Missing Subnets

Use the Netlogon.log file and Log Analytics to be alerted to clients that do not have a subnet for

Active Directory uses Sites and Services to direct users to their nearest resources, particularly domain controllers. It does this with a list of sites, a list of subnets, and the associations between them. When a client connects from a subnet that is not associated with any site, the event is logged in the Netlogon.log file found under C:\Windows\Debug. It is recommended to check this log file periodically for any missing subnets so that you can add them.

But … Why should I check this file every however long? Wouldn’t it be better if you could get something to tell you when something is amiss? Well, fear not, it can!

In previous posts I have discussed setting up Log Analytics (formerly known as Operations Management Suite). One of the features of Log Analytics is the ability to import custom logs, including plain text files, so I have configured my Log Analytics workspace to do exactly that. This is done through the Azure portal: go to the workspace, click Advanced settings, then select Data and then Custom Logs. You upload a sample log (copy one from your domain controller), set the record delimiter to new line (\n), tell it the path (C:\Windows\debug\netlogon.log) and then give it a friendly name (NetLogon_CL).

Once Log Analytics has imported the logs, you can use the following query to find the entries:

NetLogon_CL
| where RawData contains "NO_CLIENT_SITE"
| project Computer, domain=trim(@":", substring(extract("\\b(\\]\\s)(.*?)(\\:)", 0, RawData), 2, 50)), ip_address=extract("\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b", 0, RawData)
| where domain !contains "DnsZones"
| distinct domain, ip_address
| order by domain desc

This query finds anything flagged as "NO_CLIENT_SITE", which is the message Netlogon writes for a client with no matching subnet. In my environment I have multiple domains reporting in to a single Log Analytics instance, so I used some RegEx and trimming to extract the name of the domain, then removed some DNS zone entries (domains containing "DnsZones") that I found in the results. Finally it displays a list of unique domains and IP addresses that do not have a site associated with them.
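As an added example that is not part of the original post, here is a Python equivalent of the query that can be run offline against lines copied from netlogon.log, plus a check that drops entries whose subnet has since been added to Sites and Services. The sample lines are constructed; their layout (`[pid] DOMAIN: NO_CLIENT_SITE: client ip`) is assumed from what the query's regex expects.

```python
import ipaddress
import re

# Constructed sample lines in the shape the KQL regex expects:
# "<date> <time> [<pid>] <DOMAIN>: NO_CLIENT_SITE: <client> <ip>"
SAMPLE_LOG = """\
03/04 09:12:01 [4212] CONTOSO: NO_CLIENT_SITE: LAPTOP17 10.42.7.15
03/04 09:12:05 [4212] CONTOSO: NO_CLIENT_SITE: LAPTOP17 10.42.7.15
03/04 09:13:44 [4212] CORP: NO_CLIENT_SITE: PC-0031 192.168.201.9
03/04 09:14:10 [4212] ForestDnsZones: NO_CLIENT_SITE: SRV02 10.0.3.4
03/04 09:15:00 [4212] CONTOSO: DsGetDcName function called: client PID=1234
03/04 09:16:22 [4212] CORP: NO_CLIENT_SITE: PC-0042 192.168.201.77
"""

# Same idea as the KQL extract(): after "] " take everything up to the first ":".
DOMAIN_RE = re.compile(r"\]\s(.*?):")
IP_RE = re.compile(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")


def missing_site_clients(log_text):
    """Unique (domain, ip) pairs from NO_CLIENT_SITE lines, domain descending."""
    found = set()
    for line in log_text.splitlines():
        if "NO_CLIENT_SITE" not in line:
            continue
        dom = DOMAIN_RE.search(line)
        ip = IP_RE.search(line)
        if not dom or not ip:
            continue  # unexpected layout: skip rather than mis-attribute
        domain = dom.group(1).strip()
        if "dnszones" in domain.lower():  # KQL !contains is case-insensitive
            continue
        found.add((domain, ip.group(0)))
    # distinct + order by domain desc (ties broken by ip ascending)
    return sorted(sorted(found), key=lambda t: t[0], reverse=True)


def still_unmapped(pairs, known_subnets):
    """Drop pairs whose IP now falls inside a subnet already assigned to a site.

    Useful after the initial historical import: pass the subnets you have added
    and only the entries that still need a subnet remain.
    """
    nets = [ipaddress.ip_network(s) for s in known_subnets]
    return [(d, ip) for d, ip in pairs
            if not any(ipaddress.ip_address(ip) in n for n in nets)]


if __name__ == "__main__":
    pairs = missing_site_clients(SAMPLE_LOG)
    for domain, ip in still_unmapped(pairs, ["192.168.201.0/24"]):
        print(f"{domain}\t{ip}")
```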

The first time Log Analytics runs it will import the entire history of the file, so you will probably want to let things calm down before you configure alerts. You can either run the above query on a regular basis yourself or set up an alert; Log Analytics lets you schedule the alert to run once a day.

At least now, if the network team doesn't notify you of a subnet change or addition, Log Analytics will, and you can create the subnet and assign it to the correct site.
