Query on AD Sites and Services

Posted on 2010-01-06
Last Modified: 2012-05-08

Our forest root is, and we have child domains of, and AD is 2003.

Each child domain has about 10 sites geographically within it that are set up as AD Sites in AD Sites and Services. So far, all subnets have been registered correctly relating to each site.

However, I was wondering, what would happen if we created a new site but didn't assign the subnet in ADSS? I have searched on the Internet but cannot find an answer to this.

How does a client find a DC to authenticate to in that respect? Are there any logs we can check on the DCs to find out if there are any client requests from clients that aren't in that DC's "listed" subnets?
Question by:kam_uk
    LVL 26

    Accepted Solution

    Here it explains how the clients use SRV records to discover sites:
    If it doesn't find a DC in its own subnet, it will automatically go to a different site. It may pick one that may be slow.
    You can also look in the event logs of the DCs that will indicate this issue to you:
    You look in the netlogon.log file and it will tell you the clients who are logging on without a subnet defined.
    LVL 70

    Assisted Solution

    by:Chris Dent

    A little extra for this one.

    This is the DC Locator algorithm:

    With a pretty flow chart at the bottom :)

    LVL 3

    Author Comment

    Thanks - so would I be correct in saying that if there was a client in, say, London belonging to an undefined subnet, it may pick a DC to authenticate to anywhere in Europe, but not outside this domain (assuming the client was joined to the domain)?
    LVL 70

    Expert Comment

    by:Chris Dent
    Correct, it must pick a DC within its domain. The DC it eventually finds will log a NO_CLIENT_SITE message in netlogon.log as Pber has shown.

    You can prevent certain DCs from being discovered by the locator by limiting which service records DCs publish in DNS (via a Group Policy setting).

    I tend to make use of that for client sites with low bandwidth / high latency, I don't want clients discovering generic service records and using those DCs unless they belong to that site.

    If the policy needs to apply to a specific group of DCs I use Security Filtering on the GPO. I avoid moving DCs into sub-OUs because it causes MS-support issues.
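    The two answers above point at netlogon.log and its NO_CLIENT_SITE entries as the place to find clients that are logging on from subnets not defined in AD Sites and Services. The script below is an added example (it is not from the thread or from Microsoft): it parses such entries, groups the offending clients by the subnet they would fall into, and prints a summary you can check against the subnet list in ADSS. The entry layout is an approximation of the real file, the sample lines are constructed rather than captured from a DC, and the /24 prefix used to propose candidate subnets is an assumption about how the sites are carved up.

```powershell
# Added example, not part of the original thread.
# Summarises NO_CLIENT_SITE entries from a DC's netlogon.log so the
# subnets missing from AD Sites and Services can be identified.
# Sample lines are constructed; the layout approximates the real file.

$SampleNetlogonLog = @'
01/06 09:12:01 [MISC] CORP: NO_CLIENT_SITE: LON-WS0142 10.44.7.21
01/06 09:12:05 [MISC] CORP: NO_CLIENT_SITE: LON-WS0177 10.44.7.88
01/06 09:13:40 [MISC] CORP: NO_CLIENT_SITE: PAR-LT0031 10.61.3.9
01/06 09:14:02 [MISC] CORP: NO_CLIENT_SITE: LON-WS0142 10.44.7.21
01/06 09:15:17 [MISC] CORP: unrelated netlogon entry, must be ignored
'@

function ConvertTo-CandidateSubnet {
    # Masks an IPv4 address down to its network address for the given
    # prefix length, e.g. 10.44.7.21 with /24 -> 10.44.7.0/24.
    param([string] $IP, [int] $PrefixLength)
    $bytes = [System.Net.IPAddress]::Parse($IP).GetAddressBytes()
    [Array]::Reverse($bytes)                      # host byte order for ToUInt32
    $addr     = [BitConverter]::ToUInt32($bytes, 0)
    $hostBits = [math]::Pow(2, 32 - $PrefixLength) - 1
    $mask     = [uint32]([uint32]::MaxValue - $hostBits)
    $net      = [uint32]($addr -band $mask)
    $octets   = 3..0 | ForEach-Object { ($net -shr ($_ * 8)) -band 0xFF }
    return ('{0}/{1}' -f ($octets -join '.'), $PrefixLength)
}

function Get-NoClientSiteSummary {
    # Parses netlogon.log lines and groups NO_CLIENT_SITE clients by the
    # candidate subnet they would belong to, so each group can be checked
    # against the subnets already defined in AD Sites and Services.
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [int] $PrefixLength = 24    # assumption: sites are carved at /24
    )
    $pattern = 'NO_CLIENT_SITE:\s+(?<Client>\S+)\s+(?<IP>\d{1,3}(?:\.\d{1,3}){3})'
    $hits = foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Client = $Matches.Client
                IP     = $Matches.IP
                Subnet = ConvertTo-CandidateSubnet -IP $Matches.IP -PrefixLength $PrefixLength
            }
        }
    }
    $hits | Group-Object Subnet | ForEach-Object {
        [pscustomobject]@{
            CandidateSubnet = $_.Name
            DistinctClients = @($_.Group.Client | Sort-Object -Unique).Count
            Requests        = $_.Count
            SampleIPs       = (@($_.Group.IP | Sort-Object -Unique | Select-Object -First 3)) -join ', '
        }
    } | Sort-Object Requests -Descending
}

# Run against the constructed sample. On a real DC replace $SampleNetlogonLog
# with the file contents: Get-Content "$env:SystemRoot\debug\netlogon.log"
$lines = $SampleNetlogonLog -split "`r?`n"
Get-NoClientSiteSummary -Lines $lines | Format-Table -AutoSize
```

    The candidate subnet is only a suggestion derived from the client address; confirm it against your network plan before adding it to ADSS, since a site may be carved at a different prefix length than the one assumed here. Repeated hits from the same client (LON-WS0142 in the sample) are counted as separate requests but as one distinct client, which helps separate a single misplaced machine from a whole missing subnet.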

