{"id":542,"date":"2009-07-25T12:19:00","date_gmt":"2009-07-25T12:19:00","guid":{"rendered":"https:\/\/brainlitter.itgroove.net\/2009\/07\/25\/event-id-15-1053-and-1054watch-for-a-rogue-dhcp-server-on-your-network\/"},"modified":"2009-07-25T12:19:00","modified_gmt":"2009-07-25T12:19:00","slug":"event-id-15-1053-and-1054watch-for-a-rogue-dhcp-server-on-your-network","status":"publish","type":"post","link":"https:\/\/regroove.ca\/brainlitter\/2009\/07\/25\/event-id-15-1053-and-1054watch-for-a-rogue-dhcp-server-on-your-network\/","title":{"rendered":"Event ID 15, 1053 and 1054 \u2013 Watch for a rogue DHCP Server on your network"},"content":{"rendered":"<div class=\"ExternalClass476EB86E83A24150BB2AE8AAA10539BB\">\n<p>I&#8217;ve seen these Event IDs appear in situations where: <\/p>\n<p style=\"text-align:justify\">\u00a0<\/p>\n<ul>\n<li>\n<div style=\"text-align:justify\">Active Directory was unhealthy (or a single DC that a workstation was attempting to connect to was unhealthy) <\/div>\n<\/li>\n<li>\n<div style=\"text-align:justify\">DNS servers that a workstation points to are unhealthy <\/div>\n<\/li>\n<li>\n<div style=\"text-align:justify\">A combination of both (usually they are related) <\/div>\n<\/li>\n<\/ul>\n<p style=\"text-align:justify\">\u00a0<\/p>\n<p style=\"text-align:justify\">In these situations, workstations were not receiving GPO updates successfully and were also displaying unpredictable behavior when accessing network resources. 
<\/p>\n<p style=\"text-align:justify\">\u00a0<\/p>\n<h2>Event IDs: <\/h2>\n<ul>\n<li>\n<div style=\"text-align:justify\">15, 1053, 1054 <\/div>\n<\/li>\n<\/ul>\n<p style=\"text-align:justify\">\u00a0<\/p>\n<p><img decoding=\"async\" alt=\"\" src=\"\/brainlitterarchive\/Lists\/Photos\/072509_1919_EventID15101.png\"><img decoding=\"async\" alt=\"\" src=\"\/brainlitterarchive\/Lists\/Photos\/072509_1919_EventID15102.png\"> <\/p>\n<p>\u00a0<\/p>\n<p><img decoding=\"async\" alt=\"\" src=\"\/brainlitterarchive\/Lists\/Photos\/072509_1919_EventID15103.png\"> <\/p>\n<p>\u00a0<\/p>\n<h3>The Solution <\/h3>\n<p>\u00a0<\/p>\n<p>However, in today&#8217;s occurrence, it wasn&#8217;t Active Directory or DNS that was the problem. After some investigating and troubleshooting, a simple IPCONFIG showed that the offending workstation was receiving DHCP addresses from the newly installed SonicWall firewall (or in your situation, some other &#8216;rogue&#8217; DHCP Server, or router\/firewall\/WAP providing DHCP Services). Once the &#8216;DHCP&#8217; server was turned off on the firewall, and the respective workstation received the correct DHCP settings from the DHCP server, operations were running successfully, namely Group Policy Objects were being applied successfully. That is, the core problem here was that the workstation no longer *knew* which DNS server was the correct one to communicate with, as the bogus DHCP Server was providing the ISP&#8217;s DNS servers \u2013 which are no help at all in an Active Directory setting. <\/p>\n<p>\u00a0<\/p>\n<p>I wanted to post this as this will come up from time to time and the situation isn&#8217;t immediately obvious. In an SBS environment, the DHCP Server service on the SBS server would be turned off and logged (by design), which makes this easier to catch. But, in a larger environment that isn&#8217;t using SBS, DHCP on a Windows Server does not have this &#8216;safety mechanism&#8217;. 
