none
NETLOGON error 5807

    Question

  •  

    Hi Experts,

    I am getting the NETLOGON error 5807 in my domain controller, then I am checking the log files below is the error.

    02-Nov 22:25:22               DomainDnsZones.Domain.com:        NO_CLIENT_SITE:            computer name                               IP

    Feb-14  12:43:36               Domain.com:  NO_CLIENT_SITE:            Computer Name              IP

    When I am checking these IPs, these subnet already added in the Active Directory Site & Services with correct sites.

    Pelase help.


    • Edited by VLCC Tuesday, February 21, 2012 12:13 PM
    Tuesday, February 21, 2012 11:10 AM

Answers

  • The error generally occurs when domain computer's IP subnet is not defined in ADSS.

    http://support.microsoft.com/kb/889031

     

    Regards

    Awinish Vishwakarma

    MY BLOG:  awinish.wordpress.com


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, February 21, 2012 12:51 PM
    Moderator
  • See my blog to help with this.  It details missing subnets as Awinish points too.
    http://blogs.dirteam.com/blogs/paulbergson/archive/2010/04/19/ad-clients-not-authenticating-to-its-local-site.aspx

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, February 21, 2012 1:09 PM
    Moderator
  • Never Delta with this kind of situation before.

    But you can refer the link to understand this better.

    Probably subnets you have defined subnets which are not registered in AD Properly.

    http://www.oreilly.de/catalog/9780596521103/toc.html

    The only way to dynamically determine missing subnets is to query each domain controller for 5778 events and map the IP addresses specified within the events to a subnet you add to the site topology.

    As of Windows Server 2008, things are not that much better. One of the issues with the 5778 events under Windows 2000 is that they can easily fill up your System event log if you have many missing subnets. Starting in Windows 2003, Microsoft decided to instead display a summary event 5807 that states that some number of connection attempts have been made by clients that did not map to a subnet in the site topology.

    Please refer above link for troublshooting purpose.

    here is one more explanation on the dliemma.

    http://www.open-a-socket.com/index.php/category/active-directory/page/5/

    Missing subnet registrations

    In a number of environments I have seen, AD subnets are registered and associated with their corresponding AD site when the infrastructure is first put in place.  Subnets introduced afterwards are not always registered.  When subnets are not registered, clients on those subnets will not find an in-site DC and/or GC to use, which can lead to slow responses and unnecessary bandwidth utilisation.

    DCs detect connections from clients on unregistered subnets and log the information in the Directory Service event log (Event 5807). The DC also commits the information into the %windir%\debug\netlogon.log.  You should regularly monitor your DCs for missing subnets and register them as required.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com

    • Marked as answer by VLCC Tuesday, February 28, 2012 4:01 AM
    Friday, February 24, 2012 12:59 PM
  • If secure channel is broken, i'm afraid you don't have any options apart from dis-joining and joining it back.

    http://awinish.wordpress.com/2010/12/24/when-secure-channel-is-broken/

     

     

    Regards

    Awinish Vishwakarma

    MY BLOG:  http://awinish.wordpress.com/


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Proposed as answer by Meinolf WeberMVP Saturday, February 25, 2012 5:53 PM
    • Marked as answer by VLCC Tuesday, February 28, 2012 4:01 AM
    Saturday, February 25, 2012 6:26 AM
    Moderator
  • I Agree with Awinish,

     Please refer below link to understand it better.

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/e9a11ab4-87bb-4aba-b63b-5bff756371f0

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Marked as answer by VLCC Tuesday, February 28, 2012 4:01 AM
    Monday, February 27, 2012 6:59 AM

All replies

  • Can you post the following :

    - output of nltest /dsgetsite from the client

    - output of nltest /dsaddresstosite:DC /addresses:IP from the domain controller (where DC is the domain controler where you are seeing the error and IP address is the IP reported in the error above

    - full wording of the error message above

    hth
    Marcin

    Tuesday, February 21, 2012 11:48 AM
  • Hello,

    as we are now on a newer date as your output states 14. Feb is that still current issue or did you just realize this yet?


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Tuesday, February 21, 2012 12:09 PM
  • The error generally occurs when domain computer's IP subnet is not defined in ADSS.

    http://support.microsoft.com/kb/889031

     

    Regards

    Awinish Vishwakarma

    MY BLOG:  awinish.wordpress.com


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, February 21, 2012 12:51 PM
    Moderator
  • See my blog to help with this.  It details missing subnets as Awinish points too.
    http://blogs.dirteam.com/blogs/paulbergson/archive/2010/04/19/ad-clients-not-authenticating-to-its-local-site.aspx

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, February 21, 2012 1:09 PM
    Moderator
  •  

    Thanks to all !!

