Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net. The EventId.Net for Splunk Add-on assumes that Splunk is collecting information from Windows servers and workstation via the Splunk Universal Forwarder.
During the past <number> hours there have been <number> connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients. A client's site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet object(s) covering the above IP addresses with mapping to one of the existing sites. The names and IP addresses of the clients in question have been logged on this computer in the following log file '<SystemRoot>\debug\netlogon.log' and, potentially, in the log file '<SystemRoot>\debug\netlogon.bak' created if the former log becomes full.
The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text 'NO_CLIENT_SITE:'. The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value
'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize'; the default is <number> bytes. The current maximum size is <number> bytes. To set a different maximum size, create the above registry value and set the desired maximum size in bytes.
|English: This information is only available to subscribers. An example of English, please!|
|Concepts to understand:|
What is the role of the Netlogon share?
What is a DWORD?
See EV100151 for detailed steps to resolve this problem.
This behavior will occur if the client IP address is not defined in the Subnets folder in Active Directory Sites and Services and it is not mapped to an existing site. See WITP82668 to fix this problem.
See ME889031 to resolve this problem.
As the message says, check the Netlogon.log and Netlogon.bak files in the <SystemRoot>\Debug Directory for potential clues.
To resolve this, check the systemroot/debug/netlogon log for the workstation name, determine the IP address and network it is on. You will find that the network the workstation is on (ping) will not be any of the subnets assigned to any sites in your directory. Add the subnet to the site you want these clients to authen against in AD Sites and Services and allow for replication between DCs and the error will go.
|Private comment: Subscribers only. See example of private comment|
|Search: Google - Bing - Microsoft - Yahoo - EventID.Net Queue (0) - More links...|
|Custom search for *****: Google - Bing - Microsoft - Yahoo|
Send comments or solutions
- Notify me when updated