{"id":517,"date":"2022-09-07T10:02:04","date_gmt":"2022-09-07T17:02:04","guid":{"rendered":"https:\/\/blog.iabsolute.com\/?p=517"},"modified":"2022-09-07T10:02:04","modified_gmt":"2022-09-07T17:02:04","slug":"netlogon-event-5807","status":"publish","type":"post","link":"https:\/\/blog.iabsolute.com\/?p=517","title":{"rendered":"NETLOGON event 5807"},"content":{"rendered":"\n

The Ugly<\/strong><\/h2>\n\n\n\n

A routine check of the system log advised warnings related to the NETLOGON service. As this service is related to all remote network accesses to the DC servers, such an event must be carefully investigated.<\/p>\n\n\n\n

\"Event<\/a><\/figure>\n\n\n\n

There is a long explanation about this error and it requires careful reading. I highlighted the two most important pieces of information. Here is the whole description of this event:<\/p>\n\n\n\n

During the past 4.16 hours there have been 107 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients. A client's site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet object(s) covering the above IP addresses with mapping to one of the existing sites.\n<\/pre>\n\n\n\n
The names and IP addresses of the clients in question have been logged on this computer in the following log file \u2018%SystemRoot%\\debug\\netlogon.log\u2019 and, potentially, in the log file \u2018%SystemRoot%\\debug\\netlogon.bak\u2019 created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text \u2018NO_CLIENT_SITE:\u2019. The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value \u2018HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\\LogFileMaxSize\u2019; the default is 20000000 bytes.<\/p>\n\n\n\n
The current maximum size is 20000000 bytes.<\/p>\n\n\n\n
To set a different maximum size, create the above registry value and set the desired maximum size in bytes.<\/p>\n\n\n\n
There is the log file named netlogon.log<\/strong>. This file is located in the folder %SystemRoot%\\debug<\/strong>. In most cases, this is C:\\Windows\\debug. This log is now your best friend.<\/p>\n\n\n\n
The Bad<\/strong><\/h2>\n\n\n\n
The second piece is that those computers can\u2019t be associated with any know site. I opened the named log file and found that all those machines added to the domain with the IPs from test network have this label NO_CLIENT_SITE.<\/p>\n\n\n\n
\"clip_image003\"<\/a><\/figure>\n\n\n\n
The Good<\/strong><\/h2>\n\n\n\n
I opened the Active Directory Sites and Services<\/em> console and expanded the Subnets tree.<\/p>\n\n\n\n
\"AD<\/a><\/figure>\n\n\n\n
I found that this highlighted network doesn\u2019t exists. Adding it into the subnets list and associating it with the HQ LAN site solved this issue. No more NETLOGON related events in the System log.<\/p>\n","protected":false},"excerpt":{"rendered":"
The Ugly A routine check of the system log advised warnings related to the NETLOGON service. As this service is related to all remote network accesses to the DC servers, such an event must be carefully investigated. There is a … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-517","post","type-post","status-publish","format-standard","hentry","category-windows"],"_links":{"self":[{"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/posts\/517","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=517"}],"version-history":[{"count":1,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/posts\/517\/revisions"}],"predecessor-version":[{"id":518,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/posts\/517\/revisions\/518"}],"wp:attachment":[{"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=517"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=517"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=517"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}