    But I surprised that these IPs I’ve already added in the ADSS subnet list with correct site, but why I am getting error for these ?

    What can be the troubleshooting steps, if a client computer is not going to correct site even the subnet is already added in ADSS

    Wednesday, February 22, 2012 6:07 AM
  • you can refer to the below links which helps you to understand how client locate the DC.

    http://blogs.dirteam.com/blogs/jorge/archive/2007/07/02/dc-locator-process-in-w2k-w2k3-r2-and-w2k8-part-1.aspx

    http://blogs.dirteam.com/blogs/jorge/archive/2007/07/02/dc-locator-process-in-w2k-w2k3-r2-and-w2k8-part-2.aspx

    http://blogs.dirteam.com/blogs/jorge/archive/2007/07/02/dc-locator-process-in-w2k-w2k3-r2-and-w2k8-part-3.aspx

    Probably you can start with nltest commandlets.

    To detemine client is in which AD Site use.

    nltest /dsgetsite.

    To determine a DC within a set of DC of DCs in the client's AD site that could authenticate/service the client:

    NLTEST /DSGETDC:<FQDN DOMAIN>

    Hope it will help you to understand this better.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com

    Wednesday, February 22, 2012 6:13 AM
  •  

    Thanks to all !!

    But I surprised that these IPs I’ve already added in the ADSS subnet list with correct site, but why I am getting error for these ?

    What can be the troubleshooting steps, if a client computer is not going to correct site even the subnet is already added in ADSS

    Hello,

    so you have cleared the log and they reappear with the current date?


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Wednesday, February 22, 2012 6:58 AM
  • Thanks for reply.

    Yes, i am getting the logs for the today's date also.

    Wednesday, February 22, 2012 4:48 PM
  • Never Delta with this kind of situation before.

    But you can refer the link to understand this better.

    Probably subnets you have defined subnets which are not registered in AD Properly.

    http://www.oreilly.de/catalog/9780596521103/toc.html

    The only way to dynamically determine missing subnets is to query each domain controller for 5778 events and map the IP addresses specified within the events to a subnet you add to the site topology.

    As of Windows Server 2008, things are not that much better. One of the issues with the 5778 events under Windows 2000 is that they can easily fill up your System event log if you have many missing subnets. Starting in Windows 2003, Microsoft decided to instead display a summary event 5807 that states that some number of connection attempts have been made by clients that did not map to a subnet in the site topology.

    Please refer above link for troublshooting purpose.

    here is one more explanation on the dliemma.

    http://www.open-a-socket.com/index.php/category/active-directory/page/5/

    Missing subnet registrations

    In a number of environments I have seen, AD subnets are registered and associated with their corresponding AD site when the infrastructure is first put in place.  Subnets introduced afterwards are not always registered.  When subnets are not registered, clients on those subnets will not find an in-site DC and/or GC to use, which can lead to slow responses and unnecessary bandwidth utilisation.

    DCs detect connections from clients on unregistered subnets and log the information in the Directory Service event log (Event 5807). The DC also commits the information into the %windir%\debug\netlogon.log.  You should regularly monitor your DCs for missing subnets and register them as required.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com

    • Marked as answer by VLCC Tuesday, February 28, 2012 4:01 AM
    Friday, February 24, 2012 12:59 PM
  • Thanks much!!!

    The articles u suggest here, are EXCELLENT

    Yes, this is matching with my case. Please suggest me that how to reregister these ips to ADSS as these subnet are already added in ADSS with correct site.

    Should I rejoin these machines to domain or any other short way or way, by which I can solve this remotely?


    • Edited by VLCC Saturday, February 25, 2012 5:48 AM
    Saturday, February 25, 2012 5:45 AM
  • If secure channel is broken, i'm afraid you don't have any options apart from dis-joining and joining it back.

    http://awinish.wordpress.com/2010/12/24/when-secure-channel-is-broken/

     

     

    Regards

    Awinish Vishwakarma

    MY BLOG:  http://awinish.wordpress.com/


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Proposed as answer by Meinolf WeberMVP Saturday, February 25, 2012 5:53 PM
    • Marked as answer by VLCC Tuesday, February 28, 2012 4:01 AM
    Saturday, February 25, 2012 6:26 AM
    Moderator
  • I Agree with Awinish,

     Please refer below link to understand it better.

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/e9a11ab4-87bb-4aba-b63b-5bff756371f0

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Marked as answer by VLCC Tuesday, February 28, 2012 4:01 AM
    Monday, February 27, 2012 6:59 AM