Strange DHCP entry

[jcs808]

Hello everybody

Hopefully someone can shed some light on this because I'm just stumped.

I found a strange entry in the dhcp IP lease list. The computer name didn't follow our naming conventions and it also had a FQDN. There was no active directory account or a DNS entry for this computer.

I've been told that one of our sixth form has been plugging his laptop into the network, but if this is his laptop and he has managed to join the domain, why no AD or DNS entries?

I could do without this as we finish for Christmas tomorrow.

Thanks

[K.C.Leblanc]

You don't need to join the domain to get a DHCP entry. Depending how your network is set up it might be possible for him to plug and get internet access.

It also could be something like a printer or access point.

[siuko]

If you have DHCP providing IP addresses for your network a user will be allocated an ip address and be visible on your network.

More often than not - just sat in the workgroup.

I'm guessing with no AD or DNS entries he wont have joined your domain at all... just has an ip address.

Depending on how your network is setup securitywise he could access many things or nothing

The same happened at the school I work at and now I'm much more relaxed knowing we dont use DHCP anymore.

[strawberry]

its the fqdn bit i dont understand, we have the same here.

[DMcCoy]

Some devices and OS append the domain suffix if you specify it in dhcp, others do not. You don't have to be a domain member to do it.

[sahmeepee]

Possibly you haven't tweaked your domain to remove the right for ordinary users to add up to 10 computers to the domain (?)

Is it possible he's added his laptop, picked up a DHCP lease with a FQDN, then removed his computer from the domain again - with DHCP being the only place that leaves a trace.

I had a few muppets do this, so I now get email alerts each time there's a new DHCP lease. It can get a bit "noisy" at the start of term, but I feel more on top of the situation. We've also removed the right to add computers to the domain for standard users.

[jcs808]

its the fqdn bit i dont understand, we have the same here.

Here a DHCP entry only shows a FQDN after a computer has been joined to the domain, until then just the computer name is shown.

[tech_guy]

It's a shame you can't send a 10,000 volt surge down the cable that blows their bloody laptop to bits when they plug it in isn't it!?

[Michael]

@jcs808 - I agree with what's been already said. The user just has an IP allocated by DHCP which is completely normal. They could then browse the web (for example) manually entering proxy settings (if you use a proxy). They cannot browse the network and even if they entered \\servername\sharename, they'll still be asked for a username and password.

If there's no entry in AD or DNS then they haven't joined the domain.

[sahmeepee]

With dynamic updates, would a computer which is removed from the domain not also have its DNS record removed? Obviously the computer account would go from AD at the same time.

EDIT: Failing that, it's also possible DNS scavenging could be set up on a more aggressive interval than DHCP lease expiry. Either way it sounds consistent with the computer having been added to the domain and then removed again.

[AustenLowe]

It sounds like your dns zone for your domain has Nonsecure and Secure Dynamic updates allowed which is why a foreign device has a fqdn address.
When configured to secure only, the dhcp mmc will only show the devices hostname as it wont allow the host to register an A-record (and PTR if setup) unless it belongs to the Active Directory domain.

[rbance]

just a rogue device....student laptop or staff laptop from home perhaps....

[sonofsanta]

just a rogue device....student laptop or staff laptop from home perhaps....

nuh-nuh-nuh-nuh-nuh-nuh-nuh-nuh nuh-nuh-nuh-nuh-nuh-nuh-nuh-nuh NECRO

[JJonas]

well that was a blast from the past...