How do I find clients without a Subnet/Site mapping in Active Directory?

One of the easiest things in Active Directory to get right (and one of the most neglected, in my experience) is ensuring that you have all of your subnets mapped to appropriate Active Directory Sites.

There’s a common error in the Windows Event Log (5807) that alerts you when a Domain Controller is being hit with requests from clients without a correct subnet/site mapping:


2,325… that’s a lot of connections without the correct subnet/site mapping.

To find out the IP addresses (and therefore subnets) of these machines, you need to look in the c:\windows\debug\netlogon.log file (on your Domain Controller) for lines with the error NO_CLIENT_SITE.

And because these errors are Domain Controller specific, you need to do this on every domain controller you have.

The script below finds all of your domain controllers, extracts the last 24 hours' worth of log entries from each netlogon.log, and compiles a single list of IP addresses that do not have subnet/site mappings. From there, you should be able to quickly whittle it down to subnets to add into Active Directory Sites and Services.

I limited the results to the last 24 hours, as there will always be old entries in the log files, and I only wanted what was new/current.

In my example event log entry (above), the 2,325 connections were actually only from 207 different IP addresses (found via the output of this script), which I then filtered down to 12 subnets – so

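The following PowerShell script is an added example that implements the procedure described above; it is not the script from the original post. It assumes the RSAT ActiveDirectory module is installed, that the account running it can read the C$ admin share on every domain controller, and that netlogon.log lines have the form "MM/dd HH:mm:ss [pid] DOMAIN: NO_CLIENT_SITE: HOSTNAME IPADDRESS" (no year in the timestamp); adjust $pattern if your DCs log differently.

```powershell
# Added example, not the original post's script. Assumptions: RSAT ActiveDirectory
# module present, read access to \\DC\C$ on every DC, and netlogon.log lines like
#   "MM/dd HH:mm:ss [pid] DOMAIN: NO_CLIENT_SITE: HOSTNAME IPADDRESS"
Import-Module ActiveDirectory

$now     = Get-Date
$cutoff  = $now.AddHours(-24)
$culture = [System.Globalization.CultureInfo]::InvariantCulture
$pattern = '^(?<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}).*NO_CLIENT_SITE:\s+(?<client>\S+)\s+(?<ip>\S+)'

$hits = foreach ($dc in Get-ADDomainController -Filter *) {
    $logPath = "\\$($dc.HostName)\C$\Windows\debug\netlogon.log"
    if (-not (Test-Path -LiteralPath $logPath)) {
        Write-Warning "netlogon.log not found on $($dc.HostName)"
        continue
    }
    foreach ($line in Get-Content -LiteralPath $logPath) {
        if ($line -notmatch $pattern) { continue }
        # The log omits the year: assume the current year, and roll back one year
        # if that would place the entry in the future (entries from before New Year).
        try {
            $ts = [datetime]::ParseExact("$($now.Year)/$($Matches.ts)", 'yyyy/MM/dd HH:mm:ss', $culture)
        } catch { continue }   # e.g. a 02/29 entry when the current year is not a leap year
        if ($ts -gt $now) { $ts = $ts.AddYears(-1) }
        if ($ts -lt $cutoff) { continue }   # only the last 24 hours
        [pscustomobject]@{ DC = $dc.HostName; Client = $Matches.client; IP = $Matches.ip; Time = $ts }
    }
}

# Collapse to one row per client IP: hit count, hostnames, which DCs saw it, last seen.
# Many hits usually collapse to far fewer IPs, which you then group into subnets by hand.
$report = $hits | Group-Object -Property IP | ForEach-Object {
    [pscustomobject]@{
        IP       = $_.Name
        Hits     = $_.Count
        Clients  = ($_.Group.Client | Sort-Object -Unique) -join ','
        DCs      = ($_.Group.DC | Sort-Object -Unique) -join ','
        LastSeen = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
    }
} | Sort-Object Hits -Descending

$report | Format-Table -AutoSize
# For the scheduled-task variant, pipe $report to Export-Csv and attach it to an email.
```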

The output looks like this:


You could always run this via a scheduled task every 24 hours and fire off an email with the list of IP addresses for action (that’s what I would do), to make sure you’re always on top of it.
