What does the error "This machine's subnet is not known by AD." actually mean?
4 weeks ago
I'm getting this error on only two machines out of ten. The machines are all based on a standard image, are all getting addresses from DHCP, and I can't see any difference in their network settings on the computers themselves.
On the machines that are failing, the only error in the trace is this:
ADSITE : Check that this machine's subnet is in a site known by AD : Failed
: This machine's subnet is not known by AD.
The problem is I don't know what that actually means, because the same AD and the same subnet are not an issue for other computers.
Obviously there must be something different, but I have no idea where to even start looking.
4 weeks ago - last edited 4 weeks ago
The message means that the information in the "Active Directory Sites and Services" is incomplete.
Some AD basics
AD leverages information about sites and subnets stored within it (via DNS SRV records) to tell clients what the "nearest provider" is for a service. One such service is authentication. If the subnet that the system exists on is not registered in AD, an authentication request for a system that is in California may be fulfilled by a domain controller in Singapore (highly inefficient if the link between the sites is expensive).
From a process perspective, this may also indicate poor communication between the Networking and Directory Services teams. Each time a new subnet is created by the networking teams, as part of the change control, it needs to be communicated to the directory services teams so they create the subnet and associate it with the appropriate site(s).
The more complete the information in AD, the faster and more efficient the authentication, MFA or privilege elevation operations will be. This is one of the checks done by adcheck.
Where to look?
- Determine the UNIX/Linux system's subnetID (e.g. 10.0.2.1/24).
- With this info, talk to your AD lead and see if this subnet exists and is associated with an AD site.
- Once this info is updated, wait for AD replication and re-run adcheck.
(If this is a small environment or lab, you can ignore the message and move on).
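The lookup the answer describes, as an added example that is not from the original thread or from adcheck itself: it normalises an interface address to the subnet ID AD expects (network/prefix, so 10.0.2.1/24 becomes 10.0.2.0/24) and then maps the address to a site by the most specific matching subnet object, which is how AD associates a client with a site. The AD_SUBNETS table and the site names are constructed stand-ins for what you would read from Active Directory Sites and Services.

```python
import ipaddress
from typing import Optional

# Constructed stand-in for the subnet objects under "Active Directory Sites
# and Services". In a real forest these are read from AD (the CN=Subnets
# container in the Configuration partition), not hard-coded.
AD_SUBNETS = {
    "10.0.0.0/16": "Headquarters",
    "10.0.3.0/24": "California-Branch",
    "192.168.10.0/24": "Singapore",
}


def local_subnet_id(ip: str, prefix_len: int) -> str:
    """Return the subnet ID (network/prefix) for an interface address.

    This is the value the answer asks you to determine before talking to
    the AD lead; AD stores subnet objects as network/prefix, so a host
    address like 10.0.2.1/24 must be normalised to 10.0.2.0/24 first."""
    iface = ipaddress.ip_interface(f"{ip}/{prefix_len}")
    return str(iface.network)


def site_for_address(ip: str, subnets=AD_SUBNETS) -> Optional[str]:
    """Map an address to an AD site the way AD does: choose the most
    specific (longest-prefix) subnet object that contains the address.
    None means no subnet object covers the address, which is the
    condition the ADSITE check reports as a failure."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def adsite_check(ip: str, prefix_len: int, subnets=AD_SUBNETS) -> str:
    """One-line verdict in the spirit of the ADSITE line in the adcheck trace."""
    subnet = local_subnet_id(ip, prefix_len)
    site = site_for_address(ip, subnets)
    if site is None:
        return f"Failed: subnet {subnet} is not known by AD"
    return f"Passed: subnet {subnet} maps to site {site}"


if __name__ == "__main__":
    # Two hosts covered by subnet objects, one that is not (constructed values).
    for host, plen in (("10.0.2.1", 24), ("10.0.3.7", 24), ("172.16.5.9", 24)):
        print(host, "->", adsite_check(host, plen))
```

Feed it the address and prefix length from the failing machine (for example from `ip -o -4 addr show`) and the subnet list exported by your AD lead; a host that maps to nothing here is the one whose subnet object is missing.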