Event ID 1042 — DHCP Server Rogue Detection

Applies To: Windows Server 2008 R2

When configured correctly and authorized for use on a network, Dynamic Host Configuration Protocol (DHCP) servers provide a useful administrative service. However, a misconfigured or unauthorized DHCP server can cause problems. For example, if an unauthorized DHCP server starts, it might begin either leasing incorrect IP addresses to clients or negatively acknowledging DHCP clients that attempt to renew current address leases.

To resolve these issues, DHCP servers are verified as authorized in Active Directory Domain Services before they can service clients and unauthorized, or rogue, servers are detected. This prevents most of the accidental damage caused by either misconfigured DHCP servers or correctly configured DHCP servers running on the wrong network.

Event Details

Product: Windows Operating System
ID: 1042
Source: Microsoft-Windows-DHCP-Server
Version: 6.1
Symbolic Name: DHCP_ROGUE_EVENT_UNAUTHORIZED_INFO
Message: The DHCP/BINL service running on this computer has detected a server on the network. If the server does not belong to any domain, the domain is listed as empty. The IP address of the server is listed in parentheses. %1

Resolve

Authorize the DHCP server

To perform these procedures, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.

To authorize a DHCP server in Active Directory Domain Services:

  1. At the DHCP server, click Start, point to Administrative Tools, and then click DHCP.
  2. In the console tree, click DHCP.
  3. On the Action menu, click Manage authorized servers.
  4. In the Manage Authorized Servers dialog box, click Authorize.
  5. When prompted, type the name or IP address of the DHCP server to be authorized, and then click OK.

Verify

To perform these procedures, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.

To verify that the DHCP server is authorized in Active Directory Domain Services, perform the following steps:

  1. At the DHCP server computer, click Start, click Run, type dhcpmgmt.msc, and then press ENTER.
  2. Right-click DHCP, and then click Manage authorized servers.
  3. If the DHCP server is authorized, it appears in the list.

To verify that clients are getting leased IP addresses from the DHCP server, perform the following steps:

  1. At the DHCP-enabled client computer, click Start, in Start Search type cmd, and then press ENTER.
  2. To verify the lease of the client with a DHCP server, type ipconfig /all to view lease-status information.
  3. The DHCP server should be distributing leases to clients.

DHCP Server Rogue Detection

DHCP Infrastructure