NETLOGON event 5807

Recently, I found a lot of NETLOGON warnings in the system log. As I know my network is very clean, I was very curious about this. Every anomaly in my network requires careful examination.

After analysis of the log file, I found the root cause of this warning. Over time, we added some servers in the test network and at the same time added them to the AD domain. However, I omitted to define this subnet range in the AD site structure.

 

The Ugly

A routine check of the system log advised warnings related to the NETLOGON service. As this service is related to all remote network accesses to the DC servers, such an event must be carefully investigated.

Event log

There is a long explanation about this error and it requires careful reading. I highlighted the two most important pieces of information. Here is the whole description of this event:

During the past 4.16 hours there have been 107 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients. A client's site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet object(s) covering the above IP addresses with mapping to one of the existing sites.

The names and IP addresses of the clients in question have been logged on this computer in the following log file ‘%SystemRoot%\debug\netlogon.log’ and, potentially, in the log file ‘%SystemRoot%\debug\netlogon.bak’ created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text ‘NO_CLIENT_SITE:’. The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize’; the default is 20000000 bytes.

The current maximum size is 20000000 bytes.

To set a different maximum size, create the above registry value and set the desired maximum size in bytes.

There is the log file named netlogon.log. This file is located in the folder %SystemRoot%\debug. In most cases, this is C:\Windows\debug. This log is now your best friend.

 

The Bad

The second piece is that those computers can’t be associated with any know site. I opened the named log file and found that all those machines added to the domain with the IPs from test network have this label NO_CLIENT_SITE.

clip_image003

 

The Good

I opened the Active Directory Sites and Services console and expanded the Subnets tree.

AD Sites and Services

I found that this highlighted network doesn’t exists. Adding it into the subnets list and associating it with the HQ LAN site solved this issue. No more NETLOGON related events in the System log.

Stay tuned.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s