DHCP server callout list working?

  • Question

  • I have MAC addresses on a DHCP server callout list that are still getting IP addresses. How do I troubleshoot that?
    Thursday, April 21, 2011 2:09 AM

All replies

  • If you are referring to Windows Server 2008 or 2008 R2 DHCP server MAC address filtering, please note the following:

    When you define a filter, you can specify the MAC address with or without the hyphens. This means that you could enter FE-01-56-23-18-94-EB-F2 or FE0156231894EBF2. You also can use an asterisk (*) as a wildcard for pattern matching. To allow any value to match a specific part of the MAC address, you can insert * where the values normally would be, such as:
    FE-01-56-23-18-94-*-F2
    FE-*-56-23-18-94-*-*
    FE-01-56-23-18-*-*-*
    FE01*

    More information can be found at: http://technet.microsoft.com/en-us/magazine/ff521761.aspx

    As for troubleshooting, an ETW trace log could be useful if the server is running a 2008 or later OS.

    netsh trace start provider=Microsoft-Windows-DHCP-Server

    Then reproduce the issue. To stop the log, run

    netsh trace stop

    Find the log and open it with the Microsoft Network Monitor 3.4 tool. It can be downloaded from the public Microsoft download site.

    Tim CHEN

     


    God Bless!
    Thursday, April 21, 2011 3:15 AM
  • Windows Server 2003 R2 SP2

     

    Entered as such:

    MAC_ACTION = {DENY}
    3415cc152229    #PC101
    00236234d56c    #PC102
    00000ebdef1d    #PC103
    Thursday, April 21, 2011 4:51 AM
  • Looks like you are trying to comment each entry. I have reviewed the article: http://blogs.technet.com/b/teamdhcp/archive/2007/10/03/dhcp-server-callout-dll-for-mac-address-based-filtering.aspx, and noticed that entering comments is not supported.

    Meanwhile, you can also check out the information log file for information on which addresses were allowed/denied while the DHCP server service is running.

    Tim CHEN

    Thursday, April 21, 2011 5:19 AM
  • Hi whatsys,

     

    Thanks for posting here.

     

    Is there any error shown in CalloutErrorLogFile or default error log file?

    Please remove the DHCP leases of these restricted clients from your DHCP server and obtain a lease again to see how it goes.

    Meanwhile, please also post full MACFilter.txt here for further investigation.

     

    Here are also some troubleshooting notes for reference:

     

    1.       Places the MAC Filter callout dll in your system32 directory.

    2.       Creates / modifies the following registry keys at location HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters

    | Key Name | Key Type | Description |
    | --- | --- | --- |
    | CalloutDlls | REG_MULTI_SZ | This key specifies callout dll path for DHCP server e.g. c:\windows\system32\MacFilterCallout.dll |
    | CalloutEnabled | DWORD | 1 = DHCP Server loads callout dlls (Value 0 means DHCP Server does not load callout dlls) |
    | CalloutErrorLogFile | REG_MULTI_SZ | Specify the file path for logging errors by this callout dll. If this registry key is not specified, callout dll will output errors to %WINDIR%\System32\Log.txt |
    | CalloutInfoLogFile | REG_MULTI_SZ | Specify the file path for logging information messages by callout dll. If this key is not present, no information messages will be logged. |
    | CalloutMACAddressListFile | REG_MULTI_SZ | Specify the complete file path including name of MAC address list file. |

    By default the location for the Error Log, Info Log, MACList is initialized to the location of the DHCP Server audit log at the installation time. These values can be changed through regedit.

    3.       Stop DHCP server (if it is already running)

    4.       Start DHCP server. When DHCP server is started, event 1033 will be logged if Callout DLL is loaded successfully by DHCP server.

    Thanks.

     

    Tiger Li

     

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, April 22, 2011 2:36 AM

  •  

    MacFilterCalloutErrorLog.txt is empty. When I add a new MAC to the list, I always delete the corresponding lease.  Is it MAClist.txt you want me to post?

     

    Tim, did I misinterpret the instructions in SetupDHCPMacFilter.rtf?

    MAC Address List File Format
        File should contain action followed by MAC address list as show in below

    #MACList.txt
    MAC_ACTION = {ALLOW / DENY}
    #List of MAC Addresses:
    000a0c0d1254     #lab-server1
    000d0c4a6723     #lab-server2

    My registry settings are correct.
    Sunday, April 24, 2011 5:50 AM
  •   Did you try it without the comments (eg #lab-server1) as Tim suggested?

     


    Bill
    Sunday, April 24, 2011 7:10 AM
  • Hi whatsys,

     

    Thanks for the update.

    Try also removing spaces from the MAC action line “MAC_ACTION={DENY}” and restart the DHCP service to see how it goes.

    Is this an English version of Windows Server 2003 R2 SP2 that you installed? Check the “language” entry in the winver.exe file properties.

    Have you also deployed other DHCP services in this subnet?

     

    Thanks.

     

    Tiger Li

     

    Monday, April 25, 2011 3:18 AM
  •  Yes, it is English. There is another DHCP server that maintains the other half of a 50/50 split scope. Both are the only two DCs in this domain.

     

    If DHCP services are running, then the MAC filter filters by default, I mean it can't be turned off, right? I ask because the MacFilterCalloutInfoLog only goes back to April 15; if the computer whose MAC address was on the list but got an IP anyway made the request at a time when the filter was not active, that could account for it getting an IP.

    Monday, April 25, 2011 9:11 PM
  • Hi,

    We tested a few scenarios and the callout still worked.
    1. Used comments.
    2. Purposely mistyped one or more MAC addresses.
    3. Placed the log file in different locations.
    --
    For this inquiry, you must be sure that the callout is enabled on both DHCP servers. Otherwise, the server that does not have a DENY entry for the requesting MAC address will issue a lease. If possible, submit the text file associated with the callout... we can test it locally with the same scope info.

     


    Ketan Thakkar | Microsoft Online Community Support
    Tuesday, May 17, 2011 5:27 AM
  • I checked for event 1033 (The DHCP service has successfully loaded one or more callout DLLs) and the last one was April 15, same date the MacFilterCalloutInfoLog goes back to so I restarted the DHCP service and got a 1033. The last reboot (event 6009 - Microsoft (R) Windows (R) 5.02. 3790 Service Pack 2 Multiprocessor Free) was April 15, 2 minutes before the last 1033, so I wonder what stopped it. So it looks like the filter was not 'on'. I will check MacFilterCalloutInfoLog and the leases in 24 hours.
    Tuesday, May 17, 2011 5:05 PM
  • Update: so far, so good, but no denied MACs may have tried. I'm going to give it a few more business days.
    Friday, May 20, 2011 5:12 PM
  • No denied MACs getting addresses, so I guess the problem was the filter was not 'on'. Any guesses what would cause that? Also, does restarting the DHCP service clear the MacFilterCalloutInfoLog?
    Monday, May 30, 2011 4:20 AM
  • Log file is not deleted with DHCP server restarts.

    Is this happening in your case?


    Ketan Thakkar | Microsoft Online Community Support
    Wednesday, June 1, 2011 4:00 PM
  •

    The log file is not deleted. When the DHCP service is restarted, does the earliest date/time in the log coincide with the restart?
    Thursday, June 2, 2011 9:59 PM
  • Hi,

    Any update?

    Is it not working for all filters? Can you share logs?


    Ketan Thakkar | Microsoft Online Community Support
    Wednesday, June 22, 2011 5:18 AM
  • In DHCP on the primary domain controller, there still are MACs that are on the MAClist, but not getting denied.

     

    From MacFilterCalloutInfoLog:

    02aabbccdd77 was first allowed June 3

    01aabbccdd77 was first allowed June 17

    03aabbccdd77 is not in the log but is in the MAClist

     

    The earliest entry in the log is May 17, all the way through to today but the file's 'last modified date' is May 17. Filtering for DHCP server service in the Windows event log, the most recent of these 3 events:

    Event 1044   5/17   
    The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain mydomain.local, has determined that it is authorized to start. It is servicing clients now.

    Event 1033    5/17   
    The DHCP service has successfully loaded one or more callout DLLs.

    Event 1056    5/17   
    The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service.  This is not a recommended security configuration.  Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the  DHCP Administrative tool.

    I fixed the DNScredentials problem.

     

    Should there be 1033 for every 'deny'?

    For the MacFilterCalloutInfoLog, shouldn't the last 'last modified date' correspond with the last entry (today)?

     

    I restarted the DHCP service (and got a 1033).

     

    I noticed in the MAClist, there is an empty line. These 3 MACs are below that line. Maybe it interprets the space as the end of the file and stops parsing.
    Thursday, June 23, 2011 10:15 PM
  • Confirmed: some MACs in MAClist are still getting addresses.
    Wednesday, July 6, 2011 4:57 AM
  • The file format should follow instructions listed here (which appear to already have been communicated to Cx):
    http://blogs.technet.com/b/teamdhcp/archive/2008/03/14/dhcp-server-callout-dll-for-mac-address-based-filtering-mac-address-list-file-format.aspx

    As per a previous post on April 24, 2011 5:50 AM:
    #MACList.txt
     MAC_ACTION = {ALLOW / DENY}
     #List of MAC Addresses:
     000a0c0d1254     #lab-server1
     000d0c4a6723     #lab-server2

    The response to this on Monday, April 25, 2011 3:18 AM from Tiger Li was:
    ...Try also removing spaces from the mac action line “MAC_ACTION={DENY}” and restart DHCP service...
    which may have left some room for some miscommunication about what we have in the file. 

    We have the following wrong here:

    #MACList.txt   <==No comments
     MAC_ACTION = {ALLOW / DENY}  <==Need only {ALLOW} or {DENY} in separate sections
     #List of MAC Addresses: <== No comments
     000a0c0d1254     #lab-server1 <== No comments
     000d0c4a6723     #lab-server2 <== No comments

    In addition to this, no spaces or returns, and per the link posted: "There should not any delimiter such as -,  : in MAC address  Each MAC address should be specified in separate line."

    So the way this file is written may be parsed sensitive to the breaks in recommended practice .

    Please  alter file according to specifications

    If problem persists we may need to grab file and repro the issue and open a PSS Case.


    Ketan Thakkar | Microsoft Online Community Support
    Thursday, July 7, 2011 6:56 AM
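
The format rules listed in the post above, expressed as a check that can be run over a MAC list file before restarting the DHCP service. This is an added example, not part of the thread and not code from the callout DLL: `lint_maclist`, `SAMPLE` and the 12-hex-digit rule are assumptions, and a finding marks a departure from the stated format, not proof that the DLL mis-parses the line.

```python
import re

STRICT_ACTION = re.compile(r"MAC_ACTION=\{(ALLOW|DENY)\}")
LOOSE_ACTION = re.compile(r"MAC_ACTION\s*=\s*\{\s*(ALLOW|DENY)\s*\}")
MAC = re.compile(r"[0-9A-Fa-f]{12}")  # assumption: 6-byte Ethernet address

# Constructed sample, modelled on the files posted in the thread.
SAMPLE = "MAC_ACTION = {DENY}\n000a0c0d1254     #lab-server1\n\n00-0d-0c-4a-67-23\n000d0c4a6724\n"

def lint_maclist(text):
    """Return (entries, findings): recognisable (action, mac) pairs and
    (line_number, message) for each departure from the stated format."""
    action, entries, findings = None, [], []
    for n, raw in enumerate(text.splitlines(), start=1):
        # Anything from '#' onward is treated as comment text.
        body, hash_mark, _ = raw.partition("#")
        token = body.strip()
        if hash_mark:
            findings.append((n, "comment"))
        if not token:
            if not hash_mark:
                findings.append((n, "blank line"))
            continue
        if not hash_mark and body != token:
            findings.append((n, "stray whitespace"))
        if token.upper().startswith("MAC_ACTION"):
            # Accept a spaced action line so later MACs can still be
            # attributed to it, but report that it is not the strict form.
            loose = LOOSE_ACTION.fullmatch(token)
            if loose is None:
                findings.append((n, "MAC_ACTION must name exactly one of ALLOW or DENY"))
            else:
                action = loose.group(1)
                if not STRICT_ACTION.fullmatch(token):
                    findings.append((n, "spaces in MAC_ACTION line"))
            continue
        # Strip the delimiters the format forbids, then validate what is left.
        bare = re.sub(r"[-:.]", "", token)
        if not MAC.fullmatch(bare):
            findings.append((n, "not a 12-hex-digit MAC address"))
        elif action is None:
            findings.append((n, "MAC address before any valid MAC_ACTION line"))
        else:
            if bare != token:
                findings.append((n, "delimiters in MAC address"))
            entries.append((action, bare.lower()))
    return entries, findings
```

Comparing the returned entries against the MacFilterCalloutInfoLog shows which listed addresses never appear in the log at all.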
  • These are the first 5 lines of my MACList.txt

    MAC_ACTION={DENY}
    34159e853339    #unknown 192.168.0.109
    12336c90c56c     #unknown 192.168.0.121
    001dfebdef1d     #unknown 192.168.0.126
    f87b7a888b1a    #unknown 192.168.0.140 

     

    No spaces in the first line, only one action and no delimiters in the addresses.

    I see team DHCP comment on 18 Jun 2008 stating no option to add comments but the last post 3 years later on 25 May 2011 states it does work with the # character. There have been no responses to that.

     

    I would have posted sooner but my email notifications are all fouled up, which I reported to forumsup 3 weeks ago but has not been resolved yet.

     

    Sunday, July 24, 2011 5:33 AM
  • Hi,

    Looking at the issue complexity and in-depth troubleshooting required further, we suggest you get a PSS paid case.


    Ketan Thakkar | Microsoft Online Community Support
    Friday, July 29, 2011 11:13 AM
  • Wonderful. Last time I did that they could not resolve the issue but it was resolved here. No other suggestions?

     

    And to confirm, anything else on the same line as a MAC address commented out should make no difference?

    Monday, August 22, 2011 5:20 PM