Event ID 5807 : Connections to this Domain Controller from client machines whose IP addresses don’t map to any of existing sites

August 24, 2021 | Active Directory, PowerShell

Summary

When client subnets are missing from Active Directory Sites and Services, clients may choose an incorrect domain controller and fail to communicate efficiently with Directory Services. During the DC locator process, the computer's IP address is matched against the subnets defined in AD, which identifies the site the client belongs to.

If the DC cannot match the IP address of the computer to an AD subnet, or if it can match it to an AD subnet that is not linked to an AD site, the DC still services the computer and logs the error “NO_CLIENT_SITE” in the NETLOGON.LOG file (C:\Windows\Debug).

The error is recorded both in the event viewer and in NETLOGON.LOG. The event below is what you see in the event viewer.

Event Type:    Warning
Event Source:    NETLOGON
Event Category:    None
Event ID:    5807
Date:        21/07/2010
Time:        14:40:58
User:        N/A
Computer:    ***********
Description:
During the past 2 hours there have been 1700 connections to this Domain Controller from client machines whose IP addresses don’t map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients. A client’s site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet object(s) covering the above IP addresses with mapping to one of the existing sites.  The names and IP addresses of the clients in question have been logged on this computer in the following log file ‘%SystemRoot%\debug\netlogon.log’ and, potentially, in the log file ‘%SystemRoot%\debug\netlogon.bak’ created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text ‘NO_CLIENT_SITE:’. The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize’; the default is 20000000 bytes.  The current maximum size is 20000000 bytes.  To set a different maximum size, create the above registry value and set the desired maximum size in bytes.

WHY THE “NO_CLIENT_SITE” ERROR

Looking more closely at how the domain controller matches a client to a subnet and logs the 5807 event:

  • The Windows computer sends a DNS query for the _ldap._tcp.dc._msdcs.domain.com SRV records (example: _ldap._tcp.dc._msdcs.test.local)
  • The DNS server responds with the list of registered SRV records (the records list the Domain Controllers within the AD domain)
  • The Windows computer reviews the list of SRV records and selects one according to the priority and weight assigned to the records. It then queries the DNS server for the IP address of the selected Domain Controller
  • The DNS server looks up the A record of the Domain Controller and responds with its IP address
  • The Windows computer contacts the selected Domain Controller and initiates communication with it
  • Based on the IP address of the computer, the DC checks whether it can match that address to an AD subnet.
    • If the DC can match the IP address to an AD subnet and the AD subnet is linked to an AD site, the DC tells the computer which AD site it is in
    • If the DC cannot match the IP address of the computer to an AD subnet, or if it can match it to an AD subnet that is not linked to an AD site, the DC still services the computer and logs the error “NO_CLIENT_SITE” in the NETLOGON.LOG file (C:\Windows\Debug).
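The lookup in the last two bullets, worked as an added PowerShell example (not code from the original post): it performs a longest-prefix match of a client IP against AD subnet objects and reports NO_CLIENT_SITE both when no subnet matches and when the matching subnet has no site. The subnet list is constructed sample data in the shape Get-ADReplicationSubnet returns; the site names and the test addresses are assumptions.

```powershell
# Added example: reproduce the subnet-to-site decision a DC makes for a client IP.
function ConvertTo-IPv4Int {
    param([string]$IPv4)
    $bytes = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    [Array]::Reverse($bytes)                     # BitConverter expects little-endian byte order
    return [int64][BitConverter]::ToUInt32($bytes, 0)
}

function Resolve-ClientSite {
    param(
        [Parameter(Mandatory)][string]$ClientIP,
        [Parameter(Mandatory)][object[]]$Subnets  # objects with Name ('10.1.2.0/24') and Site (DN or $null)
    )
    $ip = ConvertTo-IPv4Int $ClientIP
    $best = $null; $bestPrefix = -1
    foreach ($subnet in $Subnets) {
        $network, $prefix = $subnet.Name -split '/'
        if ($network -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { continue }   # IPv6 subnets are out of scope here
        $prefix = [int]$prefix
        $mask = ([int64]4294967295 -shl (32 - $prefix)) -band 4294967295
        $inSubnet = (($ip -band $mask) -eq ((ConvertTo-IPv4Int $network) -band $mask))
        if ($inSubnet -and ($prefix -gt $bestPrefix)) { $best = $subnet; $bestPrefix = $prefix }  # most specific wins
    }
    # NO_CLIENT_SITE is logged when nothing matches OR the matching subnet has no site linked
    $site = if ($best -and $best.Site) { ($best.Site -split ',')[0] -replace '^CN=' } else { 'NO_CLIENT_SITE' }
    [pscustomobject]@{
        ClientIP = $ClientIP
        Subnet   = $(if ($best) { $best.Name } else { $null })
        Site     = $site
    }
}

# Constructed sample subnets (assumed site names); in a live domain use: Get-ADReplicationSubnet -Filter *
$sampleSubnets = @(
    [pscustomobject]@{ Name = '10.1.0.0/16';    Site = 'CN=HQ,CN=Sites,CN=Configuration,DC=test,DC=local' }
    [pscustomobject]@{ Name = '10.1.2.0/24';    Site = 'CN=Branch,CN=Sites,CN=Configuration,DC=test,DC=local' }
    [pscustomobject]@{ Name = '192.168.5.0/24'; Site = $null }   # subnet exists but was never linked to a site
)

# Assumed client addresses: one in the /24, one only in the /16, one in the unlinked subnet, one unmatched
'10.1.2.7', '10.1.9.1', '192.168.5.20', '172.16.0.9' |
    ForEach-Object { Resolve-ClientSite -ClientIP $_ -Subnets $sampleSubnets } |
    Format-Table -AutoSize
```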

Find missing subnets in AD.

Each domain controller records information about the clients for which no site could be determined through AD subnets. This information is specific to the domain controller that served the client, so you need to check every domain controller you have to find all missing subnets.

Run the script below to find the client subnets that are missing in AD.

Import-Module -Name ActiveDirectory
$OU = (Get-ADDomain).DomainControllersContainer
$DomainControllers = Get-ADComputer -Filter * -SearchBase $OU
$PathNetlogon = 'Admin$\debug\netlogon.log'
$Pattern = 'NO_CLIENT_SITE'
$Content = @()

foreach ($DomainController in $DomainControllers) {

    # Build the UNC path to netlogon.log on this DC
    $Path = ('\\{0}\{1}' -f $DomainController.DNSHostName, $PathNetlogon)

    # Only read the log if the admin share and the file are reachable
    if (Test-Path -Path $Path -ErrorAction SilentlyContinue) {

        Write-Host ('Getting logs from Server {0}:' -f $DomainController.Name) -ForegroundColor Green

        # Keep the matching lines as plain strings rather than MatchInfo objects
        $Rows = Get-Content -Path $Path | Select-String -Pattern $Pattern | ForEach-Object { $_.Line }

        # Add the lines to the combined result
        $Content += $Rows
    }
}

# The header names the seven space-separated fields of a NO_CLIENT_SITE line as this script parses it
# (date, time, thread id, domain, NO_CLIENT_SITE:, client name, client IP); adjust it if your log lines differ.
$Content | ConvertFrom-Csv -Delimiter ' ' -Header 'Date','Time','Id1','Domain','Type','Client','IPAddress' | Export-Csv -Delimiter ',' -Path "$HOME\Documents\NO_CLIENT_SITE.csv" -NoTypeInformation

Adding subnet(s) to Sites and Services

Create matching subnets and sites so that Netlogon 5807 with a high number of unmapped connections no longer occurs. Based on the CSV output of the script, summarize the list of subnets missing from Sites and Services. Create each subnet and link it to the proper AD site; this eliminates the 5807 event and also lets clients choose the DCs linked to their subnet.
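The summarize-and-create step above, as an added PowerShell example (not the original post's script): it groups the CSV rows by /24, counts clients per candidate subnet and creates each subnet with New-ADReplicationSubnet. The sample rows, the /24 boundary and the subnet-to-site table are assumptions to replace with your own data; -WhatIf is left on so nothing is written until the mapping has been reviewed.

```powershell
# Added example: turn NO_CLIENT_SITE rows into candidate subnets and create them.
function Get-MissingSubnetSummary {
    param([Parameter(Mandatory)][object[]]$Rows)   # objects with Client and IPAddress, as the CSV exports
    $Rows |
        Where-Object { $_.IPAddress -match '^\d{1,3}(\.\d{1,3}){3}$' } |   # skip IPv6 clients in this example
        Group-Object { ($_.IPAddress -split '\.')[0..2] -join '.' } |      # assumption: subnets are /24
        ForEach-Object {
            [pscustomobject]@{
                Subnet      = '{0}.0/24' -f $_.Name
                ClientCount = $_.Count
                Clients     = ($_.Group.Client | Sort-Object -Unique) -join ';'
            }
        } | Sort-Object ClientCount -Descending
}

# Constructed sample rows in the shape the script above exports; in practice use:
# $sample = Import-Csv -Path "$HOME\Documents\NO_CLIENT_SITE.csv"
$sample = @(
    [pscustomobject]@{ Client = 'PC01'; IPAddress = '10.1.2.7'   }
    [pscustomobject]@{ Client = 'PC02'; IPAddress = '10.1.2.8'   }
    [pscustomobject]@{ Client = 'PC01'; IPAddress = '10.1.2.7'   }   # the same client is logged on every connection
    [pscustomobject]@{ Client = 'LT09'; IPAddress = '172.16.0.9' }
)
$summary = Get-MissingSubnetSummary -Rows $sample
$summary | Format-Table -AutoSize

# Assumed subnet-to-site decisions; a subnet with no decided site is reported and skipped
$siteMap = @{ '10.1.2.0/24' = 'Branch'; '172.16.0.0/24' = 'HQ' }
Import-Module -Name ActiveDirectory
foreach ($entry in $summary) {
    $site = $siteMap[$entry.Subnet]
    if (-not $site) { Write-Warning "No site decided for $($entry.Subnet); skipping"; continue }
    if (Get-ADReplicationSubnet -Filter "Name -eq '$($entry.Subnet)'") {
        Write-Host "$($entry.Subnet) already exists"; continue
    }
    # Remove -WhatIf once the mapping above has been reviewed
    New-ADReplicationSubnet -Name $entry.Subnet -Site $site -WhatIf
}
```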
