client assignment in AD DS sites

Posted on 2011-09-27
Last Modified: 2012-05-12
We have 3 sites:
Site A
Site B
Site C

Sites A and B contain domain controllers, and both have subnets defined for them in Active Directory Sites and Services.  Site C has no servers or subnets defined for it.  Clients are associated with Site C.  These clients are also on subnets that are not defined in any site.  Is this why they are associated with Site C?  How are clients that are on a subnet not associated with any site becoming associated with a site?  Does this occur based on link cost and closest DC by hop count?

I'm curious about all of this, b/c clients in Site C are having some GPO replication problems from time to time, and I'm trying to track that down.  Since Site C is defined in AD DS, but it has no subnets, and has no servers, I'm a bit confused about how GPO replication is occurring, and what DC they should be getting it from by default.  I'm also trying to determine what the point of a site is if there are no subnets associated with it.

I know there is copious information on this topic doing a simple Google search; however, I struggle from time to time finding concise information specifically regarding what I'm curious about, which is why I'm here.

Thank you.
Question by:patriots
LVL 35

Expert Comment

by:Joseph Daly
ID: 36713007
I'm not sure I 100% understand the question you are asking, but here is my stab at it.

If your clients are at site C, where there is no domain controller/global catalog, when they attempt to log in and authenticate they will have to authenticate against a domain controller in site A or B. Which one they will associate with will depend on how you have your site links configured, or whether you just let Active Directory generate them automatically.

A reason you may be having GPO issues could be from the line. By default GPOs have a slow link detection which if your line drops below can cause issues.


Author Comment

ID: 36713207
Good try, and close, and I'm sorry if the question is confusing.  Upon further investigating, it seems some clients are associating with Site C, which according to Sites and Services has no subnets configured within it.  I see this association by looking at the top of a GP results report for the clients I'm referring to.  So this makes me wonder: can a client associate itself with a Site that has no subnets configured within it?  The whole point of a Site is to tie the network topology into AD.  If a site has no subnet, then it's essentially not configured, or at least that's my assumption.  That being the case, I'm not sure why any client is associated with it unless of course my gpresult report is pulling bad data somehow.
LVL 24

Accepted Solution

Sandeshdubey earned 500 total points
ID: 36714296
Having all of your subnets in Active Directory is important because a client that attempts to log on from a subnet that is not associated with any site may authenticate with any domain controller in the domain. This can result in the logon process taking longer to complete. Unfortunately, Microsoft has not provided an easy way to rectify this problem.

Under Windows 2000, the only source of missing subnet information is the System event 5778. The only way to dynamically determine missing subnets is to query each domain controller for 5778 events and map the IP addresses specified within the events to a subnet you add to the site topology.

With Windows Server 2003, things are not that much better. One of the issues with the 5778 events under Windows 2000 is that they can easily fill up your System event log if you have many missing subnets. In Windows 2003, Microsoft decided to instead display a summary event 5807 that states that some number of connection attempts have been made by clients that did not map to a subnet in the site topology.

Instead of scraping the event logs on every domain controller, you can look at the %SystemRoot%\debug\netlogon.log file on each domain controller and parse out all of the NO_CLIENT_SITE entries. This is still far from an easy process, but at least the event logs are no longer cluttered with 5778 events.
Here is an example of some of the NO_CLIENT_SITE entries from the netlogon.log file:


Author Comment

ID: 36718045
Thank you.  That's excellent information.  Do you know why a client would associate with a site that has no subnets configured in it?  The client is a part of a subnet that is not in any site, and it's associated somehow with a site that has no subnets in it.
LVL 24

Expert Comment

ID: 36788083
It is by design: if a client attempts to log on from a subnet that is not associated with any site, it may authenticate with any domain controller of any site in the domain.

When a workstation first logs on (machines log onto the domain, just like users) it sends out a DNS query to locate a service record of the closest DC for the subnet this workstation resides on.
There are three possible scenarios for a client to attach to a DC:
1. The subnet that this machine resides on has been properly defined in Sites and Services
2. The site this machine belongs to doesn't have a domain controller within its site
3. This machine's subnet hasn't been defined in Sites and Services
There is no reason to go over scenario one, since everything is working as expected.

Scenario two should be working as well, since auto site coverage was implemented in Windows 2003.  Domain controllers should register their DNS service (SRV) records in nearby sites that contain no DCs.  This action is known as "Automatic Site Coverage" (ASC).  ASC has to factor in the link costs associated with a site to compute the cheapest route for the DC-less clients within the site.

Scenario three is a mistake in the Sites and Services defined topology by the administrator.  Although the client and domain controller both exist in the same subnet, the subnet hasn't been defined in Sites and Services.  Therefore when the client machine launches the DC Locator service, the DC in the local site isn't offered to authenticate the machine or the user.  Instead a DC from the default site within Sites and Services is presented to the client.  Also the log file netlogon.log on the authenticating DC is updated with a line noting the missing subnet.  I check this log file weekly to verify that our network crew didn't add any new subnets without our group being notified.

Just run the following from a command prompt on your default-site DCs to see if there are any undefined subnets:
notepad.exe %systemroot%\Debug\Netlogon.log
You will need to examine each DC to verify that all your subnets are defined.
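The two expert replies above both come down to the same weekly chore: pull Netlogon.log from every DC, find the NO_CLIENT_SITE lines, and work out which subnets still need to be added to Sites and Services. The script below is an added example (not code from this thread or from Microsoft) that does that triage offline: it parses the NO_CLIENT_SITE entries, discards any whose address already falls inside a subnet you have since defined, and groups the rest into candidate /24 (or /64 for IPv6) networks with the client names that hit them. The log lines and the DEFINED_SUBNETS map are constructed sample data in the layout the thread describes (date, time, [MISC], domain, NO_CLIENT_SITE, client name, IP); the function and variable names are this example's own.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of a Netlogon.log fragment. Only the NO_CLIENT_SITE lines
# matter; the DsGetDcName line is there to show that other entries are ignored.
SAMPLE_NETLOGON_LOG = """\
09/26 08:12:41 [MISC] CONTOSO: NO_CLIENT_SITE: WKS-C-01 10.30.5.21
09/26 08:12:55 [MISC] CONTOSO: NO_CLIENT_SITE: WKS-C-02 10.30.5.22
09/26 08:13:02 [MISC] CONTOSO: NO_CLIENT_SITE: WKS-C-03 10.30.6.7
09/26 08:13:30 [MISC] CONTOSO: DsGetDcName function called: client PID=1234
09/26 09:01:12 [MISC] CONTOSO: NO_CLIENT_SITE: WKS-A-09 10.10.1.40
09/26 09:05:00 [MISC] CONTOSO: NO_CLIENT_SITE: WKS-C-01 10.30.5.21
"""

# Constructed: the subnets currently defined in Sites and Services.
# 10.10.1.40 above is covered by Site A, so that log line is stale, not a gap.
DEFINED_SUBNETS = {
    "10.10.0.0/16": "Site A",
    "10.20.0.0/16": "Site B",
}

# Matches "NO_CLIENT_SITE: <client> <ip>" wherever it sits on the line, so a
# leading "[PID]" column on newer DCs does not break the match.
NO_CLIENT_SITE_RE = re.compile(
    r"NO_CLIENT_SITE:\s+(?P<host>\S+)\s+(?P<ip>[0-9a-fA-F:.]+)\s*$"
)


def parse_no_client_site(log_text):
    """Return (client_name, ip_address) tuples for every NO_CLIENT_SITE line."""
    entries = []
    for line in log_text.splitlines():
        m = NO_CLIENT_SITE_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address: skip the line rather than abort
        entries.append((m.group("host"), ip))
    return entries


def site_for_ip(ip, defined_subnets):
    """Longest-prefix match of one address against the defined subnets.

    Returns the site name, or None when no defined subnet contains the address
    (which is exactly the condition that makes the DC write NO_CLIENT_SITE).
    """
    ip = ipaddress.ip_address(ip)
    best = None
    for cidr, site in defined_subnets.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def summarize_missing_subnets(log_text, defined_subnets,
                              v4_prefixlen=24, v6_prefixlen=64):
    """Group uncovered NO_CLIENT_SITE hits into candidate subnets to define."""
    hits = Counter()                # candidate network -> number of log lines
    clients = defaultdict(set)      # candidate network -> distinct client names
    already_defined = {}            # ip -> site, for entries that predate a fix
    for host, ip in parse_no_client_site(log_text):
        site = site_for_ip(ip, defined_subnets)
        if site is not None:
            already_defined[str(ip)] = site
            continue
        plen = v4_prefixlen if ip.version == 4 else v6_prefixlen
        candidate = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
        hits[str(candidate)] += 1
        clients[str(candidate)].add(host)
    return {
        "candidate_subnets": dict(hits),
        "clients": {net: sorted(names) for net, names in clients.items()},
        "already_defined": already_defined,
    }


if __name__ == "__main__":
    report = summarize_missing_subnets(SAMPLE_NETLOGON_LOG, DEFINED_SUBNETS)
    for net, count in sorted(report["candidate_subnets"].items()):
        print(f"{net}: {count} hit(s) from {', '.join(report['clients'][net])}")
    for ip, site in report["already_defined"].items():
        print(f"{ip} is now covered by {site} (stale entry)")
```

In practice you would feed the script the Netlogon.log copied from each DC in turn and add the candidate networks to the site they physically belong to; the /24 grouping is only a starting guess, so confirm the real mask with the network team before creating the subnet object.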

