This has been a very common pain point for Active Directory administrators. AD is perfectly planned according to Microsoft’s best practices and successfully deployed. But as time goes on, network admins change the network topology, devices are added here and there and if there is no formal process of adding new networks, AD Sites and Services will mostly likely not be updated to reflect these changes.
Cloud Environments
Where I’ve seen this problem popping up again and again is in Azure or other virtual environments. Why? This is due to the blurring of traditional job responsibilities between network engineer and systems engineer/administrators. Admins can now log into their management consoles and easily create new networks, assign VLANS and deploy a VM to them. Life is grand, what took a few minutes used to take hours or days.
If AD Sites and Subnets are not correctly defined, a device will attempt to authenticate with a domain controller, randomly somewhere on your network. If the DC see’s a request from a device and it cannot locate it’s subnet, it reports this into a simple text file, C:\Windows\Debug\netlogon.log. Viewing this text file can be tedious to go through and has to be done on each domain controller.
Solution
The following PowerShell code is quite straight forward but was built to run from a single server and remotely connect to each DC. It will remotely connect to a given DC and show any missing IPs from that file.
The basic idea is to
1. Remotely read the C:\Windows\Debug\Netlogon.log text file into a variable
2. Read from the bottom of the file contents until we hit $FromDate (which is 30 days in the example)
3. Build an array of a simple PowerShell object
4. Once you have the results, you can then display it to the screen, Out-File it to a file server for central reporting, or even email it to yourself
The downside to the log file is that it displays the raw IP. This is because the AD server does not know the network topology and subnet mask of the devices failing to find their proper DC. This holds true for the PowerShell code below. It will display all IPs that have attempted, but you will still have to make the final decision on what type of network and netmask you assign in Active Directory Sites and Services.
Things to thing about
After running this script you’ll hopefully find and fix everything. Perhaps you may want to thinking about creating a script, run it as a scheduled task and centralize the results for further auditing.
# Search Back 30 days on DemoDC01 $DomainController = "DemoDC01" $FromDate = (Get-Date).AddDays(-30) $Content = Get-Content "\\$DomainController\c$\Windows\Debug\netlogon.log" # Run through the netlogon.log (in reverse order, think about speed/performance) while the dates are greater than $FromDate $MissingEntry = @{} For ($counter = $Content.Count; $counter -ge 0; $counter--) { If ($Content[$counter] -match "(\d\d)/(\d\d) (\d\d):(\d\d):(\d\d)") { $EntryDate = Get-Date -Month $matches[1] -Day $matches[2] -Hour $Matches[3] -Minute $Matches[4] -Second $Matches[5] if ($EntryDate -lt $FromDate) { break } # Within the timeframe, let's save the IP and Date attempted in a hashtable. Only keep the first hit, which is the latest failed site attempt $ip = $Content[$counter] -Replace ".* (.*)$", '$1' If ($MissingEntry[$ip] -eq $null) { $MissingEntry[$ip]= $EntryDate } } } # Sort the missing IPs $MissingEntry = $MissingEntry.GetEnumerator() | Sort-Object -Property Name # Output the missing IPs and failed date attempt $MissingEntry | Select-Object @{name="DC"; expression={$DomainController}}, @{name="IP"; expression={$_.Name}}, @{name="Last Failed Site Attempt"; expression={$_.Value}}
Here are the results from $MissingEntry
DC IP Last Failed Site Attempt -- -- ------------------------ DemoDC01 192.168.100.11 10/26 21:35:08 DemoDC01 192.168.31.100 10/26 22:01:35 DemoDC01 192.168.31.110 10/26 21:53:16 DemoDC01 172.16.2.100 10/26 17:07:02 DemoDC01 172.16.2.101 10/26 22:05:55 DemoDC01 172.16.2.103 10/26 21:49:23 DemoDC01 172.16.2.104 10/26 21:38:14 DemoDC01 172.16.2.11 10/26 22:00:28 DemoDC01 172.16.2.12 10/26 21:55:08 DemoDC01 172.16.2.13 10/26 21:39:09 DemoDC01 172.16.2.14 10/26 22:01:40 DemoDC01 172.16.2.15 10/26 21:46:33 DemoDC01 172.16.2.16 10/26 22:03:43 DemoDC01 172.16.2.17 10/26 22:02:22 DemoDC01 172.16.2.18 10/26 21:34:52 DemoDC01 172.16.2.19 10/26 21:53:05 DemoDC01 172.16.2.20 10/26 14:10:05 DemoDC01 172.16.2.21 10/26 22:06:03 DemoDC01 172.16.2.22 10/26 22:06:25 DemoDC01 172.16.2.23 10/26 21:53:03 DemoDC01 172.16.2.24 10/26 16:32:10 DemoDC01 172.16.2.25 10/26 21:59:13 DemoDC01 172.16.4.10 10/26 22:04:26 DemoDC01 172.18.244.58 11/02 18:23:53 DemoDC01 172.18.65.232 11/02 18:23:55
Works great – Thanks!
You are the man. Thanks bro!