
DHCP Rogue Leases on Reconcile!

Discussion in 'Windows Server System' started by sergeantash, 2009/06/12.

  1. 2009/06/12
    sergeantash

    We have a few Windows 2003 servers with a DHCP role implemented. We've seen some recent odd occurrences on the DHCP servers with the dynamic pool filling up but not with active clients; it is only when we Reconcile Scopes that we're shown a set of IP addresses. We cleanse these, at which point they then appear in the 'Address Leases' table.

    However, the entries that appear are far from normal, a standard expected entry in the Address Leases table may appear as this...

    45.52.63.14 PCHostName 20/06/2009 10:50 DHCP 003344556677 (MAC)

    However, the rogue entries appear as:

    45.52.63.15 45.52.63.15 20/06/2009 10:50 DHCP/BOOTP 32352e3136372e33382e32353500

    As you can see, the rogue entry adopts DHCP/BOOTP instead of the configured DHCP only - the MAC address is also much longer than expected and appears to be a set of 4 digits separated by an 'e' and so potentially a long-number IP address form? Either way, the numbers increment in no standard form per appearance of each rogue entry.

    We try pinging the IP address but it doesn't exist, nor does a Netscan of the entire IP range show any devices responding to the allocated IPs.

    The other oddity is that the IPs appear in groups at exactly the same Lease Expiry time, groups of 4-8 on average. BUT they only appear in the Address Leases table AFTER using the Reconcile option.

    Does anyone have any ideas as to the cause of this issue? It's filling up our Address Pools and is only cured temporarily by deleting the addresses from the Address Lease table, only for them to reappear.

    Interpreting the number given as the MAC address would perhaps be a good start to identifying the source?

    Thanks for your help!
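
    Decoding the Unique ID quoted in the post above as hex-encoded bytes (an added example, not part of the original thread). The function names, the whitespace-separated row layout and the "6 bytes means MAC" rule are assumptions; the sample rows are constructed from the two entries quoted in the post.

```python
# Constructed from the two Address Leases rows quoted in the post.
SAMPLE_ROWS = [
    "45.52.63.14 PCHostName 20/06/2009 10:50 DHCP 003344556677",
    "45.52.63.15 45.52.63.15 20/06/2009 10:50 DHCP/BOOTP 32352e3136372e33382e32353500",
]


def decode_unique_id(hex_id):
    """Classify a lease Unique ID and return (kind, decoded_value).

    Assumption: a 6-byte value is an Ethernet MAC; anything else is tried
    as NUL-terminated printable ASCII before being reported as opaque.
    """
    try:
        raw = bytes.fromhex(hex_id)
    except ValueError:
        return "invalid", hex_id
    if len(raw) == 6:
        return "mac", ":".join(f"{b:02x}" for b in raw)
    text = raw.rstrip(b"\x00")  # the value in the post ends in a 00 byte
    if text and all(32 <= b < 127 for b in text):
        return "ascii", text.decode("ascii")
    return "opaque", hex_id


def parse_row(row):
    """Split one lease row (assumed layout: ip name date time type uid)."""
    ip, name, date, time, lease_type, uid = row.split()
    kind, value = decode_unique_id(uid)
    return {"ip": ip, "name": name, "expires": f"{date} {time}",
            "type": lease_type, "id_kind": kind, "id_value": value}


def non_mac_leases(rows):
    """Return the parsed rows whose Unique ID is not a plain 6-byte MAC."""
    return [r for r in map(parse_row, rows) if r["id_kind"] != "mac"]


if __name__ == "__main__":
    for lease in non_mac_leases(SAMPLE_ROWS):
        print(lease["ip"], lease["type"], lease["id_kind"], lease["id_value"])
```

    The recurring `2e` bytes in the Unique ID are ASCII full stops, which is why the value looks like digit groups separated by an 'e'.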
     
  2. 2009/06/17
    ReggieB

    Could it be Vista IPv6 causing the problem? I'd be tempted to disable IPv6 on any Vista PC and see if that helped. You can turn it back on if there is no effect.
     


  4. 2009/06/18
    sergeantash

    Thanks for this pointer, I'm investigating now and will report back. Please don't lock this topic mods as the conclusion will be useful for anyone else searching.
     
  5. 2009/07/10
    snowy

    Is there any solution for this problem? I think we got the same problem!
     
  6. 2009/07/10
    sergeantash

    Unfortunately no, the range of Dynamic addresses that we permitted in this single instance kept filling with rogue addresses UNTIL active users started utilising the DHCP range (via true dynamic DHCP), we haven't seen a rogue address within that specific scope since!!

    We have however since found the same issue on other sites/scopes - very frustrating, would be worth a call to Microsoft?

    We did investigate the Vista theory but concluded that there weren't any Vista workstations on the domain.
     
  7. 2009/07/10
    snowy

    It seems like it's the same problem.

    I've made a call to my network team, they should be sniffing there and I hope we find out which network device is responsible for this problem.

    We also have no Vista clients.
     
  8. 2009/07/13
    sergeantash

    Nice one, let me know what you find! We were also going to use a sniffer to look for rogue DHCP packets but I suspect it's more of a DHCP server fault, not a network traffic fault?

    Interesting one isn't it!!
     
  9. 2009/07/14
    snowy

    We're upgrading our servers and we have the same problem with the new DHCP Server... so we were thinking that some network devices are making trouble.

    I'll give more information when we have some :)
     
  10. 2009/07/23
    sergeantash

    Hey Snowy,

    Just wondering if you managed to find out anything interesting regarding this one?

    Cheers,
     
