Cannot locate Rogue DHCP Server

 
 
Nick

 
      07-12-2005, 05:36 AM
Hi, I'm hoping someone out there can shed some light on this, as it's
driving me to drink!

I have an old NT 4.0 domain that hasn't been fully upgraded to AD yet;
it's comprised of 2 subnets connected by a router.

subnet 1
192.168.1.0 255.255.255.0
subnet 2
192.168.2.0 255.255.255.0

There is an 'authorised' DHCP server on each subnet

DHCP server subnet 1 192.168.1.8
DHCP server subnet 2 192.168.2.25

However, over the last few weeks some users have been complaining that
they lose connectivity to the internet and other resources. After
investigation this proves to be due to a rogue DHCP server, reportedly
from 192.168.1.254, handing out invalid routes / DNS settings etc.

I ran the DHCPLOC.exe util from the support tools and indeed on the .1
subnet there is a DHCP server at 1.8 and 1.254.

HOWEVER, I cannot ping/scan .254. Checking the DHCP leases on the
network shows nothing for the address. Short of checking every machine
on the network, I'm really not sure how to track this down?

Can anyone please help?

 
 
 
 
 
Olaf Engelke [MVP Windows Server]

 
      07-12-2005, 01:43 PM
Hi Nick,
Nick wrote:
> However over the last few weeks some users have been complaining that
> they lose connectivity to the internet and other resources. After
> investigation this proves to be due to a rogue DHCP server reportedly
> from 192.168.1.254 handing out invalid routes / DNS settings etc.
>
> I ran the DHCPLOC.exe util from the support tools and indeed on the .1
> subnet there is a DHCP server at 1.8 and 1.254.
>
> HOWEVER, I cannot ping/scan .254. Checking the DHCP leases on the
> network show nothing for the address.. short of checking every machine
> on the network I'm really not sure how to track this down?
>

Normally you would make a ping.
Following the ping, run arp -A
This should show you the MAC address of this device.
And the MAC address could lead you to the maker.

But as the ping doesn't come through, your only chance may be the
hub/switch.
Pull off all devices which are offline after business hours if most PCs
are shut down and where you don't know what they are (not sure about today's
PCs if they).
If you have a manageable switch this could give you some information through
its software.

Do you have a WLAN router in your network? This could also act as DHCP
server.

Best greetings from Germany
Olaf
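
Because .254 does not answer ping, its MAC address can instead be read from the DHCP reply it sends. The following is an added example, not part of any poster's message: a parser for one captured Ethernet frame that reports the source MAC and server identifier (option 54) of any OFFER/ACK not coming from the two authorised servers named in the thread. The function names, the sample frame builder and the MAC addresses in it are constructed for illustration.

```python
import ipaddress
import struct

AUTHORISED = {"192.168.1.8", "192.168.2.25"}  # authorised servers named in the thread
MAGIC_COOKIE = b"\x63\x82\x53\x63"            # marks the start of the DHCP options

def parse_dhcp_frame(frame: bytes):
    """Return (src_mac, msg_type, server_id) for an untagged Ethernet/IPv4 DHCP server reply."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":   # EtherType IPv4, no VLAN tag
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ip = frame[14:]
    if len(ip) < 20 or ip[9] != 17:                      # IP protocol 17 = UDP
        return None
    udp = ip[(ip[0] & 0x0F) * 4:]                        # skip IP header (IHL * 4 bytes)
    if len(udp) < 8 or struct.unpack("!HH", udp[:4]) != (67, 68):  # server -> client
        return None
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[236:240] != MAGIC_COOKIE:
        return None
    msg_type = server_id = None
    opts, i = bootp[240:], 0
    while i + 1 < len(opts) and opts[i] != 255:          # 255 = end of options
        if opts[i] == 0:                                 # 0 = pad, has no length byte
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        value = opts[i + 2:i + 2 + length]
        if code == 53 and len(value) == 1:               # DHCP message type
            msg_type = value[0]
        elif code == 54 and len(value) == 4:             # server identifier
            server_id = str(ipaddress.IPv4Address(value))
        i += 2 + length
    return src_mac, msg_type, server_id

def rogue_offer(frame: bytes):
    """Return (server_id, src_mac) if the frame is an OFFER (2) or ACK (5) from an unlisted server."""
    parsed = parse_dhcp_frame(frame)
    if parsed and parsed[1] in (2, 5) and parsed[2] not in AUTHORISED:
        return parsed[2], parsed[0]
    return None

def sample_offer(server_ip: str, mac: str) -> bytes:
    """Constructed test frame: a minimal broadcast DHCPOFFER (checksums left at zero)."""
    sid = ipaddress.IPv4Address(server_ip).packed
    bootp = bytes([2, 1, 6, 0]) + bytes(232) + MAGIC_COOKIE + b"\x35\x01\x02\x36\x04" + sid + b"\xff"
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, sid, b"\xff" * 4) + udp
    return b"\xff" * 6 + bytes.fromhex(mac.replace(":", "")) + b"\x08\x00" + ip
```

Feed it frames captured on a client in the affected subnet while that client requests a lease; the MAC it returns is the value to search for in a manageable switch's address table.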

 
 
Phillip Windell

 
      07-12-2005, 02:07 PM

"Nick" wrote in message:
> However over the last few weeks some users have been complaining that
> they lose connectivity to the internet and other resources. After
> investigation this proves to be due to a rogue DHCP server reportedly
> from 192.168.1.254 handing out invalid routes / DNS settings etc.


With that address it is probably an Internet Sharing NAT Device on which you
forgot to disable the DHCP Service when it was deployed. Often such
devices are either the first or the last address in the subnet; this one
is the last address.

It could also be a LAN Router but the chance of that is less.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



 
 
SIME U via WinServerKB.com

 
      07-12-2005, 03:44 PM
Hi

You say the domain is not "fully upgraded to AD". What I am about to say will
relate to AD. I had this very issue with a rogue DHCP and the only way I
could remove it was using ADSIedit from the support tools.

If you have never used ADSIedit before it is a bit daunting. I am assuming
the "rogue" DHCP doesn't appear in any MMC so you can remove it?

If you need help finding the DHCP servers within the directory let me know
and I will point you in the right direction.

From memory it's CN=netservices CN=services CN=configuration DC=domain
DC=local and then in here you will see a class called DHCPclass and it is
here you will more than likely see your rogue DHCP server.

Like I said, this is only relevant if your DHCP was authed in AD, thus creating
an LDAP location for it.

In fact, forget "from memory": the above is right, and here is a link to the issue
and subsequent solution that I experienced - I just found it

http://www.pcreview.co.uk/forums/sho...21#post5646221

Si
 
 
Nick

 
      07-13-2005, 12:05 AM

Thanks Si, I had a look at the AD Schema, and it only lists the correct
DHCP's.

But as we are still running an NT4 domain the unauthorized DHCP server
is able to broadcast even.

I'm thinking the way to fix this is to migrate to AD fully from our NT 4
domain and then any unauthorized DHCP servers will be shut down as per
native AD security settings.

 