Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 5778 Source: NETLOGON

Source
Level
Description
'<computer name>' tried to determine its site by looking up its IP address ('<ip address>')in the Configuration\Sites\Subnets container in the DS. No subnet matched the IP address. Consider adding a subnet object for this IP address.
Comments
 
I got the same error on a two-site domain. The error occurred on a DC in site B and the WS that caused it was in site A. The IP address listed in the event log entry for the error was that of our router. The problem was, that I had NAT, i.e. IP masquerading enabled on the connection that linked the two sites. This affected the source IP address of the requests sent from the WS to the DC. The router replaced the WS's IP address with its own. Consequently, the DC could not find the correct site, because the router IP did not belong to either site’s subnets. Surprisingly, everything else between the two sites (ADS replication, NTFRS, domain logons, etc.) worked fine, even though NAT was enabled. To fix it I disabled, NAT on the inter-site connection. Adding the router subnet to the sites in "Sites and Services" console might also work, but I did not try it.
From a newsgroup post: "Look in AD Site and Services to make sure the subnet is defined and assigned to a site. If not create one and assign it to a site".

From a newsgroup post: "If your domain is all on one LAN then it is not important to have sites and subnets configured. Sites are primarily used for controlling logon, traffic, replication traffic and for site aware applications. If you do delete the subnets then you will probably start receiving informational event ID 5778 in the Netlogon log of your domain controllers. It will be logged when clients logon and it means that the client was unable to determine its site because it was unable to locate it's subnet in sites and services. You can delete the information and your domain will continue to function".

From a newsgroup post: "Subnet objects are used to efficiently route network authentication requests. For example, you do not want a client in Los Angeles authenticating to a DC in New York. This event message means that the client's IP was outside the range of mapped addresses. If you only have one site this does not do much harm beyond causing extra event log messages. If you have multiple sites, you should consider creating subnet objects using the Sites and Services Snap-In that map your subnet address to particular sites, (and  subsequently 'closely located' DCs)".

ME316812 gives information on how to create and configure a site link in Active Directory in Windows 2000.
According to a newsgroup post: "A domain member machine attempts to determine what site it is in from its IP Address and subnet mask. A subnet object is requried in the site that matches that address for a given subnet mask."
See ME311759. As per Microsoft, this was fixed with the latest service pack.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...