4

Odd issue and I'm not having much luck with ole Google (perhaps I'm not looking in the right direction).

Hoping to get a little help with that here from some of you.

On our network we have approx. 75 machines - all running XP SP3. They cover 3 different business operations and each business' machines are subnetted differently but come into the same switches/panels.

Lately, we have had users who pick up a different IP address entirely (from AT&T DSL) and it keeps them from being able to access the network shares they need to and keeps them from being able to use email and some other network driven software.

It's very random that it occurs - sometimes it's just 1 user who is affected. This morning it was 5 users. Just curious what could be causing these machines to not pick up their lease (which hasn't expired) from the network as they normally do and why/where they're picking up this outside IP scheme. We did use a secondary DSL line from AT&T for certain bank related activities for a while but I do not believe we utilize that anymore (although, we may - I'm looking into it).

Any other ideas on where to look and/or how to move forward and keep this from happening anymore would be appreciated!

Hanny

1 Answer

6

It sounds like you have a rogue DHCP server on your network. Check the configuration of any network devices (other than ones that you've configured) that might be providing DHCP and disable them.

When you have a misbehaving client, `ipconfig /all` will show you the DHCP server that assigned the address. That might help you in tracking it down.

MDMarra
  • 1
    Excellent - thank you for the input! Didn't realize ipconfig /all would show the assigner - good to know and yes, it will help! If it does turn out to be a rogue DHCP server I will be sure and mark you as the answer :) Cheers! – Hanny Nov 26 '12 at 17:23
  • 1
    @Hanny To speed the process, you could get Wireshark installed onto a machine that has been affected* and watch for DHCP offers. *I only say this as it ensures it's all on the same network – Dan Nov 26 '12 at 17:26
  • 1
    @Hanny if you want to cut through all of the extra stuff in ipconfig, `ipconfig /all | find "DHCP"` will show you just the lines with DHCP info – MDMarra Nov 26 '12 at 17:27
  • Great stuff guys! Thanks! Hadn't considered the Wireshark method - although I am admittedly not very familiar with it or how to use it. @MDMarra - that command is super helpful! Thanks! – Hanny Nov 26 '12 at 17:39
  • 1
    The rogue DHCP server is most likely a wireless router that someone has brought in and placed on your network... – Paul Ackerman Nov 26 '12 at 18:19
  • As it turned out - that separate DSL line we had for some banking stuff was wired incorrectly (a big thanks to the painters who were kind enough to unplug everything, then replug it incorrectly) so the modem for the extra DSL line ended up wired back into a wall port that attached to the switch attached to our main network and was occasionally handing out DHCP. You guys were spot on! Thanks for the insight! Also @Paul - Around here, I wouldn't put it past people to bring in their own... week 3 here and I'm seeing some weird things! Looks like we still use that extra DSL line - ugh! – Hanny Nov 27 '12 at 13:59
  • 1
    @Hanny if you are concerned about this happening in the future, you could look into using dot1x authentication on your access switches. This way, you could prevent a rogue AP or DSL router in this case from being active on the network if it is plugged into the wrong port. – Paul Ackerman Nov 28 '12 at 12:54
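
The Wireshark check suggested in the comments can be automated. The following is an added example, not part of the original thread: it reads the server identifier (DHCP option 54) out of captured DHCP replies and reports any server that is not on an allow-list. The function names, the allow-list and the sample addresses are assumptions, and `build_reply` only constructs sample packets in place of a real capture.

```python
import socket

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # precedes the DHCP options (RFC 2131)
OFFER, ACK = 2, 5                   # option 53 values sent by servers


def parse_dhcp_reply(payload):
    """Return (msg_type, server_ip, offered_ip) for a DHCP server reply, else None."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC_COOKIE:
        return None                                # not a BOOTREPLY with DHCP options
    offered_ip = socket.inet_ntoa(payload[16:20])  # yiaddr: address given to the client
    msg_type = server_ip = None
    i = 240
    while i < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:                        # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                            # truncated option header
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                            # truncated option value
        if code == 53 and length == 1:             # DHCP message type
            msg_type = value[0]
        elif code == 54 and length == 4:           # server identifier
            server_ip = socket.inet_ntoa(value)
        i += 2 + length
    if msg_type is None or server_ip is None:
        return None
    return msg_type, server_ip, offered_ip


def find_rogue_servers(payloads, authorized):
    """Map each unauthorized server identifier to the addresses it handed out."""
    rogue = {}
    for payload in payloads:
        parsed = parse_dhcp_reply(payload)
        if parsed and parsed[0] in (OFFER, ACK) and parsed[1] not in authorized:
            rogue.setdefault(parsed[1], []).append(parsed[2])
    return rogue


def build_reply(msg_type, server_ip, offered_ip):
    """Constructed sample data: minimal BOOTREPLY with options 53 and 54."""
    # op/htype/hlen/hops, then xid..ciaddr zeroed, yiaddr, siaddr..file zeroed
    fixed = bytes([2, 1, 6, 0]) + bytes(12) + socket.inet_aton(offered_ip) + bytes(216)
    options = bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server_ip) + b"\xff"
    return fixed + MAGIC_COOKIE + options
```

Feed `find_rogue_servers` the UDP payloads of traffic from port 67 to port 68 captured on an affected segment, with `authorized` set to the addresses of the DHCP servers you actually run.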