If you have a laptop with LAN and WIFI connections, depending on the binding 
order, doesn't it occasionally register the "wrong" IP address in DNS?  So if 
your wired connection is on the network with the proper address, and the WIFI 
link is connected w/ an APIPA address, and WIFI is set first in the binding 
order, it will register that IP address.

I also see similar behavior if a user is VPN'd in: their home IP address 
will register in DNS as well.

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Friday, February 20, 2009 10:11 AM
To: NT System Admin Issues
Subject: Re: Question

Let me get this straight:

1) The machine has been stolen

2) The machine is set for autologon

3) The machine also has VPN access

4) Whoever has possession of the stolen machine has Internet access, and

5) Therefore when the machine is turned on, it does its autologon, and connects 
to your network via its VPN facility.

6) You want to trace this machine, and find out who has possession of it

If all of this is correct, seeking the MAC address is not useful.

Instead, find out the public IP address of the machine by querying your VPN 
termination point, and consult with the owner of that address - that is, the 
ISP who is assigning it to their customers. They will be able to tell you, 
from their logs, who is using that IP address currently.

Then you can call in the cops, and they can take it from there.

Kurt

On Fri, Feb 20, 2009 at 09:05, Vue, Za <z...@emory.edu> wrote:
> It was a classroom machine so we set it to auto logon. The classroom account 
> has no admin access. The machine has not been renamed either.
>
> -Z.V.
>
> -----Original Message-----
> From: Vue, Za [mailto:z...@emory.edu]
> Sent: Friday, February 20, 2009 12:01 PM
> To: NT System Admin Issues
> Subject: RE: Question
>
> Remember the stolen Dell? DNS entries are hardcoded on my machines, but IP 
> addresses are released through DHCP. The machine showed up last night on my 
> DNS server with a private IP. I tried to get some information about it but 
> only got "TTL expired in transit" from the border router.
>
> If I can get a hold of the MAC I may be able to proceed further.
>
> -Z.V.
>
> -----Original Message-----
> From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
> Sent: Friday, February 20, 2009 11:54 AM
> To: NT System Admin Issues
> Subject: RE: Question
>
> Can you outline the situation in more detail? Is this an internal
> client of yours? Or are you talking about a remote client coming
> across the Internet and hitting a DNS server in your DMZ?
>
> If this is all internal you can use the GETMAC resource kit utility.
>
> http://technet.microsoft.com/en-us/library/bb490913.aspx
>
> Chris Bodnar, MCSE
> Sr. Systems Engineer
> Distributed Systems Service Delivery - Intel Services Guardian Life
> Insurance Company of America
> Email: christopher_bod...@glic.com
> Phone: 610-807-6459
> Fax: 610-807-6003
>
> -----Original Message-----
> From: Vue, Za [mailto:z...@emory.edu]
> Sent: Friday, February 20, 2009 11:46 AM
> To: NT System Admin Issues
> Subject: RE: Question
>
> I did that already. No ARP found.
>
> -Z.V.
>
> -----Original Message-----
> From: richardmccl...@aspca.org [mailto:richardmccl...@aspca.org]
> Sent: Friday, February 20, 2009 11:44 AM
> To: NT System Admin Issues
> Subject: Re: Question
>
> 1. Ping the address
>
> 2. In a command console, enter "arp -a"
> --------------------------------------
> Richard McClary, Systems Administrator ASPCA Knowledge Management
> 1717 S Philo Rd, Ste 36, Urbana, IL  61802
> 217-337-9761
> http://www.aspca.org
>
>
> "Vue, Za" <z...@emory.edu> wrote on 02/20/2009 10:37:09 AM:
>
>> Windows 2003 AD:
>>
>> A machine with a private IP address is using my DNS server for name
>> resolution. How do I capture the MAC?
>>
>> -Z.V.
>>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
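
Added example (not part of the original thread): a small Python triage of the situation discussed above. It classifies the address a machine registered in DNS to decide whether "ping + arp -a" can ever return a MAC, and otherwise looks the unchanged hostname up in VPN session records to get the public IP to take to the ISP. The subnet, the session log format and every sample value are constructed assumptions.

```python
import ipaddress

# Constructed sample data (not from the thread): on-link subnets of the
# DNS server, and VPN concentrator session records in a made-up format.
LOCAL_SUBNETS = ["10.20.0.0/16"]
VPN_SESSIONS = [
    "2009-02-19T22:14:03 user=classroom host=LAB-PC-07 public=203.0.113.45 inner=192.168.1.23",
    "2009-02-19T22:40:51 user=jdoe host=HR-LT-02 public=198.51.100.9 inner=192.168.0.5",
]

def classify(addr, local_subnets=LOCAL_SUBNETS):
    """Say what a dynamically registered A record address can tell you."""
    ip = ipaddress.ip_address(addr)
    if any(ip in ipaddress.ip_network(n) for n in local_subnets):
        return "on-link"         # same broadcast domain: ping + arp -a can work
    if ip.is_link_local:
        return "apipa"           # 169.254/16 from an adapter with no DHCP lease
    if ip.is_private:
        return "remote-private"  # RFC 1918 address on someone else's LAN
    return "public"

def parse_session(line):
    """Split the key=value fields of one constructed session line into a dict."""
    stamp, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = stamp
    return rec

def trace(hostname, registered_addr, sessions=VPN_SESSIONS):
    """Return (category, public_ip or None) for a host seen in DNS."""
    category = classify(registered_addr)
    if category == "on-link":
        return category, None    # MAC is obtainable locally, no VPN lookup needed
    # Off-link: ARP never sees this host, so match the hostname against
    # the VPN termination point's records instead.
    for rec in map(parse_session, sessions):
        if rec["host"].lower() == hostname.lower():
            return category, rec["public"]  # address to take to the ISP
    return category, None

if __name__ == "__main__":
    print(trace("LAB-PC-07", "192.168.1.23"))
```
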
