DhcpNameServer changes after login

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

On a network with Server 2003 providing Active Directory and all its
elements, includeing DHCP and DNS, the name servers change a few seconds
after login. On any workstation running "ipconfig /all" within 30 seconds of
login shows the internal DNS servers but a few seconds later running
"ipconfig /all" shows external non-related DNS servers.

Using RegMON I can tell svchost is changing the registry but I don't know
how to determin what is calling svchost. I've also used HiJackThis and found
nothing unusual in the registry or startup. The external nameservers are not
listed in the registry, at least not as text either.
 
Does it show that the computer has a new DHCP server also with ipconfig
/all?? If so you may have an unauthorized DHCP server/device on your
network. It is curious that the computer would change so fast as DHCP leases
are usually 8 days unless you or the computer are using something like
ipconfig /release and renew or a scrip that uses netsh command to
reconfigure the settings. I would also run rsop.msc to see if any Group
Policy settings [including scripts] are enforcing DNS servers in computer
configuration. You may also want to post in the server.networking
newsgroup. --- Steve
 
Thanks for the suggestion. The DHCP server address does not change. I also
place my laptop on the network, with firewall turned off, and it never
changed. I suspect one of their standard applications is making the change
but don't know of a way to trace calls to svchost.

Steven L Umbach said:
Does it show that the computer has a new DHCP server also with ipconfig
/all?? If so you may have an unauthorized DHCP server/device on your
network. It is curious that the computer would change so fast as DHCP leases
are usually 8 days unless you or the computer are using something like
ipconfig /release and renew or a scrip that uses netsh command to
reconfigure the settings. I would also run rsop.msc to see if any Group
Policy settings [including scripts] are enforcing DNS servers in computer
configuration. You may also want to post in the server.networking
newsgroup. --- Steve


Spinnerdog said:
On a network with Server 2003 providing Active Directory and all its
elements, includeing DHCP and DNS, the name servers change a few seconds
after login. On any workstation running "ipconfig /all" within 30 seconds
of
login shows the internal DNS servers but a few seconds later running
"ipconfig /all" shows external non-related DNS servers.

Using RegMON I can tell svchost is changing the registry but I don't know
how to determin what is calling svchost. I've also used HiJackThis and
found
nothing unusual in the registry or startup. The external nameservers are
not
listed in the registry, at least not as text either.
Click to expand...
Click to expand...
 
Interesting. I would also run rsop.msc on the computer and look for any
configuration under computer configuration/administrative
templates/network/dnsclient. The other thing you could try is to enable
auditing of process tracking in Local Security Policy to see what
processes/executables are running as shown in the security log just before
you see the change with regmon and also use filemon to see if it can tell
anything useful. --- Steve


Spinnerdog said:
Thanks for the suggestion. The DHCP server address does not change. I
also
place my laptop on the network, with firewall turned off, and it never
changed. I suspect one of their standard applications is making the
change
but don't know of a way to trace calls to svchost.

Steven L Umbach said:
Does it show that the computer has a new DHCP server also with ipconfig
/all?? If so you may have an unauthorized DHCP server/device on your
network. It is curious that the computer would change so fast as DHCP
leases
are usually 8 days unless you or the computer are using something like
ipconfig /release and renew or a scrip that uses netsh command to
reconfigure the settings. I would also run rsop.msc to see if any Group
Policy settings [including scripts] are enforcing DNS servers in computer
configuration. You may also want to post in the server.networking
newsgroup. --- Steve


Spinnerdog said:
On a network with Server 2003 providing Active Directory and all its
elements, includeing DHCP and DNS, the name servers change a few
seconds
after login. On any workstation running "ipconfig /all" within 30
seconds
of
login shows the internal DNS servers but a few seconds later running
"ipconfig /all" shows external non-related DNS servers.

Using RegMON I can tell svchost is changing the registry but I don't
know
how to determin what is calling svchost. I've also used HiJackThis and
found
nothing unusual in the registry or startup. The external nameservers
are
not
listed in the registry, at least not as text either.
Click to expand...
Click to expand...
Click to expand...
 
You must log in or register to reply here.

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Disappearing DNS 2
DNS resetting 2
My PC has been hijacked 1
internal/external DNS resolution problem 9
Runaway DNS in XP! 1
nslookup 1
Unknown svchost.exe DNS port 53 network activity 39
Cannot access Server 1

Back
Top