Hello all,
I'm trying to optimize my AD Sites and Services subnets, and I was curious if anyone knew if there was some kind of built-in functionality to monitor for authentications that have a source IP address that is outside the defined subnet range for a given site. Note that I'm not asking for authentications from a subnet with no defined site. What I am asking for is how to tell when an IP address in an already-defined subnet in a site authenticates against a Domain Controller in another site. Here is an example:
Consider a domain with 2 sites, Site 1 and Site 2.
Consider Workstation1 with IP address 1.1.1.1 which is located in Site 1 along with DC1. Let's also say that I have the Workstation1 IP address strictly defined in AD Sites and Services, e.g. 1.1.1.1/32 pointed to Site 1.
Consider a similar situation in Site 2, where Workstation2 has IP address 2.2.2.2 and is located in Site 2 along with DC2, and Workstation2 is strictly defined in AD Sites and Services, e.g. 2.2.2.2/32 pointed to Site 2.
Now of course, using DC Locator, Workstation1 and Workstation2 would always be assigned the local DC in their site (unless the link were down and Next Closest Site was used, but assume the links are up).
However, let's consider a scenario where Workstation1 has installed a new application, and the application does not use DC Locator, but instead has LDAP configuration settings that need to be manually set. One of these settings is an LDAP URL to use when performing LDAP queries/authentications against the domain.
Let’s say the user did not put in a URL to a Domain Controller, but instead just puts in the name of the domain, e.g. ldap://contoso.com:389.
Now, when the application attempts LDAP queries/authentications, it will first attempt to resolve contoso.com to an IP address. Of course, every Domain Controller in a domain registers an A record for the domain name, so the application will rely on DNS to perform its round-robin resolution of contoso.com and consequently return an IP address of one of the Domain Controllers in the domain.
In this case, because of the LDAP manual settings that forced DNS round-robin, the application running on Workstation1 is returned the IP address of DC2 to use in connecting to contoso.com. Of course, DC2 is in a different site than Workstation1, and is not the most optimal DC for Workstation1 to use in this case.
So, I am curious if there is any built-in functionality in Windows (or AD or SCOM or whatever) that can monitor and alert on these kinds of situations, where an authentication attempt is made from an IP address outside of the subnet range for a given site.
I could probably write some PS code against a debug-level Netlogon.log file, but I was hoping there was a more “native” way to check for this?
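As an added example (not code from the original poster), here is the kind of check the question describes, done against the Security log rather than Netlogon.log: take the DC's own site, load the AD subnet table, map each logon's client IP to a site by longest-prefix match (the same rule AD uses), and report logons whose source subnet belongs to a different site. Clients with no matching subnet at all are deliberately skipped, since that is the NO_CLIENT_SITE case the post excludes. The subnets and events at the bottom are constructed sample data matching the Site1/Site2 scenario; `Get-LiveInput` is an assumed helper showing where real data would come from (`Get-ADReplicationSubnet`, `Get-ADDomainController`, and events 4624/4768/4769 via `Get-WinEvent`). IPv4 only.

```powershell
# Added example, not the original poster's code. Flags logons on a DC whose client IP
# maps, via the AD Sites and Services subnet table, to a site other than the DC's own.

function ConvertTo-UInt32Address {
    param([System.Net.IPAddress]$Address)
    $bytes = $Address.GetAddressBytes()                          # network (big-endian) order
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Get-PrefixMask {
    param([int]$PrefixLength)
    if ($PrefixLength -le 0) { return [uint32]0 }
    return [uint32](([long]0xFFFFFFFF -shl (32 - $PrefixLength)) -band 0xFFFFFFFF)
}

function ConvertTo-IPv4 {
    # Returns an IPv4 IPAddress or $null. Accepts the "::ffff:a.b.c.d" form that Kerberos
    # events 4768/4769 use for the client address; skips '-', loopback and plain IPv6.
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text) -or $Text -eq '-') { return $null }
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Text, [ref]$ip)) { return $null }
    if ($ip.IsIPv4MappedToIPv6) { $ip = $ip.MapToIPv4() }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $null }
    if ([System.Net.IPAddress]::IsLoopback($ip)) { return $null }
    return $ip
}

function Resolve-SiteForAddress {
    # Longest-prefix match over subnets shaped like @{ Cidr = '1.1.1.0/24'; Site = 'Site1' }.
    param([System.Net.IPAddress]$Address, [object[]]$Subnets)
    $ipValue = ConvertTo-UInt32Address $Address
    $best = $null
    foreach ($s in $Subnets) {
        $net, $len = $s.Cidr -split '/'
        $netIp = $null
        if (-not [System.Net.IPAddress]::TryParse($net, [ref]$netIp) -or
            $netIp.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { continue }
        $mask = Get-PrefixMask ([int]$len)
        if ((($ipValue -band $mask) -eq ((ConvertTo-UInt32Address $netIp) -band $mask)) -and
            ($null -eq $best -or [int]$len -gt $best.Len)) {
            $best = [pscustomobject]@{ Site = $s.Site; Cidr = $s.Cidr; Len = [int]$len }
        }
    }
    return $best
}

function Find-CrossSiteLogon {
    # Events shaped like @{ Time; EventId; Account; ClientIp }. Emits one record per logon
    # whose client subnet is defined in AD but belongs to a site other than $DcSite.
    param([string]$DcSite, [object[]]$Subnets, [object[]]$Events)
    foreach ($e in $Events) {
        $ip = ConvertTo-IPv4 $e.ClientIp
        if ($null -eq $ip) { continue }
        $hit = Resolve-SiteForAddress -Address $ip -Subnets $Subnets
        if ($null -eq $hit) { continue }          # no subnet defined at all: NO_CLIENT_SITE case, excluded here
        if ($hit.Site -ne $DcSite) {
            [pscustomobject]@{
                Time = $e.Time; EventId = $e.EventId; Account = $e.Account
                ClientIp = $ip.ToString(); ClientSubnet = $hit.Cidr; ClientSite = $hit.Site; DcSite = $DcSite
            }
        }
    }
}

function Get-LiveInput {
    # Assumed helper: builds the same shapes from a real DC (run it on the DC being checked,
    # with the ActiveDirectory module available). 4624 covers network logons including
    # LDAP simple/NTLM binds; 4768/4769 cover Kerberos ticket requests.
    $dcSite  = (Get-ADDomainController -Identity $env:COMPUTERNAME).Site
    $subnets = Get-ADReplicationSubnet -Filter * -Properties Site | Where-Object { $_.Site } | ForEach-Object {
        [pscustomobject]@{ Cidr = $_.Name; Site = ($_.Site -replace '^CN=([^,]+),.*$', '$1') }
    }
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4768, 4769 } -MaxEvents 5000 |
        ForEach-Object {
            $f = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id
                               Account = "$($f.TargetDomainName)\$($f.TargetUserName)"; ClientIp = $f.IpAddress }
        }
    return [pscustomobject]@{ DcSite = $dcSite; Subnets = $subnets; Events = $events }
}

# Constructed sample data for the post's scenario, as seen from DC2 in Site2.
$subnets = @(
    [pscustomobject]@{ Cidr = '1.1.1.1/32'; Site = 'Site1' },
    [pscustomobject]@{ Cidr = '1.1.0.0/16'; Site = 'Site1' },
    [pscustomobject]@{ Cidr = '2.2.2.2/32'; Site = 'Site2' }
)
$events = @(
    [pscustomobject]@{ Time = '09:00:01'; EventId = 4624; Account = 'CONTOSO\svc-app'; ClientIp = '1.1.1.1' },        # Workstation1 -> DC2: reported
    [pscustomobject]@{ Time = '09:00:02'; EventId = 4769; Account = 'CONTOSO\user2';   ClientIp = '::ffff:2.2.2.2' }, # same site: quiet
    [pscustomobject]@{ Time = '09:00:03'; EventId = 4624; Account = 'CONTOSO\user9';   ClientIp = '10.9.9.9' },       # no subnet defined: excluded
    [pscustomobject]@{ Time = '09:00:04'; EventId = 4624; Account = 'CONTOSO\DC2$';    ClientIp = '-' }               # local logon: skipped
)
Find-CrossSiteLogon -DcSite 'Site2' -Subnets $subnets -Events $events | Format-Table -AutoSize
```

With the sample data only the first event is reported (Site1 client, Site2 DC). To run it against a real DC, replace the constructed block with `$in = Get-LiveInput; Find-CrossSiteLogon -DcSite $in.DcSite -Subnets $in.Subnets -Events $in.Events`; scheduling that and forwarding the output is the alerting part the post is asking about, and the event IDs used are the usual ones carrying a client address, so an application that bypasses DC Locator with a hard-coded LDAP URL shows up the same way as any other cross-site logon.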