Active Directory Cookbook for Windows Server 2003 - P35

Table 11-4. Attributes of siteLink objects
Attribute   Description
siteList    Multivalued list of distinguished names of each site that is associated with the site link. See Recipe 11.8 for more information.
Table 11-5. Attributes of server objects
Attribute                Description
bridgeheadTransportList  Multivalued attribute that contains the list of transports (e.g., IP or SMTP) for which the server is a preferred bridgehead server.
cn                       RDN of the object. This is set to the hostname of the associated server.
dNSHostName              Fully qualified domain name of the server. This attribute is automatically maintained for domain controllers.
serverReference          Distinguished name of the corresponding computer object contained within one of the domain-naming contexts.
Table 11-6. Attributes of nTDSDSA (NTDS Settings) objects
Attribute                  Description
cn                         RDN of the object, which is always equal to NTDS Settings.
invocationID               GUID that represents the DIT (ntds.dit) on the domain controller.
hasMasterNCs               Multivalued attribute containing the list of writeable naming contexts (does not include application partitions) stored on the domain controller.
hasPartialReplicaNCs       Multivalued attribute containing the list of read-only naming contexts stored on the domain controller. This will be populated only if the domain controller is a global catalog server.
msDS-Behavior-Version      Number that represents the functional level (i.e., operating system) of the domain controller. This attribute is new to Windows Server 2003.
msDS-HasDomainNCs          Contains the distinguished name of the writeable Domain naming context stored on the domain controller. This attribute is new to Windows Server 2003.
msDS-HasInstantiatedNCs    A combination of all available read-only and writeable naming contexts stored on the domain controller. This attribute is new to Windows Server 2003.
msDS-hasPartialReplicaNCs  Multivalued attribute that contains distinguished names of each read-only naming context stored on the domain controller. This will be populated only if the domain controller is a global catalog server. This attribute is new to Windows Server 2003.
msDS-hasMasterNCs          Multivalued attribute that contains distinguished names of each writeable naming context and application partition stored on the domain controller. This attribute is new to Windows Server 2003.
options                    Bit flag that determines if the domain controller is a global catalog server.
queryPolicyObject          If set, the distinguished name of the LDAP query policy object to be used by the domain controller.
Table 11-7. Attributes of nTDSConnection objects
Attribute                 Description
cn                        RDN of the object. For Knowledge Consistency Checker (KCC) generated connections, this is a GUID.
enabledConnection         Boolean that indicates if the connection is available to be used.
fromServer                Distinguished name of the NTDS Settings object of the domain controller this connection replicates with.
ms-DS-ReplicatesNCReason  Multivalued attribute that stores reason codes for why the connection exists. There will be one entry per naming context the connection is used for.
options                   Bit flag where a value of 1 indicates the connection was created by the KCC and a value of 0 means the connection was manually created. See Recipe 11.22 for more information.
schedule                  Octet string that represents the replication schedule for the site link.
transportType             Distinguished name of the transport type (e.g., IP or SMTP) that is used for the connection.
Recipe 11.1 Creating a Site
11.1.1 Problem
You want to create a site.

11.1.2 Solution
11.1.2.1 Using a graphical user interface
1. Open the Active Directory Sites and Services snap-in.
2. Right-click on the Sites container and select New Site.
3. Beside Name, enter the name of the new site.
4. Under Link Name, select a site link for the site.
5. Click OK twice.
11.1.2.2 Using a command-line interface
Create an LDIF file called create_site.ldf with the following contents:
dn: cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: site

dn: cn=Licensing Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: licensingSiteSettings

dn: cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: nTDSSiteSettings

dn: cn=Servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: serversContainer
then run the following command:
> ldifde -v -i -f create_site.ldf
11.1.2.3 Using VBScript
' This code creates the objects that make up a site.
' SCRIPT CONFIGURATION
strSiteName = "<SiteName>" ' e.g. Dallas
' END CONFIGURATION

set objRootDSE = GetObject("LDAP://RootDSE")
set objSitesCont = GetObject("LDAP://cn=sites," & _
                             objRootDSE.Get("configurationNamingContext") )
' Create the site
set objSite = objSitesCont.Create("site", "cn=" & strSiteName)
objSite.SetInfo

' Create the Licensing Site Settings object
set objLicensing = objSite.Create("licensingSiteSettings", _
                                  "cn=Licensing Site Settings")
objLicensing.SetInfo

' Create the NTDS Site Settings object
set objNTDS = objSite.Create("nTDSSiteSettings", "cn=NTDS Site Settings")
objNTDS.SetInfo

' Create the Servers container
set objServersCont = objSite.Create("serversContainer", "cn=Servers")
objServersCont.SetInfo

WScript.Echo "Successfully created site " & strSiteName
11.1.3 Discussion
To create a site in Active Directory, you have to create a number of objects. The first is a site object, which is the root of all the other objects. The site object contains the following:
licensingSiteSettings
    This object isn't mandatory, but is created automatically when creating a site with AD Sites and Services. It is intended to point clients to a license server for the site.
nTDSSiteSettings
    This object stores replication-related properties about a site, such as the replication schedule, current ISTG role holder, and whether universal group caching is enabled.
serversContainer
    This container is the parent of the server objects that are part of the site. All the domain controllers that are members of the site will be represented in this container.
After these objects are created, you've essentially created an empty site. If you didn't do anything else, the site would not be of much value. To make it usable, you need to assign subnet objects to it (see Recipe 11.4), and add the site to a siteLink object to link the site to other sites (see Recipe 11.7). At that point, you can promote or move domain controllers into the site, and it should be fully functional.
11.1.4 See Also
MS KB 318480 (HOW TO: Create and Configure an Active Directory Site in Windows 2000)

Recipe 11.2 Listing the Sites
11.2.1 Problem
You want to obtain the list of sites.

11.2.2 Solution
11.2.2.1 Using a graphical user interface
1. Open the Active Directory Sites and Services snap-in.
2. Click on the Sites container.
3. The list of sites will be displayed in the right pane.
4. Double-click on a site to view its properties.
11.2.2.2 Using a command-line interface
Run the following command to list the sites:
> dsquery site
Run the following command to view the properties for a particular site:
> dsget site "<SiteName>"
11.2.2.3 Using VBScript
' This code lists all of the site objects.

set objRootDSE = GetObject("LDAP://RootDSE")
set objSitesCont = GetObject("LDAP://cn=sites," & _
objRootDSE.Get("configurationNamingContext") )
objSitesCont.Filter = Array("site")
for each objSite in objSitesCont
Wscript.Echo " " & objSite.Get("cn")
next
11.2.3 Discussion
Site objects are stored in the Sites container (e.g., cn=sites,cn=configuration,dc=rallencorp,dc=com) in the Configuration Naming Context (CNC). For more information on creating sites, see Recipe 11.1.

Recipe 11.3 Deleting a Site
11.3.1 Problem
You want to delete a site.
11.3.2 Solution
11.3.2.1 Using a graphical user interface
1. Open the Active Directory Sites and Services snap-in.
2. Click on the Sites container.

3. In the right pane, right-click the site you want to delete and select Delete.
4. Click Yes twice.
11.3.2.2 Using a command-line interface
> dsrm <SiteDN> -subtree -noprompt
11.3.2.3 Using VBScript
' This code deletes a site and all child containers.
' SCRIPT CONFIGURATION
strSiteName = "<SiteName>" ' e.g. Dallas
' END CONFIGURATION

set objRootDSE = GetObject("LDAP://RootDSE")
set objSite = GetObject("LDAP://cn=" & strSiteName & ",cn=sites," & _
objRootDSE.Get("configurationNamingContext") )
objSite.DeleteObject(0)
WScript.Echo "Successfully deleted site " & strSiteName
11.3.3 Discussion
When deleting a site, be very careful to ensure that no active server objects exist within it. If you delete a site that contains domain controllers, it will disrupt replication for all domain controllers in that site. A more robust VBScript solution would be to first perform an ADO query for all server objects using the distinguished name of the site as the base DN. If no servers were returned, then you could safely delete the site. If server objects were found, you should move them before deleting the site.
It is also worth noting that deleting a site does not delete any of the subnets or site links that were associated with the site. This would be another good thing to add to the VBScript solution. That is, before you delete the site, delete any subnets and site links that are associated with the site.
Recipe 11.4 Creating a Subnet
11.4.1 Problem
You want to create a subnet.
11.4.2 Solution
11.4.2.1 Using a graphical user interface
1. Open the Active Directory Sites and Services snap-in.
2. Right-click on the Subnets container and select New Subnet.
3. Enter the Address and Mask and then select which site the subnet is part of.
4. Click OK.
11.4.2.2 Using a command-line interface

Create an LDIF file called create_subnet.ldf with the following contents:
dn: cn=<Subnet>,cn=subnets,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: subnet
siteObject: cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
then run the following command:
> ldifde -v -i -f create_subnet.ldf
11.4.2.3 Using VBScript
' This code creates a subnet object and associates it with a site.
' SCRIPT CONFIGURATION
strSubnet = "<Subnet>" ' e.g. 10.5.3.0/24
strSite = "<SiteName>" ' e.g. Dallas
' END CONFIGURATION


set objRootDSE = GetObject("LDAP://RootDSE")
set objSubnetsCont = GetObject("LDAP://cn=subnets,cn=sites," & _
objRootDSE.Get("configurationNamingContext") )
set objSubnet = objSubnetsCont.Create("subnet", "cn=" & strSubnet)
objSubnet.Put "siteObject", "cn=" & strSite & ",cn=sites," & _
objRootDSE.Get("configurationNamingContext")
objSubnet.SetInfo

WScript.Echo "Successfully created subnet " & strSubnet
11.4.3 Discussion
Subnet objects reside in the Subnets container (e.g., cn=subnets,cn=sites,cn=configuration,dc=rallencorp,dc=com) in the CNC. The relative distinguished name (RDN) of the subnet should be the subnet address and bit-mask combination (e.g., 10.5.3.0/24). The other important attribute to set is siteObject, which should contain the DN of the site that the subnet is associated with.
11.4.4 See Also
MS KB 323349 (HOW TO: Configure Subnets in Windows Server 2003 Active Directory)
Recipe 11.5 Listing the Subnets
11.5.1 Problem
You want to list the subnet objects in Active Directory.
11.5.2 Solution
11.5.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.
2. Click on the Subnets container.
3. The list of subnets will be displayed in the right pane.
4. To view the properties of a specific subnet, double-click on the one you want to view.
11.5.2.2 Using a command-line interface
The following command will list all subnets:

> dsquery subnet
The following command will display the properties for a particular subnet. Replace <Subnet>
with the subnet address and mask (e.g., 10.5.3.0/24):
> dsget subnet "<Subnet>"
11.5.2.3 Using VBScript
' This code lists all the subnets stored in Active Directory.
set objRootDSE = GetObject("LDAP://RootDSE")
set objSubnetsCont = GetObject("LDAP://cn=subnets,cn=sites," & _
objRootDSE.Get("configurationNamingContext") )
objSubnetsCont.Filter = Array("subnet")
for each objSubnet in objSubnetsCont
Wscript.Echo " " & objSubnet.Get("cn")
next
11.5.3 Discussion
To display the site that subnets are associated with, include the siteObject attribute as one of
the attributes to return from the query. For example, the second to last line of the VBScript
solution could be modified to return the site by using this code:
Wscript.Echo " " & objSubnet.Get("cn") & " : " & objSubnet.Get("siteObject")
11.5.4 See Also
MS KB 323349 (HOW TO: Configure Subnets in Windows Server 2003 Active Directory)
Recipe 11.6 Finding Missing Subnets
11.6.1 Problem
You want to find the subnets that are missing from your site topology. Missing subnets can result
in clients not authenticating against the most optimal domain controller, which can degrade
performance.

11.6.2 Solution
Having all of your subnets in Active Directory is important because a client that attempts to log on from a subnet that is not associated with any site may authenticate with any domain controller in the domain. This can result in the logon process taking longer to complete. Unfortunately, Microsoft has not provided an easy way to rectify this problem.
Under Windows 2000, the only source of missing subnet information was the System event 5778. Here is an example:
Event Type: Information
Event Source: NETLOGON
Event Category: None
Event ID: 5778
Date: 1/27/2003
Time: 12:07:04 AM
User: N/A
Computer: DC2
Description:
'JSMITH-W2K' tried to determine its site by looking up its IP address ('10.21.85.34') in the Configuration\Sites\Subnets container in the DS. No subnet matched the IP address. Consider adding a subnet object for this IP address.
The only way to dynamically determine missing subnets is to query each domain controller for
5778 events and map the IP addresses specified within the events to a subnet you add to the site
topology.
With Windows Server 2003 things are not that much better. One of the issues with the 5778
events under Windows 2000 is that they could easily fill up your System event log if you had
many missing subnets. In Windows 2003, Microsoft decided to instead display a summary event
5807 that states that some number of connection attempts have been made by clients that did not
map to a subnet in the site topology. Here is an example:
Event Type: Warning
Event Source: NETLOGON
Event Category: None
Event ID: 5807
Date: 1/10/2003
Time: 10:59:53 AM
User: N/A
Computer: DC1
Description:
During the past 4.18 hours there have been 21 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients.
A client's site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet object(s) covering the above IP addresses with mapping to one of the existing sites.
The names and IP addresses of the clients in question have been logged on this computer in the following log file '%SystemRoot%\debug\netlogon.log' and, potentially, in the log file '%SystemRoot%\debug\netlogon.bak' created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text 'NO_CLIENT_SITE:'. The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize'; the default is 20000000 bytes. The current maximum size is 20000000 bytes. To set a different maximum size, create the above registry value and set the desired maximum size in bytes.
For more information, see Help and Support Center at events.asp.
Instead of scraping the event logs on every domain controller, you can look at the
%SystemRoot%\debug\netlogon.log file on each domain controller and parse out all the
NO_CLIENT_SITE entries. This is still far from an easy process, but at least the event logs are
no longer cluttered with 5778 events.
Here is an example of some of the NO_CLIENT_SITE entries from the netlogon.log file:
01/16 15:50:07 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157
01/16 15:50:29 RALLENCORP: NO_CLIENT_SITE: SJC-BACKUP 44.25.26.142
01/16 16:19:58 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157
01/16 16:20:07 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157
01/16 16:50:07 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157
01/16 16:57:00 RALLENCORP: NO_CLIENT_SITE: JSMITH-W2K1 10.61.80.19
01/16 17:20:08 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157
01/16 17:50:08 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157
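As an added example (not code from the book), the following Python script does the parsing step the text describes: it pulls the client name and IP out of each NO_CLIENT_SITE line, checks each IP against the RDNs of the existing subnet objects (the address/mask form from Recipe 11.4, most specific match wins), and proposes /24 subnet objects for the addresses nothing covers. The netlogon.log excerpt and the subnet list are constructed sample data.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed netlogon.log excerpt (not captured from a real DC). The
# NO_CLIENT_SITE lines follow the format quoted above; the SamLogon line
# stands in for the unrelated debugging output the 5807 event text warns about.
SAMPLE_LOG = """\
01/16 15:50:07 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157
01/16 15:50:29 RALLENCORP: NO_CLIENT_SITE: SJC-BACKUP 44.25.26.142
01/16 16:19:58 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157
01/16 16:57:00 RALLENCORP: NO_CLIENT_SITE: JSMITH-W2K1 10.61.80.19
01/16 17:01:12 RALLENCORP: NO_CLIENT_SITE: HR-LAPTOP7 10.61.80.203
01/16 17:05:40 RALLENCORP: SamLogon: Network logon of RALLENCORP\\jsmith Entered
"""

# Constructed list of existing subnet RDNs (the cn of each subnet object,
# written as address/mask as Recipe 11.4 describes).
EXISTING_SUBNETS = ["10.5.3.0/24", "164.2.0.0/16"]

# Per the 5807 event text: first word after NO_CLIENT_SITE: is the client
# name, the second is the client IP address.
NO_CLIENT_SITE_RE = re.compile(
    r"NO_CLIENT_SITE:\s+(?P<client>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_no_client_site(log_text):
    """Return {client IP: set of client names} from the NO_CLIENT_SITE lines."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = NO_CLIENT_SITE_RE.search(line)
        if m:
            hits[m.group("ip")].add(m.group("client"))
    return dict(hits)


def matching_subnet(ip, subnet_cns):
    """Return the RDN of the most specific subnet object covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cn in subnet_cns:
        net = ipaddress.ip_network(cn, strict=False)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best.with_prefixlen if best is not None else None


def propose_missing_subnets(log_text, subnet_cns, prefixlen=24):
    """Group unmatched client IPs into candidate subnet RDNs of the given size."""
    proposals = defaultdict(set)
    for ip, clients in parse_no_client_site(log_text).items():
        if matching_subnet(ip, subnet_cns) is None:
            net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
            proposals[net.with_prefixlen].update(clients)
    return dict(proposals)


if __name__ == "__main__":
    for rdn, names in sorted(propose_missing_subnets(SAMPLE_LOG, EXISTING_SUBNETS).items()):
        print(f"cn={rdn}  clients: {', '.join(sorted(names))}")
```

Run it against the concatenated netlogon.log files from every domain controller; each proposed RDN is then a candidate for the create_subnet.ldf procedure in Recipe 11.4 once you have confirmed which site it belongs to.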
If you wanted to get creative and automate a solution to do this, you could write a script that goes out to each domain controller, opens the netlogon.log file and retrieves NO_CLIENT_SITE entries. You can then examine all of the IP addresses and create subnets in Active Directory that would contain them. You could associate all of those subnets with a default site or even use the Default-First-Site-Name site. Then once a week (or whenever), you could look at the sites