qvfps
asked on
WIndows DHCP Server showing Duplicate Addresses
This morning I received some calls about users receiving a popup with the message "Windows had detected an IP address conflict". I looked at our DHCP server and there are several IP address which are marked as "BAD_ADDRESS" "This address is already in use".
I went to a couple of the affected computers. I checked the DHCP server and they are pointing the correct one. I Then did an ipconfig /release and an ipconfig /renew and they acquired the same IP address and they are still marked as BAD_ADDRESSES in DHCP. The computers seem to be running fine with the exception of occasional popups.
I can ping the computers, I have run scans on the IP address from NMAP and I did an ARP scan which only finds one host per IP.
Any idea what would cause this, how to identify the duplicate IPs or how to resolve it?
I went to a couple of the affected computers. I checked the DHCP server and they are pointing the correct one. I Then did an ipconfig /release and an ipconfig /renew and they acquired the same IP address and they are still marked as BAD_ADDRESSES in DHCP. The computers seem to be running fine with the exception of occasional popups.
I can ping the computers, I have run scans on the IP address from NMAP and I did an ARP scan which only finds one host per IP.
Any idea what would cause this, how to identify the duplicate IPs or how to resolve it?
First 6 characters belong to manufactures (and you have only two) and last six should be unique for each manufacturer.
Statistically is almost impossible that you have six network cards that ends with 4512ac. Something is very wrong there.
Statistically is almost impossible that you have six network cards that ends with 4512ac. Something is very wrong there.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
The duplicate IP addresses decreased all morning until noon. I checked right after noon and the number had almost tripled. Machines which are flagged as a duplicate in the DHCP server are not having any issues. I can see and connect to them just fine and they are having no issues connecting to anything else.
I tried running DHCPLOC and did not find any other DHCP servers. I ran wireshark and did not find anything unusual. If I do an ARP scan I don't find any duplicates. I ran NMAP for the whole subnet and it did not find any duplicates either.
I had one visitor who is doing some work for us who had a virtual machine with a bridged connection which he changed to use the Host IP but that is all I have found so far.
If someone has a bridged connection how do I identify the computer?
I am going to reboot the server tonight and see if that helps.
I tried running DHCPLOC and did not find any other DHCP servers. I ran wireshark and did not find anything unusual. If I do an ARP scan I don't find any duplicates. I ran NMAP for the whole subnet and it did not find any duplicates either.
I had one visitor who is doing some work for us who had a virtual machine with a bridged connection which he changed to use the Host IP but that is all I have found so far.
If someone has a bridged connection how do I identify the computer?
I am going to reboot the server tonight and see if that helps.
ASKER
The duplicate ip addresses listed in the DHCP server dropped off after 5 PM to only a couple. A lot more than could be accounted for by people shutting down their computers at the end of the day. The list started growing again in the morning.
ASKER
Yesterday the Duplicate IPs started to build up again. I tried running Wireshark and tracing all the DHCP requests to see if I could find a machine repeatedly requesting IP addresses with no luck.
This morning the issue seems to have gone away. I have no duplicate IP addresses flagged on the DHCP server. We had a whole bunch of visitors/contractors/exter
This morning the issue seems to have gone away. I have no duplicate IP addresses flagged on the DHCP server. We had a whole bunch of visitors/contractors/exter
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I am guessing that it was a bridged connection on one of the visitors computers which caused the issue. That seems to most closely resemble the issue I was seeing.
I will look at configuring DHCP snooping on our network although I am not sure it will help in this case since it wasn't rouge DHCP server.
Thanks for the suggestions. I may not have identified the computer but I did learn some things which will help if the issue ever reoccurs.
I will look at configuring DHCP snooping on our network although I am not sure it will help in this case since it wasn't rouge DHCP server.
Thanks for the suggestions. I may not have identified the computer but I did learn some things which will help if the issue ever reoccurs.
ASKER