Thanks! This white paper appears to answer the question I was asking.

-----Original Message-----
From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 05, 2005 2:26 AM
To: Rachui, Scott; '[EMAIL PROTECTED]'; '[email protected]'
Subject: RE: [ActiveDir] Unmapped IP Subnets in Another AD Forest

Hi,

First of all you need to create an AD subnet for each subnet on your network so that the nearest DC is always used. In a multiple forest scenario it is best to have the same sites and subnets configuration. This can be done manually but it can also be synchronised.

#####
* Synchronization of sites and subnets: Enable each forest to recognize the entire scope of the network. To allow clients in one forest to locate the nearest domain controller in another forest and enable access to DFS file shares with minimum network traffic, configure the same sites and subnets in all forests.
#####

This came from "Multiple Forest Considerations in Windows 2000 and Windows Server 2003" (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/mtfstwp.mspx). SEARCH FOR "Synchronizing Sites and Subnet".

Jorge

-----Original Message-----
From: [EMAIL PROTECTED]
To: [email protected]
Sent: 4/5/2005 3:19 AM
Subject: [ActiveDir] Unmapped IP Subnets in Another AD Forest

I have an odd problem. I checked one of our AD 2000 (SP4) forests today. It had a flurry of Event ID 5778s as shown below:

Event Type: Information
Event Source: NETLOGON
Event Category: None
Event ID: 5778
Date: 4/4/2005
Time: 9:14:17 PM
User: N/A
Computer: <Domain Controller>
Description: '<Computer Name>' tried to determine its site by looking up its IP address ('<IP Address>') in the Configuration\Sites\Subnets container in the DS. No subnet matched the IP address. Consider adding a subnet object for this IP address.

The only problem was that in some cases, the computers mentioned in the events were authenticating to another forest. There is a 2-way trust between Forest A and Forest B. The user and computer are both in Forest A, with only resources in Forest B (a migration is underway).

My understanding of unmapped subnets is that DNS will give you a random list of DCs and you'll query them to find your optimal site. If your IP Address is unmapped, you'll use whichever DC replies first. But you'll also re-query AD every 15 minutes until your IP Subnet is defined and you are using AD optimally.

Now if a computer is authenticating to Forest A and then only accessing resources in Forest B, why would he post 5778 events just because his IP Subnet from Forest A isn't also defined in Forest B? This seems wrong to me, somehow. But I thought I'd ask the experts on this alias to see if you had any thoughts.

Thanks in advance for your thoughts and help.

Scott

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
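The thread above turns on two checks an administrator ends up doing by hand: which IP addresses reported in Event ID 5778 fall outside every subnet object in a forest's Configuration\Sites\Subnets container, and which subnet objects Forest A defines that Forest B does not (the gap the white paper's "same sites and subnets in all forests" advice closes). The script below is an added example, not code from the thread or from Microsoft; it is written in Python rather than run against a live directory so it can be exercised offline. The subnet tables FOREST_A_SUBNETS and FOREST_B_SUBNETS and the event descriptions in SAMPLE_EVENTS are constructed sample data in the shape of the 5778 text quoted above, and the site lookup models the locator's behaviour of choosing the most specific matching subnet object.

```python
"""Triage NETLOGON Event ID 5778 ("No subnet matched the IP address") across two
forests: find the unmapped hosts per forest and the subnet objects one forest
lacks relative to the other.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample subnet objects: CIDR -> site name, one table per forest.
# (Forest B is mid-migration and has not mirrored Forest A's subnet definitions.)
FOREST_A_SUBNETS: Dict[str, str] = {
    "10.1.0.0/16": "Dallas",
    "10.2.0.0/16": "Houston",
    "192.168.50.0/24": "Lab",
}
FOREST_B_SUBNETS: Dict[str, str] = {
    "10.1.0.0/16": "Dallas",
    "10.1.200.0/24": "Dallas-DMZ",
}

# Constructed sample 5778 descriptions in the wording the event uses.
SAMPLE_EVENTS: List[str] = [
    r"'WS01' tried to determine its site by looking up its IP address ('10.2.14.7') "
    r"in the Configuration\Sites\Subnets container in the DS. No subnet matched the IP address.",
    r"'WS02' tried to determine its site by looking up its IP address ('10.1.200.9') "
    r"in the Configuration\Sites\Subnets container in the DS. No subnet matched the IP address.",
    r"'WS03' tried to determine its site by looking up its IP address ('192.168.50.20') "
    r"in the Configuration\Sites\Subnets container in the DS. No subnet matched the IP address.",
    "Unrelated log line that should be ignored by the parser.",
]

# Pulls the computer name and the IP address out of a 5778 description.
EVENT_RE = re.compile(
    r"'(?P<host>[^']+)' tried to determine its site by looking up its IP address "
    r"\('(?P<ip>[^']+)'\)"
)


def parse_5778(description: str) -> Optional[Tuple[str, str]]:
    """Return (host, ip) from a 5778 description, or None if it is not one."""
    m = EVENT_RE.search(description)
    return (m.group("host"), m.group("ip")) if m else None


def lookup_site(ip: str, subnets: Dict[str, str]) -> Optional[str]:
    """Site for an address: the most specific (longest prefix) subnet object
    that contains it, or None when no subnet object matches (the 5778 case)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # malformed address: treat as unmapped rather than crash
    best: Optional[Tuple[int, str]] = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, site)
    return best[1] if best else None


def unmapped_hosts(events: List[str], subnets: Dict[str, str]) -> List[Tuple[str, str]]:
    """Hosts whose reported IP would still raise 5778 against this subnet table."""
    result = []
    for description in events:
        parsed = parse_5778(description)
        if parsed and lookup_site(parsed[1], subnets) is None:
            result.append(parsed)
    return result


def missing_subnets(reference: Dict[str, str], target: Dict[str, str]) -> Dict[str, str]:
    """Subnet objects present in the reference forest but absent from the target,
    i.e. what has to be created in the target to mirror the reference."""
    return {cidr: site for cidr, site in reference.items() if cidr not in target}


if __name__ == "__main__":
    for name, table in (("Forest A", FOREST_A_SUBNETS), ("Forest B", FOREST_B_SUBNETS)):
        print(f"{name}: unmapped hosts -> {unmapped_hosts(SAMPLE_EVENTS, table)}")
    print("Subnets Forest B lacks:", missing_subnets(FOREST_A_SUBNETS, FOREST_B_SUBNETS))
```

With the constructed data, Forest A maps every reported address, Forest B leaves WS01 and WS03 unmapped, and the script lists 10.2.0.0/16 and 192.168.50.0/24 as the objects Forest B would need. The longest-prefix rule matters for WS02: 10.1.200.9 is inside both 10.1.0.0/16 and 10.1.200.0/24, and the more specific object wins.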
