Evotec Services sp. z o.o., ul. Drozdów 6, Mikołów, 43-190, Poland

How to detect a rogue DHCP server?

Recently one of our clients complained that printers were not printing and were shown as offline on computers. Since the client uses Windows as a print server, we verified the server's functionality, only to find that it had an IP address in the wrong DHCP scope. We immediately suspected there must be a rogue DHCP server in our network causing havoc.

So how do you check if there's another DHCP server in your network? You can follow the Event IDs on the server, as described in DHCP Server Rogue Detection on Microsoft TechNet, or you can use Rogue Checker, which is specially crafted to do this quickly and efficiently without the need to go through pages of logs. There are at least 10 possible Event IDs referring to a rogue DHCP server.

| Event ID | Source | Message |
|----------|--------|---------|
| 1042 | Microsoft-Windows-DHCP-Server | The DHCP/BINL service running on this computer has detected a server on the network. If the server does not belong to any domain, the domain is listed as empty. The IP address of the server is listed in parentheses. |
| 1098 | Microsoft-Windows-DHCP-Server | Unreachable Domain |
| 1100 | Microsoft-Windows-DHCP-Server | Server Upgraded |
| 1101 | Microsoft-Windows-DHCP-Server | Cached authorization |
| 1103 | Microsoft-Windows-DHCP-Server | Authorized(servicing) |
| 1105 | Microsoft-Windows-DHCP-Server | Server found in our domain |
| 1107 | Microsoft-Windows-DHCP-Server | Network failure |
| 1109 | Microsoft-Windows-DHCP-Server | Server found that belongs to DS domain |
| 1110 | Microsoft-Windows-DHCP-Server | Another server was found |
| 1111 | Microsoft-Windows-DHCP-Server | Restarting rogue detection |
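
One way to pull these events without paging through the log, as an added example (not part of the original post and not Rogue Checker's code): a PowerShell function that queries the Microsoft-Windows-DHCP-Server source for the ten IDs listed above and extracts any IP address shown in parentheses. The function name, its parameters and the shortened label for event 1042 are assumptions made for this example.

```powershell
# Added example. Event IDs and labels come from the table above;
# the label for 1042 is shortened, and Get-RogueDhcpEvent is a hypothetical name.
$RogueDetectionIds = @{
    1042 = 'Server detected on the network'
    1098 = 'Unreachable Domain'
    1100 = 'Server Upgraded'
    1101 = 'Cached authorization'
    1103 = 'Authorized(servicing)'
    1105 = 'Server found in our domain'
    1107 = 'Network failure'
    1109 = 'Server found that belongs to DS domain'
    1110 = 'Another server was found'
    1111 = 'Restarting rogue detection'
}

function Get-RogueDhcpEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # DHCP server to query
        [int]$Days = 7                              # how far back to look
    )
    $filter = @{
        ProviderName = 'Microsoft-Windows-DHCP-Server'
        Id           = @($RogueDetectionIds.Keys)
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    try {
        $found = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # "Nothing matched" is a normal result; any other error (access denied,
        # host unreachable) must surface so it is not mistaken for a clean log.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }
    foreach ($e in $found) {
        # Event 1042 lists the detected server's IP address in parentheses.
        $ips = [regex]::Matches($e.Message, '\((\d{1,3}(?:\.\d{1,3}){3})\)') |
            ForEach-Object { $_.Groups[1].Value }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Id          = $e.Id
            Meaning     = $RogueDetectionIds[$e.Id]
            ServerIPs   = ($ips | Sort-Object -Unique) -join ', '
        }
    }
}

Get-RogueDhcpEvent -Days 7 | Sort-Object TimeCreated | Format-Table -AutoSize
```

Any address in the ServerIPs column that is not one of your authorized DHCP servers is the one to track down.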

You can also check it on a client with the ipconfig /all command, which lists the DHCP server that issued the lease for each adapter.

[Screenshot: DHCP Ipconfig Configuration]

Finally, if neither option is for you, you can use a tool called Rogue Checker, which is a better option than both mentioned above. Why? Because it's quick, easy, and doesn't require checking anything in logs!

After opening the tool you simply press Detect Rogue Servers and voilà! It shows you that there is a server inside delivering other IP addresses!

[Screenshot: Rogue Checker - Processing Screen - Rogue Server Found]

It can be configured to search on multiple IP interfaces, or even to run at a scheduled frequency to look for rogue DHCP servers.

[Screenshot: Rogue Checker - Configuration Screen]

After removing the server and rerunning the tool, Rogue Checker reports there are no longer any servers other than the ones authorized in Active Directory.

[Screenshot: Rogue Checker - Processing Screen - Rogue Server Not Found]

Unfortunately, finding out that there is a rogue DHCP server inside and tracking it down physically is another part of the job. Maybe next time 🙂 It's not easy to find the download on Microsoft pages, so we're attaching it here for your convenience.
