Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 5807

Source
Level
Description
During the past <number> hours there have been <number> connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients. A client's site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet object(s) covering the above IP addresses with mapping to one of the existing sites. The names and IP addresses of the clients in question have been logged on this computer in the following log file '<SystemRoot>\debug\netlogon.log' and, potentially, in the log file '<SystemRoot>\debug\netlogon.bak' created if the former log becomes full.
The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text 'NO_CLIENT_SITE:'. The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value
'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize'; the default is <number> bytes. The current maximum size is <number> bytes. To set a different maximum size, create the above registry value and set the desired maximum size in bytes.
Comments
 
See EV100151 for detailed steps to resolve this problem.
This behavior will occur if the client IP address is not defined in the Subnets folder in Active Directory Sites and Services and it is not mapped to an existing site. See WITP82668 to fix this problem.
See ME889031 to resolve this problem.
As the message says, check the Netlogon.log and Netlogon.bak files in the <SystemRoot>\Debug Directory for potential clues.
To resolve this, check the systemroot/debug/netlogon log for the workstation name, determine the IP address and network it is on. You will find that the network the workstation is on (ping) will not be any of the subnets assigned to any sites in your directory. Add the subnet to the site you want these clients to authen against in AD Sites and Services and allow for replication between DCs and the error will go.


Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...