How to Identify and Locate a DHCP Server in a Mixed Windows and SonicWall Network Environment



When inheriting a poorly documented network with multiple Windows servers (2003/2008) and a SonicWall firewall, identifying which hosts are actually providing DHCP becomes critical. The key observations:

  • Client devices receive a gateway IP that matches the SonicWall TZ210
  • The SonicWall's own DHCP service is confirmed disabled
  • Potential DHCP conflicts between multiple servers
  • DNS and domain controller inconsistencies

Start with these essential commands to uncover DHCP services:

# Windows command to check DHCP lease information
ipconfig /all | find "DHCP Server"

# PowerShell alternative: lists the DHCP servers authorized in Active Directory
# (needs the DhcpServer module: Server 2012+ or RSAT; not available on stock 2003/2008)
Get-DhcpServerInDC | Format-Table -AutoSize

# Cross-platform nmap scan (requires admin rights); UDP ports usually report
# open|filtered, so treat hits as candidates to confirm with a packet capture
nmap -sU -p67,68 192.168.1.0/24

For each Windows server, verify DHCP role installation:

# Check installed Windows features
Get-WindowsFeature -ComputerName SERVER01 | Where-Object {$_.Installed -eq $true}

# Alternative using Server Manager CLI
servermanagercmd -query

When traditional methods fail, capture DHCP traffic:

# tcpdump example for DHCP traffic (options go before the capture filter)
tcpdump -i eth0 -vvv -n -w dhcp.pcap 'port 67 or port 68'

# Wireshark filter for DHCP analysis: option 53 is the message type, so this matches
# every DHCP message (the field is named bootp.option.type on Wireshark 2.x)
dhcp.option.type == 53

On potential DHCP servers, check these log locations:

# Windows DHCP server logs (System event log; the daily audit logs live in
# %SystemRoot%\System32\dhcp\DhcpSrvLog-*.log)
Get-EventLog -LogName "System" -Source "DHCPServer" -After (Get-Date).AddDays(-7)

# SonicWall DHCP logs (if enabled); log command syntax differs between SonicOS versions
ssh admin@sonicwall show log event filter "DHCP"

For networks with rogue DHCP servers, implement these protective measures:

# PowerShell: list the DHCP servers authorized in Active Directory; any server that
# answers on the wire but is missing from this list is unauthorized
Get-DhcpServerInDC | Select-Object DnsName, IPAddress

# DHCP snooping configuration example (Cisco): offers are only accepted on trusted
# ports, so mark the uplink towards the legitimate DHCP server as trusted
configure terminal
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/1
 ip dhcp snooping trust

Create a comprehensive network inventory script:

#!/usr/bin/env python3
import subprocess
import sys

import nmap  # python-nmap package; needs the nmap binary and admin rights for UDP scans


def scan_dhcp_servers():
    nm = nmap.PortScanner()
    nm.scan(hosts='192.168.1.0/24', arguments='-sU -p67,68')
    for host in nm.all_hosts():
        # UDP scans rarely get a reply, so nmap reports 'open|filtered' rather than 'open';
        # guard the lookups because hosts without a UDP result have no 'udp' key
        state = nm[host].get('udp', {}).get(67, {}).get('state', '')
        if state in ('open', 'open|filtered'):
            print(f"Potential DHCP server found at {host} (port 67/udp {state})")


if __name__ == "__main__":
    scan_dhcp_servers()
    # Windows specific check: report the DHCP server the local adapters leased from
    if sys.platform == 'win32':
        result = subprocess.run(['ipconfig', '/all'], capture_output=True, text=True)
        print([line.strip() for line in result.stdout.split('\n') if 'DHCP Server' in line])

When inheriting a poorly documented network infrastructure, identifying all active DHCP servers becomes critical for both security and network stability. The symptoms you're experiencing, conflicting network information with potential duplicate services, suggest classic DHCP server conflicts.

Start with these PowerShell commands to identify DHCP servers broadcasting on your network:

# Method 1: Check DHCP-assigned configuration (/C: keeps the two words as one literal string;
# without it findstr matches "DHCP" or "Server" separately)
ipconfig /all | findstr /i /C:"DHCP Server"

# Method 2: PowerShell alternative; Win32_NetworkAdapterConfiguration exposes the DHCP server
# and lease time of every DHCP-enabled adapter (use Get-WmiObject on PowerShell 2.0)
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "DHCPEnabled=True" | Select-Object Description, IPAddress, DefaultIPGateway, DHCPServer, DHCPLeaseObtained

For a comprehensive scan across all subnets, use these techniques:

# Using nmap for DHCP server discovery (Linux/Windows): sends a DHCPDISCOVER broadcast and
# lists every server that answers, so it also finds servers a plain UDP port scan misses
nmap --script broadcast-dhcp-discover -e eth0

# Windows alternative using PowerShell (requires admin rights and the DhcpServer module)
$dhcpServers = Get-DhcpServerInDC
if (@($dhcpServers).Count -eq 0) {
    Write-Host "No authorized DHCP servers found in Active Directory"
} else {
    $dhcpServers | Format-Table -AutoSize
}

Capture DHCP traffic to identify unauthorized servers:

# tcpdump example for DHCP traffic (port 67/68)
tcpdump -i eth0 -vvv -n 'port 67 or port 68'

# Wireshark filter for DHCP traffic: message type 1 is DISCOVER; to see which hosts are
# answering, filter on OFFER (== 2) or ACK (== 5) instead (bootp.option.dhcp on Wireshark 2.x)
dhcp.option.dhcp == 1
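To make use of a capture once you have one, here is an added example (not code from the original article) that serves both capture sections above: it parses the raw UDP payload of a DHCP message, reads options 53 (message type), 54 (server identifier) and 3 (router), and flags any OFFER or ACK whose server identifier is not on your authorized list. The sample packet and all addresses are constructed; feed it real payloads from dhcp.pcap with a pcap library of your choice.

```python
#!/usr/bin/env python3
# Flag DHCPOFFER/DHCPACK messages from servers not on the authorized list (added example).
import socket

MAGIC_COOKIE = b"\x63\x82\x53\x63"                        # RFC 2131 options start marker
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp(payload: bytes) -> dict:
    """Decode a raw DHCP UDP payload: fixed 236-byte header, cookie, then TLV options."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    msg = {"op": payload[0],
           "yiaddr": socket.inet_ntoa(payload[16:20]),   # address offered to the client
           "siaddr": socket.inet_ntoa(payload[20:24])}   # next-server address
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:        # 255 = end option
        if payload[i] == 0:                              # 0 = pad, has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg["type"] = MSG_TYPES.get(opts[53][0], "UNKNOWN") if 53 in opts else "BOOTP"
    if 54 in opts:
        msg["server_id"] = socket.inet_ntoa(opts[54])   # option 54: server that answered
    if 3 in opts:
        msg["router"] = socket.inet_ntoa(opts[3])       # option 3: gateway it hands out
    return msg

def classify(payload: bytes, authorized: set):
    """Return (server_id, is_rogue) for server-sent messages, None for client-sent ones."""
    msg = parse_dhcp(payload)
    if msg["type"] not in ("OFFER", "ACK", "NAK"):
        return None
    server = msg.get("server_id", msg["siaddr"])        # siaddr fallback if option 54 absent
    return server, server not in authorized

def build_sample_offer(server_ip: str, router_ip: str, yiaddr: str) -> bytes:
    """Constructed DHCPOFFER used as sample input; not a real capture."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6                     # BOOTREPLY, Ethernet, hlen 6
    hdr[4:8] = b"\x12\x34\x56\x78"                       # transaction id (constructed)
    hdr[16:20] = socket.inet_aton(yiaddr)
    hdr[20:24] = socket.inet_aton(server_ip)
    opts = (b"\x35\x01\x02"                               # option 53 = 2 (OFFER)
            + b"\x36\x04" + socket.inet_aton(server_ip)  # option 54 server identifier
            + b"\x03\x04" + socket.inet_aton(router_ip)  # option 3 router
            + b"\xff")                                   # end option
    return bytes(hdr) + MAGIC_COOKIE + opts
```

An offer that hands out the firewall's address as the router while its server identifier is not in Get-DhcpServerInDC's list is exactly the symptom described at the top of the page.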

Verify DHCP server roles on all Windows servers:

# PowerShell command to check installed roles
Get-WindowsFeature -ComputerName Server01 | Where-Object { $_.Installed -eq $true -and $_.Name -like "*DHCP*" }

# For legacy Server 2003 systems (WMIC): the DHCP role is not an MSI product, so query
# the DHCPServer service instead of Win32_Product
wmic /node:"ServerName" service where "name='DHCPServer'" get name,state,startmode

Examine DNS records that may reveal DHCP servers: the SRV records list the domain controllers, which in small networks commonly also host the DHCP role:

# Query DNS for the domain controllers (SRV records, not PTR)
nslookup -type=srv _ldap._tcp.dc._msdcs.yourdomain.local
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.yourdomain.local" -Type SRV

Despite the web interface showing DHCP disabled, confirm via CLI:

# SonicOS CLI commands to verify DHCP (command names differ between SonicOS releases;
# check the CLI reference for the installed firmware)
show dhcpd status
show dhcpd lease all

Once identified, document all DHCP scopes and options before making changes:

# Export DHCP configuration from Windows Server
Export-DhcpServer -ComputerName DHCP01 -File C:\DHCP_Backup.xml -Leases