Server 2003 Event Viewer Netlogon 5807 alert doesn't register in netlogon.log
Event Viewer in Server 2003 registers a Warning, Netlogon ID 5807. The time frame of the above event isn't registered in netlogon.log. How do we track down the IPs that are trying to access AD and trigger the Netlogon ID 5807 alert? Thanks in advance.
January 17th, 2012 3:55pm

Hello,
You can stop the netlogon service on DCs and delete the netlogon.log file. See that: http://www.petri.co.il/forums/showthread.php?t=25727
Once done, inspect new logs.
More about this event ID: http://support.microsoft.com/kb/889031
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011 Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows 7, Configuring Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations Microsoft Certified IT Professional: Enterprise Administrator Microsoft Certified IT Professional: Server Administrator Microsoft Certified Trainer
January 17th, 2012 3:59pm

Follow this KB: http://support.microsoft.com/kb/889031
With reference from the above KB:
If you examine the Netlogon.log file on the Windows Server 2003-based domain controller, you may find text entries that are similar to the following in the Netlogon.log file:
07/22 10:02:32 netbios_Domain_Name: NO_CLIENT_SITE: Client_Name Client_IPaddress
07/22 10:02:32 netbios_Domain_Name: NO_CLIENT_SITE: Client_Name Client_IPaddress
07/22 10:03:07 netbios_Domain_Name: NO_CLIENT_SITE: Client_Name Client_IPaddress
Note: netbios_Domain_Name is the NetBIOS name of the domain. Client_Name is the name of the client computer. Client_IPaddress is the IP address of the client computer.
Gopi Kiran |Facebook| This posting is provided AS IS with no warranties, and confers no rights.
January 17th, 2012 3:59pm

The link was already provided :)
January 17th, 2012 4:15pm

The IP address of the client computer is not defined anywhere: neither in the Netlogon alert, nor in the netlogon.log. How can the IP and/or MAC address of the unknown client be determined? Is an intruder whose IP address doesn't map to any of the existing sites in the enterprise trying to access the Domain Controller? How can an IP on a different subnet be allowed to the DC's subnet? In Event Viewer, the NETLOGON Event ID 5807 is time stamped at 2:57:44. The netlogon.log registered events at 14:52:10 and 14:58:40, thus the NETLOGON Event ID from Event Viewer was not logged. Kindly advise.
January 17th, 2012 6:33pm

The names and IP addresses of the clients in question have been logged on this computer in the following log file: 'SystemRoot\debug\netlogon.log' and, potentially, in the log file: 'SystemRoot\debug\netlogon.bak' created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text 'NO_CLIENT_SITE:'. The first word after this string is the client name and the second word is the client IP address.
The maximum size of the log(s) is controlled by the following registry DWORD value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize'; the default is 20000000 bytes. The current maximum size is 20000000 bytes. To set a different maximum size, create the above registry value and set the desired maximum size in bytes.
--------
If you want to track everything on the DC: you can use an IDS/IPS, which tracks and keeps all the required information (IP address/MAC address). You can use SNORT on the system.
Gopi Kiran |Facebook| This posting is provided AS IS with no warranties, and confers no rights.
January 18th, 2012 1:48am
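
The filter described in the post above (search for 'NO_CLIENT_SITE:', then read the client name and the client IP address), as an added example that is not part of the original thread. The sample log, the host names, the addresses and the SITE_SUBNETS list are constructed, and tolerating a bracketed field before the domain name is an assumption about other log variants.

```python
import ipaddress
import re

# Constructed sample in the line format quoted from KB 889031 (all values made up).
SAMPLE_LOG = """\
07/22 10:02:32 CONTOSO: NO_CLIENT_SITE: WKS-0412 10.20.30.41
07/22 10:02:32 [MISC] CONTOSO: some unrelated debug line
07/22 10:03:07 CONTOSO: NO_CLIENT_SITE: WKS-0412 10.20.30.41
07/22 10:05:51 [1320] CONTOSO: NO_CLIENT_SITE: LAPTOP-77 192.168.50.9
07/22 10:06:02 CONTOSO: NO_CLIENT_SITE: SRV-APP1 10.1.4.200
"""

# Hypothetical list of subnets the admin believes are defined for AD sites.
SITE_SUBNETS = ["10.1.0.0/16", "172.16.8.0/24"]

# Timestamp, optional bracketed field (assumption), domain, client name, client IP.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d)\s+(?:\[[^\]]*\]\s+)?"
    r"(?P<domain>\S+): NO_CLIENT_SITE: (?P<client>\S+) (?P<ip>\S+)\s*$")

def parse_no_client_site(text):
    """Yield (timestamp, client, ip) for every well-formed NO_CLIENT_SITE line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # unrelated debugging information
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue                      # second word is not an IP address
        yield m["ts"], m["client"], ip

def summarize(text, site_subnets):
    """Group entries per client IP: names seen, hit count, first/last timestamp."""
    nets = [ipaddress.ip_network(s) for s in site_subnets]
    out = {}
    for ts, client, ip in parse_no_client_site(text):
        rec = out.setdefault(str(ip), {
            "clients": set(), "count": 0, "first": ts, "last": ts,
            # True means the supplied subnet list already covers this address,
            # so the list and the DC's view of sites disagree and need rechecking.
            "in_defined_subnet": any(ip in n for n in nets)})
        rec["clients"].add(client)
        rec["count"] += 1
        rec["last"] = ts                  # entries are read in file order
    return out

if __name__ == "__main__":
    for ip, rec in summarize(SAMPLE_LOG, SITE_SUBNETS).items():
        print(ip, sorted(rec["clients"]), rec["count"], rec["first"], rec["last"],
              "covered" if rec["in_defined_subnet"] else "NO MATCHING SUBNET")
```

To run it against real data, pass the contents of both netlogon.log and netlogon.bak to summarize(), since the older entries roll into the .bak file when the log fills.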

Why isn't the IP and subnet of the client that triggers the NETLOGON ID 5807 recorded in 'SystemRoot\debug\netlogon.log' ?
January 19th, 2012 11:08am

Hi,
By default the netlogon service logging is not enabled. We need to enable this by using the registry or the Nltest tool (support tools), but you can use the help Enable debug logging (MS Fix Me tool) to enable it.
For enabling debug logging for the Net Logon service, refer to the KB: http://support.microsoft.com/kb/109626 and please refer to the above post to change the maximum size of the log.
--------------
FYI
The utility used to query the Netlogon log file is nlparse.exe. It is a GUI tool that comes with the ALTools.exe file at http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
nlparse contains the most common Netlogon error codes and stores the output in two files – %windir%\debug\netlogon - folders: netlogon.log-out.scv and netlogon.log-summaryout.txt
Hope the above information helps.
Gopi Kiran |Facebook| This posting is provided AS IS with no warranties, and confers no rights.
January 20th, 2012 11:44am

Netlogon.log seems to be enabled; however, the NETLOGON 5807 incidents from Event Viewer don't register in the log. The Event Viewer's NETLOGON alert time stamp is not registered/not found in the netlogon.log. Thus we are not able to determine the IP of the client and its subnet mask, which is trying to access Active Directory. Any advice would be appreciated.
January 20th, 2012 5:29pm

This topic is archived. No further replies will be accepted.
