Hi all:

I have an office with a 25 computer Windows NT domain and a Windows exchange server 5.5. We have a Sonicwall Firewall that acts as the DHCP server and gateway. All the client machines (except the exchange server) obtain an IP address from the sonicwall and run Windows XP. The exchange has a static IP. Today morning 5 client machines got disconnected from the network. When I went into the commmand prompt and checked the IP configuration, I saw that the IP address was assigned by a new DHCP server which was not the sonicwall and was in a range that is not in our internal network. I tried restarting the client machines but it was still acquiring an IP from the new DHCP server (I have no idea where the server popped up from). Is there any way to pinpoint that IP to the computer name/MAC address. I had to manually set the IP and gateway information on these client machines to use the Sonicwall.

That got them back on the network but they now cannot access the email. When I try to browse through to the exchange server through network places, I get a message saying "you do not have sufficient priveleges to access the network resource). People who did not get disconnected can access the exchange server without any problems and check their email.

I checked the DHCP log on the Sonicwall and it shows that no leases have been issued and it has all the IP addresses available. IT is obvious that the Sonicwall is not acting as the DHCP server anymore. As soon as the current lease is expiring, the existing machines are getting IP addresses from the new DHCP server and getting disconnected from the network.

I am stumped as to why this would occur. Any ideas. I thought it might be a hack job but once these machines get the new IP, they are getting disconnected from the network and all its resources.

Are these new addresses in the 169.254.x.x range?

If so you don't have a new dhcp server. You have broken equipment.

this is the result when the dhcp client can't get to the dhcp server to get a ip address. MS autoassignes this range of ip.

Golly gee wilerkers everyone. Learn to Internet Search

No:

The DHCP server's IP address is 192.168.0.1, and it is the gateway as well. It asssigns IPs in the range 192.168.1.20-192.168.1.199

The new gateway is 192.168.128.1 and it is assigning IPs in the range 192.168.128.228 and forward.

Thanks,
Ram.

Sounds like someone brought in their own nat [router] device and put it on the network and/or the server has become configured with dhcp services. This is assuming no one is playing with Linux.

If you put in 192.168.128.1 in IE and click go what comes up?

First things first, isolate your network. Turn off the sonicwall. Reboot a machine. Does it get the new dhcp range ip address?

If you have managed switches this would be easy. Ping 192.168.128.1. Now do a arp -a and note the mac address. Look in your managed switch for that mac address. This will give you the port and blade number which you can then use to trace to the culprit.

Sure hope you have a policy in place that says you can't bring in stuff without your permission. Real hard to fire someone if you haven't done this prep work.

Golly gee wilerkers everyone. Learn to Internet Search

You probably have someone that brought in one of those nice little home routers or wireless AP's and it's doling out addresses . Don't know what kind of switch you have but if you can get the mac address you should be able to look at the table , if the switch is a unmanageable one then it's time to start unplugging one at a time .