The IP address of a Domain Controller maps to the site it serves

Tags: active-directory, domain-controller

I have questions related to this specific event:

Index              : 865
EntryType          : Warning
InstanceId         : 5802
Message            : None of the IP addresses (192.168.254.17) of this Domain Controller map to the configured site 'North'.
                    While this may be a temporary situation due to IP address changes, it is generally
                    recommended that the IP address of the Domain Controller (accessible to machines in
                    its domain) maps to the Site which it services. If the above list of IP addresses is
                    stable, consider moving this server to a site (or create one if it does not already
                    exist) such that the above IP address maps to the selected site. This may require the
                    creation of a new subnet object (whose range includes the above IP address) which maps
                    to the selected site object.
Category           : (0)
CategoryNumber     : 0
ReplacementStrings : {North, 192.168.254.17}
Source             : NETLOGON
TimeGenerated      : 11/10/2018 4:45:42 PM
TimeWritten        : 11/10/2018 4:45:42 PM
UserName           :

The event was being logged repeatedly by a domain controller whose IPv4 address was not associated at that time with the site it serves, as configured in the Active Directory Sites and Services console. I suppressed it by creating a /32 subnet object that maps to the served site; however, I am wondering about the actual consequences.

  • Why should the IPv4 address of the domain controller map to the site it serves?
  • Why is such a test performed by Netlogon? Why is this generally recommended?
  • Besides the event log, how would Active Directory infrastructure be impacted by such configuration mismatch?

Although the network infrastructure that links the sites consists of no more than a few meters of optical fiber and has low latency and high bandwidth, multiple sites were created in order to establish affinities between users and domain controllers while keeping IPv4 addresses unchanged. This is for capacity management purposes.


Under a test environment, a few Windows PowerShell lines may reproduce the issue.

DC1:

New-NetIPAddress -IPAddress 192.168.254.16 `
    -InterfaceAlias Ethernet -AddressFamily IPv4 `
    -Type Unicast -PrefixLength 24

Set-DnsClientServerAddress -InterfaceAlias Ethernet `
    -ServerAddresses @('192.168.254.17','192.168.254.16')

Import-Module ServerManager
Install-WindowsFeature -IncludeManagementTools ("AD-Domain-Services")

Import-Module ADDSDeployment
$dsrm_password = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
Install-ADDSForest `
    -DomainName 'contoso.com' `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm_password

#--------------

New-ADReplicationSite -Name 'North'
New-ADReplicationSite -Name 'South'
# Rename the default site to 'CPD'; DC1 (192.168.254.16) stays in it.
Get-ADReplicationSite -Identity 'Default-First-Site-Name' | `
    Get-ADObject | Rename-ADObject -NewName 'CPD'
# Subnet objects: the most specific (longest-prefix) match decides the site.
# 192.168.254.0/24 lies inside neither /18 (third octet 0-63 and 128-191),
# so addresses in it resolve to the /16 and therefore to 'CPD'.
New-ADReplicationSubnet -Name '192.168.0.0/16' -Site 'CPD'
New-ADReplicationSubnet -Name '192.168.0.0/18' -Site 'North'
New-ADReplicationSubnet -Name '192.168.128.0/18' -Site 'South'

New-ADReplicationSiteLink -Name 'CPD-North' `
    -SitesIncluded @('CPD', 'North') `
    -InterSiteTransportProtocol IP `
    -ReplicationFrequencyInMinutes 15 `
    -OtherAttributes @{'Options'=5}

New-ADReplicationSiteLink -Name 'CPD-South' `
    -SitesIncluded @('CPD', 'South') `
    -InterSiteTransportProtocol IP `
    -ReplicationFrequencyInMinutes 15 `
    -OtherAttributes @{'Options'=5}

Get-ADReplicationSiteLink 'DEFAULTIPSITELINK' | Remove-ADReplicationSiteLink

DC2:

New-NetIPAddress -IPAddress 192.168.254.17 `
    -InterfaceAlias Ethernet -AddressFamily IPv4 `
    -Type Unicast -PrefixLength 24

Set-DnsClientServerAddress -InterfaceAlias Ethernet `
    -ServerAddresses @('192.168.254.16','192.168.254.17')

Import-Module ServerManager
Install-WindowsFeature -IncludeManagementTools ("AD-Domain-Services")

Import-Module ADDSDeployment
$dsrm_password = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force

# Promoting DC2 into 'North' while its address (192.168.254.17) maps to 'CPD'
# is what makes Netlogon log event 5802 on DC2 after the post-promotion reboot.
Install-ADDSDomainController `
    -InstallDns `
    -SiteName 'North' `
    -DomainName 'contoso.com' `
    -SafeModeAdministratorPassword $dsrm_password `
    -Credential (Get-Credential)

#--------------

# Run on DC2 after the reboot: the most recent 5802 warning from NETLOGON.
Get-EventLog -LogName 'System' -InstanceId 5802 -Newest 1

Best Answer

It's how clients locate the closest domain controller. If a client cannot find a site that maps to its network, or a domain controller in that site with an appropriate subnet that matches the client, the client will choose any domain controller to authenticate. If you're OK with that, there is no impact.
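The following PowerShell script is an added example; it is not part of the question or of the accepted answer, and the function names in it are made up for illustration. It replays, offline, the check Netlogon performs before logging event 5802: each domain controller's IPv4 address is matched against the subnet objects with the longest prefix winning, and the resulting site is compared with the site the DC is actually placed in. The subnet and DC records are constructed from the lab in the question (CPD/North/South) rather than read from a live forest; against a real domain the same functions accept the output of `Get-ADReplicationSubnet -Filter *` and `Get-ADDomainController -Filter *`. IPv6 subnet objects are skipped.

```powershell
# Added example (not from the original question or answer): replays offline the
# check behind Netlogon event 5802. Assumptions: IPv4 only; subnet objects are
# shaped like Get-ADReplicationSubnet output (Name = 'network/prefix',
# Site = site DN or plain name); DC objects carry Name, IPv4Address and Site.

function ConvertTo-AddressInt {
    # IPv4 dotted quad -> Int64 so prefixes can be compared with -shr.
    param([Parameter(Mandatory)][string]$Address)
    $bytes = ([ipaddress]$Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "IPv4 address expected, got '$Address'" }
    return ([int64]$bytes[0] * 16777216) + ([int64]$bytes[1] * 65536) +
           ([int64]$bytes[2] * 256) + [int64]$bytes[3]
}

function Get-SiteName {
    # Accepts 'CN=North,CN=Sites,...' (as stored on subnet objects) or a bare name.
    param([Parameter(Mandatory)][string]$Site)
    if ($Site -match '^CN=([^,]+)') { return $Matches[1] }
    return $Site
}

function Resolve-SiteForAddress {
    # Longest-prefix match; returns $null when no subnet object covers the address.
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][object[]]$Subnets
    )
    $addrInt = ConvertTo-AddressInt $Address
    $best = $null
    foreach ($subnet in $Subnets) {
        $network, $prefix = $subnet.Name -split '/', 2
        # Skip IPv6 and malformed names; this example handles IPv4 only.
        if ($network -notmatch '^\d{1,3}(\.\d{1,3}){3}$' -or -not $prefix) { continue }
        $prefix = [int]$prefix
        $shift  = 32 - $prefix
        # Equal after dropping the host bits => the address lies inside this subnet.
        if (($addrInt -shr $shift) -ne ((ConvertTo-AddressInt $network) -shr $shift)) { continue }
        if ($null -eq $best -or $prefix -gt $best.Prefix) {
            $best = [pscustomobject]@{
                Subnet = $subnet.Name
                Prefix = $prefix
                Site   = Get-SiteName $subnet.Site
            }
        }
    }
    return $best
}

function Test-DcSiteMapping {
    # One row per DC; Mismatch = True is exactly the condition Netlogon reports as 5802.
    param(
        [Parameter(Mandatory)][object[]]$DomainControllers,
        [Parameter(Mandatory)][object[]]$Subnets
    )
    foreach ($dc in $DomainControllers) {
        $match         = Resolve-SiteForAddress -Address $dc.IPv4Address -Subnets $Subnets
        $matchedSubnet = if ($match) { $match.Subnet } else { $null }
        $mappedSite    = if ($match) { $match.Site }   else { '(no covering subnet object)' }
        [pscustomobject]@{
            DomainController = $dc.Name
            IPv4Address      = $dc.IPv4Address
            ConfiguredSite   = $dc.Site
            MatchedSubnet    = $matchedSubnet
            MappedSite       = $mappedSite
            Mismatch         = ($mappedSite -ne $dc.Site)
        }
    }
}

# Constructed sample mirroring the question's lab; not pulled from a live forest.
# Live equivalents: Get-ADReplicationSubnet -Filter * and Get-ADDomainController -Filter *
$sampleSubnets = @(
    [pscustomobject]@{ Name = '192.168.0.0/16';   Site = 'CN=CPD,CN=Sites,CN=Configuration,DC=contoso,DC=com' }
    [pscustomobject]@{ Name = '192.168.0.0/18';   Site = 'CN=North,CN=Sites,CN=Configuration,DC=contoso,DC=com' }
    [pscustomobject]@{ Name = '192.168.128.0/18'; Site = 'CN=South,CN=Sites,CN=Configuration,DC=contoso,DC=com' }
)
$sampleDCs = @(
    [pscustomobject]@{ Name = 'DC1'; IPv4Address = '192.168.254.16'; Site = 'CPD'   }
    [pscustomobject]@{ Name = 'DC2'; IPv4Address = '192.168.254.17'; Site = 'North' }
)

# 192.168.254.x is outside both /18 ranges (third octet 0-63 and 128-191), so the
# /16 wins and DC2 maps to CPD while it is configured in North: Mismatch = True for DC2.
Test-DcSiteMapping -DomainControllers $sampleDCs -Subnets $sampleSubnets | Format-Table -AutoSize

# The /32 workaround from the question: the most specific subnet now maps DC2 to North.
$fixedSubnets = $sampleSubnets + [pscustomobject]@{
    Name = '192.168.254.17/32'; Site = 'CN=North,CN=Sites,CN=Configuration,DC=contoso,DC=com'
}
Test-DcSiteMapping -DomainControllers $sampleDCs -Subnets $fixedSubnets | Format-Table -AutoSize
```

The same longest-prefix rule is what the DC Locator applies to a client's own address when it asks a DC which site it belongs to, and Netlogon registers a DC's site-specific SRV records (for example `_ldap._tcp.<site>._sites.dc._msdcs.<domain>`) under the site the DC object is configured in, not under the site its address resolves to; that is why the two are expected to agree. On a client, `nltest /dsgetsite` shows the site the locator assigned and `nltest /dsgetdc:contoso.com` shows which DC (and which site) it ended up using.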
