
We recently had to perform a disaster-recovery fail-over from our main site, which involved changing the IPs at which our main office Domain Controllers (which also serve DNS) reside. It went off well enough, considering, but in the process we discovered something very weird about one of our sites. (We have a primarily hub-and-spoke site layout, for what it's worth.)

At this one site, and only this one site, all our client machines retained the old DC IPs for their DNS servers. Doing an ipconfig /renew would fetch the updated DNS settings, but after an hour or so, or the next reboot, the machines would come up with the old DNS servers again.

They're mostly XP machines, though there's a Windows 7 box that behaved the same way (all HP desktops), and of course, they were set to obtain their DNS servers through DHCP. This site has a split-scope DHCP (all Windows DHCP servers), with one local server and one back at the main office, in addition to having a DC on site, which would also serve up DNS if any of the clients were set to point at it.

I checked for any GPOs that might be assigning the old DHCP addresses, made sure that none of our DHCP servers were offering up the old addresses, and even went so far as to uninstall and reinstall the DHCP roles, just in case something was causing the old settings to be served out by DHCP.

After a lot of not being able to figure out what the hell was going on, I resorted to manually setting the DNS servers on the clients at that site to what they should be, so the users would be able to function on the network. And because I hadn't figured out the cause, I isolated a client no one was using so that I could track down the root cause of this issue. I set it back to get its DNS servers from DHCP, rebooted, and was about to begin some serious troubleshooting, except that it didn't revert to the old addresses anymore. I did the same thing on a couple of other machines, in case it was a fluke, and it wasn't.

So after manually assigning DNS servers, these machines stopped reverting to the old DNS servers when told to obtain DHCP automatically, for a day or two. I just caught one reverting about an hour ago. During the reversion, I was running this rogue DHCP server checker at five-minute intervals, which found nothing. It sure seems like a rogue DHCP server, but I can't find one, and the clients in question still list their DHCP server as the correct one, even when their DNS changes back.

Anyone have any idea what would cause this behavior?

Bryan
HopelessN00b
  • Sounds to me like it's almost certainly a GPO assigning the addresses. Did you run RSOP.msc on an affected machine and check in `Computer Configuration -> Administrative Templates -> Network -> DNS Client`? – Chris McKeown Jul 06 '12 at 14:30
  • Sure did, no joy. (And I thought it *had to be* a GPO at first too.) The only things under `Computer Configuration -> Administrative Templates -> Network` are `BITS`, `SNMP` and `Network Connections` (for Windows firewall settings). – HopelessN00b Jul 06 '12 at 14:45
  • Tried [scanning](http://blogs.technet.com/b/teamdhcp/archive/2009/07/03/rogue-dhcp-server-detection.aspx) for rogue DHCP servers? – Chris McKeown Jul 06 '12 at 14:49
  • Yup, no joy there either. And the clients were all listing their DHCP server as one of the two DHCP servers for that site, so I'm pretty sure that rules out that. :/ – HopelessN00b Jul 06 '12 at 14:50
  • Could it be your antivirus software forcing the DNS addresses? – Bad Dos Jul 06 '12 at 17:30
  • @BadDos: that's a good thought, I've taken a quick look, and that doesn't appear to be it, but I guess I'll try pulling out the AV and see if that makes a difference. – HopelessN00b Jul 06 '12 at 18:37
  • I'm curious, what is your DHCP lease time? – Mike Pennington Jul 06 '12 at 19:29
  • @Mike Pennington: 8 days wired, less on wireless (but these are all wired clients getting DHCP over a wire.) – HopelessN00b Jul 06 '12 at 20:09
  • Are you running the rogue DHCP checker from the same broadcast domain as the clients in question? DHCP uses UDP broadcasts which generally don't traverse routers, unless configured to do so. – John Homer Jul 06 '12 at 21:39
  • @John Homer: Sure am. The test client machine I mentioned in my post has been running that rogue DHCP checker every five minutes for many, many hours now. No joy. I'm thinking maybe the last guy was dumb enough to force DNS with one of his ungodly VB scripts linked to a GPO, so I've been combing through those, but still nothing. – HopelessN00b Jul 06 '12 at 21:51
  • To further test the GPO suspicion: Is the error provoked by GPUPDATE /FORCE ? – Hagen von Eitzen Jan 03 '13 at 22:27
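The symptom the question and comments circle around is a client that reports the correct DHCP server yet ends up with the wrong DNS servers, which is exactly what a rogue-server check keyed only on the server identifier will miss. The following is an added example, not code from this thread or from the rogue-DHCP checker linked above: it decodes the option field of a DHCPOFFER/DHCPACK payload and reports both an unexpected server identifier (option 54) and a DNS server list (option 6) that differs from what the scope should hand out. The function names, the sample packet builder and all addresses in it are constructed for the example; in practice you would feed `check_offer` the UDP payloads of port 68 traffic captured in the clients' own broadcast domain, as John Homer's comment notes.

```python
"""Decode a DHCP OFFER/ACK and flag an unexpected server or DNS option.

Added example (hypothetical helper, not a tool from the thread).
"""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 option-field marker
OPT_PAD, OPT_END = 0, 255
OPT_DNS_SERVERS = 6                   # option 6: domain-name-servers
OPT_MESSAGE_TYPE = 53
OPT_SERVER_ID = 54                    # option 54: the server the client will list
MSG_TYPES = {2: "OFFER", 5: "ACK"}


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} from the options field of a DHCP message."""
    # 236 bytes of fixed header precede the 4-byte magic cookie.
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (bad length or magic cookie)")
    opts = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:           # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def addresses(raw: bytes) -> list:
    """Split a packed list of IPv4 addresses into dotted strings."""
    if len(raw) % 4:
        raise ValueError("address list is not a multiple of 4 bytes")
    return [str(IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def check_offer(payload: bytes, allowed_servers, expected_dns) -> dict:
    """Compare server identifier and DNS option against what the site should hand out."""
    opts = parse_dhcp_options(payload)
    msg_type = MSG_TYPES.get(opts.get(OPT_MESSAGE_TYPE, b"\x00")[0], "OTHER")
    server = addresses(opts[OPT_SERVER_ID])[0] if OPT_SERVER_ID in opts else None
    dns = addresses(opts.get(OPT_DNS_SERVERS, b""))
    findings = []
    if server not in allowed_servers:
        findings.append("unknown DHCP server identifier %s" % server)
    if dns != list(expected_dns):
        findings.append("DNS servers %s differ from expected %s" % (dns, list(expected_dns)))
    return {"type": msg_type, "server": server, "dns": dns, "findings": findings}


def build_sample_offer(server_id: str, dns_servers, yiaddr: str = "10.20.6.50") -> bytes:
    """Construct a minimal DHCPOFFER payload (sample data, not a real capture)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                      # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0
        0x3903F326, 0, 0x8000,           # xid, secs, flags (broadcast bit set)
        bytes(4), IPv4Address(yiaddr).packed, bytes(4), bytes(4),
        bytes.fromhex("001122334455") + bytes(10), bytes(64), bytes(128))
    dns_raw = b"".join(IPv4Address(a).packed for a in dns_servers)
    options = (bytes([OPT_MESSAGE_TYPE, 1, 2])
               + bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
               + bytes([OPT_DNS_SERVERS, len(dns_raw)]) + dns_raw
               + bytes([OPT_PAD, OPT_END]))
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    # The question's case: right server identifier, wrong DNS option.
    sample = build_sample_offer("10.20.6.2", ["10.1.1.20", "10.1.1.21"])
    print(check_offer(sample, {"10.20.6.2"}, ["10.1.1.10", "10.1.1.11"]))
```

Keying the check on option 6 rather than only on option 54 is the point: a lease whose server identifier is a legitimate server but whose DNS list is stale is a finding in its own right, and it is the one the thread's later answers end up explaining.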

3 Answers


We had a similar situation with both DNS and domain suffix from DHCP reverting... please note that this only affected Win7 machines; the error could not be reproduced on Win8, Ubuntu, iOS or Android.

Long story short, this was solved by a simple reconfiguration of the DHCP server:

Faulty:

```
subnet 10.20.6.0 netmask 255.255.254.0 {
        pool {
                allow members of "SomeGroup";
                range 10.20.6.10 10.20.7.254;
                option domain-name-servers 10.1.1.10, 10.1.1.11;
                option domain-name "domain.lan";
                option routers 10.20.6.1;
        }
}
```

Working:

```
subnet 10.20.6.0 netmask 255.255.254.0 {
        option domain-name-servers 10.1.1.10, 10.1.1.11;
        option domain-name "domain.lan";
        pool {
                allow members of "SomeGroup";
                range 10.20.6.10 10.20.7.254;
                option routers 10.20.6.1;
        }
}
```
Robert
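The only difference between the two configurations above is the scope in which `option domain-name-servers` is declared: inside the `pool {}` block versus at `subnet` level. As an added example (not part of Robert's answer and not an ISC dhcpd tool), here is a small lint that walks the brace nesting of a dhcpd.conf and reports every DNS option together with the scope that declares it, flagging the pool-scoped layout the answer found to misbehave with Windows 7 clients. The function names are my own; the comment stripping is a simplification that ignores `#` inside quoted strings, and the two sample configurations are the ones from the answer.

```python
"""Report the scope of every 'option domain-name-servers' in an ISC dhcpd.conf.

Added example; hypothetical lint, not part of ISC dhcpd.
"""
import re

# Sample configurations taken from the answer above (constructed test input).
FAULTY_CONF = """
subnet 10.20.6.0 netmask 255.255.254.0 {
        pool {
                allow members of "SomeGroup";
                range 10.20.6.10 10.20.7.254;
                option domain-name-servers 10.1.1.10, 10.1.1.11;
                option domain-name "domain.lan";
                option routers 10.20.6.1;
        }
}
"""

WORKING_CONF = """
subnet 10.20.6.0 netmask 255.255.254.0 {
        option domain-name-servers 10.1.1.10, 10.1.1.11;
        option domain-name "domain.lan";
        pool {
                allow members of "SomeGroup";
                range 10.20.6.10 10.20.7.254;
                option routers 10.20.6.1;
        }
}
"""

_DNS_STMT = re.compile(r"option\s+domain-name-servers\s+(.+)$")


def strip_comments(text: str) -> str:
    """Drop '#' comments line by line (simplification: '#' inside quotes is not handled)."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def find_dns_options(conf_text: str) -> list:
    """Return [(scope_path, [servers]), ...] for each domain-name-servers statement.

    scope_path is a tuple of enclosing block headers, e.g.
    ("subnet 10.20.6.0 netmask 255.255.254.0", "pool").
    """
    stack, buf, results = [], "", []
    for ch in strip_comments(conf_text):
        if ch == "{":                       # block opens: its header is what we buffered
            stack.append(" ".join(buf.split()))
            buf = ""
        elif ch == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
            buf = ""
        elif ch == ";":                     # statement ends
            stmt = " ".join(buf.split())
            buf = ""
            m = _DNS_STMT.match(stmt)
            if m:
                servers = [s.strip() for s in m.group(1).split(",")]
                results.append((tuple(stack), servers))
        else:
            buf += ch
    if stack:
        raise ValueError("unbalanced '{'")
    return results


def lint_dns_scope(conf_text: str) -> list:
    """Flag DNS options declared inside a pool {} block."""
    findings = []
    for scope, servers in find_dns_options(conf_text):
        if any(s.split()[:1] == ["pool"] for s in scope):
            findings.append(
                "domain-name-servers %s declared in %s; move it to the enclosing subnet"
                % (", ".join(servers), " > ".join(scope)))
    return findings


if __name__ == "__main__":
    for name, conf in (("faulty", FAULTY_CONF), ("working", WORKING_CONF)):
        print(name, lint_dns_scope(conf) or "ok")
```

Run it against your own dhcpd.conf by reading the file into `lint_dns_scope`; an empty list means every DNS option is declared at subnet level or higher.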

I just ran into this situation and scoured unsuccessfully for an answer until now.

Old Server: Server 2003 with DC(domain1 active), DHCP(disabled), DNS(disabled and role removed)

New Server: Server 2008 R2 with NEW DC(domain2 active), NEW DHCP(active), NEW DNS(active)

Clients are XP and Win7.

Clients were all set to dynamic DNS and DHCP. Ipconfig /renew would grab correct DNS settings, but only for a short time or a reboot, then revert to old server. I checked and re-checked everything, but no joy. I will say that not all clients had the issue, but many did.

Ultimately removing the DHCP role completely from the old server is what fixed the problem. I don't know why, since there is literally no setting telling the clients to think that the old server is a DNS server anymore.

Nate

I'm a little late to the party here, but thought I'd drop this off in case someone searching this issue gets to this site. I've been researching this problem to try to get a better understanding of how this works.

I found this problem at one of my remote sites, the DHCP server in ipconfig was correct, but issuing the wrong DNS servers. No GPO, no local policy, no login script, no other active DHCP servers on-site.

We had replaced the DHCP/DNS server on-site (a 2003 server), disabled the old scope, and un-authorized the server. The new server (2008) was happily issuing DHCP leases, but occasionally I'd see the old DNS servers in the client leases. This caused some problems.

Without going into the long troubleshooting process, I'll just drop the answer. It seems that disabling and un-authorizing a 2003 (possibly also 2000 server if you still have one) server's DHCP scope and server aren't enough. For some reason, the old scope options are still issued somehow from the new DHCP server even if you've never set those options on the new server.

I can't tell you how that happens, and you'll see no DHCP traffic on your network from the old server. It's just weird, but completely removing the DHCP role from the old server fixed this issue in my network and, as I've found in my research, others have had success with this solution as well.

Good Luck!

ITOgre