Thursday, July 10, 2008

Weird DHCP issue... resolved

OK, so a user reports Vista wants them to identify a new network I've never heard of as "home, work, or public". This isn't our corporate domain (which their machine is a member of), and this is happening over wired connections. To put it mildly, this gets my attention. I look at his network adapter settings; it's all set up for DHCP, nothing hard-coded. Doing an ipconfig /all and looking at his registry, he is receiving a different DHCP server than I am handing him, and his "DhcpDomain", as it is referred to in the registry, is not my domain but this newfound mystery domain. The crazy thing is that the "DhcpServer" is MY server. I verified with Wireshark that my DHCP server is giving him the address directly, and that on his end he is receiving DHCP from me, so what gives? Where is the incorrect data coming from? In the packet capture I noticed something very interesting: there are DHCP Inform packets coming from a random PC on my corporate LAN.

Basically, the answer is that someone created a "test domain", installed DHCP Server, configured a scope, and then disabled that scope, but did not delete the scope or uninstall/disable DHCP Server. Due to a Microsoft bug, http://support.microsoft.com/kb/944200, it will still respond to these DHCP Inform packets and append/overwrite the data my DHCP server is sharing.
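A way to catch this in a capture, as an added example that is not part of the original post: the Python below parses the DHCP options of server replies and flags any OFFER/ACK that comes from a server outside an allowlist or that sets an unexpected domain name (option 15). The function names, addresses and domains are assumptions constructed for illustration; the input is assumed to be the UDP payload of each captured reply.

```python
import socket

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that follows the 236-byte BOOTP header
OPT_DOMAIN, OPT_MSG_TYPE, OPT_SERVER_ID = 15, 53, 54
SERVER_REPLIES = {2: "OFFER", 5: "ACK"}

def parse_options(payload):
    """Return {option code: raw value} from the UDP payload of a DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def audit_reply(src_ip, payload, authorized, expected_domain):
    """Return findings for one captured server reply; an empty list means clean."""
    opts = parse_options(payload)
    msg_type = opts.get(OPT_MSG_TYPE) or b"\x00"
    kind = SERVER_REPLIES.get(msg_type[0])
    if payload[0] != 2 or kind is None:             # op 2 = BOOTREPLY
        return []
    findings = []
    raw_id = opts.get(OPT_SERVER_ID)
    server = socket.inet_ntoa(raw_id) if raw_id and len(raw_id) == 4 else src_ip
    for ip in sorted({src_ip, server} - set(authorized)):
        findings.append(f"{kind} from unauthorized DHCP server {ip}")
    domain = opts.get(OPT_DOMAIN, b"").rstrip(b"\x00").decode("ascii", "replace")
    if domain and domain.lower() != expected_domain.lower():
        findings.append(f"{kind} sets domain {domain!r}, expected {expected_domain!r}")
    return findings

def build_reply(msg_type, server_ip, domain):
    """Constructed sample: minimal BOOTREPLY carrying options 53, 54 and 15."""
    sid, dom = socket.inet_aton(server_ip), domain.encode()
    return (b"\x02\x01\x06\x00" + bytes(232) + MAGIC + bytes([OPT_MSG_TYPE, 1, msg_type])
            + bytes([OPT_SERVER_ID, 4]) + sid + bytes([OPT_DOMAIN, len(dom)]) + dom + b"\xff")

# Constructed addresses and domains (documentation ranges), not values from the post.
AUTHORIZED = {"192.0.2.10"}
GOOD = build_reply(5, "192.0.2.10", "corp.example")
ROGUE = build_reply(5, "192.0.2.77", "test.example")
```

Calling `audit_reply` on each reply in a capture, with the real DHCP servers in `authorized`, surfaces the second responder even when the lease itself came from the legitimate server.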

Good luck if this happens to you. I am going to go drink a Guinness.
