DHCP and DNS issue
gojericho0
Member Posts: 1,059
in Off-Topic
Wondering if anyone could maybe give me some ideas to try and find out the root cause of the issue we are experiencing.
Symptom: About two weeks ago, we started receiving calls from end users stating they were getting an error message that their IP address is already in use on the network. We noticed in DNS multiple PTR entries are being created for all the clients who have been receiving this message (approximately 10 out of 1000 users). The PTR records show two different computer names will be given the same IP. The A records for these clients have a 1:1 ratio with an IP address so everything is fine during forward lookups.
The difference in creation date between the 2 PTR records is 7 days and our lease time is 8 days. One was created 10/19/2007 at 11:00 PM and the other 10/26/2007 at 11:00 PM. "Delete this record when it becomes stale" is enabled. I guess to start out, here are some of the questions I have:
Why would PTR records be created for a different machine if the current machine was still within its lease time? Shouldn't DHCP prevent this from happening?
Why would the stale PTR record (10/19/2007) not be deleted if the option is checked?
Why would only the PTR record be affected and not the A record as well?
Background on our environment:
All servers are Win2k3 R2 and clients are XP SP2
All DNS servers have AD integrated zones
DHCP distributes IP, SNM, Gateway, DNS, and WINS info
Lease time is 8 days
DNS dynamically updates with the option: "Always dynamically update DNS A and PTR records so that the DHCP server remains in control of DNS registration and not the clients"
"Discard A and PTR records when lease is deleted" is also enabled
Currently scavenging is not enabled, which I think may help resolve this issue, but since it has only been occurring over the last two weeks and we have had these scopes for about 2 years.
I attempted to manually scavenge records (left option to default 7 day refresh) to no avail
AD replication is working properly
No errors in DNS event log
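A quick way to enumerate exactly the condition described above (two PTR records under one IP, with their aging timestamps) from the DNS server side. This is an added example, not code from the thread; it assumes the DnsServer PowerShell module (Windows Server 2012 or later; on Win2k3 the same data comes from `dnscmd /enumrecords`), a placeholder reverse zone name of `1.168.192.in-addr.arpa`, and the 8-day lease from the post as the "stale" threshold.

```powershell
# Added example (not from the thread): find IPs in a reverse lookup zone that carry
# more than one PTR record, and show each record's target and timestamp so a stale
# registration can be told apart from the current one.
function Get-DuplicatePtrRecords {
    param(
        [Parameter(Mandatory)] [string]$ZoneName,   # e.g. "1.168.192.in-addr.arpa" (placeholder)
        [string]$DnsServer = "localhost",           # DNS server to query
        [int]$LeaseDays = 8                         # lease length from the thread; assumption
    )

    # Network prefix octets in normal order (reverse-zone labels are reversed).
    $zoneOctets = ($ZoneName -replace '\.in-addr\.arpa$', '').Split('.')
    [array]::Reverse($zoneOctets)

    $ptrRecords = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType Ptr -ComputerName $DnsServer

    # Two PTR records under the same owner name means two hosts are claiming one IP.
    $ptrRecords |
        Group-Object -Property HostName |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $hostOctets = $_.Name.Split('.')
            [array]::Reverse($hostOctets)
            $ip = ($zoneOctets + $hostOctets) -join '.'
            foreach ($rec in $_.Group) {
                [pscustomobject]@{
                    IPAddress = $ip
                    PtrTarget = $rec.RecordData.PtrDomainName
                    # Timestamp is $null for static records; aging/scavenging keys off this value.
                    Timestamp = $rec.Timestamp
                    Stale     = ($null -ne $rec.Timestamp) -and ($rec.Timestamp -lt (Get-Date).AddDays(-$LeaseDays))
                }
            }
        }
}

# Usage: every duplicated IP with both PTR targets, oldest registration first.
Get-DuplicatePtrRecords -ZoneName "1.168.192.in-addr.arpa" |
    Sort-Object IPAddress, Timestamp |
    Format-Table -AutoSize
```

A record whose Timestamp is older than the lease but still present is the one "Delete this record when it becomes stale" should have removed once scavenging actually runs; the flag only marks records as eligible, it does not delete them until the zone's scavenging interval fires. On 2012 or later DHCP servers, `Get-DhcpServerSetting` also shows the `ConflictDetectionAttempts` value, which is the option referred to later in the thread (on Win2k3 it is under Server Properties, Advanced, in the DHCP console).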
Comments
sprkymrk Member Posts: 4,884
Is there a rogue DHCP server handing out IP's on the network? Some appliances have this enabled by default, such as SOHO Routers/WAPs. Especially possible on networks using private IP's in the 10. or 192.168 range.
Strange that it only affects PTR records though...
All things are possible, only believe.
gojericho0 Member Posts: 1,059
No rogue servers that I am aware of. We are pretty proactive when it comes to that stuff using various security tools.
Pash Member Posts: 1,600
dhcploc x.x.x.x(your location of where running cmd from) x.x.x.x(your actual DHCP servers ie your exclusions)
Run that on a server with dhcploc tool installed, shouldn't be on one of your DHCP servers either.
That's the best windows way to ensure this, obviously if you are using NAC or something then this is more than likely not the case.
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
gojericho0 Member Posts: 1,059
Yeah, we just implemented a NAC solution and it has been very successful. No rogue DHCP servers were discovered.
blargoe Member Posts: 4,174
There's an option on the dhcp server to enable conflict detection (I forget off hand exactly what it is called, but it's obvious what the check box is for)... is this enabled?
Is it possible that someone is going in and deleting the leases from the DHCP server manually while clients are still active?
IT guy since 12/00
Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
Working on: RHCE/Ansible
Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
Mishra Member Posts: 2,468
Have all 10 end users complained about the problem all in 1 day? And is this the first time this has happened?
gojericho0 Member Posts: 1,059
@blargoe
I will try to find the option today at work, thanks for the info. I will post the results.
@Mishra
To clarify, there were about 10 complaints in the two week period that I have noticed this problem has been occurring. I'm not sure what may have changed in our AD since we first started getting duplicate IP tickets, other than we had to shut down all the DC/DNS servers for a SAN firmware upgrade.