Solved

AD and DNS Logging

Posted on 2011-02-28
Last Modified: 2012-05-11
How do I find out what IP addresses are authenticating to a Windows Server 2003 Domain Controller? I am retiring a Domain and need to verify how many machines are still actively logging into this Domain so that these users can be contacted prior to retiring. I turned on DNS Log Queries but this does not give me much.

Thanks!
Question by:Darrell Kirby
6 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 35002198
There are different logging levels you can look at (http://support.microsoft.com/kb/314980) or the security event logs.

....but really you don't need to; users don't need to do anything. You updated their DNS server IPs (if those change) but the client (XP, 7, etc.) is smart enough to pick another DC for authentication.

Thanks

Mike
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 35002262
Another suggestion would be to check Active Directory Sites and Services and see if there are any defined sites and subnets in AD.  Even then, that is a suggested server, not a "mandated only" server.  Mike is correct in that it should just be safe to remove.

DrUltima
0
 
LVL 11

Expert Comment

by:Renato Montenegro Rustice
ID: 35002916
Try raising the net logon logging:

Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

I usually use this to find out what IP addresses with no AD sites are logging on to a domain controller (no modification to logging level is needed). Maybe you can do it by raising the logging.

I'm wondering something. Maybe you can create an additional AD site. Then, do not associate any subnets to it. Move your domain controller to this new site. The log may start to show you what IP addresses are logging on to your server.

Other clear choices would be to use TCPView, Netmon or Wireshark.
0

 
LVL 7

Expert Comment

by:elawad
ID: 35004754
Does the forward lookup zone of the retired domain still exist, or did you also delete it? If it still exists, the computers that are still joined to that domain will register themselves in the zone, and that is how you can check who is still on that domain. If you deleted it, just recreate it and you should be fine.
0
 
LVL 3

Expert Comment

by:InterframeGap
ID: 35008314
I would look at using WMI or ADSI.

There are many scripts at the Scripting Center which may help you; here are the DHCP-specific scripts:
http://gallery.technet.microsoft.com/scriptcenter/site/search?f%5B0%5D.Type=SearchText&f%5B0%5D.Value=dhcp&x=0&y=0

Read the information well, understand the script's intentions, and make sure that you are comfortable using the script in its current form. If you have questions, the forum there is very good and well respected.

DMT
0
 
LVL 11

Accepted Solution

by:
Renato Montenegro Rustice earned 250 total points
ID: 35009857
I did the test. It seems to work just fine. Here is the step by step:

1) Raise the netlogon debug level in the domain controller:

nltest /dbflag:0x2080ffff

2) Restart the netlogon service in order for the flag to take effect:

net stop netlogon && net start netlogon

3) Leave the flag for a period of time collecting the data. When you think it's enough, just turn it off and restart the netlogon:

nltest /dbflag:0x0
net stop netlogon && net start netlogon

----------------------

Ok, you can inspect the netlogon file while the logging is running or after some hours. You pick.

To summarize the results, run a findstr to collect only the authentication:

findstr /l /c:"NetrServerAuthenticate returns Success" C:\Windows\Debug\netlogon.log > auths.txt

You can now open this txt in Excel and filter the data (extract the computer names, eliminate the duplicates, etc).

See if that works for you.
0
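The Excel step described in the accepted solution (extract the computer names, eliminate the duplicates), as an added Python example that is not part of the original answer. The sample lines are constructed, and the "<computer> on account <account>" layout after the matched phrase is an assumption about the log format.

```python
import re

# Constructed sample lines. The "<computer> on account <account>" layout after
# the phrase the page greps for is an assumption about netlogon.log.
SAMPLE = """\
02/28 09:14:02 [SESSION] OLDDOM: NetrServerAuthenticate returns Success: WKS-014 on account WKS-014$ (Negot: 600fffff)
02/28 09:15:40 [SESSION] OLDDOM: NetrServerAuthenticate returns Success: wks-014 on account WKS-014$ (Negot: 600fffff)
02/28 09:20:11 [SESSION] OLDDOM: NetrServerAuthenticate entered: LAB-PC7 on account LAB-PC7$ (Negot: 600fffff)
02/28 09:20:11 [SESSION] OLDDOM: NetrServerAuthenticate returns Success: LAB-PC7 on account LAB-PC7$ (Negot: 600fffff)
02/28 09:31:55 [MISC] Constructed unrelated line that returns Success
03/01 07:02:19 [SESSION] OLDDOM: NetrServerAuthenticate returns Success: FILESRV2 on account FILESRV2$ (Negot: 600fffff)
"""

# Require the full phrase, so a line that merely contains "returns Success"
# (the [MISC] sample line) is ignored.
AUTH_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d)\s.*?"
    r"NetrServerAuthenticate\d* returns Success:\s*"
    r"(?P<host>\S+) on account (?P<acct>\S+)"
)


def summarize(lines):
    """Map each computer name to its account, auth count, first and last seen."""
    seen = {}  # dicts keep insertion order, so output is in first-seen order
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        host = m.group("host").upper()  # NetBIOS names are case-insensitive
        e = seen.setdefault(host, {"account": m.group("acct"), "count": 0,
                                   "first": m.group("ts")})
        e["count"] += 1
        # The log has no year and is append-only: trust file order, not sorting.
        e["last"] = m.group("ts")
    return seen


def to_csv(summary):
    """Render the summary as CSV text that Excel opens directly."""
    rows = ["computer,account,auth_count,first_seen,last_seen"]
    for host, e in summary.items():
        rows.append(f'{host},{e["account"]},{e["count"]},{e["first"]},{e["last"]}')
    return "\n".join(rows)


if __name__ == "__main__":
    # For real data: summarize(open("auths.txt", errors="replace"))
    print(to_csv(summarize(SAMPLE.splitlines())))
```

The result lists computer names rather than IP addresses, so each name still has to be resolved or matched against DHCP leases to reach the machine's owner.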
