IPconfig details wrong

  • Thread starter: paxoid

paxoid

Sorry if this is inappropriate - got a bit confused as to which group would
be best... Any suggestions gratefully received.

I'm almost bald! I'm having intermittent problems with a few dozen machines
picking up strange inappropriate network masks (random 255.0.0.0,
255.255.0.0 etc) or not picking up a DNS entry. The only common factor is
that they are all active directory XP machines. All were ok until a month
ago. If a machine gets it, it will frequently exhibit the problem, but
hundreds of others are ok. Any ideas?
thanks
 
Are all computers getting configuration from DHCP? Are they all getting
configuration from the same server? Or maybe a different server? That's the
nice thing about IPConfig - it shows what server provided the configuration
data.

--
Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
My email is AT DOT
actual address pchuck sonic net.
 
Hi,
All of the affected machines use DHCP, and ipconfig always shows the same
(correct) server address & the leases are sensible. I can see the server
handing out the leases, and a packet sniffer shows the correct payload.
Cheers,
Paxoid
 
OK, so the problem is not with the DHCP server?

Are all of "a few dozen machines" in your LAN subject to this problem randomly?
Repeatedly? How many total computers in the LAN? Any differences in hardware
or software? Physical location?

How often does this problem occur, as opposed to not occur?

You "see" this happening thru a packet sniffer running against the DHCP server?
Does this happen constantly? Do you see anything in the Event Log for the
problem computers?

What happened a month ago? Software upgrade? Hardware upgrade? New computer
deployed?

BTW, posting your email address openly will get you more unwanted email, than
wanted email. Learn to munge your email address properly, to keep yourself a
bit safer when posting to open forums. Protect yourself and the rest of the
internet - read this article.
http://www.mailmsg.com/SPAM_munging.htm

--
Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
My email is AT DOT
actual address pchuck sonic net.
 
Hi,
There are around 5000 machines spread over about 25 CIDR subnets
(interestingly the "wrong" subnet masks have all been classful), but there
are only around 500 active directory machines (the affected ones being a
subset of these). If a machine is affected, we usually see it affected
intermittently thereafter. However, they didn't all appear at the same time,
and new ones continue to appear.
The only updates are via Windows auto update (I think that there have only
been 3 during this period).
We are actually running 2 dhcp servers off the same data, but I can see both
handing out the same responses to requests, so I don't think that one is
corrupting data.
The event most often happens when a machine is booted in the morning, but it
does occasionally happen in the afternoon (leases are either 2 or 7 days).
We do sometimes see leases of 30 minutes, but I believe that this behaviour
is due to the dhcp server pair not having synchronised, and they sort things
out later.
There are many different hardware variations, and ethernet card types - I
can't see any pattern. The event logs just show problems contacting profile
servers etc - consistent with not having a viable tcpip config.
I've tried moving an affected machine to a different location, and so far it
hasn't had a problem. Equally, I've moved a machine with identical hardware
to that one's old location, and it hasn't failed.
The locations are spread out, but it seems to be pretty much wherever we
have active directory deployed.
My thinking is that if it was hardware, OS, switch, router, DHCP server,
DHCP helper on the routers, or location then we should see non active
directory machines affected, but we don't.
That seems to leave AD, or possibly Ghost which we use to roll out new
desktops. However the problem doesn't coincide with any new ghostings, and
most AD machines are not affected. I'm not an AD expert, but our people who
look after it can't see any problem either.
Strange one ain't it?
Fair comment about munging, however I'm deliberately using a real address as
part of a bit of research into spam. Needless to say it's not my main email
address ;-)
Cheers!
paxoid
 
On Sun, 27 Feb 2005 22:37:44 GMT, "paxoid" <*email_address_deleted*> wrote:

Hi,
There are around 5000 machines spread over about 25 CIDR subnets
(interestingly the "wrong" subnet masks have all been classful), but there
are only around 500 active directory machines (the affected ones being a
subset of these). If a machine is affected, we usually see it affected
intermittently thereafter. However, they didn't all appear at the same time,
and new ones continue to appear.
The only updates are via Windows auto update (I think that there have only
been 3 during this period).
We are actually running 2 dhcp servers off the same data, but I can see both
handing out the same responses to requests, so I don't think that one is
corrupting data.
The event most often happens when a machine is booted in the morning, but it
does occasionally happen in the afternoon (leases are either 2 or 7 days).
We do sometimes see leases of 30 minutes, but I believe that this behaviour
is due to the dhcp server pair not having synchronised, and they sort things
out later.
There are many different hardware variations, and ethernet card types - I
can't see any pattern. The event logs just show problems contacting profile
servers etc - consistent with not having a viable tcpip config.
I've tried moving an affected machine to a different location, and so far it
hasn't had a problem. Equally, I've moved a machine with identical hardware
to that one's old location, and it hasn't failed.
The locations are spread out, but it seems to be pretty much wherever we
have active directory deployed.
My thinking is that if it was hardware, OS, switch, router, DHCP server,
DHCP helper on the routers, or location then we should see non active
directory machines affected, but we don't.
That seems to leave AD, or possibly Ghost which we use to roll out new
desktops. However the problem doesn't coincide with any new ghostings, and
most AD machines are not affected. I'm not an AD expert, but our people who
look after it can't see any problem either.
Strange one ain't it?
Fair comment about munging, however I'm deliberately using a real address as
part of a bit of research into spam. Needless to say it's not my main email
address ;-)
Cheers!
paxoid

Pax,

OK, so you have a few dozen AD computers out of a total population of 5000. On
25 subnets, in how many physical locations? Any network components - routers,
data links - in common with the 60 or so AD computers? Are the AD computers
evenly spread around the 25 subnets?

How do you identify when the odd subnet masks show up? What application
symptoms are seen? How do you know that this isn't happening to any other
computers at the same time?

You earlier said that the common factor to the problem is "are all active
directory XP machines". Now "most AD machines are not affected". How about
some more numbers - out of 5000 computers, how many are AD? How many total
numbers have been found to show this problem? And how many times has this been
observed (any computers repeat symptoms)? Also, how do you resolve each
individual case?

Thanks for acknowledging my concerns about your posting your email address. So
you want to make a spam trap out of your h-----l address. I'll bet you're
getting a few spams. Enjoy.

--
Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
My email is AT DOT
actual address pchuck sonic net.
 
Hi Chuck,
Thanks for the reply.

There are only around 500 active directory machines (the affected ones being a
I think that at the last count, there were 54 affected at least once and a
core of around 35 affected fairly regularly (but not constantly - ie sometimes
they work). There are I think 5 subnets affected, but we only have 6 subnets
which have active directory machines. Interestingly the one which is not
affected is our IT department which uses different switches, but my
previous observations make me a bit sceptical of this being the cause.
We spot the problem because the users report that no network applications
work (not surprising if they receive a 255.0.0.0 mask). Also, as I said in
the original post, sometimes they don't get a DNS server, which will also
cause problems. Again, we have no reports whatsoever from non active
directory users. Resolution is just an ipconfig /release /renew, problem is
that it has to be done by a tech as the users do not have admin rights.
Links are all Gig lx to distribution switches fanning out to edge switches.
We have 3 core routers servicing the subnets, and the affected ones are
distributed evenly over the 3. Affected subnets also contain non active
directory machines that are quite happy.
I've been monitoring for rogue DHCP servers & haven't seen any, but again,
if this was the cause, then non AD machines should similarly be affected.

Strangely, the spam trap is not really seeing much - since I posted, I've
only seen 2 spams - remarkable really. Chances are that it takes a little
while to be harvested & sold on.

Thanks again for your interest, it helps to run things past someone else!
Paxoid
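
One way to triage the symptoms described in this post across many machines (an added example, not code from any poster in the thread): parse saved `ipconfig /all` output and flag a lease whose mask is classful or otherwise differs from the scope, that has no DNS server, or that came from a DHCP server outside the authorised set. The server addresses, subnets and sample outputs below are constructed assumptions.

```python
import ipaddress
import re

# Assumed site data (constructed): authorised DHCP servers and scope subnets.
ALLOWED_DHCP = {"10.1.1.5", "10.1.1.6"}
SITE_SUBNETS = [ipaddress.ip_network(n) for n in ("10.20.30.0/24", "172.16.8.0/22")]

# "Subnet Mask . . . . . : 255.0.0.0" -> ("Subnet Mask", "255.0.0.0")
FIELD = re.compile(r"^\s*([A-Za-z][^.:]*?)[ .]*:\s*(.*)$")

def parse_ipconfig(text):
    """Return {field: value} for one adapter block of `ipconfig /all` output."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def classful_mask(ip):
    """Default mask implied by the address class (A, B or C) of `ip`."""
    first = int(ip.split(".")[0])
    return "255.0.0.0" if first < 128 else "255.255.0.0" if first < 192 else "255.255.255.0"

def check_lease(fields):
    """Return findings for one adapter; an empty list means the lease looks sane."""
    ip, mask = fields.get("IP Address", ""), fields.get("Subnet Mask", "")
    if fields.get("Dhcp Enabled", "").lower() != "yes" or not ip or not mask:
        return ["adapter has no DHCP lease to check"]
    findings = []
    server = fields.get("DHCP Server", "")
    if server not in ALLOWED_DHCP:
        findings.append(f"lease from unexpected DHCP server {server or '(none)'}")
    scope = next((n for n in SITE_SUBNETS if ipaddress.ip_address(ip) in n), None)
    if scope is None:
        findings.append(f"{ip} is outside every known subnet")
    elif mask != str(scope.netmask):
        kind = "classful default" if mask == classful_mask(ip) else "unexpected"
        findings.append(f"mask {mask} is {kind}, scope says {scope.netmask}")
    if not fields.get("DNS Servers"):
        findings.append("no DNS server in lease")
    return findings

# Constructed samples in Windows XP `ipconfig /all` layout.
GOOD = """
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 172.16.9.17
        Subnet Mask . . . . . . . . . . . : 255.255.252.0
        DHCP Server . . . . . . . . . . . : 10.1.1.5
        DNS Servers . . . . . . . . . . . : 10.1.1.10
"""
BAD = """
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.20.30.40
        Subnet Mask . . . . . . . . . . . : 255.0.0.0
        DHCP Server . . . . . . . . . . . : 10.1.1.5
"""

if __name__ == "__main__":
    print(check_lease(parse_ipconfig(GOOD)), check_lease(parse_ipconfig(BAD)))
```

A finding that names an authorised server alongside a wrong mask points at the client or the path to it, while an unexpected server address points at a rogue DHCP responder.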
 
May be an Active Directory problem (always thought so ;-) watch this space
 
It sometimes helps to ask more questions. I'll be watching eagerly. :-)

--
Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
My email is AT DOT
actual address pchuck sonic net.
 
Well, still unresolved, but we got hit by another problem which follows the
same pattern: http://support.microsoft.com/kb/832161/EN-US/. This had been
an occasional problem, but suddenly developed into an outbreak of 20 or so
on Wednesday - again, in small groups with no apparent similarity. We
disabled the webclient on affected machines and rolled it out on the global
policy. It sorted that problem, and we have had only 1 report of the
original problem since. Not being one to amalgamate multiple problems into
one solution, I'm still sceptical, but I'll probably have to wait until
Monday to see if this cures all. Not holding my breath...
Paxoid
 
may have got it sussed - only time will tell...
Tracked down a couple of articles citing spanning tree as a possible cause.
We generally have STP switched on after a couple of disastrous loops. I've
enabled fast forward on several switches, and we haven't had any problems.
Mind you we haven't had problems on switches that haven't been changed....!
Paxoid
 
Wow, heavy duty network stuff! Interesting! Will be interested to see how it
shakes out, if you get any details how these workstations were involved (what
set them apart from the others), would appreciate knowing.

--
Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
My email is AT DOT
actual address pchuck sonic net.
 
Not had any problems today, but I'm not counting my chickens before next
week ;-)
Articles were http://support.microsoft.com/kb/168455/EN-US/
http://www.serverwatch.com/tutorials/article.php/2190411
There was also a good Cisco link, but it seems to have disappeared off
Google :-(
I'll hopefully post a resolution soon
Cheers,
Paxoid
PS: Had precisely one spam on Hotmail since I posted the original - maybe
they have cleaned up their act... ok, I'm asking for trouble ;-)
 
Well, as I turn Fast-Forwarding on switch-by-switch, I get fewer and fewer
complaints. I still think that it is a timing problem with AD as the
symptoms are so bizarre, but it is a low-pain solution, so I'm happy.
paxoid
 
Thanks for the update, Pax. How did you arrive at the connection between your
problem and Fast-Forwarding?

--
Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
My email is AT DOT
actual address pchuck sonic net.
 
