Solved

client assignment in AD DS sites

Posted on 2011-09-27
Last Modified: 2012-05-12
We have 3 sites:
Site A
Site B
Site C

Sites A and B contain domain controllers, and both have subnets defined for them in Active Directory Sites and Services.  Site C has no servers or subnets defined for it.  Clients are associated with Site C.  These clients are also on subnets that are not defined in any site.  Is this why they are associated with Site C?  How are clients that are on a subnet not associated with any site becoming associated with a site?  Does this occur based on link cost and closest DC by hop count?

I'm curious about all of this, b/c clients in Site C are having some GPO replication problems from time to time, and I'm trying to track that down.  Since Site C is defined in AD DS, but it has no subnets, and has no servers, I'm a bit confused about how GPO replication is occurring, and what DC they should be getting it from by default.  I'm also trying to determine what the point of a site is if there are no subnets associated with it.

I know there is copious information on this topic doing a simple google search, however, I struggle from time to time finding concise information specifically regarding what I'm curious about, which is why I'm here.

Thank you.
Question by:patriots

Expert Comment

by:Joseph Daly
I'm not sure I 100% understand the question you are asking, but here is my stab at it.

If your clients are at site C, where there is no domain controller/Global catalog, when they attempt to log in and authenticate they will have to authenticate against a domain controller in site A or B. Which one they will associate with will depend on how you have your site links configured, or if you just let Active Directory generate them automatically.

A reason you may be having GPO issues could be from the line. By default GPOs have a slow link detection which if your line drops below can cause issues.


Author Comment

by:patriots
Good try, and close, and I'm sorry if the question is confusing.  Upon further investigating, it seems some clients are associating with Site C, which according to Sites and Services has no subnets configured within it.  I see this association by looking at the top of a GP results report for the clients I'm referring to.  So this makes me wonder... how can a client associate itself with a Site that has no subnets configured within it?  The whole point of a Site is to tie the network topology into AD.  If a site has no subnet, then it's essentially not configured, or at least that's my assumption.  That being the case, I'm not sure why any client is associated with it, unless of course my gpresults report is pulling bad data somehow.

Accepted Solution

by: Sandeshdubey (earned 500 total points)
Having all of your subnets in Active Directory is important because a client that attempts to log on from a subnet that is not associated with any site may authenticate with any domain controller in the domain. This can result in the logon process taking longer to complete. Unfortunately, Microsoft has not provided an easy way to rectify this problem.

Under Windows 2000, the only source of missing subnet information is the System event 5778. The only way to dynamically determine missing subnets is to query each domain controller for 5778 events and map the IP addresses specified within the events to a subnet you add to the site topology.

With Windows Server 2003, things are not that much better. One of the issues with the 5778 events under Windows 2000 is that they can easily fill up your System event log if you have many missing subnets. In Windows 2003, Microsoft decided to instead display a summary event 5807 that states that some number of connection attempts have been made by clients that did not map to a subnet in the site topology.

Instead of scraping the event logs on every domain controller, you can look at the %SystemRoot%\debug\netlogon.log file on each domain controller and parse out all of the NO_CLIENT_SITE entries. This is still far from an easy process, but at least the event logs are no longer cluttered with 5778 events.
Here is an example of some of the NO_CLIENT_SITE entries from the netlogon.log file:
      01/16 15:50:07 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157
      01/16 15:50:29 RALLENCORP: NO_CLIENT_SITE: SJC-BACKUP 44.25.26.142


Author Comment

by:patriots
Thank you.  That's excellent information.  Do you know why a client would associate with a site that has no subnets configured in it?  The client is a part of a subnet that is not in any site, and it's associated somehow with a site that has no subnets in it.

Expert Comment

by:Sandeshdubey
It is by design: if the client attempts to log on from a subnet that is not associated with any site, it may authenticate with any domain controller of any site in the domain.

When a workstation first logs on (machines log onto the domain, just like users), it sends out a DNS query to locate a service record of the closest DC for the subnet this workstation resides on.
There are three possible scenarios for a client to attach to a DC:
1. The subnet that this machine resides on has been properly defined in Sites and Services
2. The site this machine belongs to doesn't have a domain controller within its site
3. This machine's subnet hasn't been defined in Sites and Services
There is no reason to go over scenario one, since everything is working as expected.

Scenario two should be working as well, since auto site coverage was implemented in Windows 2003.  Domain Controllers should register their DNS service (SRV) records in nearby sites that contain no DCs.  This action is known as "Automatic Site Coverage" (ASC); ASC has to factor in the link costs associated with a site to compute the cheapest route for the DC-less clients within the site.

Scenario three is a mistake in the Sites and Services defined topology by the administrator.  Although the client and Domain Controller both exist in the same subnet, the subnet hasn't been defined in Sites and Services.  Therefore, when the client machine launches the DC Locator service, the DC in the local site isn't offered to authenticate the machine or the user.  Instead a DC from the default site within Sites and Services is presented to the client.  Also, the log file netlogon.log on the authenticating DC is updated with a line noting the missing subnet.  I check this log file weekly to verify that our network crew didn't add any new subnets without our group being notified.

Just run the following from a command prompt on your default-site DCs to see if there are any undefined subnets:
notepad.exe %systemroot%\Debug\Netlogon.log
You will need to examine each DC to verify that all your sites are defined.
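As an added illustration of the netlogon.log parsing the two answers above describe (this is not code from the thread or from the answerers), the PowerShell script below pulls every NO_CLIENT_SITE line, counts hits per client IP, checks each IP against the subnets already defined in Sites and Services and proposes a /24 for any IP still uncovered. The log lines and the subnet list are constructed sample data; Get-ADReplicationSubnet is mentioned in a comment only for Windows Server 2012+ DCs that have the ActiveDirectory module.

```powershell
# Added example, not code from the thread: parse NO_CLIENT_SITE entries out of
# netlogon.log and report which client IPs are still not covered by any subnet
# defined in Sites and Services. Log lines and subnet list are constructed.
$logLines = @(
    '01/16 15:50:07 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157',
    '01/16 15:50:29 RALLENCORP: NO_CLIENT_SITE: SJC-BACKUP 44.25.26.142',
    '01/16 15:51:02 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157',
    '01/16 15:52:10 RALLENCORP: NO_CLIENT_SITE: HQ-LAPTOP 10.1.20.77'
)
# On a DC read the real file instead: $logLines = Get-Content "$env:SystemRoot\Debug\netlogon.log"

# Subnets already defined in Sites and Services (constructed). On a 2012+ DC with the
# ActiveDirectory module: $definedSubnets = (Get-ADReplicationSubnet -Filter *).Name
$definedSubnets = @('10.1.20.0/24', '192.168.5.0/24')

function ConvertTo-UInt32 ([string]$Dotted) {
    $b = [System.Net.IPAddress]::Parse($Dotted).GetAddressBytes()
    return [uint32](([uint64]$b[0] -shl 24) -bor ([uint64]$b[1] -shl 16) -bor ([uint64]$b[2] -shl 8) -bor [uint64]$b[3])
}

function Test-IPInSubnet ([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr -split '/'
    $mask = [uint32](([uint64]0xFFFFFFFF -shl (32 - [int]$bits)) -band [uint64]0xFFFFFFFF)
    return ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

# Pull client name and IP from every NO_CLIENT_SITE line.
$pattern = 'NO_CLIENT_SITE:\s+(?<client>\S+)\s+(?<ip>\d{1,3}(?:\.\d{1,3}){3})'
$hits = foreach ($line in $logLines) {
    if ($line -match $pattern) { [pscustomobject]@{ Client = $Matches.client; IP = $Matches.ip } }
}

# One row per IP: how often it hit this DC, which clients, and whether a subnet now covers it.
$report = $hits | Group-Object IP | ForEach-Object {
    $ip = $_.Name
    $covered = @($definedSubnets | Where-Object { Test-IPInSubnet -Ip $ip -Cidr $_ })
    [pscustomobject]@{
        IP      = $ip
        Clients = ($_.Group.Client | Sort-Object -Unique) -join ','
        Hits    = $_.Count
        Covered = $covered.Count -gt 0      # old entries can predate a subnet you already added
        # Candidate /24 to add to the site that owns this network; confirm the real VLAN size first.
        Suggest = if ($covered.Count -gt 0) { '' } else { ($ip -replace '\.\d+$', '.0') + '/24' }
    }
}
$report | Sort-Object Covered, Hits -Descending | Format-Table -AutoSize
```

Run it on each DC, since each netlogon.log only records the clients that authenticated against that DC; an IP that stays uncovered after you add its subnet usually means the subnet was attached to the wrong site or the log predates the change.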