TechTip: Identify a RAS servers reserving DHCP addresses

If you run a Windows (Server 2003) DHCP server, you have probably encountered address leases created by Remote Access and Routing servers on your network (easily identifiable by "RAS", instead of their MAC address, in the "Unique ID" column of the DHCP server lease list). Usually identifying which server is reserving these addresses is fairly simple, since the hostname of the server will show up under the "Name" column of the lease list, but what if the name is a duplicate or isn't registered in your DNS/WINS? How do you find out the IP of the rogue RAS server, that's taking up precious addresses from your DHCP pool?

The easiest way to find out which system has requested the IP addresses from DHCP server is by examining the DHCP server logs (which can be located under %windir%\System32\Dhcp). Usually, a DHCP server log for server assignment will look like this:


In the format:

10,{date},{time},Assign,{assigned IP},{hostname},{MAC},

Where the first parameter, “10” is the DHCP server event ID, corresponding to "A new IP address was leased to a client" (full list of event ID’s can be found here).

However when a RAS server is assigned IP addresses by the server the log entries look slightly different:


It is almost identical, with the exception of the MAC address field, which is what we are looking for, if we want to identify the server receiving this IP address reservation. The field is too long, but it still has MAC address embedded in the string:

10,{date},{time},Assign,{assigned IP},{hostname},########{MAC}00000{No}000000,

Where #'s represent a identifier number for the server, and value {No} is the sequential number of the IP address allocated to the RAS server (starting from 0 up to n-1, where n is the total number of IP addresses RAS server reserves; by default 10 on Windows-based RAS servers). It can be tricky to spot the MAC address if it begins or ends with a "0", so make sure you count out 8 digits fron the front or 5 zeroes from the {No] value.

Now that you have the MAC address of the server that has requested the reservations, a method of identifying it is just a matter of preference - I personally like to do a reverse lookup in the core routers' ARP table, but if you don't have access to that, there are always applications such as CC Get Mac Address that will scan a specified subnet range and find the specified MAC address (think of it as a batch "nbtstat -A" tool).

No comments: