patriots

client assignment in AD DS sites

We have 3 sites:
Site A
Site B
Site C

Sites A and B contain domain controllers, and both have subnets defined for them in Active Directory Sites and Services.  Site C has no servers or subnets defined for it.  Clients are associated with Site C.  These clients are also on subnets that are not defined in any site.  Is this why they are associated with Site C?  How are clients that are on a subnet not associated with any site becoming associated with a site?  Does this occur based on link cost and closest DC by hop count?

I'm curious about all of this, b/c clients in Site C are having some GPO replication problems from time to time, and I'm trying to track that down.  Since Site C is defined in AD DS, but it has no subnets, and has no servers, I'm a bit confused about how GPO replication is occurring, and what DC they should be getting it from by default.  I'm also trying to determine what the point of a site is if there are no subnets associated with it.

I know there is copious information on this topic from a simple Google search; however, I struggle from time to time finding concise information specifically regarding what I'm curious about, which is why I'm here.

Thank you.
Joseph Daly

I'm not sure I 100% understand the question you are asking, but here is my stab at it.

If your clients are at site C, where there is no domain controller/global catalog, when they attempt to log in and authenticate they will have to authenticate against a domain controller in site A or B. Which one they will associate with will depend on how you have your site links configured, or whether you just let Active Directory generate them automatically.

A reason you may be having GPO issues could be the line. By default, GPOs have slow link detection, which can cause issues if your line drops below it.

patriots

ASKER

Good try, and close, and I'm sorry if the question is confusing.  Upon further investigating, it seems some clients are associating with Site C, which according to Sites and Services has no subnets configured within it.  I see this association by looking at the top of a GP results report for the clients I'm referring to.  So this makes me wonder...how can a client associate itself with a Site that has no subnets configured within it?  The whole point of a Site is to tie the network topology into AD.  If a site has no subnet, then it's essentially not configured, or at least that's my assumption.  That being the case, I'm not sure why any client is associated with it, unless, of course, my gpresults report is pulling bad data somehow.
ASKER CERTIFIED SOLUTION
Sandesh Dubey

Thank you.  That's excellent information.  Do you know why a client would associate with a site that has no subnets configured in it?  The client is a part of a subnet that is not in any site, and it's associated somehow with a site that has no subnets in it.
It is by design: a client that attempts to log on from a subnet that is not associated with any site may authenticate with any domain controller in any site in the domain.

When a workstation first logs on (machines log onto the domain, just like users), it sends out a DNS query to locate a service record of the closest DC for the subnet this workstation resides on.
There are three possible scenarios for a client to attach to a DC:
1. The subnet that this machine resides on has been properly defined in Sites and Services
2. The site this machine belongs to doesn't have a domain controller within its site
3. This machine's subnet hasn't been defined in Sites and Services
There is no reason to go over scenario one, since everything is working as expected.

Scenario two should be working as well, since auto site coverage was implemented in Windows 2003.  Domain controllers should register their DNS service (SRV) records in nearby sites that contain no DCs.  This action is known as "Automatic Site Coverage" (ASC).  ASC has to factor in the link costs associated with a site to compute the cheapest route for the DC-less clients within the site.

Scenario three is a mistake in the Sites and Services defined topology by the administrator.  Although the client and domain controller both exist in the same subnet, the subnet hasn't been defined in Sites and Services.  Therefore, when the client machine hatches the DC Locator service, the DC in the local site isn't offered to authenticate the machine or the user.  Instead, a DC from the default site within Sites and Services is presented to the client.  Also, the log file netlogon.log on the authenticating DC is updated with a line noting the missing subnet.  I check this log file weekly to verify that our network crew didn't add any new subnets without our group being notified.

Just run the following from a command prompt on your default-site DCs to see if there are any undefined subnets:
notepad.exe %systemroot%\Debug\Netlogon.log
You will need to examine each DC to verify that all your sites are defined.
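Reading Netlogon.log by hand in Notepad gets old once several DCs are involved, so here is an added example (not from this thread or from Microsoft) that does the check described above in PowerShell. It assumes the line Netlogon writes for an undefined client subnet has the layout `MM/DD HH:MM:SS [LOGON] DOMAIN: NO_CLIENT_SITE: ClientName ClientIP` (older DCs omit the `[LOGON]` field, and the pattern accepts both), and it runs against constructed sample lines so it can be tried without a DC; the function names, the `CONTOSO` domain, the host names and the addresses are all hypothetical.

```powershell
# Added example, not the thread's or Microsoft's code: mine Netlogon.log for
# NO_CLIENT_SITE entries (the line Netlogon writes when a client authenticates
# from a subnet that Sites and Services does not know about) and roll the hits
# up into candidate subnets for the administrator to define.
# Assumed line layout: "MM/DD HH:MM:SS [LOGON] DOMAIN: NO_CLIENT_SITE: ClientName ClientIP"

function Get-NoClientSiteEntry {
    param(
        [Parameter(Mandatory)][string[]]$Lines,   # raw Netlogon.log lines
        [string]$SourceDC = 'local'                # which DC the log was read from
    )
    # Optional "[LOGON]" field, then the domain, then the NO_CLIENT_SITE marker.
    $pattern = '^(?<date>\d{2}/\d{2}) (?<time>\d{2}:\d{2}:\d{2})\s+(?:\[\w+\]\s+)?(?<domain>\S+): NO_CLIENT_SITE: (?<client>\S+) (?<ip>\d{1,3}(?:\.\d{1,3}){3})'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                DC       = $SourceDC
                When     = '{0} {1}' -f $Matches.date, $Matches.time
                Domain   = $Matches.domain
                Client   = $Matches.client
                IP       = $Matches.ip
                # A /24 is only a guess at the real subnet boundary (assumption);
                # confirm the mask with the network team before defining it in AD.
                Subnet24 = $Matches.ip -replace '\.\d{1,3}$', '.0/24'
            }
        }
    }
}

function Get-UndefinedSubnetSummary {
    param([object[]]$Entries = @())
    # One row per candidate subnet: how many distinct clients, which DCs saw
    # them, and the most recent hit (dates sort correctly as text within a year).
    $Entries | Group-Object Subnet24 | ForEach-Object {
        [pscustomobject]@{
            CandidateSubnet = $_.Name
            ClientCount     = @($_.Group.Client | Sort-Object -Unique).Count
            SeenOnDCs       = @($_.Group.DC | Sort-Object -Unique) -join ','
            LastSeen        = @($_.Group.When | Sort-Object)[-1]
        }
    } | Sort-Object ClientCount -Descending
}

# Constructed sample lines (not real log data) so the example runs without a DC.
# The third line is a normal logon entry and must be ignored by the parser.
$sampleLog = @(
    '03/12 08:15:02 [LOGON] CONTOSO: NO_CLIENT_SITE: WS-FIN-021 10.50.7.23'
    '03/12 08:15:40 [LOGON] CONTOSO: NO_CLIENT_SITE: WS-FIN-034 10.50.7.88'
    '03/12 08:16:11 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WS-HQ-001 Entered'
    '03/12 09:02:57 CONTOSO: NO_CLIENT_SITE: LT-SALES-07 10.60.1.5'
    '03/12 09:03:10 [LOGON] CONTOSO: NO_CLIENT_SITE: WS-FIN-021 10.50.7.23'
)

$entries = Get-NoClientSiteEntry -Lines $sampleLog -SourceDC 'DC01'
Get-UndefinedSubnetSummary -Entries $entries | Format-Table -AutoSize

# Against real DCs: every DC can carry NO_CLIENT_SITE lines, so read all of them
# over the admin$ share (needs the ActiveDirectory module and admin rights), and
# drop any candidate that is already defined as a subnet object in AD.
# $entries = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
#     $log = Get-Content ('\\{0}\admin$\Debug\Netlogon.log' -f $dc)
#     Get-NoClientSiteEntry -Lines $log -SourceDC $dc
# }
# $defined = (Get-ADReplicationSubnet -Filter *).Name
# Get-UndefinedSubnetSummary -Entries $entries |
#     Where-Object { $defined -notcontains $_.CandidateSubnet }
```

With the sample input the summary lists `10.50.7.0/24` (two distinct clients) and `10.60.1.0/24` (one client), and the ordinary `SamLogon` line is skipped. Netlogon.log rolls over to Netlogon.bak in the same directory, so include both files if you want more than the most recent history. Once a subnet is defined and tied to the right site, `nltest /dsgetsite` on one of the affected clients is a quick way to confirm the DC Locator now reports the expected site name instead of whatever it fell back to.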