The case of the rogue DHCP server and using DHCPLOC

Recently a customer asked me to troubleshoot a strange problem: the DHCP server service on their main Windows 2003 Server was shutting down randomly. At first it wasn’t that much of a problem, as most of their leases were 14 days long, so quite often the service would be down and not noticed for days.

Each time, the problem was only discovered when a desktop requested a new lease and did not get one.

The main problem was that, according to the Windows Server’s Event Logs, there was a secondary or rogue DHCP server somewhere on the network. I originally suspected that another of their servers had its DHCP server service switched on by accident. After painstakingly auditing all servers, no DHCP servers were found, so it was back to square one.

We then suspected that VMware was causing the problem, as it bridges a connection between the physical NIC and a virtual NIC. It can also be set up so that the physical NIC gets a normal network DHCP address or a fake virtual address. No dice on this suspicion, however.

I then decided to employ the DHCPLOC tool, which is part of the Windows Support Tools. It is fairly easy to run and is command-line based.

Unfortunately DHCPLOC turned up nothing except for the standard Windows Server DHCP server.

However, after several days of running the tool, it picked up a DHCP server running on one of the local addresses in the IP range. Tracing this IP became a nightmare, as every time I tried to ping or locate it, the request would time out.
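As an added illustration of what a DHCPLOC-style sweep does (this is example code written for this page, not the DHCPLOC tool or anything from the original post): it broadcasts a DHCPDISCOVER, records the server identifier (option 54) from every DHCPOFFER that answers, and flags any server that is not on the allowlist the caller supplies. Assumptions: the caller passes the site's one authorized server address, the host has admin/root rights to bind UDP port 68, and no DHCP client is holding that port.

```python
import random
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options area (RFC 2131)

def build_discover(xid, mac):
    # DHCPDISCOVER, broadcast flag set; option 53 = DISCOVER (1), option 55 requests option 54
    hdr = struct.pack("!BBBBIHHIIII16s192s", 1, 1, 6, 0, xid, 0, 0x8000,
                      0, 0, 0, 0, mac.ljust(16, b"\0"), b"\0" * 192)
    return hdr + MAGIC_COOKIE + b"\x35\x01\x01" + b"\x37\x01\x36" + b"\xff"

def parse_options(pkt):
    """Return {option code: raw value} for the options area of a DHCP packet."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:      # 255 = end option
        if pkt[i] == 0:                         # 0 = pad byte, has no length field
            i += 1
            continue
        length = pkt[i + 1]
        opts[pkt[i]] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def classify_offer(pkt, xid, authorized):
    """(server_ip, verdict) for a DHCPOFFER answering our xid; None for any other packet."""
    opts = parse_options(pkt) if pkt[236:240] == MAGIC_COOKIE else {}
    # op 2 = BOOTREPLY, the xid ties the reply to our probe, option 53 == 2 means DHCPOFFER
    if pkt[:1] != b"\x02" or pkt[4:8] != struct.pack("!I", xid) or opts.get(53) != b"\x02":
        return None
    server = socket.inet_ntoa(opts[54]) if 54 in opts else "unknown"
    return server, ("authorized" if server in authorized else "ROGUE")

def probe(authorized, timeout=5.0):  # binds UDP/68, so it needs admin/root and no DHCP client on it
    xid, seen = random.getrandbits(32), {}
    mac = b"\x02" + bytes(random.getrandbits(8) for _ in range(5))  # locally administered MAC
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.bind(("0.0.0.0", 68))
        s.sendto(build_discover(xid, mac), ("255.255.255.255", 67))
        while True:                             # collect every OFFER seen within the window
            try:
                result = classify_offer(s.recvfrom(1500)[0], xid, authorized)
            except socket.timeout:
                return seen
            if result:
                seen[result[0]] = result[1]
```

Because the rogue in this story was only present intermittently, a single sweep proves little: run `probe({"192.0.2.10"})` (placeholder address) on a schedule and log every sweep's verdicts, so the "ROGUE" entries line up with the Event Log shutdowns.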

It turns out that I was simply doing the ping checks at the wrong time of day. I know that sounds strange, but it will all make sense.

When I pinged the address during the day it actually responded, but at night it timed out. After tracking down the hostname associated with this IP, I found that it belonged to a user's iPhone that was connected via Wi-Fi.

You may be thinking: how can an iPhone interfere with a DHCP server?

Well, it was quite easy to figure out from here. This particular iPhone was jailbroken and was running PDANet. PDANet is a program that allows you to tether your iPhone to your PC/Mac via wireless. The problem is that it also provides a DHCP server of its own.

This DHCP server was causing the main DHCP server to shut down each time. Unfortunately, the reason it took so long to find was that this user was not always in the office, and did not always have the iPhone connected via Wi-Fi when they were.


Networking, Servers, Windows
