Thursday 12 June 2014

Event 1046: DHCP is going down again and again, due to which users are unable to get new IPs.

Hello Geeks,

Today I encountered a very unique and different type of issue which I would like to share with you.


Issue:

DHCP is going down again and again, due to which users are unable to get new IPs. I received a call from my associate that no client was able to get an IP from the defined DHCP scope and that their LAN was getting disconnected again and again. When I checked my DHCP server, I found that DHCP was down. At first I restarted the DHCP service, which fixed the issue temporarily. But after some time it went down again.
 
 
Symptoms:
1.       You receive the events below.
2.       When you open the DHCP console, the server appears as down with a red indicator.
 
 
 
Resolution:
1.       First restart the DHCP server service to check whether it's just a temporary issue.
2.       If that doesn't work, run the commands below:
          Open a command prompt and type:
Netsh
Dhcp server
Show all
Below is the output

I took this after fixing the issue, but in your case the rogue authorization attribute should be false.


3.       Open ADSIedit.msc, go to the location below and click on netservices.
 
 
On the right-hand side you'll find the entries below highlighted; just delete those entries. These are duplicate entries which are causing the issue. Wait for replication to complete across the domain or forest. Once done, restart the DHCP server service.


Hope your issue gets resolved!!
 
 
 

 
 


Authentication issue: Event ID 1054 and 5719: Netlogon and group policy errors

Hi geeks,

Recently I identified an issue wherein one of my DR servers was logging Event ID 1054 and Event ID 5719 in the event log. The server was not able to establish a secure channel with the DC. I tried to telnet to my DC on port 445 (for netlogon) but had no luck. On further investigation I found that if you keep telnetting continuously, it will connect to your DC. This shows that there is either a leak in the kernel or a problem with the physical NIC/switch port.

I did the prechecks below before moving to the resolution:


Prechecks/confirmation of issue:

1.       Ping domain controllers

2.       Run nslookup

3.       Check DNS IP provided to the server

4.       Run nltest /sc_verify:domain name in a command prompt. This command checks that the secure channel is being established to the DC via DNS > Sites and Services > nearest DC. If it succeeds, run nltest /sc_reset:domain name. This will change the DC used for authentication from the existing one to a new DC. Do this many times and analyse the result. If the DC is changing, the secure channel is absolutely fine. If not, move forward as below.

5.       Try to access \\dc\ and, if that is working fine too, move forward.

6.       Telnet to the ports below:

Telnet dcname 445  : This port is the netlogon port

Telnet dcname 3389 : RDP port

Telnet dcname 135,137,138,139 : Ports used by the RPC endpoint mapper to collect DC information.

7.       Run netstat and check which port is responding as "waiting".
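
The repeated port checks, the secure channel check and the netstat review from the prechecks above can be scripted, so that intermittent failures show up as a success count rather than a single telnet result. This is an added example, not from the original post; the DC name, domain name, attempt count and timeout are placeholder assumptions, and it uses the .NET TcpClient class so that it also runs on the PowerShell 2.0 shipped with Windows Server 2008 R2.

```powershell
# Assumed placeholders (not from the original post): replace with your own values.
$Dc        = 'dc01.example.local'   # hypothetical DC name
$Domain    = 'example.local'        # hypothetical domain name
$TcpPorts  = 445, 135, 139, 3389    # TCP ports from step 6; 137/138 are UDP, a TCP connect does not test them
$Attempts  = 20                     # connects per port
$TimeoutMs = 2000                   # per-connect timeout

# Returns $true if a TCP connection to the port completes within the timeout.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Repeat each connect so an intermittent failure becomes a measurable rate.
foreach ($port in $TcpPorts) {
    $ok = 0
    for ($i = 1; $i -le $Attempts; $i++) {
        if (Test-TcpPort -ComputerName $Dc -Port $port -TimeoutMs $TimeoutMs) { $ok++ }
        Start-Sleep -Milliseconds 500
    }
    '{0}:{1}  {2}/{3} connects succeeded' -f $Dc, $port, $ok, $Attempts
}

# 2. Secure channel check, as in step 4.
nltest "/sc_verify:$Domain"

# 3. Count local TCP connections by state, as in step 7. A large and growing
#    count in one state is the pattern to look for with a suspected socket leak.
netstat -ano |
    Where-Object { $_ -match '^\s*TCP\s' } |
    ForEach-Object { ($_ -split '\s+')[4] } |
    Group-Object | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Run it several times over the period when authentication fails and compare the success counts and state totals between runs.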

Resolution:

I found that there was a kernel socket leak happening within the server. I applied the below hotfix and it worked as expected. Thereafter I didn't see any authentication issues with the server.




NOTE: This issue is only related to Microsoft Windows Server 2008 R2 Enterprise SP1.

Have a great day!!