
client assignment in AD DS sites

We have 3 sites:
Site A
Site B
Site C

Sites A and B contain domain controllers, and both have subnets defined for them in Active Directory Sites and Services.  Site C has no servers or subnets defined for it.  Clients are associated with Site C.  These clients are also on subnets that are not defined in any site.  Is this why they are associated with Site C?  How are clients that are on a subnet not associated with any site becoming associated with a site?  Does this occur based on link cost and closest DC by hop count?

I'm curious about all of this, because clients in Site C are having some GPO replication problems from time to time, and I'm trying to track that down.  Since Site C is defined in AD DS, but it has no subnets, and has no servers, I'm a bit confused about how GPO replication is occurring, and what DC they should be getting it from by default.  I'm also trying to determine what the point of a site is if there are no subnets associated with it.

I know there is copious information on this topic from a simple Google search; however, I struggle from time to time finding concise information specifically regarding what I'm curious about, which is why I'm here.

Thank you.
1 Solution
Joseph Daly commented:
I'm not sure I 100% understand the question you are asking, but here is my stab at it.

If your clients are at site C, where there is no domain controller/global catalog, when they attempt to log in and authenticate they will have to authenticate against a domain controller in site A or B. Which one they will associate with will depend on how you have your site links configured, or whether you just let Active Directory generate them automatically.

A reason you may be having GPO issues could be the line. By default GPOs have slow link detection, which can cause issues if your line drops below the threshold.

patriots (Author) commented:
Good try, and close, and I'm sorry if the question is confusing.  Upon further investigating, it seems some clients are associating with Site C, which according to Sites and Services has no subnets configured within it.  I see this association by looking at the top of a GP results report for the clients I'm referring to.  So this makes me wonder... how can a client associate itself with a Site that has no subnets configured within it?  The whole point of a Site is to tie the network topology into AD.  If a site has no subnet, then it's essentially not configured, or at least that's my assumption.  That being the case, I'm not sure why any client is associated with it, unless of course my gpresult report is pulling bad data somehow.

Sandeshdubey (Senior Server Engineer) commented:
Having all of your subnets in Active Directory is important because a client that attempts to log on from a subnet that is not associated with any site may authenticate with any domain controller in the domain. This can result in the logon process taking longer to complete. Unfortunately, Microsoft has not provided an easy way to rectify this problem.

Under Windows 2000, the only source of missing subnet information is the System event 5778. The only way to dynamically determine missing subnets is to query each domain controller for 5778 events and map the IP addresses specified within the events to a subnet you add to the site topology.

With Windows Server 2003, things are not that much better. One of the issues with the 5778 events under Windows 2000 is that they can easily fill up your System event log if you have many missing subnets. In Windows 2003, Microsoft decided to instead display a summary event 5807 that states that some number of connection attempts have been made by clients that did not map to a subnet in the site topology.

Instead of scraping the event logs on every domain controller, you can look at the %SystemRoot%\debug\netlogon.log file on each domain controller and parse out all of the NO_CLIENT_SITE entries. This is still far from an easy process, but at least the event logs are no longer cluttered with 5778 events.
Here is an example of some of the NO_CLIENT_SITE entries from the netlogon.log file:

patriots (Author) commented:
Thank you.  That's excellent information.  Do you know why a client would associate with a site that has no subnets configured in it?  The client is a part of a subnet that is not in any site, and it's associated somehow with a site that has no subnets in it.

Sandeshdubey (Senior Server Engineer) commented:
It is by design: a client that attempts to log on from a subnet that is not associated with any site may authenticate with any domain controller of any site in the domain.

When a workstation first logs on (machines log onto the domain, just like users) it sends out a DNS query to locate a service record of the closest DC for the subnet this workstation resides on.
There are three possible scenarios for a client to attach to a DC:
1. The subnet that this machine resides on has been properly defined in Sites and Services
2. The site this machine belongs to doesn't have a domain controller within its site
3. This machine's subnet hasn't been defined in Sites and Services
There is no reason to go over scenario one, since everything is working as expected.

Scenario two should be working as well, since auto site coverage was implemented in Windows 2003.  Domain controllers should register their DNS service (SRV) records in nearby sites that contain no DCs.  This action is known as "Automatic Site Coverage" (ASC).  ASC has to factor in the link costs associated with a site to compute the cheapest route for the DC-less clients within the site.

Scenario three is a mistake in the Sites and Services defined topology by the administrator.  Although the client and domain controller both exist in the same subnet, the subnet hasn't been defined in Sites and Services.  Therefore when the client machine launches the DC Locator service, the DC in the local site isn't offered to authenticate the machine or the user.  Instead a DC from the default site within Sites and Services is presented to the client.  Also, the log file netlogon.log on the authenticating DC is updated with a line noting the missing subnet.  I check this log file weekly to verify that our network crew didn't add any new subnets without our group being notified.

Just run the following from a command prompt on your default-site DCs to see if there are any undefined subnets:
notepad.exe %systemroot%\Debug\Netlogon.log
You will need to examine each DC to verify that all your subnets are defined.
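The two answers above both come down to the same check: pull the NO_CLIENT_SITE lines out of each DC's netlogon.log, and turn the client IPs into subnets that still need to be added to a site. The script below is an added example, not code from the original thread; the log lines, the subnet-to-site map and the "MM/DD HH:MM:SS [MISC] DOMAIN: NO_CLIENT_SITE: host ip" line layout are all constructed assumptions, so adjust the regex to the format your DCs actually write.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of netlogon.log lines (not taken from the original post).
# The line layout below is an assumption about how NO_CLIENT_SITE entries look.
SAMPLE_LOG = """\
07/30 08:12:41 [MISC] CONTOSO: NO_CLIENT_SITE: WKS-101 10.20.5.17
07/30 08:13:02 [MISC] CONTOSO: NO_CLIENT_SITE: WKS-102 10.20.5.44
07/30 08:15:59 [MISC] CONTOSO: NO_CLIENT_SITE: LT-7 172.16.9.8
07/30 08:16:10 [MISC] CONTOSO: DsGetDcName function called: client PID=1234
07/30 08:20:31 [MISC] CONTOSO: NO_CLIENT_SITE: WKS-103 10.20.5.17
07/30 08:21:00 [MISC] CONTOSO: NO_CLIENT_SITE: WKS-104 10.10.4.4
"""

# Constructed subnet-to-site map mirroring the question: Sites A and B have
# subnets, Site C has none. 10.10.4.4 above is a stale entry whose subnet
# was added after the log line was written; it should be filtered out.
DEFINED_SUBNETS = {
    "10.10.0.0/16": "SiteA",
    "10.30.0.0/16": "SiteB",
}

NO_SITE_RE = re.compile(r"NO_CLIENT_SITE:\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})")

def parse_no_client_site(log_text):
    """Return (hostname, ip) for every NO_CLIENT_SITE entry in the log text."""
    return [(m.group(1), ipaddress.ip_address(m.group(2)))
            for m in NO_SITE_RE.finditer(log_text)]

def site_for(ip, defined):
    """Name of the site whose subnet contains ip, or None if no subnet matches."""
    for cidr, site in defined.items():
        if ip in ipaddress.ip_network(cidr):
            return site
    return None

def missing_subnets(log_text, defined=DEFINED_SUBNETS, prefix=24):
    """Count unmapped client hits per /prefix block so each block can be added to a site."""
    counts = Counter()
    for _host, ip in parse_no_client_site(log_text):
        if site_for(ip, defined) is None:
            block = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            counts[str(block)] += 1
    return dict(counts)

if __name__ == "__main__":
    for net, hits in sorted(missing_subnets(SAMPLE_LOG).items()):
        print(f"{net}: {hits} NO_CLIENT_SITE hit(s); add this subnet to the right site")
```

Run it against the netlogon.log copied from each DC in turn, since every DC only logs the clients that happened to authenticate against it.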
