Question
Wednesday, November 17, 2010 2:12 AM
Hi,
I have set up 2 new DHCP servers (Windows 2008 Standard) having role of AD, DNS, WINS and DHCP in new office.
We have divided subnets having 50-50% to lease IP's. Now, DHCP server is authorized and no errors are reported.
Relay agent is also configured for the new 2 DHCP servers.
Problem:
Clients are not receiving IP leases and if we assign static IP it works fine. We ran traces and found that Discover request reached DHCP server but unfortunately DHCP server is not leasing the IP's.
Please suggest what could be the reason and how to start troubleshooting? Please help...
All replies (9)
Wednesday, November 17, 2010 6:12 PM ✅Answered
Good to hear you have their permission to disable the Windows firewall.
What firewall rules are between the VLANs? Can you disable them too, for this troubleshooting procedure? This will help eliminate this as a factor, and of course if it resolves the problem, you'll know what to look at to get it fixed.
Also curious, regarding the ipconfigs, what are 138.213.114.49 and 172.18.16.24? Is that an external DNS server? Do they host the AD zone? I didn't see what the AD domain name is in the ipconfigs since you've removed the upper portion of it. But we'll need to know if 138.213.114.49 and 172.18.16.24 both host the AD zone. If they do not, they MUST be removed from the NICs.
In addition, having four entries is overkill. Based on the client side resolver service algorithm, it may never get to the third entry anyway. If you want to read more on how the algorithm works, it's in the following link:
DNS, WINS NetBIOS & the Client Side Resolver, Browser Service, Disabling NetBIOS, Direct Hosted SMB (DirectSMB), If One DC is Down Does a Client logon to Another DC, and DNS Forwarders Algorithm if you have multiple forwarders.
http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx
Also, the 127.0.0.1 is superfluous since the actual DC's IP is first in the list. Therefore, from what I see, and assuming that the 138.213.114.49 DNS server does not have a copy of the AD zone, my suggestions are on each DC:
- Remove 138.213.114.49 and 172.18.16.24
- Remove 127.0.0.1
- Configure a Forwarder to 138.213.114.49 and 172.18.16.24 (this is assuming they do not host the AD zone)
- Therefore, what you should have in the DNS list are only two DNS addresses - the actual IP of the DC itself as the first entry, and the other DC as the second entry.
Once you've done that, then run on each:
- ipconfig /registerdns
- net stop netlogon
- net start netlogon
Then check the Event logs, and check Services to make sure the DHCP service is running. If it is, restart it. If not, start it.
Remember to ask your group if there are any firewall rules on the VLANs or if you can disable it to troubleshoot this. It's important to have cooperation from the networking group, as well as their understanding of what AD needs as far as ports, DNS settings, etc. I've seen in many scenarios where AD has issues and the AD group asking the Networking group for assistance only to find that necessary ports are blocked because there may be a misunderstanding of AD's requirements and how the Microsoft product technologies work. If they need a list of ports that AD requires, I will be glad to post the necessary information.
Ace
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Thursday, November 18, 2010 1:12 PM ✅Answered
Hi Ace, Thank you so much for analyzing and supporting me.
I really appreciate your help and making me think other way around.
Yes, you were right and it was Network side problem. I believe it was firewall issue, but network team is working on it to provide us further details. After they made some change, DHCP started offering IP's. Thank God it's fine now.
I'm really happy that I got you on this issue and your direction was absolutely right. Thanks and Thanks once again.
Regards,
Sahil Soi
Thursday, November 18, 2010 3:52 PM ✅Answered
Hi Sahil,
I'm happy to have helped. I hope you and the networking team are able to get this sorted out.
If you feel my assistance was beneficial and provided the correct answer, please mark the specific post as the Answer.
Let us know if you need additional assistance.
Ace
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Wednesday, November 17, 2010 2:09 AM
Hi,
I have set up 2 new DHCP servers (Windows 2008 Standard) having role of AD, DNS, WINS and DHCP.
We have divided subnets having 50-50% to lease IP's. Now, DHCP server is authorized and no errors are reported.
Relay agent is also configured for the new 2 DHCP servers.
Problem:
Clients are not receiving IP leases and if we assign static IP it works fine. We ran traces and found that Discover request reached DHCP server but unfortunately DHCP server is not leasing the IP's.
Please suggest what could be the reason and how to start troubleshooting? Please help...
Wednesday, November 17, 2010 5:40 AM
Are there any firewall ports being blocked between the subnet the relay agent is configured for?
In the capture logs you said the DISCOVER is reaching DHCP, but is DHCP responding with anything at all? If not, are the scope subnets exactly matching the interface IP the relay agent is located at?
Ace
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Wednesday, November 17, 2010 5:57 AM
Hi Ace, Thank you for reply.
Well, I checked on DHCP statistics as well and there are continuous "Discovers" and "Requests" but no "Offer" at all.
In Windows 2008, we also have Firewall configured and I have also added Ports: 67 and 2535 UDP in exception list. Regarding Ports between Subnet and relay agent being blocked, I will double check with my Network Team immediately.
DHCP is not responding in the traces and the scope subnets are matching the interface IP the relay agent is located at.
Please let me know if you need more information.
Also, one strange thing I noticed in DHCP log is mentioned below:
55,11/17/10,14:07:00,Authorized(servicing),,(Domain name) => I checked and 55+ means Rogue DHCP server.
I'm not sure if this can be Rogue DHCP. Please suggest, I'm waiting for your reply.
Thanks
Wednesday, November 17, 2010 6:09 AM
Rogue DHCP Service? I checked the following site, and EventID 55 in the error means it's authorized to start on the network.
Analyzing server log files: Dynamic Host Configuration Protocol (DHCP) Jan 21, 2005 ...
http://technet.microsoft.com/en-us/library/cc776384(WS.10).aspx
What link did you find? Please post it.
At this time, it's starting to sound like an AD issue. It would be helpful to post a complete ipconfig /all from the server, as well as list your scopes out, and what is the subnet ID where the DHCP relay agent is configured.
Also would be helpful if you can post the actual and complete Event log error, as well as any other Event log errors. Please post the complete error (eventID# and Source). You can use the copy/paste function.
Ace
Late addition:
Also, disable ALL firewalls on the server and on the router where the agent is. Let's completely eliminate this as a possibility.
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
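The audit-log question in this exchange (whether ID 55 signals a rogue server), as an added example that is not part of the original posts: Python that reads DHCP server audit-log rows and separates the authorization-status IDs (50 and above) from lease events. The ID meanings follow the legend in the audit log header and the TechNet article linked above; the function names are hypothetical, and every sample row except the ID 55 line quoted in the thread is constructed.

```python
import csv
from collections import Counter

# Event ID meanings as listed in the Windows DHCP audit log legend.
# IDs of 50 and above report the server's own AD authorization state.
LEASE_EVENTS = {"10": "new lease", "11": "lease renewed",
                "14": "scope address pool exhausted", "15": "lease denied"}
AUTH_OK = {"51": "authorization succeeded", "53": "cached authorization",
           "55": "authorized (servicing)"}
AUTH_FAIL = {"54": "authorization failed",
             "56": "authorization failure, stopped servicing"}

def summarize(log_text):
    """Return (authorization state, lease-event counts) for audit-log text."""
    state, leases = "unknown", Counter()
    for row in csv.reader(log_text.splitlines()):
        # Data rows start with a numeric ID; legend and blank lines do not.
        if len(row) < 4 or not row[0].strip().isdigit():
            continue
        event_id = row[0].strip().zfill(2)
        if event_id in AUTH_OK:
            state = "authorized"          # the latest status row wins
        elif event_id in AUTH_FAIL:
            state = "not authorized"
        elif event_id in LEASE_EVENTS:
            leases[LEASE_EVENTS[event_id]] += 1
    return state, dict(leases)

def diagnose(log_text):
    """Turn the summary into a one-line troubleshooting hint."""
    state, leases = summarize(log_text)
    if state == "not authorized":
        return "not authorized: the server will not service clients"
    if state == "authorized" and not leases:
        return ("authorized, no lease events: authorization is not the "
                "cause, check scopes and the network path")
    return "lease activity logged: %s" % leases

# First two rows constructed; the ID 55 row is the one quoted in the thread.
THREAD_LOG = """ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,11/17/10,14:06:58,Started,,,,
55,11/17/10,14:07:00,Authorized(servicing),,(Domain name)
"""

if __name__ == "__main__":
    print(diagnose(THREAD_LOG))
```
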
Wednesday, November 17, 2010 6:40 AM
I found inside DHCP Log itself where it says 50+ Codes above 50 are used for Rogue Server Detection information
AD Issue: Please find below ipconfig from both DHCP/AD/DNS/WINS Server:
Server 1:
Ethernet adapter Team 1:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : BASP Virtual Adapter
   Physical Address. . . . . . . . . : 84-2B-2B-52-3F-BE
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.127.10.21(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.127.10.1
   DNS Servers . . . . . . . . . . . : 10.127.10.21
                                       172.18.16.24
                                       138.213.114.49
                                       127.0.0.1
   Primary WINS Server . . . . . . . : 10.127.10.21
   Secondary WINS Server . . . . . . : 172.18.16.22
                                       138.213.114.48
   NetBIOS over Tcpip. . . . . . . . : Enabled
SERVER2:
Ethernet adapter Team 1:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : BASP Virtual Adapter
   Physical Address. . . . . . . . . : 84-2B-2B-52-06-0B
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.127.10.22(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.127.10.1
   DNS Servers . . . . . . . . . . . : 101.127.10.21
                                       10.127.10.22
                                       138.213.114.49
                                       127.0.0.1
   Primary WINS Server . . . . . . . : 10.127.10.21
   Secondary WINS Server . . . . . . : 172.18.16.22
                                       138.213.114.48
   NetBIOS over Tcpip. . . . . . . . : Enabled
List of Scopes: There are lot of Scopes for writing but all are ranging from 10.127.
Relay agent is on the network side VLAN and all VLAN's are 10.127 range and all pointing to 10.127.10.21 and 10.127.10.22
It will not be possible to Disable Windows Firewall as after disabling, We cannot RDP the server due to compliance issue.
Please let me know in case you have any questions.
Wednesday, November 17, 2010 7:41 AM
Hi Ace, I checked with my Teams and finally got confirmation and disabled windows Firewall on one of the servers (Server 1) and still DHCP is not leasing IP.