Around the same time (but up to a 4-hour offset), you may receive Netlogon warning event 5807. This event indicates that many client IP addresses couldn't be mapped to the subnet definitions configured in Active Directory.
As noted in the event, you may also receive many NO_CLIENT_SITE: entries in the Netlogon log when Netlogon debug logging is configured.
- 0 - Domain controllers will never perform address lookups.
- 1 - This is the default behavior. Domain controllers will perform an exhaustive address lookup to discover additional client IP addresses.
- 2 - Domain controllers will perform a fast, DNS-only address lookup to discover additional client IP addresses.
If the domain controller cannot find a matching subnet for the client IP address, it performs its own name resolution of the client's NetBIOS name in the hope of finding a different IP address that does match a subnet.
Name resolution uses whatever mechanisms the domain controller has available: in addition to DNS, WINS and NetBIOS may be used, including broadcasts. Until the name resolution returns a response or times out, the related LDAP ping holds one of the threads of the limited Active Thread Queue (ATQ) pool. Many such LDAP pings over a longer period can keep the ATQ pool permanently exhausted. Because the same pool serves regular LDAP and Kerberos requests, the domain controller becomes almost unavailable to users.
The domain controllers stop responding to the following workloads when the worker thread pool is exhausted, because they all share the same ATQ worker thread pool:
- LDAP pings
- LDAP queries
You may also observe the following symptoms:
- Because the domain controller cannot perform its workloads in this situation, CPU usage is lower than usual (visible when baseline monitoring for comparison is in place).
- The NTDS\ATQ Threads LDAP counter in Perfmon is equal to NTDS\ATQ Threads Total.
- Domain controllers take about 2 seconds to service LDAP pings, as shown in NETLOGON.LOG when debug logging is enabled by using "nltest /dbflag:0x2080FFFF". The log also contains frequent entries that contain "NO_CLIENT_SITE".
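The following PowerShell is an added example, not part of this article or of any Microsoft tool: it summarizes NO_CLIENT_SITE entries from NETLOGON.LOG by /24 prefix so the unmapped client ranges can be identified, and compares the two NTDS ATQ counters named above. It assumes the NO_CLIENT_SITE line shape shown in the constructed sample lines and the Perfmon counter paths '\NTDS\ATQ Threads LDAP' and '\NTDS\ATQ Threads Total'.

```powershell
# Added example (not from the KB article): summarize NO_CLIENT_SITE entries from
# NETLOGON.LOG and check whether the ATQ pool is saturated.
# Assumptions: the NO_CLIENT_SITE line format below, and the Perfmon counter paths
# '\NTDS\ATQ Threads LDAP' and '\NTDS\ATQ Threads Total'.

# Constructed sample lines in the shape of NETLOGON.LOG output (not a real capture).
$SampleLog = @'
06/05 09:12:01 [MISC] CONTOSO: NO_CLIENT_SITE: WKS0412 10.55.7.21
06/05 09:12:01 [MISC] CONTOSO: NO_CLIENT_SITE: WKS0418 10.55.7.88
06/05 09:12:02 [MISC] CONTOSO: NO_CLIENT_SITE: LAB-PC3 172.31.200.9
06/05 09:12:02 [MISC] CONTOSO: NO_CLIENT_SITE: WKS0412 10.55.7.21
06/05 09:12:03 [MISC] Ping from WKS0500 10.10.1.5 (site Default-First-Site-Name)
'@ -split "`r?`n"

function Get-NoClientSiteSummary {
    param([string[]]$Line)
    $pattern = 'NO_CLIENT_SITE:\s+(?<Name>\S+)\s+(?<Ip>\d{1,3}(?:\.\d{1,3}){3})'
    $hits = foreach ($l in $Line) {
        if ($l -match $pattern) {
            # Group by /24 prefix, the unit in which subnets are usually defined in AD Sites and Services.
            $octets = $Matches.Ip.Split('.')
            [pscustomobject]@{
                Client = $Matches.Name
                Ip     = $Matches.Ip
                Prefix = ('{0}.{1}.{2}.0/24' -f $octets[0], $octets[1], $octets[2])
            }
        }
    }
    $hits | Group-Object Prefix | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Prefix        = $_.Name
            Pings         = $_.Count
            UniqueClients = ($_.Group.Client | Sort-Object -Unique).Count
            SampleIps     = ($_.Group.Ip | Sort-Object -Unique | Select-Object -First 3) -join ', '
        }
    }
}

function Test-AtqExhaustion {
    # Equal values mean every ATQ worker thread is busy with LDAP work, the symptom described above.
    $s = Get-Counter -Counter '\NTDS\ATQ Threads LDAP', '\NTDS\ATQ Threads Total'
    $ldap  = ($s.CounterSamples | Where-Object Path -like '*ATQ Threads LDAP').CookedValue
    $total = ($s.CounterSamples | Where-Object Path -like '*ATQ Threads Total').CookedValue
    [pscustomobject]@{ LdapThreads = $ldap; TotalThreads = $total; Exhausted = ($ldap -ge $total) }
}

# Parse a real log with: Get-NoClientSiteSummary (Get-Content "$env:windir\debug\netlogon.log")
Get-NoClientSiteSummary $SampleLog | Format-Table -AutoSize
# On a domain controller, run Test-AtqExhaustion to compare the two counters.
```

Run the summary against the real log on a domain controller that has debug logging enabled; the prefixes with the most pings are the first candidates for subnet definitions in AD Sites and Services. Test-AtqExhaustion only works on a domain controller, where the NTDS counter set exists.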
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
- Define subnets and site mappings for all client computers in your forest, and also for client computers in a trusting forest from which a high rate of interactive user logons into your forest is initiated.
- Extend the ATQ pool from the default MaxPoolThreads value of 4 per CPU core to a maximum of 10, as described in 315071 How to view and set LDAP policy in Active Directory by using Ntdsutil.exe.
- Optimize the domain controller's name resolution. If WINS is required, use P-node only, avoiding broadcasts, which have a higher response time-out. For more information, see Chapter 11 - NetBIOS over TCP/IP - Microsoft TechNet: Resources.
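To support the first workaround, the following PowerShell is an added example (not code from this article or from Microsoft) that takes a list of client IP addresses seen in NO_CLIENT_SITE entries and a list of subnets already defined in Active Directory, and reports the /24 prefixes that no existing subnet covers. Both lists are constructed sample data here; on a domain controller the second list would normally be taken from (Get-ADReplicationSubnet -Filter *).Name, and the first from the Netlogon log.

```powershell
# Added example (not from the KB article): find /24 prefixes of unmapped client IPs
# that no existing AD subnet covers, so they can be added in AD Sites and Services.
# Assumption: the caller supplies both lists; in production the subnet list comes
# from (Get-ADReplicationSubnet -Filter *).Name and the client list from NETLOGON.LOG.

function ConvertTo-UInt32Address {
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IpInCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $len = $Cidr.Split('/')
    # Build the netmask as an unsigned 32-bit value; /0 gives 0, /32 gives 4294967295.
    $mask = [uint32](4294967296 - [math]::Pow(2, 32 - [int]$len))
    ((ConvertTo-UInt32Address $Ip) -band $mask) -eq ((ConvertTo-UInt32Address $net) -band $mask)
}

function Get-UncoveredPrefix {
    param([string[]]$ClientIp, [string[]]$AdSubnet)
    # Test each client address against every defined subnet; keep the ones nothing covers,
    # then collapse them to /24 prefixes, the usual granularity for AD subnet objects.
    $ClientIp | Where-Object {
        $ip = $_
        -not ($AdSubnet | Where-Object { Test-IpInCidr -Ip $ip -Cidr $_ })
    } | ForEach-Object { $_ -replace '\.\d+$', '.0/24' } | Sort-Object -Unique
}

# Constructed sample data: unmapped client addresses and the subnets already defined in AD.
$UnmappedClients = '10.55.7.21', '10.55.7.88', '172.31.200.9', '10.10.1.5'
$DefinedSubnets  = '10.10.0.0/16', '192.168.0.0/16'
Get-UncoveredPrefix -ClientIp $UnmappedClients -AdSubnet $DefinedSubnets
```

Addresses that already fall inside a defined subnet (10.10.1.5 in the sample) are dropped, so the output is only the prefixes that still need a subnet object and a site assignment. Check the proposed /24 boundaries against your actual network design before creating them; a range that is really a /23 or /25 should be defined as such.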
Article ID: 2922852 - Last Review: 5 Jun 2014 - Revision: 1