Recently one of our clients complained that printers were not printing and were shown as offline on computers. Since the client uses Windows as a print server, we verified the server's functionality, only to find out it had an IP address in the wrong DHCP scope. We immediately suspected there must be a rogue DHCP server in our network causing havoc.
So how do you check if there's another DHCP server in your network? You can follow the Event IDs on the server as per DHCP Server Rogue Detection, available on Microsoft TechNet, or you can use Rogue Checker, specially crafted to do this quickly and efficiently without the need to go through pages of logs. There are at least 10 possible Event IDs referring to a rogue DHCP server.
| Event ID | Source | Message |
| --- | --- | --- |
| 1042 | Microsoft-Windows-DHCP-Server | The DHCP/BINL service running on this computer has detected a server on the network. If the server does not belong to any domain, the domain is listed as empty. The IP address of the server is listed in parentheses. |
| 1098 | Microsoft-Windows-DHCP-Server | Unreachable Domain |
| 1100 | Microsoft-Windows-DHCP-Server | Server Upgraded |
| 1101 | Microsoft-Windows-DHCP-Server | Cached authorization |
| 1103 | Microsoft-Windows-DHCP-Server | Authorized(servicing) |
| 1105 | Microsoft-Windows-DHCP-Server | Server found in our domain |
| 1107 | Microsoft-Windows-DHCP-Server | Network failure |
| 1109 | Microsoft-Windows-DHCP-Server | Server found that belongs to DS domain |
| 1110 | Microsoft-Windows-DHCP-Server | Another server was found |
| 1111 | Microsoft-Windows-DHCP-Server | Restarting rogue detection |
You can also check it using the ipconfig /all command; the DHCP Server line in its output shows the address of the server that issued the lease.
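The ipconfig /all check can be scripted. The PowerShell below is an added example, not part of the original post: it reads the DHCP server recorded for each DHCP-enabled adapter and flags any that is not among the servers authorized in Active Directory. The function name Find-UnauthorizedDhcpLease and the sample addresses are assumptions made for illustration, and Get-DhcpServerInDC needs the DhcpServer module (RSAT).

```powershell
# Added example: flag DHCP leases issued by a server that is not on the authorized list.
# Find-UnauthorizedDhcpLease is a hypothetical helper name, not an existing cmdlet.
function Find-UnauthorizedDhcpLease {
    param(
        # Objects exposing Description, IPAddress and DHCPServer
        # (the shape of Win32_NetworkAdapterConfiguration instances).
        [Parameter(Mandatory)] [object[]] $Adapter,
        # IPv4 addresses of the DHCP servers that are allowed to hand out leases.
        [Parameter(Mandatory)] [string[]] $AuthorizedServer
    )
    foreach ($a in $Adapter) {
        # Adapters without a recorded DHCP server have no lease to judge.
        if ([string]::IsNullOrWhiteSpace($a.DHCPServer)) { continue }
        if ($AuthorizedServer -notcontains $a.DHCPServer) {
            [pscustomobject]@{
                Adapter    = $a.Description
                LeasedIP   = ($a.IPAddress | Select-Object -First 1)
                DhcpServer = $a.DHCPServer
            }
        }
    }
}

# Constructed sample data (documentation address ranges) so the function can be tried offline.
$sampleAdapters = @(
    [pscustomobject]@{ Description = 'Sample NIC 1'; IPAddress = @('192.0.2.25');   DHCPServer = '192.0.2.10' }
    [pscustomobject]@{ Description = 'Sample NIC 2'; IPAddress = @('198.51.100.7'); DHCPServer = '198.51.100.1' }
)
Find-UnauthorizedDhcpLease -Adapter $sampleAdapters -AuthorizedServer @('192.0.2.10')

# Live check on a domain-joined machine; skipped when the DhcpServer module is not installed.
if (Get-Command Get-DhcpServerInDC -ErrorAction SilentlyContinue) {
    # Servers authorized in Active Directory, as plain address strings.
    $authorized = (Get-DhcpServerInDC).IPAddress | ForEach-Object { $_.ToString() }
    # The same per-adapter data that ipconfig /all prints, as objects instead of text.
    $adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'DHCPEnabled = TRUE'
    Find-UnauthorizedDhcpLease -Adapter $adapters -AuthorizedServer $authorized
}
```

Any row returned names an adapter whose lease came from a server outside the authorized list, which is the condition the print server in this story was in.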
Finally, if both options are not for you, you can use a tool called Rogue Checker, which is a better option than both mentioned above. Why? Because it's quick, easy, and doesn't require checking anything in logs!
After opening the tool, you simply press Detect Rogue Servers and voilà! It shows you that there is a server inside delivering other IP addresses!
It can be configured to search on multiple IP interfaces, or even have scheduled frequency for finding Rogue DHCP servers.
After removing the server and rerunning the tool, Rogue Checker reports there are no longer any servers other than the ones authorized in Active Directory.
Unfortunately, finding that there is a rogue DHCP server inside and tracking it down physically is another part of the job. Maybe next time 🙂 It's not easy to find the download on Microsoft's pages, so we're attaching it here for your convenience.