Task: Compliance check - conflict detection on DHCP servers (rogue detection and IP in use)

From the DHCP Operations Guide.

Purpose

This task reviews the conflict detection settings to confirm that, after a month of daily operations, the configuration still matches the original architectural intent for the environment.

Procedure 1: Detect and identify IP address conflict via server-side checking

Windows 2000 and Windows XP DHCP client computers that obtain IP addresses via DHCP automatically use a gratuitous address resolution protocol (ARP) request for conflict detection on the client side. This is done prior to completing the configuration and use of the offered IP address. If a client running Windows 2000 or Windows XP is configured to use DHCP and detects a conflict, it sends a DHCPDecline message to the DHCP server.

If the network includes Windows 95-based DHCP clients, use the server-side conflict detection provided by the DHCP service. To enable it, increase the number of ping attempts the DHCP service makes for each address before leasing that address to a client.

Note: For each additional conflict detection attempt the DHCP service performs, additional seconds are added to the time needed to negotiate leases for DHCP clients.

  1. Click Start, then Run, and type:
    %SystemRoot%\system32\dhcpmgmt.msc /s
  2. In the console tree, click the applicable DHCP server.
  3. On the Action menu, click Properties, then the Advanced tab.
  4. In Conflict detection attempts, type a number greater than 0 (zero) and less than 6 (2 is recommended), and then click OK.

Procedure 2: Monitor logs for IP conflict

  1. View the current DHCP server audit log. Logs are kept by day of the week (default location: C:\windows\system32\dhcp).
  2. Check for Event ID 13.

Event 13 indicates that “An IP address was found to be in use on the network.” This often happens when the IP was already dispensed by a rogue system.
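The check in Procedure 2 is easy to automate once the audit log is parsed. The following Python script is an added example, not part of the operations guide: it reads the comma-separated body of a DHCP server audit log, skips the free-text preamble, pulls out the Event ID 13 rows and counts conflicts per address, so that an address that keeps being found in use stands out. The sample log rows are constructed for the example; the header line and column order follow the Windows Server 2003 audit log layout, and the per-day file name (DhcpSrvLog-Mon.log and so on) is the standard naming in the default directory the procedure mentions.

```python
import csv
import io
import os
from collections import Counter

# Constructed sample of a DHCP server audit log. The header line and column
# order follow the Windows Server 2003 audit log layout; the preamble is kept
# short and the data rows are invented for this example.
SAMPLE_LOG = """\
Microsoft DHCP Service Activity Log

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,04/14/08,08:00:00,Started,,,
10,04/14/08,08:05:12,Assign,10.0.0.51,WKS01.corp.example,00112233AA01
13,04/14/08,08:06:40,Conflict: An IP address was found to be in use on the network,10.0.0.55,,
10,04/14/08,08:07:03,Assign,10.0.0.52,WKS02.corp.example,00112233AA02
13,04/14/08,08:09:15,Conflict: An IP address was found to be in use on the network,10.0.0.56,,
13,04/14/08,09:30:01,Conflict: An IP address was found to be in use on the network,10.0.0.55,,
"""

DEFAULT_LOG_DIR = r"C:\windows\system32\dhcp"  # default location named in the procedure
CONFLICT_EVENT_ID = "13"


def audit_log_path(day, log_dir=DEFAULT_LOG_DIR):
    """Path of the audit log for a weekday abbreviation such as 'Mon'."""
    return os.path.join(log_dir, f"DhcpSrvLog-{day}.log")


def parse_audit_log(text):
    """Return one dict per data row, skipping the preamble above the CSV header."""
    lines = text.splitlines()
    for start, line in enumerate(lines):
        if line.startswith("ID,Date,Time"):
            break
    else:
        raise ValueError("no 'ID,Date,Time,...' header found; not a DHCP audit log")
    reader = csv.DictReader(io.StringIO("\n".join(lines[start:])))
    return [row for row in reader if row.get("ID")]


def find_conflicts(text):
    """Rows whose event ID is 13 (an address was found in use on the network)."""
    return [row for row in parse_audit_log(text) if row["ID"].strip() == CONFLICT_EVENT_ID]


def conflict_summary(text):
    """Conflict count per address; a repeated address points at a persistent squatter."""
    return Counter(row["IP Address"] for row in find_conflicts(text))


if __name__ == "__main__":
    # Run against the constructed sample; on a server, read audit_log_path("Mon") etc.
    for ip, count in conflict_summary(SAMPLE_LOG).most_common():
        print(f"{ip}: {count} conflict event(s)")
```

Run it over each day's file in turn to cover the whole week; an address that appears in the summary more than once on consecutive days is a stronger rogue indicator than a single Event ID 13, which can also be a stale lease on a machine that was simply left switched on.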


Procedure 3: Rogue DHCP detection via Netsh

To use Terminal Services to connect to the host or subnet that has the IP address conflict and find all responding DHCP servers:

  1. Click Start, then Run, and enter cmd
  2. In the command window, type:
    netsh diag ping dhcp
  3. Note all DHCP servers that were identified and pinged, and compare them with the list of known good DHCP servers to detect any rogue server.
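Step 3 asks the operator to compare the responding servers with the known good list by hand. The following Python script is an added example, not part of the operations guide: it takes the console text captured after the netsh command, extracts every valid IPv4 address from it (so nothing about the tool's exact output wording is assumed), and splits the result into authorized servers, rogue servers and known good servers that did not answer. Both the known good list and the captured text are constructed for the example.

```python
import ipaddress
import re

# Known good DHCP servers for this site; constructed addresses for the example.
KNOWN_GOOD_DHCP_SERVERS = {"10.0.0.2", "10.0.0.3", "10.0.1.2"}

# Constructed stand-in for console text captured after running the netsh
# command. Only the IPv4 addresses in it are used, so the exact wording of the
# tool's output is not assumed here. The last line shows why candidates are
# validated rather than trusted as matched.
SAMPLE_CAPTURE = """\
DHCP servers
    10.0.0.2    reply received
    10.0.0.3    reply received
    10.0.0.177  reply received
    310.0.0.1   looks like an address but is not one
"""

# Cheap textual pre-filter; ipaddress does the real validation below.
IPV4_CANDIDATE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ipv4(text):
    """Every syntactically valid IPv4 address found in free text."""
    found = set()
    for candidate in IPV4_CANDIDATE.findall(text):
        try:
            found.add(str(ipaddress.IPv4Address(candidate)))
        except ipaddress.AddressValueError:
            pass  # an octet above 255, for example
    return found


def classify_servers(observed, known_good):
    """Split responding servers into authorized, rogue and expected-but-silent."""
    observed, known_good = set(observed), set(known_good)
    return {
        "authorized": sorted(observed & known_good, key=ipaddress.IPv4Address),
        "rogue": sorted(observed - known_good, key=ipaddress.IPv4Address),
        "silent": sorted(known_good - observed, key=ipaddress.IPv4Address),
    }


def is_compliant(report):
    """Pass only when no rogue server answered and every known good server did."""
    return not report["rogue"] and not report["silent"]


if __name__ == "__main__":
    report = classify_servers(extract_ipv4(SAMPLE_CAPTURE), KNOWN_GOOD_DHCP_SERVERS)
    for category, servers in report.items():
        print(f"{category}: {', '.join(servers) or '-'}")
    print("compliant" if is_compliant(report) else "NOT compliant")
```

A server in the rogue list is the case Procedure 3 is after; a server in the silent list is also worth a ticket, because an authorized server that stops answering on a subnet is often what lets a rogue one win the lease race.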

Dependencies

None

Technology Required

  • Netsh is included with Windows Server 2003
  • Base DHCP Windows Server 2003