Hi
Our network: Windows 2008 standard server (domain controller holding all FSMO roles, DHCP, DNS), Windows 2003 standard server (DNS, WINS), domain functional level = 2003. Windows storage server 2008 (file server), Windows server 2012 (WSUS, Remote access). One site, one 192.168.0.xxx subnet. Mixture of XP and Win 7 clients and one Vista client. None of the servers are multi-homed.
The DHCP server is configured with a scope that assigns addresses between 100 and 200. All the clients (35 of them) have reserved addresses. The 2012 server grabs a block of ten or so addresses for VPN connections. DHCP server also specifies DNS server, router, time server, domain name, WINS server, NetBIOS over TCP/IP, and WINS node type. Address duration is 6 days.
Clients' DHCP settings are configured as normal, except that APIPA address assignment has been customised so they get an address 192.168.0.2xx and the DNS server is the gateway not the domain controller.
Last week, everything was fine.
Monday morning and all the Windows 7 clients are unable to browse the network. I checked and saw that each W7 client had the APIPA address assigned. The XP machines were fine.
The DHCP management console snap-in showed the IPV4 node with a red symbol. I restarted the DC but it did not help. The DHCP custom event log under Server Roles has no events at all. In the past there have been startup events present.
When I started the DHCP snap-in it said that the server was not authorised. Selecting the server then clicking the action menu shows an unauthorise option.
The system log has event 1059 logged:
Log Name: System
Source: Microsoft-Windows-DHCP-Server
Date: 16/12/2013 08:31:02
Event ID: 1059
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Phobos.htlincs.local
Description:
The DHCP service failed to see a directory server for authorization.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DHCP-Server" Guid="{6D64F02C-A125-4DAC-9A01-F0555B41CA84}" EventSourceName="DhcpServer" />
<EventID Qualifiers="0">1059</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-12-16T08:31:02.000Z" />
<EventRecordID>823779</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>Phobos.htlincs.local</Computer>
<Security />
</System>
<EventData>
<Data>
</Data>
<Data>htlincs.local</Data>
<Data>0x 203a</Data>
<Binary>3A200000</Binary>
</EventData>
</Event>
This was followed by event 1044: The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain htlincs.local, has determined that it is authorized to start. It is servicing clients now.
Then event 1059 (above) was repeated.
After 12 minutes event 1044 was repeated, but no other DHCP events have been logged since that time.
I assigned static IP addresses to the clients and they are now able to browse the network
There was just one system change made to the domain controller that hosts DHCP and that was the installation of Netwrix File Server Change Reporter. The installation required a new GPO being created and configured as shown on pp 16/17 of this guide http://www.netwrix.com/download/documents/NetWrix_File_Server_Change_Reporter_Administrator_Guide.pdf.
I uninstalled this program and removed the GPO this morning.
I checked the DHCP server about 3 hours later and the IPV4 node was green. Also, when the snap-in loaded it did not display a message saying that the server needs to be authorised.
Anyone have any idea what may have caused the DHCP server to behave this way? It seems to be OK now (Win 7 clients with DHCP address assignment enabled are OK when restarted), and I wouldn't expect the Netwrix application to have this adverse effect on it.
Also, I don't understand why the Win 7 clients could not simply retain their existing address. Why were the alternate configuration addresses used? I doubt very much that all those machines' address leases had expired by this morning (though, of course, it is remotely possible).
Thanks!
Our network: Windows 2008 standard server (domain controller holding all FSMO roles, DHCP, DNS), Windows 2003 standard server (DNS, WINS), domain functional level = 2003. Windows storage server 2008 (file server), Windows server 2012 (WSUS, Remote access). One site, one 192.168.0.xxx subnet. Mixture of XP and Win 7 clients and one Vista client. None of the servers are multi-homed.
The DHCP server is configured with a scope that assigns addresses between 100 and 200. All the clients (35 of them) have reserved addresses. The 2012 server grabs a block of ten or so addresses for VPN connections. DHCP server also specifies DNS server, router, time server, domain name, WINS server, NetBIOS over TCP/IP, and WINS node type. Address duration is 6 days.
Clients' DHCP settings are configured as normal, except that APIPA address assignment has been customised so they get an address 192.168.0.2xx and the DNS server is the gateway not the domain controller.
Last week, everything was fine.
Monday morning and all the Windows 7 clients are unable to browse the network. I checked and saw that each W7 client had the APIPA address assigned. The XP machines were fine.
The DHCP management console snap-in showed the IPV4 node with a red symbol. I restarted the DC but it did not help. The DHCP custom event log under Server Roles has no events at all. In the past there have been startup events present.
When I started the DHCP snap-in it said that the server was not authorised. Selecting the server then clicking the action menu shows an unauthorise option.
The system log has event 1059 logged:
Log Name: System
Source: Microsoft-Windows-DHCP-Server
Date: 16/12/2013 08:31:02
Event ID: 1059
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Phobos.htlincs.local
Description:
The DHCP service failed to see a directory server for authorization.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DHCP-Server" Guid="{6D64F02C-A125-4DAC-9A01-F0555B41CA84}" EventSourceName="DhcpServer" />
<EventID Qualifiers="0">1059</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-12-16T08:31:02.000Z" />
<EventRecordID>823779</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>Phobos.htlincs.local</Computer>
<Security />
</System>
<EventData>
<Data>
</Data>
<Data>htlincs.local</Data>
<Data>0x 203a</Data>
<Binary>3A200000</Binary>
</EventData>
</Event>
This was followed by event 1044: The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain htlincs.local, has determined that it is authorized to start. It is servicing clients now.
Then event 1059 (above) was repeated.
After 12 minutes event 1044 was repeated, but no other DHCP events have been logged since that time.
I assigned static IP addresses to the clients and they are now able to browse the network
There was just one system change made to the domain controller that hosts DHCP and that was the installation of Netwrix File Server Change Reporter. The installation required a new GPO being created and configured as shown on pp 16/17 of this guide http://www.netwrix.com/download/documents/NetWrix_File_Server_Change_Reporter_Administrator_Guide.pdf.
I uninstalled this program and removed the GPO this morning.
I checked the DHCP server about 3 hours later and the IPV4 node was green. Also, when the snap-in loaded it did not display a message saying that the server needs to be authorised.
Anyone have any idea what may have caused the DHCP server to behave this way? It seems to be OK now (Win 7 clients with DHCP address assignment enabled are OK when restarted), and I wouldn't expect the Netwrix application to have this adverse effect on it.
Also, I don't understand why the Win 7 clients could not simply retain their existing address. Why were the alternate configuration addresses used? I doubt very much that all those machines' address leases had expired by this morning (though, of course, it is remotely possible).
Thanks!