UNSOLVED What would cause multiple MAC addresses to be loaded into a host?

  • As the title. For the last two days I’ve had some people contact me about AD security trust issues when trying to log on - only on a couple of PCs though.

    I’ve just realised today that those PCs have had their names changed to one of the PCs built about 2 weeks ago for general use.

    I’m used to seeing two pending macs for VMware virtual adapters, but I’ve now checked out the FOG page for that hostname and found it has 10 entries!


    The weird thing is that about half of them seem to be mac addresses for hardware I haven’t seen used anywhere in our labs, whereas others belong to machines we have around the labs (and it seems from the latest backup 3 days ago that they weren’t a part of our FOG system for whatever reason).

    Whatever the reason behind this, has anyone got any idea why this might happen? (FYI: SVN 3533)

  • @Trevelyan Do you mind hitting me up through chat?

    I think I know a fix. My guess is all of the systems have a VM system installed on them? Because of the imaging process, they all have the exact same NICs for the VM system. What I’d recommend is to set the two macs on the filter list so those two macs don’t get added/readded through subsequent registers.

    This meaning, add the two 00:50:56 (you should be okay with just that much of the mac added to the filter), approve these two nics and delete them after approving them.

    They should no longer continue to register (hopefully if SVN is working properly) and all your other hosts should (if using the new client) register themselves into a pending state, or do nothing at all because there’s no mac address associated with a host.

  • Ok so I’m on SVN 3563 now and have the pending mac list visible - it seems that even with deleting the host completely, it now exists again. Same problem ensues still - old FOG client seems to be renaming existing PCs that were not actually registered on FOG, but likely all had the same two virtual macs that are pending.

    Does anybody at all have any idea or input for this?

  • Ok interesting; what seems to have happened is that - after upgrading to SVN - hosts that were not registered on FOG are being affected by this.

    It seems as though one host has associated itself with the 00:50:56:C0:00 (virtual adapter) addresses used by basically every other PC. I have no idea why this computer in particular has the addresses pending, but before, multiple hosts could have these same pending addresses.

    Now, the few hosts that happened to have the FOG client - but were not registered with their own primary MAC address on FOG - seem to have put their own primary MAC address as a pending address in FOG against that single unrelated host. It looks like what could be happening is that they see the virtual adapter addresses and because they also have this on the machine, they are now thinking that they - too - should be called CSTC107-084132.

    The upshot is that we have 10 PCs with domain trust issues and are unable to log on at all - where once they were fine. My question now is: how have pending MAC addresses been changed, and will there be any different controls for how people can approve or reject MACs - or perhaps set some sort of exclusions (so that virtual mac addresses don’t get added, for example)?
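
Added example, not part of the thread and not FOG's own code: a small model of the collision described above and of the prefix filter suggested in the second post. It assumes a client is taken for a registered host whenever any MAC it reports matches one stored for that host; the function names and all full MAC addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data. The hostname and the 00:50:56 prefix come from the
# thread; every full MAC address below is made up for illustration.
REGISTERED = {
    "CSTC107-084132": ["02:00:00:00:00:01",
                       "00:50:56:C0:00:01", "00:50:56:C0:00:08"],
}
# An imaged PC that was never registered: its own NIC plus the cloned virtual NICs.
UNREGISTERED_CLIENT = ["02:00:00:00:00:02",
                       "00-50-56-c0-00-01", "00-50-56-c0-00-08"]
IGNORED_PREFIXES = ("00:50:56",)


def normalize(mac):
    """Upper-case, colon-separated form so different notations compare equal."""
    return mac.strip().upper().replace("-", ":")


def is_ignored(mac, prefixes=IGNORED_PREFIXES):
    """True if the MAC starts with a filtered prefix."""
    return normalize(mac).startswith(tuple(normalize(p) for p in prefixes))


def shared_macs(inventory):
    """Map each MAC seen on more than one host to the sorted hosts reporting it."""
    owners = defaultdict(set)
    for host, macs in inventory.items():
        for mac in macs:
            owners[normalize(mac)].add(host)
    return {mac: sorted(hosts) for mac, hosts in owners.items() if len(hosts) > 1}


def match_hosts(registered, reported, prefixes=IGNORED_PREFIXES):
    """Registered hosts a client would be taken for, given the MACs it reports."""
    usable = {normalize(m) for m in reported if not is_ignored(m, prefixes)}
    return sorted(host for host, macs in registered.items()
                  if usable & {normalize(m) for m in macs})


if __name__ == "__main__":
    print("no filter  :", match_hosts(REGISTERED, UNREGISTERED_CLIENT, prefixes=()))
    print("with filter:", match_hosts(REGISTERED, UNREGISTERED_CLIENT))
    inventory = dict(REGISTERED, **{"unregistered-pc": UNREGISTERED_CLIENT})
    print("shared MACs:", shared_macs(inventory))
```

Running `shared_macs` over an exported host/MAC inventory lists the addresses that more than one machine reports, which are the candidates for the filter list.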