How to identify missing subnets in Active Directory using Orchestrator

Introduction

DC Locator is an algorithm that runs in the context of the Netlogon service and locates the closest Domain Controllers. By relying on this algorithm, applications and systems avoid slowness when interacting with AD, which is why it is important for AD administrators and companies to keep it working properly.

AD clients rely on DNS queries to find Domain Controllers in their AD site. These lookups are based on the configuration of AD Sites and Subnets. If AD Subnets are missing, applications and systems that use the DC Locator algorithm cannot properly locate the closest Domain Controllers, and this may result in slowness.

This Wiki article shows how to identify missing Subnets in AD using Orchestrator.

How to use Orchestrator to identify missing Subnets in AD

When a client is not able to locate the closest Domain Controllers because of missing subnets in AD, this information is logged in the netlogon.log file.

The logged information includes the following:

  1. The date and time when the event was logged
  2. The name of the computer that was not able to locate the closest Domain Controllers
  3. The IP address of the computer

With the IP address of the computer, an AD administrator or a Network Engineer should be able to identify the missing subnet(s).

To collect these events, an administrator would have to extract the content of netlogon.log from every Domain Controller in the AD domain and analyze it. This task can be simplified and automated by using Orchestrator.

To use Orchestrator to identify missing Subnets in AD, all you need are:

  • Orchestrator Runbooks to identify clients that are not linked to an AD site
  • Orchestrator Runbook to send mail notifications about clients that are not linked to an AD site

Configuration of Orchestrator

Identifying clients that are not linked to an AD site

You will need to have two Runbooks to identify clients that are not linked to an AD site:

  • A Runbook to provide the list of Domain Controllers within the AD domain and invoke the second Runbook
  • A Runbook to extract the content of netlogon.log on a Domain Controller and analyze it in order to identify clients that are not linked to an AD site. The results will be stored in the netlogon_temp.txt file

Let’s start with the second Runbook. You will need to use five (5) activities:

  • Initialize Data: It will allow the Runbook to take the DC name as input

  • Copy File: It will take a local copy of netlogon.log from a Domain Controller to analyze it (The default path of netlogon.log on a Domain Controller is \\<DCNAME>\c$\Windows\debug\netlogon.log)

  • Format Date/Time: It will get the current Date and time, convert the format to M/d h:mm:ss (This is the Date and time format used in the netlogon.log file) and adjust the Date to be minus one (1) Day (This will be used for comparison in order to extract the events dating from the last day)

Remark: You can get the current date and time by using an Orchestrator variable where you set NOW() as value.

  • Read Text Log: It will analyze the local copy of the netlogon.log file in order to get the events that were logged from the last day onward. The comparison is done between the event date and time and the variable created in the previous activity

  • Append Line: It will append the identified information about clients with no AD site to the netlogon_temp.txt file. The text to append uses the following format: <DCNAME> <EVENT_MESSAGE> (This format allows identifying the Domain Controller on which the event was logged when reading the netlogon_temp.txt file)

The link between the Read Text Log and Append Line activities needs to be set with the following include condition: Message of matching line from Read Text Log Contains NO_CLIENT_SITE. This filters the events in the netlogon.log file so that only the ones related to clients with no AD site are kept.
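The filtering and reporting steps of the second Runbook (keep only last-day lines containing NO_CLIENT_SITE, write them as <DCNAME> <EVENT_MESSAGE>) as a stand-alone added example in Python; this is not code from the article or from Orchestrator. The sample log lines are constructed and the line layout of netlogon.log is assumed; the example also goes one step beyond the article by grouping the reported client IP addresses into candidate /24 networks, which is only a starting point for the subnet to add.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Assumed netlogon.log layout (no year in the timestamp):
# "MM/DD HH:MM:SS [MISC] [PID] DOMAIN: NO_CLIENT_SITE: <client> <ip>"
NO_SITE_RE = re.compile(
    r"^(?P<mon>\d{1,2})/(?P<day>\d{1,2}) (?P<hh>\d{1,2}):(?P<mm>\d{2}):(?P<ss>\d{2}) "
    r".*NO_CLIENT_SITE: (?P<client>\S+) (?P<ip>\S+)"
)

# Constructed sample: one event older than a day, one unrelated line, three recent events.
SAMPLE_LOG = """\
03/14 08:02:11 [MISC] [1204] CONTOSO: NO_CLIENT_SITE: WKS-OLD 10.50.1.20
03/15 09:30:45 [MISC] [1204] CONTOSO: NO_CLIENT_SITE: WKS-0101 10.50.7.15
03/15 09:31:02 [MISC] [1204] CONTOSO: DsGetDcName function called: client PID=1204
03/15 11:12:59 [MISC] [1204] CONTOSO: NO_CLIENT_SITE: WKS-0102 10.50.7.31
03/15 12:00:00 [MISC] [1204] CONTOSO: NO_CLIENT_SITE: LAPTOP-7 10.60.2.5
"""
NOW = datetime(2024, 3, 15, 14, 0, 0)  # constructed "current" time (the NOW() variable)


def parse_event_time(m, now):
    """Rebuild a datetime from the year-less timestamp. A timestamp later than
    'now' can only come from the previous year (log written before a year rollover)."""
    ts = datetime(now.year, int(m["mon"]), int(m["day"]),
                  int(m["hh"]), int(m["mm"]), int(m["ss"]))
    return ts.replace(year=now.year - 1) if ts > now else ts


def find_no_site_clients(dc_name, log_text, now, window=timedelta(days=1)):
    """Return '<DCNAME> <EVENT_MESSAGE>' lines for NO_CLIENT_SITE events inside the
    window, i.e. what the Read Text Log -> Append Line step writes to netlogon_temp.txt."""
    since = now - window
    report = []
    for line in log_text.splitlines():
        m = NO_SITE_RE.match(line)
        if m and parse_event_time(m, now) >= since:
            report.append(f"{dc_name} {line.strip()}")
    return report


def candidate_subnets(report_lines, prefix=24):
    """Group the reported client IPs into /prefix networks (IPv4 assumed) so the
    administrator sees which address ranges have no matching AD subnet."""
    nets = {}
    for rl in report_lines:
        m = NO_SITE_RE.match(rl.split(" ", 1)[1])  # drop the leading <DCNAME>
        net = ipaddress.ip_network(f"{m['ip']}/{prefix}", strict=False)
        nets.setdefault(str(net), set()).add(m["client"])
    return nets


if __name__ == "__main__":
    lines = find_no_site_clients("DC01", SAMPLE_LOG, NOW)
    print("\n".join(lines))
    print(candidate_subnets(lines))
```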

Below is a screen capture of all the activities included in the second Runbook:

Once you have created the second Runbook, you can proceed with the creation of the first one. You will need to use four (4) activities:

  • Monitor Date/Time: It will allow you to specify the time at which the Runbook needs to start running

  • Check Schedule: It allows you to specify the days and hours during which the Runbook can start running (By combining the settings in this activity with the ones from the previous activity, you can precisely define the dates and times at which your Runbook can start running)

  • Invoke Runbook: It will allow you to run the second Runbook and to provide the host name of every Domain Controller in the Domain as input

Below is a screen capture of all the activities included in the first Runbook:

Sending mail notifications about clients that are not linked to an AD site

You will need to have one Runbook that sends a mail notification when the previous Runbooks have identified clients that are not linked to an AD site. The condition for sending the mail notification is that netlogon_temp.txt was created (This text file is created only when Orchestrator identifies clients that are not linked to an AD site).

The Runbook to create will have five (5) activities:

  • Monitor Date/Time: It will allow you to specify the time at which the Runbook needs to start running

  • Check Schedule: It allows you to specify the days and hours during which the Runbook can start running (By combining the settings in this activity with the ones from the previous activity, you can precisely define the dates and times at which your Runbook can start running)

  • Get File Status: It will check whether netlogon_temp.txt exists or not

  • Move File: It will move netlogon_temp.txt to a new location (If it exists) before sending it by e-mail

  • Send Email: It sends the mail notification with netlogon_temp.txt as an attachment. The mail notification needs to be configured to send the mail to the AD administrators and/or Network Engineers

Below is a screen capture of all the activities included in the mail notification Runbook:

Below is a screen capture with an example of mail notification and attachment content sent by Orchestrator to report missing AD subnets:

Conclusion

This Wiki article shares a way to identify missing subnets in Active Directory by identifying clients with no AD site and sending this information via e-mail. The Runbooks can be scheduled to run on a daily basis so that new findings are reported and corrected quickly.