Connections From Machines That Don’t Map to Sites?

KB ID 0001635

Problem

I was troubleshooting some replication issues for a client, and carried out a dcdiag on one of their domain controllers, and saw this;

 Starting test: SystemLog
A warning event occurred. EventID: 0x000016AF
Time Generated: xx/xx/xxxx xx:xx:xx
Event String:
During the past 4.21 hours there have been {xxx} connections to this Domain Controller from client machines whose IP addresses don’t map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients. A client’s site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet object(s) covering the above IP addresses with mapping to one of the existing sites. The names and IP addresses of the clients in question have been logged on this computer in the following log file ‘%SystemRoot%\debug\netlogon.log’ and, potentially, in the log file ‘%SystemRoot%\debug\netlogon.bak’ created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text ‘NO_CLIENT_SITE:’. The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize’; the default is 20000000 bytes. The current maximum size is 20000000 bytes. To set a different maximum size, create the above registry value and set the desired maximum size in bytes.

Solution

On the DC in question, Windows Key+R > %Systemroot%\debug\netlogon.log > OK > There’s you missing subnet!

Go to Active Directory Sites and Services, add the missing subnet, and allocate it to the correct site.

Related Articles, References, Credits, or External Links

NA

Windows – Error ‘A Good Time server could not be located’

KB ID 0000705

Problem

Seen when running dcdiag,

Error(s):

Starting test: Advertising
Warning: Server-Name is not advertising as a time server.
......................... Server-Name failed test Advertising

 

Running enterprise tests on : PeteNetLive.com Starting test: Intersite ……………………. PeteNetLive.com passed test Intersite Starting test: FsmoCheck Warning: DcGetDcName(TIME_SERVER) call failed, error 1355 A Time Server could not be located. The server holding the PDC role is down. Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355 A Good Time Server could not be located. ……………………. PeteNetLive.com failed test FsmoCheck

Solution

Note: Any one of the things below can cause this problem, I suggest you retry running dcdiag after each step until it runs without error.

1. In a windows domain, clients normally get their time from the domain controller that holds the PDC Emulator role. Locate that server and log on.

Locate your FSMO Role Servers

2. Now configure your PDC emulator to get its time from a reliable external source.

Windows – Setting Domain Time

3. If you have got this far, then should already have the windows time service running, check!

4. From command line, remove and reinstall the Windows time service with the following two commands.

[box]w32tm /unregister<br />w32tm /register[/box]

Note: It’s not unusual to see the following error after you issue a ‘w32tm /unregister’ command,

Error
The following error occurred: Access is denied (0x80070005)

If this happens don’t panic, open the services console (Press F5) and the Windows Time Service may have disappeared (if so re-register it). If not manually stop the Windows Time service and try to unregister again, then re-register.

WARNING: After doing this, you will need to set the time service to get reliable time from an NTP External Server again.

5. Press Windows Key+R > regedit {enter} > Navigate to the following registry key;

[box]HKLM > System > CurrentControlSet > services > W32Time > Parameters[/box]

Ensure the Type value it set to NTP, the restart the Windows time service and check again.

5. Whilst still in the registry editor navigate to;

[box]HKLM > System > CurrentControlSet > services > W32Time > Config[/box]
Set the AnnounceFlags value to 5.

6. Whilst still in the registry editor navigate to;

[box]HKLM > System > CurrentControlSet > services > W32Time > Time Providers > NtpServer[/box]

Make sure the Enabled value is set to 1 (one).

7. If the problem persists, on the PDC Emulator run gpedit.msc > Navigate to;

[box]Computer Configuration > Administrative Templates > system > Windows Time Service[/box]

Make sure ‘Global Configuration Settings’ is set to ‘Not Configured’.

Navigate to;

[box]Computer Configuration > Administrative Templates > system > Windows Time Service > Time Providers[/box]

Make ALL the settings are to ‘Not Configured’.

If you changed anything, run ‘gpupdate /force’ and try again.

8. On the PDC Emulator, Open a command window (Note: You must Run as Administrator!) > In the Computer Settings section locate all the policies that are applying to the server.

Note: As a shortcut to find the offending policy, you could run ‘gpresult /v > c:gpresult.txt’ then search that text file, for any instance of w32tm, (here’s an example).

As above navigate to;

[box]Computer Configuration > Administrative Templates > system > Windows Time Service[/box]

Make sure Global Configuration Settings is set to ‘Not Configured’.

Navigate to;

[box]Computer Configuration > Administrative Templates > system > Windows Time Service > Time Providers[/box]

Make ALL the settings are set to ‘Not Configured’.

If you changed anything, run ‘gpupdate /force’ and try again.

Related Articles, References, Credits, or External Links

NA