Event 5807 and VPN Clients

Archived from groups: microsoft.public.win2000.active_directory

I'm getting a warning on one of my 2003 DCs which is as follows:
----
Event ID 5807
Source: Netlogon
Details:
During the past 4.22 hours there have been 8 connections to this Domain
Controller from client machines whose IP addresses don't map to any of the
existing sites in the enterprise. Those clients, therefore, have undefined
sites and may connect to any Domain Controller including those that are in
far distant locations from the clients. A client's site is determined by the
mapping of its subnet to one of the existing sites. To move the above
clients to one of the sites, please consider creating subnet object(s)
covering the above IP addresses with mapping to one of the
existing sites. The names and IP addresses of the clients in question have
been logged on this computer in the following log file
'<SystemRoot>\debug\netlogon.log' and, potentially, in the log file
'<SystemRoot>\debug\netlogon.bak' created if the former log becomes full.
The log(s) may contain additional unrelated debugging information. To filter
out the needed information, please search for lines which contain text
'NO_CLIENT_SITE:'. The first word after this string is the client name and
the second word is the client IP address. The maximum size of the log(s) is
controlled by the following registry DWORD value
'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize';
the default is <number> bytes. The current maximum size is <number> bytes.
To set a different maximum size, create the above registry value and set the
desired maximum size in bytes.
----

What these rogue IPs belong to are the VPN clients coming into our network
via our hardware VPN. Of course their remote IPs are not on any subnets as
I have no idea what their ISP will assign them or how their local home
router is set up. Just in an attempt to keep the event log clean, is it
possible to suppress these events being logged to the event viewer and to
the \debug\netlogon.log file?

Thx.

> What these rogue IPs belong to are the VPN clients coming into our
> network via our hardware VPN. Of course their remote IPs are not on any
> subnets as I have no idea what their ISP will assign them or how their
> local home router is setup.

This doesn't matter. If they are connecting into your network, you must be
allocating them an address within your range somewhere. This is the range
that you need to define in AD Sites and Services. For example, if your VPN
clients connect into HQ, you should associate the subnet that they use to
the HQ site. I assume that your VPN server is allocating the IP addresses
and doing the necessary routing? If this is a hardware unit, it might have
its own private address pools. If you've set up an ISA box, or something
similar, then it will either be allocating addresses from a statically
defined range, or acting as a DHCP relay agent.


> Just in an attempt to keep the event log clean, is it possible to suppress
> these events being logged to the event viewer and to the
> \debug\netlogon.log file?

No, I very much doubt you can do this. This is deep down in the code for
AD/Windows.

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

"David Shoemaker" <David Shoemaker@discussions.microsoft.com> wrote in
message news:D9B991E5-FCD4-4721-BD50-92FCD781C2F7@microsoft.com...
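As an added example (not from the thread), the check Paul describes can be run against the netlogon.log entries the event points at: pull out the NO_CLIENT_SITE client names and addresses, see which still fall outside the defined site subnets, and separate internal (RFC 1918) pool addresses, which a subnet object in AD Sites and Services can cover, from remote public addresses, which no subnet object can sensibly map. The log excerpt and the site/subnet table are constructed stand-ins.

```python
import ipaddress
import re
# Constructed netlogon.log excerpt (not from a real DC). Public client
# addresses use RFC 5737 documentation ranges as stand-ins.
SAMPLE_LOG = """\
01/15 08:02:11 [MISC] NO_CLIENT_SITE: LAPTOP-ANNE 203.0.113.45
01/15 08:05:47 [MISC] NO_CLIENT_SITE: LAPTOP-BOB 198.51.100.7
01/15 08:06:03 [MISC] NO_CLIENT_SITE: VPNUSER-CARL 10.99.0.23
01/15 08:07:30 [MISC] NO_CLIENT_SITE: LAPTOP-ANNE 203.0.113.45
01/15 08:08:12 [MISC] NO_CLIENT_SITE: DESKTOP-HQ 10.1.5.5
"""
# Hypothetical site-to-subnet mapping standing in for AD Sites and Services;
# assume 10.1.0.0/16 was defined after the DESKTOP-HQ line was logged.
SITE_SUBNETS = {"HQ": ["10.1.0.0/16"], "Euro": ["10.2.0.0/16"]}
RFC1918 = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NO_SITE = re.compile(r"NO_CLIENT_SITE:\s+(\S+)\s+(\S+)")

def parse_no_client_site(log_text):
    """Map each IP to the client names seen with it (Event 5807 rule: first
    word after NO_CLIENT_SITE: is the name, second is the IP)."""
    found = {}
    for line in log_text.splitlines():
        m = NO_SITE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # the log also carries unrelated debugging text
        found.setdefault(addr, set()).add(m.group(1))
    return found

def site_for(addr, site_subnets):
    """Return the site whose subnet object covers addr, or None."""
    return next((s for s, ps in site_subnets.items()
                 if any(addr in ipaddress.ip_network(p) for p in ps)), None)

def classify(log_text, site_subnets):
    """For each still-unmapped IP, say whether a subnet object can fix it."""
    report = {}
    for addr, names in parse_no_client_site(log_text).items():
        if site_for(addr, site_subnets):
            continue  # now covered; the entry predates the subnet object
        if any(addr in net for net in RFC1918):
            verdict = "create-subnet-object"   # internal pool, e.g. VPN-assigned
        else:
            verdict = "remote-public-address"  # raw ISP address, no fixed pool
        report[str(addr)] = (sorted(names), verdict)
    return report
```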

I appreciate your response and time, but I double checked and the IPs
recorded in the logs are the IPs of the remote users without a conversion
into a local subnet of any kind. This may be in part because the old system
we are currently migrating away from was SafeNet SoftRemote, and part of the
design config of the system was to bring the host with their IP for some type
of security purposes (I think). Anywho, we are currently migrating to a Cisco
concentrator / Vasco solution -- which in fact does assign incoming VPN
connections with a particular IP address depending upon which side of the big
pond they are on... either US, or Euro. So, perhaps the issue will resolve
itself once the migration is complete?

Again, thanks for your time, and I appreciate your thoughts.

"ptwilliams" wrote:

> > What these rogue IPs belong to are the VPN clients coming into our
> > network via our hardware VPN. Of course their remote IPs are not on any
> > subnets as I have no idea what their ISP will assign them or how their
> > local home router is setup.
>
> This doesn't matter. If they are connecting into your network, you must be
> allocating them an address within your range somewhere. This is the range
> that you need to define in AD Sites and Services. For example, if your VPN
> clients connect into HQ, you should associate the subnet that they use to
> the HQ site. I assume that your VPN server is allocating the IP addresses
> and doing the necessary routing? If this is a hardware unit, it might have
> it's own private address pools. If you've setup and ISA box, or something
> similar, then it will either be allocating addresses from a statically
> defined range, or acting as a DHCP relay agent.
>
>
> > Just in an attempt to keep the event log clean, is it possible to suppress
> > these events being logged to the event viewer and to the
> > \debug\netlogon.log file?
>
> No, I very much doubt you can do this. This is deep down in the code for
> AD/ Windows.
>
> --
>
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>