Subnet problems

Jon Spinney

I am currently having a problem. I set up sites for our domain. We
have a central office with several subnets and about 40 WAN
connections. I have followed Microsoft's documentation on setting up
the sites, then setting up the subnet, and then applying the subnet to
the site. Then I began setting up the links. I made sure that all
the links are IP and I set up the Global Catalog servers to allow IP
data traffic. The problem is that almost every machine is logging an
Event 5778 Netlogon error

'<computer name>' tried to determine its site by looking up its IP
address ('<ip address>')in the Configuration\Sites\Subnets container
in the DS. No subnet matched the IP address. Consider adding a subnet
object for this IP address.

I double checked the IP address against the subnet that I set up in
Sites and Services and it was within the range. The subnet was
assigned a site. All of our DCs are running Win2000 server SP4.
Please let me know if you have any ideas. Thanks

Jon Spinney
 
Ace Fekay [MVP]

Jon Spinney said:
> I am currently having a problem. I set up sites for our domain. We
> have a central office with several subnets and about 40 WAN
> connections. I have followed Microsoft's documentation on setting up
> the sites, then setting up the subnet, and then applying the subnet to
> the site. Then I began setting up the links. I made sure that all
> the links are IP and I set up the Global Catalog servers to allow IP
> data traffic. The problem is that almost every machine is logging an
> Event 5778 Netlogon error
>
> '<computer name>' tried to determine its site by looking up its IP
> address ('<ip address>')in the Configuration\Sites\Subnets container
> in the DS. No subnet matched the IP address. Consider adding a subnet
> object for this IP address.
>
> I double checked the IP address against the subnet that I set up in
> Sites and Services and it was within the range. The subnet was
> assigned a site. All of our DCs are running Win2000 server SP4.
> Please let me know if you have any ideas. Thanks
>
> Jon Spinney


One note:

> and I set up the Global Catalog servers to allow IP
> data traffic.

How did you do that? GCs are not 'setup' to allow IP data traffic. That's
determined by what sort of links you created, unless I misinterpreted your
statement.

As for the error, did you by chance delete the Default-First-Site-Name?
There was an old wives' tale that I read long ago by one of the MS engineers
not to delete this but rather create your other sites, subnets, and
associate them with the Sites, and adjust your links to accommodate, but
leave the default site alone. Not saying that it's an issue or not, nor do I
know if it was ever addressed by an SP or not, but I've always followed the
tale by not deleting it. Who knows, could be superstition! LOL

Anyway, have you read this article?
http://www.eventid.net/display.asp?eventid=5778&source=


Could you post the exact message from the Event viewer? I'm curious as to
the actual IP and the associated site. Otherwise, if everything is setup
properly as you stated, it should work. Otherwise, it may entail remoting
into your system to take a look at your config.

Thanks!

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Herb Martin

> How did you do that? GCs are not 'setup' to allow IP data traffic. That's
> determined by what sort of links you created, unless I misinterpreted your
> statement.

I agree -- that phrase bugged me when I read it; began wondering
what unnecessary or odd setting the OP was messing around with.

Usually such problems (replication & authentication) are DNS related.
1) DNS must be dynamic
2) ALL clients must point their NIC DNS server setting at ONLY
the "internal DNS server (set)"
3) For #2 above, SERVERS are clients too; point the DCs at the
internal DNS server set also -- restart NetLogon service if you
have to correct this.

Ask him if he has a "one or two-tag DNS name" like you usually do,
Ace <grin> I usually forget about that one.

If using AD Integrated DNS and messed up the above DNS setting
there is a good chance you must return to a SINGLE Primary or AD
DNS server long enough to get everything registered. AD is dependent
on DNS for replication and if you integrate DNS into AD before the
DNS is set correctly you end up with a circular problem that breaks
them both.

> As for the error, did you by chance delete the Default-First-Site-Name?
> There was an old wives' tale that I read long ago by one of the MS engineers
> not to delete this but rather create your other sites, subnets, and
> associate them with the Sites, and adjust your links to accommodate, but
> leave the default site alone. Not saying that it's an issue or not, nor do I
> know if it was ever addressed by an SP or not, but I've always followed the
> tale by not deleting it. Who knows, could be superstition! LOL

Interesting. Best practice is to LEAVE it and rename it as your main site.
DCs (and other servers) will end up in that Site when no matching subnet
is found for them during install.

One issue about Sites and Services -- if AD replication is broken and
you try to correct Sites and Services to fix (that break) it then you may
not succeed since Sites and Services (config partition) is also replicated
by AD (sort of like the DNS issue above but another circular problem
possibility.)
 
Ace Fekay [MVP]

Herb Martin said:
> I agree -- that phrase bugged me when I read it; began wondering
> what unnecessary or odd setting the OP was messing around with.
>
> Usually such problems (replication & authentication) are DNS related.
> 1) DNS must be dynamic
> 2) ALL clients must point their NIC DNS server setting at ONLY
> the "internal DNS server (set)"
> 3) For #2 above, SERVERS are clients too; point the DCs at the
> internal DNS server set also -- restart NetLogon service if
> you have to correct this.
>
> Ask him if he has a "one or two-tag DNS name" like you usually do,
> Ace <grin> I usually forget about that one.

Yeah, like the DNS single label name issue! Good point! "domain" instead of
the required "domain.com" name.

> If using AD Integrated DNS and messed up the above DNS setting
> there is a good chance you must return to a SINGLE Primary or AD
> DNS server long enough to get everything registered. AD is dependent
> on DNS for replication and if you integrate DNS into AD before the
> DNS is set correctly you end up with a circular problem that breaks
> them both.

> Interesting. Best practice is to LEAVE it and rename it as your main
> site. DCs (and other servers) will end up in that Site when no
> matching subnet is found for them during install.

I agree....

> One issue about Sites and Services -- if AD replication is broken and
> you try to correct Sites and Services to fix (that break) it then you
> may not succeed since Sites and Services (config partition) is also
> replicated by AD (sort of like the DNS issue above but another
> circular problem possibility.)

Agree here too...


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Jon Spinney

> How did you do that? GCs are not 'setup' to allow IP data traffic.

Here's how I set this up. If you right click on the server and go to
Properties, you have the option to set up whether it uses IP or SMTP.
It could be that I misread this Properties page.
It is dynamic
We have a primary and secondary DNS server and all clients and servers
point to both of them

This may be the problem, I don't know. The Default-First-Site was
deleted or renamed. Not sure which one. I believe it was renamed to
our central site. I'm assuming that it's something that can't be
recreated
 
Herb Martin

>> Usually such problems (replication & authentication) are DNS related.
> It is dynamic
>
> We have a primary and secondary DNS server and all clients and servers
> point to both of them

It always bugs me when someone writes back and confirms PART of the
requirement check and doesn't mention the other part: ONLY.

If your clients or servers try to ALSO point elsewhere, e.g., to the ISP or
other Internet-direct resolving DNS server it won't work reliably.

Run DCDiag on each DC to make sure all this got resolved on every DC
and every DNS server.

> This may be the problem, I don't know. The Default-First-Site was
> deleted or renamed. Not sure which one. I believe it was renamed to
> our central site. I'm assuming that it's something that can't be
> recreated

I think the next created site becomes the default. I am not sure that
deleting it is terrible, but renaming is better.

After that, re-check your subnets and masks.

And run that DCDiag sending output to a text file and search for
FAIL, WARN, and IGNORE.
 
Ace Fekay [MVP]

Herb Martin said:
> I think the next created site becomes the default. I am not sure that
> deleting it is terrible, but renaming is better.
>
> After that, re-check your subnets and masks.
>
> And run that DCDiag sending output to a text file and search for
> FAIL, WARN, and IGNORE.


I agree, rename the one that got renamed from the default back to the
default, and then create one for the new site.

Also would probably want to run a netdiag /v /fix.



--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Herb Martin

>> And run that DCDiag sending output to a text file and search for
> I agree, rename the one that got renamed from the default back to the
> default, and then create one for the new site.

I am not concerned with what the default site is named and the
more I think about it, I believe it is just the "first" one and if that
is deleted the second, etc.

He's got other problems unless he deleted all sites.

> Also would probably want to run a netdiag /v /fix.

Far more interested in DCDiag; I seldom use netdiag.
 
Jon Spinney

First a reply about the DNS. Sorry that I didn't confirm both. Both
of our DNS servers are internal and all clients and servers point to
these two servers.

> Far more interested in DCDiag; I seldom use netdiag.

Well, I ran both netdiag /v /fix and DCDiag and piped them out to a
text file. A lot of information, but everything passed.

I did not get any Fail, Warn, or Ignore.

I also had some of the guys look over my shoulder regarding the subnet
configuration and everything looks good.

One other thing, I have to check this theory, but I think the only
clients that are having problems are in the first site, but only some
of the clients. I'll post more when I know.

Thanks for all your help so far.

Jon Spinney
 
Jon Spinney

> After that, re-check your subnets and masks.

Ok, I've done a little more research now that a lot of users are in and
turning their machines on. It turns out that I am having problems
with only 1 subnet, but it is our largest. We subnetted it out like
the following

10.10.24.0
255.255.248.0

I have checked the clients on all of the other subnets and they seem
to have no problem finding their site based on subnets. I double
checked and it is applied to a site.

I'm not sure I understand why this subnet seems to be having problems.
I've double checked with several other co-workers and the subnet
information above is correct.
 
Herb Martin

> I did not get any Fail, Warn, or Ignore.
> I also had some of the guys look over my shoulder regarding the subnet
> configuration and everything looks good.

Those two are starting to make it possible you have something
other than the 99% issue that most others have.

I like the "look over shoulder" -- I always do that when things
get goofy.

> 10.10.24.0
> 255.255.248.0
>
> I have checked the clients on all of the other subnets and they seem
> to have no problem finding their site based on subnets. I double
> checked and it is applied to a site.

Subnetting doesn't matter AS LONG as it Routes successfully so
do a bunch of pings and such and make sure you have full connectivity.

I re-read the original problem and it sure looks like the DC in that
site is either NOT using the correct DNS (make sure it can contact
the dynamic DNS or set it directly to whichever can accept the
change), OR it doesn't have an IP "officially" in that site, OR it isn't
in the site in Sites and Services.

Check the _underscore DNS container for _Sites and determine that
it has a similar set of SRV records to other DCs in other sites: LDAP,
Kerberos and GC.

BTW, it should be a GC also.

The only other likelihood is that you don't have a DC in that Site
at all -- i.e., it isn't a mistake, but you just don't have one there.

You really should have at least one DC (also a GC) in every site or
there is little reason to make a site.

What is your Win2000 Domain name? It is at least 2-tags long,
right? domain.com rather than just "domain."
 
Ace Fekay [MVP]

Jon Spinney said:
> Ok, I've done a little more research now that a lot of users are in and
> turning their machines on. It turns out that I am having problems
> with only 1 subnet, but it is our largest. We subnetted it out like
> the following
>
> 10.10.24.0
> 255.255.248.0
>
> I have checked the clients on all of the other subnets and they seem
> to have no problem finding their site based on subnets. I double
> checked and it is applied to a site.
>
> I'm not sure I understand why this subnet seems to be having problems.
> I've double checked with several other co-workers and the subnet
> information above is correct.


Does the subnet object created for that subnet reflect this exact subnet in
Sites?
I am going to assume that the server is configured with this subnet as well
and physically exists under that Site object?



--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Herb Martin

> Does the subnet object created for that subnet reflect this exact subnet in

Let's not overspecify: Having the "exact" subnet is both
unnecessary and sometimes counterproductive (and sometimes
insufficient.)

The subnet (group) must be specified without being specified
in some other site.

One is free to use subnet summaries (which look like supernetting)
and to override such on another site with a more specific subnet.

Maybe better would be to check all the OTHER subnets to see if
something that overrides this one might be specified.

Subnets work like "routes" and supernets -- a summary can specify
a contiguous range but a more specific specification can extract a
range of addresses to another site.
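
The matching rule described in the last post (the most specific subnet object wins, and an address covered by no subnet object gets no site, which is the Event 5778 condition), shown as an added example that is not part of the thread. Only 10.10.24.0 / 255.255.248.0 comes from the thread; the site names, the other two subnets and the function names are constructed for illustration.

```python
import ipaddress

def subnet_object_name(network, mask):
    """Dotted network + mask -> address/prefix name; ValueError if host bits are set."""
    return str(ipaddress.ip_network(f"{network}/{mask}", strict=True))

def site_for(ip, subnet_objects):
    """Longest-prefix match of ip against {cidr: site}; None means no subnet matched."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnet_objects.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return (str(best[0]), best[1]) if best else None

def overriding_subnets(cidr, subnet_objects):
    """More specific subnet objects inside cidr that belong to a different site."""
    target = ipaddress.ip_network(cidr)
    home = subnet_objects[cidr]
    return sorted(
        (other, site) for other, site in subnet_objects.items()
        if other != cidr and site != home
        and ipaddress.ip_network(other).subnet_of(target)
    )

# Constructed table: site names and the two /24 entries are made up.
BIG = subnet_object_name("10.10.24.0", "255.255.248.0")   # 10.10.24.0/21
SUBNETS = {BIG: "Central", "10.10.28.0/24": "Branch-07", "10.10.40.0/24": "Branch-12"}

if __name__ == "__main__":
    for ip in ("10.10.25.17", "10.10.28.9", "10.10.32.5"):
        print(ip, "->", site_for(ip, SUBNETS))
    print("overrides inside", BIG, ":", overriding_subnets(BIG, SUBNETS))
    # Same range entered with a /24 prefix: most of the /21 no longer matches.
    print(site_for("10.10.25.17", {"10.10.24.0/24": "Central"}))
```
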
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top