Duplicate IP Address has been Detected

Microsoft.Windows.Server.10.0.OperatingSystem.IPAddressConflict.Alert (Rule)

A duplicate IP address has been detected on the network

Knowledge Base article:

Summary

This rule generates an alert when Windows® detects that the local machine’s IP address is in conflict with one or more identical IP addresses on the network.

Until the IP address conflict is resolved, remote clients and applications may have difficulty accessing resources on any of the affected computers. Additionally, the local computer may not be able to access network resources.

Related Events

This rule generates an alert whenever the following events occur and are recorded in the System Event Log:

The system detected an address conflict for IP address %2 with the system having network hardware address %3. The local interface has been disabled.

Causes

Another computer on the network is using the same IP address.

There is a duplicate media access control (MAC) address on the network. Duplicate MAC addresses can occur if you are assigning locally administered addresses (LAA), usually in Token Ring adapter drivers.

Resolutions

If there is an IP address conflict and your network uses Dynamic Host Configuration Protocol (DHCP), DHCP can automatically supply a new IP address:

If there is an IP address conflict and your network uses static IP addresses, obtain an available unique IP address from your network administrator and replace the current IP address with the new IP address.

If there is a duplicate MAC address on the network, you must determine which other computer on the network is using the same MAC address. To isolate the duplicate MAC address, perform the following steps from a working TCP/IP-based client:

External

For more information, see Microsoft® Knowledge Base Article: 164903, “How to Troubleshoot Duplicate Media Access Control Address Conflicts,” at http://go.microsoft.com/fwlink/?LinkId=28866.

Element properties:

Target: Microsoft.Windows.Server.10.0.OperatingSystem
Category: EventCollection
Enabled: True
Alert Generate: True
Alert Severity: Error
Alert Priority: Normal
Remotable: True
Alert Message:
  IP address conflict
  {0}
Event Log: System

Member Modules:

ID             Module Type  TypeId                           RunAs
EventDS        DataSource   Microsoft.Windows.EventProvider  Default
GenerateAlert  WriteAction  System.Health.GenerateAlert      Default

Source Code:

<Rule ID="Microsoft.Windows.Server.10.0.OperatingSystem.IPAddressConflict.Alert" Enabled="true" Target="ServervNext!Microsoft.Windows.Server.10.0.OperatingSystem" ConfirmDelivery="true">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="EventDS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>System</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>EventSourceName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>TCPIP</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <Or>
              <Expression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery>EventDisplayNumber</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value>4198</Value>
                  </ValueExpression>
                </SimpleExpression>
              </Expression>
              <Expression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery>EventDisplayNumber</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value>4199</Value>
                  </ValueExpression>
                </SimpleExpression>
              </Expression>
            </Or>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>2</Severity>
      <AlertMessageId>$MPElement[Name="Microsoft.Windows.Server.10.0.OperatingSystem.IPAddressConflict.Alert.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/EventDescription$</AlertParameter1>
      </AlertParameters>
      <Suppression>
        <SuppressionValue/>
      </Suppression>
    </WriteAction>
  </WriteActions>
</Rule>
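
Added example (not part of the management pack): a small evaluator for the rule's <Expression> filter, run over constructed events to show that an alert requires source TCPIP and event number 4198 or 4199. The helper names, the sample events and the exact string comparison used for Equal are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# The rule's event filter from the Source Code above, whitespace-compacted.
# _SIMPLE is a hypothetical helper template for one <SimpleExpression>.
_SIMPLE = ("<Expression><SimpleExpression><ValueExpression><XPathQuery>{}</XPathQuery>"
           "</ValueExpression><Operator>Equal</Operator><ValueExpression><Value>{}</Value>"
           "</ValueExpression></SimpleExpression></Expression>")
RULE_FILTER = ("<Expression><And>" + _SIMPLE.format("EventSourceName", "TCPIP")
               + "<Expression><Or>" + _SIMPLE.format("EventDisplayNumber", "4198")
               + _SIMPLE.format("EventDisplayNumber", "4199")
               + "</Or></Expression></And></Expression>")

def operand(value_expr, event):
    """Resolve a <ValueExpression>: an event field lookup or a literal value."""
    child = value_expr[0]
    if child.tag == "XPathQuery":
        return str(event.get(child.text, ""))
    return child.text

def evaluate(node, event):
    """Recursively evaluate an <Expression> subtree against one event dict."""
    if node.tag == "Expression":
        return evaluate(node[0], event)
    if node.tag == "And":
        return all(evaluate(child, event) for child in node)
    if node.tag == "Or":
        return any(evaluate(child, event) for child in node)
    if node.tag == "SimpleExpression":
        left, op, right = node
        if op.text != "Equal":
            raise ValueError("operator not used by this rule: " + op.text)
        # Assumption: Equal is modelled as an exact string comparison.
        return operand(left, event) == operand(right, event)
    raise ValueError("unexpected element: " + node.tag)

def matching_events(events, rule_xml=RULE_FILTER):
    """Return the events for which the rule's filter is true."""
    root = ET.fromstring(rule_xml)
    return [e for e in events if evaluate(root, e)]

# Constructed sample events (not taken from a real System log).
SAMPLE_EVENTS = [
    {"EventSourceName": "TCPIP", "EventDisplayNumber": 4198},
    {"EventSourceName": "TCPIP", "EventDisplayNumber": 4199},
    {"EventSourceName": "TCPIP", "EventDisplayNumber": 4201},
    {"EventSourceName": "Dhcp", "EventDisplayNumber": 4199},
]

if __name__ == "__main__":
    for e in matching_events(SAMPLE_EVENTS):
        print("would alert:", e)
```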