Active Directory Cookbook for Windows Server 2003 and Windows 2000-Active Directory Cookbook for Windows Server 2003 and Windows 2000

Recipe 11.6 Finding Missing Subnets

11.6.1 Problem

You want to find the subnets that are missing from your site topology. Missing subnets can result in clients not authenticating against the most optimal domain controller, which can degrade performance.

11.6.2 Solution

Having all of your subnets in Active Directory is important because a client that attempts to logon from a subnet that is not associated with any site may authenticate with any domain controller in the domain. This can result in the logon process taking longer to complete. Unfortunately, Microsoft has not provided an easy way to rectify this problem.

Under Windows 2000, the only source of missing subnet information was the System event 5778. Here is an example:

Event Type:        Information
Event Source:        NETLOGON
Event Category:        None
Event ID:        5778
Date:                1/27/2003
Time:                12:07:04 AM
User:                N/A
Computer:        DC2
Description:
'JSMITH-W2K' tried to determine its site by looking up its IP address ('10.21.85.34') 
in the Configuration\Sites\Subnets container in the DS.  No subnet matched the IP 
address.  Consider adding a subnet object for this IP address.

The only way to dynamically determine missing subnets is to query each domain controller for 5778 events and map the IP addresses specified within the events to a subnet you add to the site topology.

With Windows Server 2003 things are not that much better. One of the issues with the 5778 events under Windows 2000 is that they could easily fill up your System event log if you had many missing subnets. In Windows 2003, Microsoft decided to instead display a summary event 5807 that states that some number of connection attempts have been made by clients that did not map to a subnet in the site topology. Here is an example:

Event Type:        Warning
Event Source:        NETLOGON
Event Category:        None
Event ID:        5807
Date:                1/10/2003
Time:                10:59:53 AM
User:                N/A
Computer:        DC1
Description:
During the past 4.18 hours there have been 21 connections to this Domain Controller
from client machines whose IP addresses don't map to any of the existing sites in the 
enterprise. Those clients, therefore, have undefined sites and may connect to any 
Domain Controller including those that are in far distant locations from the clients. 
A client's site is determined by the mapping of its subnet to one of the existing 
sites. To move the above clients to one of the sites, please consider creating subnet 
object(s) covering the above IP addresses with mapping to one of the existing sites.  
The names and IP addresses of the clients in question have been logged on this 
computer in the following log file '%SystemRoot%\debug\netlogon.log' and, 
potentially, in the log file '%SystemRoot%\debug\netlogon.bak' created if the former 
log becomes full. The log(s) may contain additional unrelated debugging information. 
To filter out the needed information, please search for lines which contain text
'NO_CLIENT_SITE:'. The first word after this string is the client name and the second 
word is the client IP address. The maximum size of the log(s) is controlled by the 
following registry DWORD value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Netlogon\Parameters\LogFileMaxSize'; the default is 20000000 bytes. The current 
maximum size is 20000000 bytes.  To set a different maximum size, create the above 
registry value and set the desired maximum size in bytes.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/
events.asp.

Instead of scraping the event logs on every domain controller, you can look at the %SystemRoot%\debug\netlogon.log file on each domain controller and parse out all the NO_CLIENT_SITE entries. This is still far from an easy process, but at least the event logs are no longer cluttered with 5778 events.

Here is an example of some of the NO_CLIENT_SITE entries from the netlogon.log file:

01/16 15:50:07 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157
01/16 15:50:29 RALLENCORP: NO_CLIENT_SITE: SJC-BACKUP 44.25.26.142
01/16 16:19:58 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157
01/16 16:20:07 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157
01/16 16:50:07 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157
01/16 16:57:00 RALLENCORP: NO_CLIENT_SITE: JSMITH-W2K1 10.61.80.19
01/16 17:20:08 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157
01/16 17:50:08 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157

If you wanted to get creative and automate a solution to do this, you could write a script that goes out to each domain controller, opens the netlogon.log file and retrieves NO_CLIENT_SITE entries. You can then examine all of the IP addresses and create subnets in Active Directory that would contain them. You could associate all of those subnets with a default site or even use the Default-First-Site-Name site. Then once a week (or whenever), you could look at the sites that were created or that were associated with the default site and determine what site they really should be associated with.

[ Team LiB ]