Wednesday, November 7, 2012

How to Locate a Rogue DHCP Server on an SBS Network

If you use Windows Small Business Server, you may not realize it has an odd quirk. When the DHCP server on an SBS server see communication from another DHCP server, the DHCP server on SBs shuts down. I suspect this it an attempt to be a good network citizen and get out of the way if DHCP is not required from SBS. Basically, in case you didn't know how to configure DHCP on your network SBS gets it out of the way.

Unfortunately the times I see the DHCP server shut down in SBS is when a rogue DHCP server is introduced to the network. Typically this occurs when users bring in a home router to use as a wireless access point or a switch. They often don't realize that DHCP is enabled on these devices.

How do you identify a rogue DHCP server?

The most common symptoms of a rogue DHCP server on an SBS network are:
  1. The DHCP service on the SBS server stops.
  2. Computers are getting an incorrect IP address or DNS server

How do you find the rogue DHCP server?

If you are lucky you are aware of new devices brought into the network. Based on this information you may be able to track down the bad device. However, in most cases, you don't know about new devices. So, what steps can we follow to track this sucker down:
  1. In the System event log on the SBS server there will be an event generated when the DHCP service is stopped.  Event 1053 with the Source DHCP-Server indicates the IP address for the rogue DHCP server.
  2. Try connecting to the IP address with a web browser. If this is a home router or WAP brought into the office, it will probable have a web site for configuration. At the very least this might help you identify the brand of device and indicate what you physically need to be looking for.
  3. Try to ping the IP address of the rogue DHCP server. If you are lucky it responds back. Then use arp -a to list the MAC address of that IP address.
  4. If you have web-managed switches, you can log on to the web site for your switches and identify the port that the MAC address is attached to. That will give you the location of the offending device.
  5. If you don't have web-managed switches, you can use the MAC address to identify the vendor of the equipment causing the issues. Then at least you know what brand of equipment you are looking for.
You can lookup vendors from MAC addresses here:

2 comments:

  1. Three things:
    1. The SBS server is likely not in the same L3 (IP) subnet as the rogue DHCP server, so will not know it can ARP for it - so it will probably never show up in the SBS server's ARP table.
    2. "ipconfig /all" from any Windows client picking up a lease from the rogue DHCP server will show the address of the DHCP server. Pinging it from a DHCP client should reveal the MAC address via the ARP table.
    3. If your switch isn't managed, you can try using a packet generator (in Unix: "ping -f", in Windows try either nping [http://nmap.org/nping/] or the 32-bit-only "traffic" [http://robert.rsa3.com/traffic.html]), and then go look at your switch to see which light is blinking the most!

    ReplyDelete
  2. I found a utility today that monitors the network specifically for DHCP traffic. It will do a DHCP request and identify offers that it receives. It will also display other DHCP requests and offers that it sees on the network.

    http://www.softpedia.com/get/Network-Tools/Network-IP-Scanner/DHCP-Find.shtml

    ReplyDelete