP for the whole subnet and it did not find any duplicates either.

I had one visitor who is doing some work for us who had a virtual machine with a bridged connection which he changed to use the Host IP but that is all I have found so far.  

If someone has a bridged connection how do I identify the computer?

I am going to reboot the server tonight and see if that helps.
qvfpsAuthor Commented:
The duplicate IP addresses listed in the DHCP server dropped off after 5 PM to only a couple. A lot more than could be accounted for by people shutting down their computers at the end of the day. The list started growing again in the morning.
qvfpsAuthor Commented:
Yesterday the Duplicate IPs started to build up again.  I tried running Wireshark and tracing all the DHCP requests to see if I could find a machine repeatedly requesting IP addresses with no luck.  

This morning the issue seems to have gone away.  I have no duplicate IP addresses flagged on the DHCP server.   We had a whole bunch of visitors/contractors/external employees in the past couple of days so I am guessing it was one of them.  I was just never able to identify the actual computer causing the issue.
You should probably configure DHCP snooping on your switches (at least on Cisco switches). I have no idea what that option is called on other vendors' switches.
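
Added example, not part of the thread: one way a Windows DHCP server comes to mark an address BAD_ADDRESS is a client sending DHCPDECLINE after finding the offered address already in use, so when tracing DHCP traffic the DECLINE messages show which client reported which address. The parser below works on raw DHCP payloads; the function names, the `build` helper and all packets, MACs and host names are constructed for illustration.

```python
import ipaddress
import struct
from collections import defaultdict

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # precedes the DHCP options (RFC 2131)
DHCPREQUEST, DHCPDECLINE = 3, 4      # values of option 53, DHCP message type

def parse_dhcp(payload):
    """Parse a DHCP UDP payload into (message type, client MAC, options) or None."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + min(payload[2], 16)])
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:     # 255 = end of options
        if payload[i] == 0 or i + 2 > len(payload):   # pad byte, or truncated header
            i += 1
            continue
        options[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    msg_type = (options.get(53) or b"\x00")[0]
    return msg_type, mac, options

def declines_by_client(payloads):
    """Map client MAC -> {'host': last host name seen, 'declined': [IPs it declined]}."""
    seen = defaultdict(lambda: {"host": "", "declined": []})
    for payload in payloads:
        parsed = parse_dhcp(payload)
        if parsed is None:
            continue
        msg_type, mac, opts = parsed
        if 12 in opts:                                # option 12 = host name
            seen[mac]["host"] = opts[12].decode("ascii", "replace")
        if msg_type == DHCPDECLINE and len(opts.get(50, b"")) == 4:   # 50 = requested IP
            seen[mac]["declined"].append(str(ipaddress.IPv4Address(opts[50])))
    return {mac: info for mac, info in seen.items() if info["declined"]}

def build(msg_type, mac, ip, host=""):
    """Build a constructed sample packet; used only to create test data."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234, 0, 0,
                         b"", b"", b"", b"", bytes.fromhex(mac), b"", b"")
    opts = bytes([53, 1, msg_type, 50, 4]) + ipaddress.IPv4Address(ip).packed
    opts += (bytes([12, len(host)]) + host.encode("ascii")) if host else b""
    return header + MAGIC_COOKIE + opts + b"\xff"

SAMPLE = [  # constructed traffic: one normal client, one client that declines two offers
    build(DHCPREQUEST, "001122334455", "172.18.69.77", "PC-ACCT-07"),
    build(DHCPREQUEST, "02aabbccddee", "172.18.69.23", "LAPTOP-X"),
    build(DHCPDECLINE, "02aabbccddee", "172.18.69.23"),
    build(DHCPDECLINE, "02aabbccddee", "172.18.69.42"),
]
```

A DECLINE names the client that found the address in use, which is not necessarily the device holding it; the declined addresses are the ones to chase on the switch MAC tables.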

qvfpsAuthor Commented:
I am guessing that it was a bridged connection on one of the visitors' computers which caused the issue. That seems to most closely resemble the issue I was seeing.

I will look at configuring DHCP snooping on our network although I am not sure it will help in this case since it wasn't a rogue DHCP server.

Thanks for the suggestions.  I may not have identified the computer but I did learn some things which will help if the issue ever reoccurs.