Categories: Windows

How to detect rogue DHCP server?

Recently one of our Clients complained that printers are not printing and are shown offline on computers. Since the client has Windows as a print server we've verified the server functionality only to find out it has IP in the wrong DHCP scope. We immediately suspected there must be a rogue DHCP server in our network causing havoc. 

So how do you check if there's another DHCP in your network? You can follow EVENT ID's on the server as per DHCP Server Rogue Detection available on Microsoft Technet or you can use Rogue Checker specially crafted to this quickly and efficiently without need to go thru pages of logs. There is at least 10 possible Event ID's referring to rogue DHCP server.

Event ID

Source

Message

1042

Microsoft-Windows-DHCP-Server

The DHCP/BINL service running on this computer has detected a server on the network. If the server does not belong to any domain, the domain is listed as empty. The IP address of the server is listed in parentheses.

1098

Microsoft-Windows-DHCP-Server

Unreachable Domain

1100

Microsoft-Windows-DHCP-Server

Server Upgraded

1101

Microsoft-Windows-DHCP-Server

Cached authorization

1103

Microsoft-Windows-DHCP-Server

Authorized(servicing)

1105

Microsoft-Windows-DHCP-Server

Server found in our domain

1107

Microsoft-Windows-DHCP-Server

Network failure

1109

Microsoft-Windows-DHCP-Server

Server found that belongs to DS domain

1110

Microsoft-Windows-DHCP-Server

Another server was found

1111

Microsoft-Windows-DHCP-Server

Restarting rogue detection

You can also check it using ipconfig /all command.

 

Finally, if both options are not for you, you can use a tool called Rogue Checker which is a better option then both mentioned above. Why? Because it's quick, easy, and doesn't require checking anything in logs!

After opening the tool you simply press Detect Rogue Servers and woila! It shows you that there is a server inside delivering other IP Addresses!

It can be configured to search on multiple IP interfaces, or even have scheduled frequency for finding Rogue DHCP servers.

After removing the server and rerunning the tool Rogue Checker reports there are no longer any other servers than the ones authorized in Active Directory.

Unfortunately finding that there is a rogue DHCP server inside and tracking it physically is another part of a job. Maybe next time 🙂 It's not easy to find the download on Microsoft Pages so we're attaching it here for your convenience.

This post was last modified on May 15, 2020 17:24

Przemyslaw Klys

System Architect with over 14 years of experience in the IT field. Skilled, among others, in Active Directory, Microsoft Exchange and Office 365. Profoundly interested in PowerShell. Software geek.

Share
Published by
Przemyslaw Klys

Recent Posts

Upgrade Azure Active Directory Connect fails with unexpected error

Today, I made the decision to upgrade my test environment and update the version of…

5 days ago

Mastering Active Directory Hygiene: Automating Stale Computer Cleanup with CleanupMonster

Have you ever looked at your Active Directory and wondered, "Why do I still have…

4 months ago

Active Directory Replication Summary to your Email or Microsoft Teams

Active Directory replication is a critical process that ensures the consistent and up-to-date state of…

8 months ago

Syncing Global Address List (GAL) to personal contacts and between Office 365 tenants with PowerShell

Hey there! Today, I wanted to introduce you to one of the small but excellent…

1 year ago

Active Directory Health Check using Microsoft Entra Connect Health Service

Active Directory (AD) is crucial in managing identities and resources within an organization. Ensuring its…

1 year ago

Seamless HTML Report Creation: Harness the Power of Markdown with PSWriteHTML PowerShell Module

In today's digital age, the ability to create compelling and informative HTML reports and documents…

1 year ago