Some DHCP clients end up with wrong DNS server

Solution 1

I would run a packet dump on a few of these boxes until it happens. See if you can find anything network related. Maybe you will see some packets that give you an idea if it is not that.

Can a group policy in Windows set the DNS server? Maybe somehow there has been a strange GP applied on the domain?

Update:
I have never done this, but since it seems like you are getting a little desperate, what about blowing away the current DHCP database? These instructions say how to back up the mdb file, so maybe moving it somewhere else will make it so DHCP creates a new one after restarting. That might fix the problem...

The thing that doesn't jive in my mind, :-), is why clients would be getting new information if their lease hasn't expired yet and they haven't rebooted... is this what is happening?

Solution 2

Check your router to make sure that it isn't providing any sort of DHCP service. If you telnet into the router and it has lines in the configuration that start with "ip dhcp", then it is providing some sort of DHCP response.

Solution 3

Clients will change from Primary to Secondary DNS if the primary DNS doesn't respond in a timely manner and they won't switch back until the lease is renewed. I think DNS will just fail if the secondary doesn't respond, i.e. I don't think they then switch to the Gateway but it's possible. This could be tested pretty easily.

The options that I can think of:
- The scope actually has the incorrect IP as a DNS option. Corrupt DHCP scope, delete and recreate or post a screen shot or export of the DHCP scope options.
- There is another DHCP server running. Ipconfig /all lists the IP of the DHCP server the client obtained the lease from & the timestamp when it was obtained.
- On the clients there is a DNS server(s) setup under the Static or Alternative configurations.
- The clients are changing between wired and wireless and getting a different lease on the wireless network.

If IPConfig shows the DNS server listed and the IP of the DHCP server is also as expected then something on that IP is giving out the bad/unexpected leases.

As Kyle suggested, wireshark/netmon on the server will confirm if the lease is actually coming from that server with the bad info.

Solution 4

I know this is an old thread, but I experienced this same issue, and maybe it can contribute to someone else.

In my work network we had a service that included a modem that a provider used to connect to a piece of equipment they provided. I didn't know at the time, but it seems this modem was also a router with DHCP Enabled, and started causing this same issue.

What was happening was that after a client sent a DHCP Request, both the main server and this router answered. The client got the IP from the main server but the DNS from the router, which caused the conflict. After getting the modem/router offline, the services were normalized.
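An added example, not from any of the posts above: Solutions 3 and 4 both come down to checking which server a DHCP reply came from and which DNS option it carried. This Python sketch parses the UDP payload of a captured DHCP reply for option 54 (server identifier) and option 6 (DNS servers) and flags anything not on an allow-list; the function names and the 192.0.2.x addresses are constructed for illustration.

```python
import socket

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header
MSG_TYPES = {2: "OFFER", 5: "ACK"}  # option 53 values a server sends to a client

def parse_dhcp_reply(payload):
    """Parse a UDP payload; return type, server id and DNS list, or None."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC:
        return None  # not a BOOTREPLY carrying DHCP options
    opts, i = {}, 240
    while i + 1 < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:  # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    dns = opts.get(6, b"")  # option 6: DNS servers, 4 bytes each
    sid = opts.get(54, b"")  # option 54: server identifier
    return {
        "type": MSG_TYPES.get((opts.get(53) or b"\0")[0], "OTHER"),
        "server_id": socket.inet_ntoa(sid) if len(sid) == 4 else None,
        "dns": [socket.inet_ntoa(dns[j:j + 4]) for j in range(0, len(dns) - 3, 4)],
    }

def audit(reply, allowed_servers, allowed_dns):
    """Return findings for a parsed reply; an empty list means it looks expected."""
    findings = []
    if reply["server_id"] not in allowed_servers:
        findings.append("unauthorized DHCP server %s" % reply["server_id"])
    bad = [d for d in reply["dns"] if d not in allowed_dns]
    if bad:
        findings.append("unexpected DNS option: " + ", ".join(bad))
    return findings

def build_reply(msg_type, server, dns_list):
    """Constructed sample data: minimal BOOTREPLY with options 53, 54 and 6."""
    dns = b"".join(socket.inet_aton(d) for d in dns_list)
    opts = bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server)
    opts += bytes([6, len(dns)]) + dns + b"\xff"
    return bytes([2, 1, 6, 0]) + bytes(232) + MAGIC + opts

# Constructed addresses: 192.0.2.7 = intended DHCP/DNS server, 192.0.2.254 = gateway
GOOD = build_reply(5, "192.0.2.7", ["192.0.2.7"])
ROGUE = build_reply(2, "192.0.2.254", ["192.0.2.254"])

if __name__ == "__main__":
    for pkt in (GOOD, ROGUE):
        r = parse_dhcp_reply(pkt)
        print(r["type"], r["server_id"], r["dns"], audit(r, {"192.0.2.7"}, {"192.0.2.7"}))
```

The two checks are independent on purpose: a reply can come from the expected server identifier and still carry a DNS option that should not be there.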

Solution 5

I know this is an old post but I thought I would send an update since this just happened to our latest migration to 2012. The root cause was the fact that we imported the DHCP database from the old 2003 server. All was fine initially but once we needed to make a scope change, specifically for the DNS option, the clients started experiencing the issue described. They would initially have the correct DNS setting but would all of a sudden revert back to the old DNS settings. A renew or reboot would always fix the issue but only temporarily.

Hope this helps

Author: Nic

Updated on September 17, 2022

Comments

  • Nic
    Nic almost 2 years

    The scenario:

    • DC running Windows Server 2008 R2 providing DNS + DHCP
    • Cisco 1811 Router as the gateway
    • 30 Windows XP DHCP clients on the LAN

    The problem:

    • Some workstations are spontaneously switching to an incorrect DNS server. Specifically, ipconfig /all shows that they start using the gateway as a DNS server.
    • This happens about 5-10 times a day to various computers, sometimes more than once per day.

    The workaround:

    • Repairing the connection on the XP client always fixes the problem, and the correct DNS server address is obtained.

    We lost our main DNS/DHCP machine a week ago, and had to bring this one online as a spare. We've been having this issue since then. DHCP leases on the old and new servers are configured for "wired" (8 day) duration. There are definitely no other DHCP servers active on the LAN. So far there is no discernible pattern about which clients will show this problem, or when.

    When I ran DCDIAG /test:DNS it came back clean. Manual inspection of the DNS zone shows that all the records are appearing as expected, with no traces of the previous machine in there.

    Update Feb 27: Added screenshots.

    Here is a screenshot of the DHCP scope options on the 2008 R2 server. http://nicwaller.com/screens/dhcpscope.png

    And here is a screenshot of ipconfig /all running on a healthy host. I don't have any ailing hosts at the moment, but will grab a screencap next time it happens. http://nicwaller.com/screens/ipconfigall.png

    Update Feb 28: More screenshots.

    Here's a screenshot of DHCP and DNS traffic from a healthy client when repairing the local area connection. There's definitely only one server responding, but it does seem strange that the negotiation takes place twice. I'll try to get a similar capture from a sick machine this coming week. http://nicwaller.com/screens/dhcprenew_screen.png

    Update Mar 01: Caught a bad ipconfig.

    Here's a screenshot of ipconfig /all from a client that had this issue. It says the lease was issued this morning, but it doesn't even have an entry for the secondary DNS I set up yesterday. Both DNS servers were discovered properly when repairing the connection. http://nicwaller.com/screens/bad_dns.png

    Update Mar 01: It even got the sysadmin!

    This issue finally affected my personal workstation this morning. Unfortunately I had just rebooted and wasn't running a packet dump at the time. I set up a secondary server yesterday, and was logging all DNS traffic to it. My machine had not contacted the secondary DNS in over half an hour, so that says to me that it's just spontaneously reverting to the gateway without even failing over to secondary DNS first.

    Today I swapped the order of the DNS servers in DHCP, so the secondary is primary and vice versa. I will update again once I know how that goes.

    • Ed Fries
      Ed Fries over 14 years
      Does "incorrect DNS server" mean the secondary DNS server in the DHCP scope, a DNS server that isn't listed in the DHCP scope at all or something else?
    • Nic
      Nic over 14 years
      The new DNS server is at x.x.x.7 and the (Cisco Router) gateway is at x.x.x.254. They are switching to using the gateway as DNS. It's within the DHCP scope, but not listed in the DHCP options.
    • James
      James over 14 years
      Do you have any reservations set up? For instance the DHCP server can't give its own address or the address of the gateway to anyone, can it?
    • Nic
      Nic over 14 years
      Nope, there are no reservations in use. We use static addressing for servers and printers. The address pool is distinct from the ranges used for static addressing, so the DHCP server would not issue an overlapping address.
    • artifex
      artifex over 14 years
      Just putting it out there: support.microsoft.com/kb/263217 - Windows DHCP Server Gives Incorrect Settings for the Default Gateway or the DNS Server. It says in the article that it applies to Windows 2000, but it wouldn't hurt to check it out.
    • Kyle Brandt
      Kyle Brandt over 14 years
      Updated my answer with the recommendation that you might try blowing away the current DHCP database on the server. Not the most elegant solution, but might fix it. This sort of sporadic behavior sounds like some sort of corruption maybe.
    • Spiff
      Spiff about 14 years
      I'm curious, did this ever get resolved?
    • Nic
      Nic about 14 years
      After deploying a new DHCP+DNS server, the problem went away. I was never able to conclusively determine the cause of the problem.
  • Nic
    Nic over 14 years
    I did test this. With DHCP disabled on the server, I am unable to obtain a lease on any clients.
  • Nic
    Nic over 14 years
    All good ideas. Posted screenshot of DHCP scope and ipconfig on healthy host. No static DNS setup on clients (if there was, repairing wouldn't fix the problem). Problem has affected desktop clients with no wireless.
  • Nic
    Nic over 14 years
    There is no group policy affecting DNS settings. I tested with gp modelling and gpresult, looking for settings under computer/admin templates/network. (Although forcing the correct server via GP might work as a temporary solution, so +1 for that)
  • Ed Fries
    Ed Fries over 14 years
    All looks normal, like you said. I would also confirm the ipconfig when the DNS server is incorrect. Is IP v6 running on the clients? I would disable/remove if so. For testing I would add a 2nd DNS server to the DHCP scope and see if the clients start using that. If so then the DNS response from the server is not consistent and possibly the clients are rotating off of the DNS to the Gateway.
  • Philip
    Philip over 14 years
    If the router is out of addresses it will behave this way too, you need to log in to the router and check its DHCP configuration. It's probably turned on.
  • Nic
    Nic over 14 years
    I found only one line matching your criteria: "ip dhcp excluded-address 10.10.10.1". Is that enough to cause problems?
  • Nic
    Nic over 14 years
    I believe the scope options inherit from the server options, so that screenshot has everything there. (And I checked to make sure - nothing wonky in the global options)
  • Nic
    Nic over 14 years
    (Re: update) Yes, this is absolutely what is happening. The DNS settings are changing well before the DHCP lease should ever expire, even several times per day. I am desperate now, so I'll try blowing away the DHCP database tonight.
  • Nic
    Nic over 14 years
    Accepted this as my answer because it provided a plausible workaround and good debugging suggestions. My problem is still not resolved, but bounty question would get forced auto-accept.