

client assignment in AD DS sites

Posted on 2011-09-27
Medium Priority
Last Modified: 2012-05-12
We have 3 sites:
Site A
Site B
Site C

Sites A and B contain domain controllers, and both have subnets defined for them in Active Directory Sites and Services.  Site C has no servers or subnets defined for it.  Clients are associated with Site C.  These clients are also on subnets that are not defined in any site.  Is this why they are associated with Site C?  How are clients that are on a subnet not associated with any site becoming associated with a site?  Does this occur based on link cost and closest DC by hop count?

I'm curious about all of this, because clients in Site C are having some GPO replication problems from time to time, and I'm trying to track that down.  Since Site C is defined in AD DS, but it has no subnets, and has no servers, I'm a bit confused about how GPO replication is occurring, and what DC they should be getting it from by default.  I'm also trying to determine what the point of a site is if there are no subnets associated with it.

I know there is copious information on this topic available through a simple Google search; however, I struggle from time to time to find concise information specifically regarding what I'm curious about, which is why I'm here.

Thank you.
Question by:patriots
LVL 35

Expert Comment

by:Joseph Daly
ID: 36713007
I'm not sure I 100% understand the question you are asking, but here is my stab at it.

If your clients are at site C, where there is no domain controller/global catalog, then when they attempt to log in and authenticate they will have to authenticate against a domain controller in site A or B. Which one they will associate with will depend on how you have your site links configured, or whether you just let Active Directory generate them automatically.

A reason you may be having GPO issues could be the line. By default GPOs have slow link detection, which can cause issues if your line speed drops below the threshold.


Author Comment

ID: 36713207
Good try, and close, and I'm sorry if the question is confusing.  Upon further investigating, it seems some clients are associating with Site C, which according to Sites and Services has no subnets configured within it.  I see this association by looking at the top of a GP results report for the clients I'm referring to.  So this makes me ask: can a client associate itself with a site that has no subnets configured within it?  The whole point of a site is to tie the network topology into AD.  If a site has no subnet, then it's essentially not configured, or at least that's my assumption.  That being the case, I'm not sure why any client is associated with it, unless of course my gpresult report is pulling bad data somehow.
LVL 24

Accepted Solution

Sandeshdubey earned 2000 total points
ID: 36714296
Having all of your subnets in Active Directory is important because a client that attempts to log on from a subnet that is not associated with any site may authenticate with any domain controller in the domain. This can result in the logon process taking longer to complete. Unfortunately, Microsoft has not provided an easy way to rectify this problem.

Under Windows 2000, the only source of missing subnet information is the System event 5778. The only way to dynamically determine missing subnets is to query each domain controller for 5778 events and map the IP addresses specified within the events to a subnet you add to the site topology.

With Windows Server 2003, things are not that much better. One of the issues with the 5778 events under Windows 2000 is that they can easily fill up your System event log if you have many missing subnets. In Windows 2003, Microsoft decided to instead display a summary event 5807 that states that some number of connection attempts have been made by clients that did not map to a subnet in the site topology.

Instead of scraping the event logs on every domain controller, you can look at the %SystemRoot%\debug\netlogon.log file on each domain controller and parse out all of the NO_CLIENT_SITE entries. This is still far from an easy process, but at least the event logs are no longer cluttered with 5778 events.
Here is an example of some of the NO_CLIENT_SITE entries from the netlogon.log file:


Author Comment

ID: 36718045
Thank you.  That's excellent information.  Do you know why a client would associate with a site that has no subnets configured in it?  The client is a part of a subnet that is not in any site, and it's associated somehow with a site that has no subnets in it.
LVL 24

Expert Comment

ID: 36788083
It is by design: a client that attempts to log on from a subnet that is not associated with any site may authenticate with any domain controller in any site in the domain.

When a workstation first logs on (machines log onto the domain, just like users), it sends out a DNS query to locate a service record of the closest DC for the subnet this workstation resides on.
There are three possible scenarios for a client to attach to a DC:
1. The subnet that this machine resides on has been properly defined in Sites and Services
2. The site this machine belongs to doesn't have a domain controller within its site
3. This machine's subnet hasn't been defined in Sites and Services
There is no reason to go over scenario one, since everything is working as expected

Scenario two should be working as well, since auto site coverage was implemented in Windows 2003.  Domain controllers should register their DNS service (SRV) records in nearby sites that contain no DCs.  This action is known as "Automatic Site Coverage" (ASC).  ASC has to factor in the link costs associated with a site to compute the cheapest route for the DC-less clients within the site.

Scenario three is a mistake in the Sites and Services defined topology by the administrator.  Although the client and domain controller both exist in the same subnet, the subnet hasn't been defined in Sites and Services.  Therefore when the client machine launches the DC Locator service, the DC in the local site isn't offered to authenticate the machine or the user.  Instead a DC from the default site within Sites and Services is presented to the client.  Also the log file netlogon.log on the authenticating DC is updated with a line noting the missing subnet.  I check this log file weekly to verify that our network crew didn't add any new subnets without our group being notified.

Just run the following from a command prompt on your default-site DCs to see if there are any undefined subnets:
notepad.exe %systemroot%\Debug\Netlogon.log
You will need to examine each DC to verify that all your sites are defined.
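Putting the accepted answer and the comment above into practice, here is an added example (not from the original thread) that parses the NO_CLIENT_SITE entries out of a netlogon.log copied off a DC, matches each address against a hypothetical subnet-to-site table with the same longest-prefix rule DC Locator uses, and groups the addresses that still match nothing into candidate /24 subnets to define in Sites and Services. It is written in Python rather than PowerShell so it runs wherever the log has been copied; the sample log lines, domain name, hostnames and subnet table are all constructed for the example, and only the "NO_CLIENT_SITE: hostname ip" shape is taken from the real log format.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the shape netlogon.log uses for missing-subnet
# entries ("MM/DD HH:MM:SS DOMAIN: NO_CLIENT_SITE: hostname ip").  Domain,
# hostnames and addresses are made up for this example; the second line is
# an unrelated entry included to show the parser skips it.
SAMPLE_NETLOGON_LOG = """\
09/27 08:12:41 CONTOSO: NO_CLIENT_SITE: WKS-C-0101 10.30.5.17
09/27 08:12:44 [LOGON] SamLogon: Network logon of CONTOSO\\jdoe from WKS-A-0007 Entered
09/27 08:13:02 CONTOSO: NO_CLIENT_SITE: WKS-C-0102 10.30.5.23
09/27 08:15:19 CONTOSO: NO_CLIENT_SITE: WKS-C-0101 10.30.5.17
09/27 08:20:55 CONTOSO: NO_CLIENT_SITE: LAB-0003 10.30.9.200
"""

# Hypothetical subnet -> site table, the equivalent of what an admin has
# defined under Sites and Services.  Site C has no entries, as in the thread.
DEFINED_SUBNETS = {
    "10.10.0.0/16": "SiteA",
    "10.10.200.0/24": "SiteA-Lab",   # more specific than 10.10.0.0/16
    "10.20.0.0/16": "SiteB",
}

NO_CLIENT_SITE_RE = re.compile(
    r"NO_CLIENT_SITE:\s+(?P<host>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_no_client_site(log_text):
    """Return (hostname, ip) for every NO_CLIENT_SITE entry, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = NO_CLIENT_SITE_RE.search(line)
        if m:
            hits.append((m.group("host"), m.group("ip")))
    return hits


def site_for_ip(ip, defined_subnets=DEFINED_SUBNETS):
    """Longest-prefix match of an address against the defined subnets.

    This mirrors how DC Locator assigns a client to a site: the most specific
    defined subnet wins, and an address that matches nothing has no site.
    """
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for cidr, site in defined_subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def missing_subnets(log_text, prefixlen=24, defined_subnets=DEFINED_SUBNETS):
    """Group still-unmapped NO_CLIENT_SITE addresses into candidate subnets.

    Entries whose address now falls inside a defined subnet are dropped, so
    the same log can be re-read after subnets have been added.  Returns
    {candidate_cidr: sorted distinct hostnames}.
    """
    groups = defaultdict(set)
    for host, ip in parse_no_client_site(log_text):
        if site_for_ip(ip, defined_subnets) is None:
            candidate = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
            groups[str(candidate)].add(host)
    return {cidr: sorted(hosts) for cidr, hosts in sorted(groups.items())}


if __name__ == "__main__":
    # Against a real DC, read %SystemRoot%\debug\netlogon.log instead of the sample.
    for cidr, hosts in missing_subnets(SAMPLE_NETLOGON_LOG).items():
        print(f"{cidr}: {len(hosts)} host(s) -> {', '.join(hosts)}")
```

The /24 grouping is only a starting point: confirm the real mask with the network team before adding the subnet, and run the script against the log from every DC, since each DC only records the clients that happened to reach it.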


Question has a verified solution.