So, the quick discovery here is simply to perform an IPCONFIG \/ALL and verify the value for the &#8216;DHCP SERVER&#8217; is what you expect it to be. <\/p>\n<p>\u00a0<\/p>\n<p>Happy Hunting.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;ve seen these Event ID&#8217;s appear in situations where: \u00a0 Active Directory was unhealthy (or a single DC, that a workstation was attempting to connect to was unhealthy) DNS Servers that a workstation points to, are unhealthy Combination of both (usually they are related) \u00a0 Where workstations were not receiving GPO updates successfully, and workstations &hellip; <a href=\"https:\/\/regroove.ca\/brainlitter\/2009\/07\/25\/event-id-15-1053-and-1054watch-for-a-rogue-dhcp-server-on-your-network\/\"><\/a><\/p>\n","protected":false},"author":10,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":"","_jetpack_memberships_contains_paid_content":false},"categories":[436,222,427],"tags":[],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.0 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Event ID 15, 1053 and 1054 \u2013 Watch for a rogue DHCP Server on your network - Brainlitter - Inside the mind of Sean Wallbridge<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/regroove.ca\/brainlitter\/2009\/07\/25\/event-id-15-1053-and-1054watch-for-a-rogue-dhcp-server-on-your-network\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Event ID 15, 1053 and 1054 \u2013 Watch for a rogue DHCP Server on your network - Brainlitter - Inside the mind of Sean Wallbridge\" \/>\n<meta property=\"og:description\" content=\"I&#8217;ve seen 
these Event ID&#8217;s appear in situations where: \u00a0 Active Directory was unhealthy (or a single DC, that a workstation was attempting to connect to was unhealthy) DNS Servers that a workstation points to, are unhealthy Combination of both (usually they are related) \u00a0 Where workstations were not receiving GPO updates successfully, and workstations &hellip;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/regroove.ca\/brainlitter\/2009\/07\/25\/event-id-15-1053-and-1054watch-for-a-rogue-dhcp-server-on-your-network\/\" \/>\n<meta property=\"og:site_name\" content=\"Brainlitter - Inside the mind of Sean Wallbridge\" \/>\n<meta property=\"article:published_time\" content=\"2009-07-25T12:19:00+00:00\" \/>\n<meta name=\"author\" content=\"Sean Wallbridge\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Sean Wallbridge\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/regroove.ca\/brainlitter\/2009\/07\/25\/event-id-15-1053-and-1054watch-for-a-rogue-dhcp-server-on-your-network\/\",\"url\":\"https:\/\/regroove.ca\/brainlitter\/2009\/07\/25\/event-id-15-1053-and-1054watch-for-a-rogue-dhcp-server-on-your-network\/\",\"name\":\"Event ID 15, 1053 and 1054 \u2013 Watch for a rogue DHCP Server on your network - Brainlitter - Inside the mind of Sean Wallbridge\",\"isPartOf\":{\"@id\":\"https:\/\/regroove.ca\/brainlitter\/#website\"},\"datePublished\":\"2009-07-25T12:19:00+00:00\",\"dateModified\":\"2009-07-25T12:19:00+00:00\",\"author\":{\"@id\":\"https:\/\/regroove.ca\/brainlitter\/#\/schema\/person\/74e1c0def190f181c1394c2b6d883e77\"},\"breadcrumb\":{\"@id\":\"https:\/\/regroove.ca\/brainlitter\/2009\/07\/25\/event-id-15-1053-and-1054watch-for-a-rogue-dhcp-server-on-your-network\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/regroove.ca\/brainlitter\/2009\/07\/25\/event-id-15-1053-and-1054watch-for-a-rogue-dhcp-server-on-your-network\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/regroove.ca\/brainlitter\/2009\/07\/25\/event-id-15-1053-and-1054watch-for-a-rogue-dhcp-server-on-your-network\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Brainlitter\",\"item\":\"https:\/\/regroove.ca\/brainlitter\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Event ID 15, 1053 and 1054 \u2013 Watch for a rogue DHCP Server on your network\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/regroove.ca\/brainlitter\/#website\",\"url\":\"https:\/\/regroove.ca\/brainlitter\/\",\"name\":\"Brainlitter - Inside the mind of Sean Wallbridge\",\"description\":\"Dad. Husband. Drummer. 
