Over the last 3-4 weeks I have been trying to find a rogue DHCP server on my network but have been stumped! It is offering IP Addresses that do not work with my network, so any device that needs a Dynamic Address is getting one from the Rogue DHCP and then that device stops working. I need help to find and destroy this thing! I think it might be a Trojan of some sort.
My Main Router is the only valid DHCP Server and is 192.168.0.1, which offers a range of 192.160.0.150-199, and I have this configured in my AD as Authorized. This ROGUE DHCP claims to be coming from 192.168.0.20 and is offering an IP Address in the range of 10.255.255.*, which is messing up EVERYTHING on my network unless I assign a static IP Address to it. 192.168.0.20 does not exist on my network.
My network is a single AD Server on Windows 2008R2, 3 other physical servers (1-2008R2 and 2 2012R2), about 4 Hypervisor VMs, 3 laptops and a Windows 7 box.
I can't ping the rogue 192.160.0.20 IP, and I can't see it in the ARP -A output, so I can't get its MAC address. I'm hoping that someone reading this post has come across this before.
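An added example, not part of the original post: a DHCP reply carries its sender's details in the frame itself, so a captured OFFER gives the Ethernet source MAC and the server identifier (option 54) even when the claimed server IP does not answer ping or show up in ARP. The sketch below parses a raw Ethernet frame exported from a packet capture and flags replies from anything other than the authorized server; it assumes untagged IPv4 frames and no DHCP relay, and the sample frame's MAC and offered address are constructed.

```python
import socket
import struct

AUTHORIZED_SERVERS = {"192.168.0.1"}  # the post's only valid DHCP server
DHCP_MAGIC = b"\x63\x82\x53\x63"

def parse_dhcp_reply(frame):
    """Parse an untagged Ethernet/IPv4/UDP frame sent from port 67; None if not DHCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None
    ip = frame[14:]
    udp = ip[(ip[0] & 0x0F) * 4:]                     # honour the IP header length field
    if len(udp) < 8 or struct.unpack("!H", udp[:2])[0] != 67:
        return None
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[236:240] != DHCP_MAGIC:
        return None
    info = {"src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
            "src_ip": socket.inet_ntoa(ip[12:16]),
            "offered_ip": socket.inet_ntoa(bootp[16:20]),   # yiaddr field
            "msg_type": None, "server_id": None}
    opts, i = bootp[240:], 0
    while i < len(opts) and opts[i] != 255:           # 255 = end option
        if opts[i] == 0:                              # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        code, length = opts[i], opts[i + 1]
        value = opts[i + 2:i + 2 + length]
        if code == 53 and len(value) == 1:
            info["msg_type"] = value[0]               # 2 = OFFER, 5 = ACK
        elif code == 54 and len(value) == 4:
            info["server_id"] = socket.inet_ntoa(value)
        i += 2 + length
    return info

def is_rogue(info):
    """True for an OFFER/ACK whose server identifier is not authorized."""
    return bool(info) and info["msg_type"] in (2, 5) and info["server_id"] not in AUTHORIZED_SERVERS

def sample_offer(server="192.168.0.20", offered="10.255.255.7", mac="020000000020"):
    """Constructed test frame (MAC and offered address are made up)."""
    a = socket.inet_aton
    bootp = (bytes([2, 1, 6, 0]) + bytes(12) + a(offered) + bytes(216)
             + DHCP_MAGIC + bytes([53, 1, 2, 54, 4]) + a(server) + b"\xff")
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0) + a(server) + a("255.255.255.255")
    return b"\xff" * 6 + bytes.fromhex(mac) + b"\x08\x00" + ip + udp
```

The `src_mac` value from a flagged reply is the address to search for in switch MAC tables or in the virtual switch port list of each hypervisor host.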