We have a two way trust in place between two Windows forests.

We get "errors" constantly on our domain controllers in both AD forests regarding clients whose IP addresses don't conform to an AD site subnet.

The reason, I think, I understand: a client from FOREST-A travels to a location in FOREST-B and logs on with their FOREST-A account. The computer gets an IP address from a DHCP server in FOREST-B, but the AD authentication occurs across the WAN back to a DC in FOREST-A. That DC then logs the error in the c:\windows\debug\netlogon.log file on the DC as it authenticates the client.

While it's probably safe to ignore the error... is there a way to actually remedy the issue?

TheCleaner

1 Answer

Add the respective subnets in AD Sites and Services, and perhaps create a separate site you assign those subnets to. The site doesn't need its own DC.

Ansgar Wiechers
  • I thought about that...but can I (or better still should I) add subnets for a remote forest into ADS&S? – TheCleaner Sep 06 '12 at 19:22
  • You can add the subnets, or you can live with the warnings. Your choice. – Ansgar Wiechers Sep 06 '12 at 19:24
  • Are you certain though that I can add subnets to ADS&S for a remote forest when no DC for that remote forest exists in that subnet without messing it up? Do you have a source for your answer? – TheCleaner Sep 06 '12 at 19:32
  • Yes, I am certain. I have done this myself. I don't have a source other than personal experience. – Ansgar Wiechers Sep 06 '12 at 19:48
  • If there's no DC in that site that the subnet is attached to in ADSS, how does the client decide? – TheCleaner Sep 06 '12 at 19:49
  • The client decides nothing. This merely prevents the domain controllers from logging a warning when a client with an address from an unknown subnet connects. Because the subnet then is no longer unknown. – Ansgar Wiechers Sep 06 '12 at 19:51
  • I'm with Ansgar. The warnings you're receiving are just that, warnings. It's AD saying "oi, you've forgotten a subnet". In a single forest, all of your subnets' clients are typically wanting access to your DCs, so you'd add them all. Now you're introducing "foreigners". AD is just doing its job. – Simon Catlin Sep 06 '12 at 20:05
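Putting the question's netlogon.log mechanism and the answer's remedy together, here is an added PowerShell example; it is not code from the question, the answer or the comments. It assumes the RSAT ActiveDirectory module is installed, that it is run in the forest whose DCs log the warnings (FOREST-A here) with rights to create sites and subnets, and it works on constructed netlogon.log lines in the NO_CLIENT_SITE format rather than a real file. The /24 prefix length and the site name FORESTB-Roaming-Clients are assumptions to be replaced with the real DHCP scopes and a name of your choosing.

```powershell
# Added example (not code from the question or answer). Assumptions are marked "assumed".
# Step 1 mines NO_CLIENT_SITE entries out of netlogon.log and derives the unknown subnets;
# step 2 registers them in AD Sites and Services under a site that has no DC of its own.
# Run it in the forest whose DCs log the warnings (FOREST-A here), then repeat in the other
# forest, since sites and subnets are per-forest objects.

# Constructed sample lines mimicking the NO_CLIENT_SITE format Netlogon writes to
# C:\Windows\debug\netlogon.log; replace with Get-Content of the real file from each DC.
$SampleLog = @'
09/06 10:15:02 [MISC] [2120] FORESTA: NO_CLIENT_SITE: WS-FA-0017 10.50.12.34
09/06 10:15:09 [MISC] [2120] FORESTA: NO_CLIENT_SITE: WS-FA-0031 10.50.12.78
09/06 10:16:41 [MISC] [2120] FORESTA: NO_CLIENT_SITE: LT-FA-0102 10.50.20.5
09/06 10:17:03 [MISC] [2120] FORESTA: SamLogon: Network logon of FORESTA\jdoe from WS-FA-0017 Entered
09/06 10:18:55 [MISC] [2120] FORESTA: NO_CLIENT_SITE: WS-FA-0017 10.50.12.34
'@

function Get-NoClientSiteEntry {
    # Returns one object per NO_CLIENT_SITE line: the client name and its IPv4 address.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match 'NO_CLIENT_SITE:\s+(?<Host>\S+)\s+(?<IP>\d{1,3}(?:\.\d{1,3}){3})') {
            [pscustomobject]@{ Host = $Matches.Host; IP = [ipaddress]$Matches.IP }
        }
    }
}

function Get-SubnetForAddress {
    # Masks an IPv4 address down to its network and returns "a.b.c.d/prefix".
    # The prefix length is assumed (/24); set it to match the real DHCP scopes in the other forest.
    param([ipaddress]$IP, [int]$PrefixLength = 24)
    $ipBytes  = $IP.GetAddressBytes()
    $netBytes = for ($i = 0; $i -lt 4; $i++) {
        $bits = [Math]::Max(0, [Math]::Min(8, $PrefixLength - 8 * $i))   # mask bits in this octet
        $mask = [byte](256 - [Math]::Pow(2, 8 - $bits))
        [byte]($ipBytes[$i] -band $mask)
    }
    '{0}/{1}' -f ($netBytes -join '.'), $PrefixLength
}

# Step 1: which subnets are the DCs complaining about?
$entries = Get-NoClientSiteEntry -Lines ($SampleLog -split "`r?`n")
$subnets = $entries | ForEach-Object { Get-SubnetForAddress -IP $_.IP } | Sort-Object -Unique
$entries | Group-Object Host | Format-Table Count, Name -AutoSize   # who is roaming, and how often
$subnets                                                            # 10.50.12.0/24 and 10.50.20.0/24 for the sample

# Step 2: register those subnets under a site of their own. Assumed site name; no DC is created in it,
# so the DC locator serves it from the nearest site by site-link cost (automatic site coverage).
Import-Module ActiveDirectory
$SiteName = 'FORESTB-Roaming-Clients'
$DryRun   = $true     # flip to $false after reviewing the -WhatIf output

if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    New-ADReplicationSite -Name $SiteName `
        -Description 'Subnets FOREST-A users are seen from while on the FOREST-B network' -WhatIf:$DryRun
}
foreach ($subnet in $subnets) {
    if (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'") {
        Write-Verbose "Subnet $subnet already registered" -Verbose
        continue
    }
    New-ADReplicationSubnet -Name $subnet -Site $SiteName `
        -Description 'FOREST-B DHCP range; registered to stop NO_CLIENT_SITE warnings' -WhatIf:$DryRun
}
```

Run step 1 on its own first: the grouped host list tells you which machines are roaming and whether the addresses really are the other forest's DHCP ranges rather than, say, a VPN pool you have simply never registered. Leave $DryRun at $true until the site exists, because New-ADReplicationSubnet resolves -Site before it would create anything, so a dry run against a not-yet-created site may complain. After the subnets are in place the next NO_CLIENT_SITE entries for those ranges should stop; a site with no DC of its own is normal and is exactly what the answer suggests.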