Learner of Things.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/regroove.ca\/brainlitter\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/regroove.ca\/brainlitter\/#\/schema\/person\/74e1c0def190f181c1394c2b6d883e77\",\"name\":\"Sean Wallbridge\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/regroove.ca\/brainlitter\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/adf8cea6291c39d166616f2148d919a6?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/adf8cea6291c39d166616f2148d919a6?s=96&d=mm&r=g\",\"caption\":\"Sean Wallbridge\"},\"url\":\"https:\/\/regroove.ca\/brainlitter\/author\/swallbridge\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Event ID 15, 1053 and 1054 \u2013 Watch for a rogue DHCP Server on your network - Brainlitter - Inside the mind of Sean Wallbridge","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/regroove.ca\/brainlitter\/2009\/07\/25\/event-id-15-1053-and-1054watch-for-a-rogue-dhcp-server-on-your-network\/","og_locale":"en_US","og_type":"article","og_title":"Event ID 15, 1053 and 1054 \u2013 Watch for a rogue DHCP Server on your network - Brainlitter - Inside the mind of Sean Wallbridge","og_description":"I&#8217;ve seen these Event ID&#8217;s appear in situations where: \u00a0 Active Directory was unhealthy (or a single DC, that a workstation was attempting to connect to was unhealthy) DNS Servers that a workstation points to, are unhealthy Combination of both (usually they are related) \u00a0 Where workstations were not receiving GPO updates successfully, and workstations 
&hellip;","og_url":"https:\/\/regroove.ca\/brainlitter\/2009\/07\/25\/event-id-15-1053-and-1054watch-for-a-rogue-dhcp-server-on-your-network\/","og_site_name":"Brainlitter - Inside the mind of Sean Wallbridge","article_published_time":"2009-07-25T12:19:00+00:00","author":"Sean Wallbridge","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Sean Wallbridge","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/regroove.ca\/brainlitter\/2009\/07\/25\/event-id-15-1053-and-1054watch-for-a-rogue-dhcp-server-on-your-network\/","url":"https:\/\/regroove.ca\/brainlitter\/2009\/07\/25\/event-id-15-1053-and-1054watch-for-a-rogue-dhcp-server-on-your-network\/","name":"Event ID 15, 1053 and 1054 \u2013 Watch for a rogue DHCP Server on your network - Brainlitter - Inside the mind of Sean Wallbridge","isPartOf":{"@id":"https:\/\/regroove.ca\/brainlitter\/#website"},"datePublished":"2009-07-25T12:19:00+00:00","dateModified":"2009-07-25T12:19:00+00:00","author":{"@id":"https:\/\/regroove.ca\/brainlitter\/#\/schema\/person\/74e1c0def190f181c1394c2b6d883e77"},"breadcrumb":{"@id":"https:\/\/regroove.ca\/brainlitter\/2009\/07\/25\/event-id-15-1053-and-1054watch-for-a-rogue-dhcp-server-on-your-network\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/regroove.ca\/brainlitter\/2009\/07\/25\/event-id-15-1053-and-1054watch-for-a-rogue-dhcp-server-on-your-network\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/regroove.ca\/brainlitter\/2009\/07\/25\/event-id-15-1053-and-1054watch-for-a-rogue-dhcp-server-on-your-network\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Brainlitter","item":"https:\/\/regroove.ca\/brainlitter\/"},{"@type":"ListItem","position":2,"name":"Event ID 15, 1053 and 1054 \u2013 Watch for a rogue DHCP Server on your 
network"}]},{"@type":"WebSite","@id":"https:\/\/regroove.ca\/brainlitter\/#website","url":"https:\/\/regroove.ca\/brainlitter\/","name":"Brainlitter - Inside the mind of Sean Wallbridge","description":"Dad. Husband. Drummer. Learner of Things.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/regroove.ca\/brainlitter\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/regroove.ca\/brainlitter\/#\/schema\/person\/74e1c0def190f181c1394c2b6d883e77","name":"Sean Wallbridge","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/regroove.ca\/brainlitter\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/adf8cea6291c39d166616f2148d919a6?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/adf8cea6291c39d166616f2148d919a6?s=96&d=mm&r=g","caption":"Sean Wallbridge"},"url":"https:\/\/regroove.ca\/brainlitter\/author\/swallbridge\/"}]}},"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/regroove.ca\/brainlitter\/wp-json\/wp\/v2\/posts\/542"}],"collection":[{"href":"https:\/\/regroove.ca\/brainlitter\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/regroove.ca\/brainlitter\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/regroove.ca\/brainlitter\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/regroove.ca\/brainlitter\/wp-json\/wp\/v2\/comments?post=542"}],"version-history":[{"count":0,"href":"https:\/\/regroove.ca\/brainlitter\/wp-json\/wp\/v2\/posts\/542\/revisions"}],"wp:attachment":[{"href":"https:\/\/regroove.ca\/brainlitter\/wp-json\/wp\/v2\/media?parent=542"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/regroove.ca\/brainlitter\/wp-json\/wp\/v2\/categories?post=542"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/regroove.ca\/brainlitte
r\/wp-json\/wp\/v2\/tags?post=542"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}