Query on AD Sites and Services


Our forest root is company.com, and we have child domains of eu.company.com, asia.company.com and usa.company.com. AD is 2003.

Each child domain has about 10 sites geographically within it that are set up as AD Sites in AD Sites and Services. So far, all subnets have been registered correctly relating to each site.

However, I was wondering, what would happen if we created a new site but didn't assign the subnet in ADSS? I have searched on the Internet but cannot find an answer to this.

How does a client find a DC to authenticate to in that respect? Are there any logs we can check on the DC's to find out if there are any client requests from clients that aren't in that DC's "listed" subnets?
Who is Participating?
PberSolutions ArchitectCommented:
Here it explains how the clients use SRV records to discover sites:
If it doesn't find a DC in it's own subnet, it will automatically go to a different site.  It may pick one that may be slow.
You can also look in the event logs of the DC's that will indicate this issue to you:
You look in the netlogon.log file and it will tell you the clients who are logging on without a subnet defined.
Chris DentPowerShell DeveloperCommented:

A little extra for this one.

This is the DC Locator algorithm:


With a pretty flow chart at the bottom :)

kam_ukAuthor Commented:
Thanks - so would I be correct in saying that if there was a client in, say, London belong to an undefined subnet - it may pick a DC to authenticate to anywhere in Europe, but not outside this domain (assuming the client was joined to the eu.company.com domain)?
Chris DentPowerShell DeveloperCommented:
Correct, it must pick a DC within it's domain. The DC it eventually finds will log a NO_CLIENT_SITE message in netlogon.log as Pber has shown.

You can prevent certain DCs from being discovered by the locator by limiting which service records DCs publish in DNS (via a Group Policy setting).

I tend to make use of that for client sites with low bandwidth / high latency, I don't want clients discovering generic service records and using those DCs unless they belong to that site.


If the policy needs to apply to a specific group of DCs I use Security Filtering on the GPO. I avoid moving DCs into sub-OUs because it causes MS-support issues.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.