Duplicate IP Address?

We have been experiencing persistent connection issues with our Exchange server.  Primary suspect for cause is another device with the same IP address as our Exchange server.  Running the following commands I was able to discover the MAC address of suspected culprit:

1) arp -a <IP_Address>           (recorded results)
2) arp -d <IP_Address>
3) ping <IP_Address>
4) arp -a <IP_Address>           (compare results with #1)

Results from #1 and #4 had different MAC addresses listed.  Once connection issues were temporarily cleared up I then connected to Exchange server and checked its MAC address.  We now have known correct address and possible culprit.  Doing MAC address lookup we know duplicate device is a Dell, but that doesn't really help as we use all Dell desktops and laptops for our ~100 users on that subnet.

On to the question...  Is there any possible way to determine what and where the device using the duplicate IP is?  Are there any options on blocking this device from accessing the network?  

The IP address is outside the scope of our DHCP server so we know it must be statically configured.  One workaround we have started using for clients with connection issues is to delete the arp record and create a static arp entry with the correct MAC address.  But this will work only for workstations; we won't be able to apply this workaround for all of our digital senders and devices configured to send alerts via SMTP.  It would be too cumbersome to change the IP address of our Exchange server; we must find this conflicting device to correct and resolve our communication issues.
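
The comparison in steps 1 to 4 of the question can be automated over saved `arp -a` captures. This is an added example, not part of the original post; the captures, the addresses in them and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed samples: two Windows `arp -a` captures taken before and after
# `arp -d` + `ping`, as in steps 1-4. Every address here is made up.
BEFORE = """
Interface: 10.0.0.57 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.1              02-00-00-00-00-01     dynamic
  10.0.0.25             02-00-00-aa-bb-cc     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
"""
AFTER = """
Interface: 10.0.0.57 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.1              02-00-00-00-00-01     dynamic
  10.0.0.25             02-00-00-11-22-33     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+\w+\s*$")

def normalize_mac(mac):
    return mac.lower().replace("-", ":")

def parse_arp(text):
    """Return {ip: mac} for the unicast entries of one `arp -a` capture."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # interface banner, column header, blank line
        ip, mac = m.group(1), normalize_mac(m.group(2))
        # Broadcast/multicast MACs have the low bit of the first octet set.
        if int(mac[:2], 16) & 1:
            continue
        table[ip] = mac
    return table

def find_conflicts(captures, known_good=None):
    """Return {ip: suspect MACs} for every IP seen with more than one MAC."""
    seen = defaultdict(set)
    for text in captures:
        for ip, mac in parse_arp(text).items():
            seen[ip].add(mac)
    good = {ip: normalize_mac(m) for ip, m in (known_good or {}).items()}
    return {ip: sorted(macs - {good.get(ip)})
            for ip, macs in seen.items() if len(macs) > 1}

# The known-good MAC is the one read on the server itself.
print(find_conflicts([BEFORE, AFTER], {"10.0.0.25": "02-00-00-AA-BB-CC"}))
```

Run on a schedule from several clients, the same function shows which hosts are seeing the second MAC and when.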

No easy way.
Download Angry IP Scanner from http://angryip.org/
Take the offending IP address out of your DHCP server's allocation range.
Restart the device which has the correct IP and make sure it gets a new one - that way the only device on your network with the offending IP address is the rogue device.
Run Angry IP Scanner. Look at the results and see if that gives you any clues.
If not, you could do the following:
Start a CMD prompt.
Ping <offending address> /t
That will ping indefinitely.
Then unplug each device from your network switches one at a time for a couple of seconds while watching the pings.
When it stops pinging you have found the offending cable. Trace that back to the device.

Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
How many switches do you have?   You could connect to a switch and display the ARP table (on Cisco switches you run the command display MAC address-table).

If you see the MAC address on an uplink port then it is on one of the other switches.  You could use the show cdp neighbor command to find the connected switch.  This way you could find the device with the duplicate MAC.
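
The port lookup described in this comment, as an added example that is not part of the original comment: it reads a saved copy of Cisco IOS `show mac address-table` output and reports the port on which the suspect MAC was learned. The sample table, its addresses and the "more than one MAC on the port means uplink" rule are assumptions made for illustration; a port feeding an IP phone or a small desktop switch will also show several MACs.

```python
import re
from collections import defaultdict

# Constructed sample of `show mac address-table` output; addresses are made up.
MAC_TABLE = """
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0200.0000.0001    DYNAMIC     Gi1/0/24
  10    0200.00aa.bbcc    DYNAMIC     Gi1/0/3
  10    0200.0011.2233    DYNAMIC     Gi1/0/24
  10    0200.0044.5566    DYNAMIC     Gi1/0/24
Total Mac Addresses for this criterion: 4
"""

ROW = re.compile(r"^\s*\d+\s+((?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4})\s+\w+\s+(\S+)\s*$")

def hex12(mac):
    """Reduce dashed, colon or dotted MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def locate(table_text, target_mac):
    """Return (port, macs_on_port, kind) for target_mac, or None if not learned."""
    by_port = defaultdict(set)
    target, target_port = hex12(target_mac), None
    for line in table_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, separators, totals line
        mac, port = hex12(m.group(1)), m.group(2)
        by_port[port].add(mac)
        if mac == target:
            target_port = port
    if target_port is None:
        return None
    count = len(by_port[target_port])
    # Heuristic (assumption): a single MAC suggests an edge port; several
    # suggest an uplink, so repeat the lookup on the neighbouring switch.
    return target_port, count, "access" if count == 1 else "uplink"

# MAC copied from the Windows `arp -a` output, so in dashed notation.
print(locate(MAC_TABLE, "02-00-00-11-22-33"))
```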
Another thought, once you have only the offending device on that IP address, try browsing the device in Windows Explorer by using the IP address. You may see shares which give you a hint. Also try looking for the C$ drive. If you have admin rights you may be able to read the C drive on the offending PC.

Mal Osborne (Alpha Geek) commented:
After hours, send a regular ping. Check the switches for a flashing access light that matches the cadence, and try disconnecting it. Hopefully, you can get access when the office is empty and most connections are not in use.
Larry Struckmeyer MVP commented:
I'm commenting here primarily to see the correct answer.  <g>.  I would use a brute force technique such as turning off one switch at a time to see where the problematic device is plugged in and then eliminating the devices on that switch with a 50-50 split.

Or, knowing its IP you can determine its MAC address and the system name.  Not sure that would help, but once knowing the system name and IP you should be able to RDP to it and leave a message on the system with Notepad for the user to call you.
Walter Curtis (SharePoint AED) commented:
You should be able to block network access based on the MAC address. Most if not all switches support this.

Hope that helps...
Not sure what you are after. akb provided a way to locate the switch where the device is; once the switch is identified, you can on that switch identify the port on which that system is connected.

Sneak also covered the lockout.

Is it possible for a wireless to use that IP?
If you have Cisco switches, you can temporarily disable the network card on Exchange (if you search by IP address; if you search by MAC address, I guess you don't have to disable the network card) and issue
# traceroute mac or # traceroute mac ip
That would allow you to quickly find the location of the duplicate-address device, either by MAC or IP address.

In my point of view you should change your setup and only use DHCP for all of your devices and PCs, and don't allow setting anything to static except maybe the device that acts as your router and DHCP server.

Then if anything requires a static IP, use your DHCP server to make reservations for those devices or PCs. This way your static IPs are all centrally managed on your DHCP server and duplicate IPs avoided in the first place. You also don't have to manually set up each device, as usually DHCP is the default anyway.
Server/roles will run with problems as they expect the IP/network interface reflected as static; DHCP reserved IPs are not reflected as static on the system.
Segment/VLAN separation for servers and clients is a way to minimize server-impacting duplicate IP.

The risk of MAC-locking IPs is that, over time, it might turn around and have an adverse effect.

Question has a verified solution.
