Wednesday, December 3, 2014

Catch-All Subnets in Active Directory Sites & Services


Background: On many occasions while consulting I encountered countless organizations getting Event ID 5807 on their Domain Controllers. This is well documented, and there are many blog posts discussing the need to make sure that all subnets are created in AD Sites & Services and attached to the appropriate site.

Problem: Some workstations are authenticating to Domain Controllers in the wrong site, in spite of all the wonderful information available. In fact, many companies are experiencing this and don't even realize it.  After all, the workstation will still authenticate and sometimes the issues are just slow authentication and extra WAN traffic.

Solution: In a perfect world, the AD admins would be notified of every subnet created and ensure they were created and placed in the appropriate site in AD Sites & Services. In reality, this rarely happens. As a way to ensure clients aren't authenticating to the slowest links, a Catch-All subnet can be created to force clients to a specific DC in a higher bandwidth site. Most companies will have a faster connection to their main datacenter, so creating an all-encompassing subnet and attaching it to this site will ensure clients go there if a subnet is not defined for them.

Will this force all my traffic to that one site?!?! No. The subnets start at the most restrictive and work their way to least restrictive. So if you have a subnet defined with a /24 network, all clients on that subnet will authenticate to that site and will only authenticate to your /8 Catch-All if they aren't already defined elsewhere.

Example: You have a client with an IP address of 10.0.7.7, but subnets and sites are only defined for 10.0.6.0/24 and 10.0.8.0/24, so you have a client without a site and you can't control where it authenticates. If you create a subnet of 10.0.0.0/8 and attach it to your main site, then any client on a 10.x.x.x subnet that isn't defined will authenticate to your main site. This doesn't work for everyone, but the majority of businesses I've consulted for didn't have Catch-All subnets and needed them desperately. There is a great article on the pros and cons of Catch-All subnets that, while 5 years old, is still quite relevant today. http://technet.microsoft.com/en-us/magazine/2009.06.subnets.aspx
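To make the most-specific-match behaviour concrete, here is an added example (my own illustration, not code from the original post) that resolves client addresses against a subnet table like the one above. The site names and the subnet list are constructed for this example; it also shows which addresses would still be site-less, i.e. the ones that generate Event ID 5807 on the DC.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

# Subnet-to-site table as it would be defined in AD Sites & Services.
# Constructed sample data; the site names are hypothetical.
SUBNETS: Dict[str, str] = {
    "10.0.6.0/24": "BranchA",
    "10.0.8.0/24": "BranchB",
    "10.0.0.0/8": "MainDatacenter",  # the Catch-All subnet
}


def resolve_site(client_ip: str, subnets: Dict[str, str] = SUBNETS) -> Optional[str]:
    """Return the site for client_ip using the most specific (longest prefix)
    subnet that contains it, which is how the DC locator picks a site.
    Returns None when no subnet covers the address: that is the condition
    the DC logs as Event ID 5807."""
    ip = ipaddress.ip_address(client_ip)
    best_net = None
    best_site = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr, strict=False)
        # ip in net is False for mismatched IP versions, so IPv6 clients
        # simply fall through to None against an IPv4-only table.
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def unsited_clients(client_ips: Iterable[str],
                    subnets: Dict[str, str] = SUBNETS) -> List[str]:
    """Addresses that fall outside every defined subnet. Feed this the
    client IPs from 5807 events to see what still needs a subnet."""
    return [ip for ip in client_ips if resolve_site(ip, subnets) is None]


if __name__ == "__main__":
    # Without the Catch-All, 10.0.7.7 has no site; with it, it goes to MainDatacenter.
    without_catch_all = {k: v for k, v in SUBNETS.items() if k != "10.0.0.0/8"}
    for ip in ("10.0.6.5", "10.0.7.7", "172.16.1.9"):
        print(ip, "->", resolve_site(ip, without_catch_all), "/", resolve_site(ip))
```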

Note: I have decided to take some of the things that I found most commonly to be issues in my years of consulting, and create these posts to help System Admins do a little of the easy clean-up on their own. Save up that consulting budget for projects that you really need, and take care of some of this easy cleanup yourself.
