+ Post New Thread
Page 2 of 2 FirstFirst 12
Results 16 to 20 of 20
Windows Server 2008 R2 Thread, bad_address filling up dhcp leases in Technical; Originally Posted by jjohnsoncantell Greetings, Having a weird issue thats just started in the last week. For no reason at ...
  1. #16

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,331
    Thank Post
    242
    Thanked 1,601 Times in 1,277 Posts
    Rep Power
    346
    Quote Originally Posted by jjohnsoncantell View Post
    Greetings,

    Having a weird issue thats just started in the last week. For no reason at all the dhcp leases suddenly fill up with bad addresses until the scope is full and noone can log on. The network grinds to a halt at the same time. Nothing has been changed on the dhcp side of things but a few months ago i had enabled dns scavenging, however this problem has only happened twice in the last week. It seems to happen at the time the clients renew their leases which would explain why there is a sudden flood of bad addresses but i cant think of anything that would be causing this to happen.

    Any ideas, advice are most welcomed!

    James
    If you logon locally to a workstation with a bad address, what address (if any) has it been allocated with? 169.x.x.x or something else? Generally speaking it's obvious whether or not a rogue router is the problem, as the IP might be a class C, whereas your network may be a class A for example.

    Do you have more than one official DHCP Server in your domain? If yes, try reducing this to a single DHCP Server instance, or increase conflict detection to 2.

  2. Thanks to Michael from:

    jjohnsoncantell (6th June 2012)

  3. #17
    Duke5A's Avatar
    Join Date
    Jul 2010
    Posts
    854
    Thank Post
    88
    Thanked 148 Times in 122 Posts
    Blog Entries
    8
    Rep Power
    34
    Quote Originally Posted by Michael View Post
    Generally speaking it's obvious whether or not a rogue router is the problem, as the IP might be a class C, whereas your network may be a class A for example.
    I had this happen once when a teacher brought in a Linksys home router for wireless in their classroom. The teacher wound up plugging the LAN side into our building network and it was handing out class C's when our addressing is all class A. If this is your problem you can find it without too much pain by doing this:

    1. View the ARP cache on the client machine with the bad address and copy the MAC of the default gateway. This is the MAC address of the rogue router.
    2. Console into your core switch and view the MAC table looking for the MAC you just wrote down. From here you can see what physical port it learned of the MAC from.
    3. View CDP neighbors to see which physical device is connected to that port and then telnet into that device and continue the search. Eventually you come to the last switch inline that has said rogue device jack into it.
    4. You should now be able to go to the closet, trace back the patch from the switch port to the patch panel and figure out the physical location.


    This was done on Cisco hardware, but the principal should apply to other vendor's hardware.

  4. Thanks to Duke5A from:

    jjohnsoncantell (6th June 2012)

  5. #18

    Join Date
    Oct 2008
    Location
    Southampton, England
    Posts
    215
    Thank Post
    40
    Thanked 10 Times in 6 Posts
    Rep Power
    14
    i havent as yet gone to a workstation with a bad address since it was happening on so many pcs at once i had to keep the rest of the clients going. I have only one dhcp server so will look into that. Duke thats a great idea, if what i have done so far doesnt work this will be the next course of action i take.

  6. #19

    Join Date
    Oct 2008
    Location
    Southampton, England
    Posts
    215
    Thank Post
    40
    Thanked 10 Times in 6 Posts
    Rep Power
    14
    Still no bad addresses since i disabled that routing bridge... Im hoping thats problem solved. Thankyou to everyone who replied, you were most helpful.

  7. #20
    ricki's Avatar
    Join Date
    Jul 2005
    Location
    uk
    Posts
    1,477
    Thank Post
    20
    Thanked 164 Times in 157 Posts
    Rep Power
    53
    Hi

    What I would do is capture the network traffic on your dhcp server with something like wireshark for about 10 mins and then import the file into capsa free edition and it will analyse the file for you.

    If you can get the mac of the item you might be able to find what sort of nic it is.

    Do you have dynamic updates on the dns set to secure.

    Also do you have conflict detection set above 0 in dhcp. This pings the ip to see if the ip is being used before issuing it.

    You could reduce the lease time in dhcp but you need to find the problem and capsa should help.

    If this does not find it look at dns poisoning DNS spoofing - Wikipedia, the free encyclopedia

    Plus is there another dhcp server on another machine. May be on a laptop.

    Richard

    Richard



SHARE:
+ Post New Thread
Page 2 of 2 FirstFirst 12

Similar Threads

  1. DHCP leases at 100%
    By sdc in forum Windows Server 2000/2003
    Replies: 2
    Last Post: 27th April 2009, 01:44 PM
  2. Offline files filling up hard drive
    By OverWorked in forum Windows
    Replies: 8
    Last Post: 8th January 2009, 03:35 PM
  3. Terminal server drives filling up with profiles
    By Andi in forum Thin Client and Virtual Machines
    Replies: 9
    Last Post: 23rd June 2007, 09:36 AM
  4. Access points not picking up DHCP reservations?
    By Halfmad in forum Wireless Networks
    Replies: 2
    Last Post: 26th April 2007, 03:11 PM
  5. DHCP lease duration +increased traffic
    By Kyle in forum Windows
    Replies: 6
    Last Post: 25th January 2007, 10:20 AM

Thread Information

Users Browsing this Thread

There are currently 2 users browsing this thread. (0 members and 2 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •