How to Find Missing Subnets for Active Directory?

If your Active Directory environment is large and distributed with numerous network blocks, it is essential to add these network blocks as subnets in Active Directory Sites and Services.

Failing to add these subnets can result in several disadvantages.

Disadvantages of Missing Subnet Definitions in Active Directory Environments

In an Active Directory (AD) environment, missing or incomplete subnet definitions can lead to various issues and inefficiencies. Especially in large and complex networks, correctly defining subnets is critical for AD to function properly. Below are the key disadvantages:

1. Site and Replication Issues

  • In AD, sites are used to optimize network traffic. Subnet definitions associate specific subnets with sites to direct traffic efficiently.
  • If subnets are missing, clients and servers might be associated with incorrect sites, leading to unnecessary WAN traffic and replication delays.

2. Delayed Authentication and Group Policy Application

  • Missing or incorrect subnet definitions may prevent clients from locating the nearest Domain Controller (DC). As a result, clients may attempt to authenticate with a DC in a remote location.
  • This can lead to longer login times and delayed Group Policy Object (GPO) applications.

3. Performance Degradation and Bandwidth Overuse

  • Without accurate subnet definitions, clients and servers may connect to DCs in distant sites, which can impact performance, especially in environments with slow WAN links.
  • Replication traffic between incorrectly associated sites may also increase WAN bandwidth usage unnecessarily.

4. Incorrect Site-Link Utilization

  • Sites and subnets are interconnected using site links. Missing subnet definitions can result in clients using inappropriate site links to access DCs or other AD services.
  • This can cause replication delays and incorrect DC selection.

5. DNS Resolution Issues

  • DNS is vital for authentication and replication processes in an AD environment. Missing subnet definitions may cause clients to use inappropriate DNS servers, resulting in delayed or failed DNS queries.
  • This can lead to slow AD services or failures in certain processes.

6. Complications in Log Analysis and Network Management

  • Missing subnet definitions complicate log analysis and network management; for instance, it becomes hard to tell which site a given IP range belongs to.
  • Troubleshooting network-related issues becomes more complex and time-consuming.

Result

Properly defining subnets in an Active Directory environment is crucial for authentication, replication, and traffic management. Missing subnet definitions, particularly in large and distributed networks, can lead to performance bottlenecks and operational challenges. To avoid these problems, it is essential to define and regularly update subnet configurations for each location.

To avoid these disadvantages, use the Netlogon.log file to identify missing subnets. It is not necessary to enable Netlogon debug logging to obtain this information: NO_CLIENT_SITE entries are written to the Netlogon log by default.

While spotting NO_CLIENT_SITE entries in the Netlogon log is straightforward in an environment with a single Domain Controller, it becomes time-consuming with multiple Domain Controllers, because each DC's Netlogon log would have to be searched individually.

For large and distributed environments, the following PowerShell script gathers the missing-subnet information:

The script retrieves all Domain Controllers in the environment and categorizes them as accessible or inaccessible.
For accessible Domain Controllers, it accesses the Windows\debug directory, extracts the No_Client_Site entries from the Netlogon.log file, deduplicates the data, and exports the results.

<#
This script analyzes missing subnets in an Active Directory environment.
It uses the Get-ADDomainController cmdlet to retrieve all Domain Controller servers in the environment.
The output is divided into two categories based on their accessibility.
For accessible Domain Controllers, the script examines the lines from the netlogon.log file within the last day.
Only unique entries are included in the output.
If you want to analyze the netlogon.log file for the last 5 days instead, change the line that sets $yesterday to:
$yesterday = (Get-Date).AddDays(-5)
#>

# Active Directory Missing Subnet Analysis
# Output files
$outputPathAccessible = "C:\script\MissingSubnet\Output\Accessible_DCs.txt"
$outputPathInaccessible = "C:\script\MissingSubnet\Output\Inaccessible_DCs.txt"
$outputPathNoClientSite = "C:\script\MissingSubnet\Output\Missing_Subnet.txt"
# Clear or create the output files (-Force also creates the Output folder if it is missing)
foreach ($path in $outputPathAccessible, $outputPathInaccessible, $outputPathNoClientSite) {
    if (Test-Path $path) { Clear-Content -Path $path } else { New-Item -Path $path -ItemType File -Force | Out-Null }
}
# Add header rows
Add-Content -Path $outputPathAccessible -Value "Accessible Domain Controllers"
Add-Content -Path $outputPathInaccessible -Value "Inaccessible Domain Controllers"
Add-Content -Path $outputPathNoClientSite -Value '"Domain Controller" | "Computer Name" | "IP Address"'
# Get all Domain Controllers
$servers = (Get-ADDomainController -Filter *).Hostname
$uniqueEntries = @()  # Temporary list to store unique entries
$yesterday = (Get-Date).AddDays(-1)  # Only entries newer than this are reported
$culture = [System.Globalization.CultureInfo]::InvariantCulture
# Check if each Domain Controller is accessible
foreach ($server in $servers) {
    $logPath = "\\$server\c$\Windows\debug\netlogon.log"
    # Check if the server is reachable by ping
    if (Test-Connection -ComputerName $server -Count 1 -Quiet) {
        # Write reachable servers to the file
        Add-Content -Path $outputPathAccessible -Value $server
        # Perform Netlogon processing
        if (Test-Path $logPath) {
            $lines = Get-Content -Path $logPath
            # Check each line in the log file
            foreach ($line in $lines) {
                # Only lines that start with a "MM/dd HH:mm:ss" timestamp can be compared with the last 1 day
                if ($line -match "^(\d{2}/\d{2} \d{2}:\d{2}:\d{2})") {
                    # netlogon.log timestamps carry no year, so the current year is assumed
                    $entryDate = [datetime]::MinValue
                    if (-not [datetime]::TryParseExact($Matches[1], "MM/dd HH:mm:ss", $culture, [System.Globalization.DateTimeStyles]::None, [ref]$entryDate)) { continue }
                    # A timestamp that appears to be in the future was written last year (year rollover)
                    if ($entryDate -gt (Get-Date)) { $entryDate = $entryDate.AddYears(-1) }
                    # Process only if the entry is within the last 1 day and reports a client without a site
                    if ($entryDate -ge $yesterday -and $line -match "NO_CLIENT_SITE:\s+(\S+)\s+(\S+)") {
                        # Extract client name and IP address (the two tokens after "NO_CLIENT_SITE:")
                        $client = $Matches[1]
                        $ip = $Matches[2]
                        # Create the entry format
                        $entry = "$server | $client | $ip"
                        # Add to unique list (ignore duplicates)
                        if ($uniqueEntries -notcontains $entry) {
                            $uniqueEntries += $entry
                        }
                    }
                }
            }
        } else {
            Write-Host "Log file not found: $logPath"
        }
    } else {
        # Write unreachable servers to the file
        Add-Content -Path $outputPathInaccessible -Value $server
        Write-Host "$server is not reachable."
    }
}
# Write unique entries to the Missing_Subnet.txt output file
$uniqueEntries | ForEach-Object { Add-Content -Value $_ -Path $outputPathNoClientSite }
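As an added example (not part of the original post), the following PowerShell takes NO_CLIENT_SITE lines in the layout the script above parses, checks each client IP against the subnets already defined in AD with real CIDR arithmetic (a hit means the log entry is stale rather than a missing subnet), and writes the genuinely missing /24 blocks as Name, Site, Description rows that New-ADReplicationSubnet can consume. The log lines, the existing-subnet list and the site name Branch-Site are constructed placeholders; on a live domain replace the list with (Get-ADReplicationSubnet -Filter *).Name.

```powershell
# Constructed sample netlogon.log lines (same layout the missing-subnet script parses)
$sampleLines = @(
    '01/20 11:15:26 [MISC] [1234] CONTOSO: NO_CLIENT_SITE: WKS01 10.10.10.5',
    '01/20 11:16:02 [MISC] [1234] CONTOSO: NO_CLIENT_SITE: WKS02 10.10.10.77',
    '01/20 11:20:41 [MISC] [1234] CONTOSO: NO_CLIENT_SITE: LAPTOP7 192.168.50.12',
    '01/20 11:21:09 [MISC] [1234] CONTOSO: NO_CLIENT_SITE: WKS03 10.20.0.9'
)
# Constructed stand-in for (Get-ADReplicationSubnet -Filter *).Name
$existingSubnets = @('10.20.0.0/16', '172.16.0.0/12')

function ConvertTo-UInt32Address {
    # Dotted-quad IPv4 -> unsigned 32-bit integer in network byte order
    param([string]$IPv4)
    $bytes = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    [array]::Reverse($bytes)   # BitConverter reads little-endian on x86/x64
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InSubnet {
    # True when $IPv4 lies inside the CIDR block $Cidr, e.g. 10.20.0.9 in 10.20.0.0/16
    param([string]$IPv4, [string]$Cidr)
    $network, $prefix = $Cidr.Split('/')
    $mask   = ([int64]4294967295 -shl (32 - [int]$prefix)) -band 4294967295
    $ipInt  = ConvertTo-UInt32Address $IPv4
    $netInt = ConvertTo-UInt32Address $network
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

$report = foreach ($line in $sampleLines) {
    if ($line -notmatch 'NO_CLIENT_SITE:\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})') { continue }
    $client, $ip = $Matches[1], $Matches[2]
    # First existing subnet that already contains the IP; if there is one, the log entry is stale
    $covered = $existingSubnets | Where-Object { Test-IPv4InSubnet -IPv4 $ip -Cidr $_ } | Select-Object -First 1
    # Otherwise propose the client's /24 as the block to define (adjust to your real addressing plan)
    $candidate = if ($covered) { $null } else { ($ip -replace '\.\d+$', '.0') + '/24' }
    [pscustomobject]@{ Client = $client; IPAddress = $ip; CoveredBy = $covered; CandidateSubnet = $candidate }
}
$report | Format-Table -AutoSize

# CSV rows for the subnets that really are missing; "Branch-Site" is a placeholder site name
$report | Where-Object CandidateSubnet |
    Select-Object @{ n = 'Name'; e = { $_.CandidateSubnet } },
                  @{ n = 'Site'; e = { 'Branch-Site' } },
                  @{ n = 'Description'; e = { "Seen in netlogon.log from $($_.Client)" } } |
    Sort-Object Name -Unique |
    Export-Csv -Path .\ProposedSubnets.csv -NoTypeInformation
```

With the sample data, 10.20.0.9 is reported as already covered by 10.20.0.0/16, while 10.10.10.0/24 and 192.168.50.0/24 end up in ProposedSubnets.csv.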

 

Simple, easy, useful.

Have a nice day!

How to Add Multiple Subnets to Active Directory Sites and Services

Your infrastructure may have multiple locations and, depending on those locations, many network subnets. In some cases you may use multiple subnets to separate services even within a single data centre.

If you are using Active Directory as the directory service in your infrastructure, you need to add these subnets under ‘Subnets’ in "Active Directory Sites and Services" and associate each one with the right ‘Site’.

The simplest way to add subnets is with a few right clicks in the "Active Directory Sites and Services" console, and this is the method most people use.

The same task can be done in PowerShell. Although people who prefer not to work with scripts generally avoid it, there is no better method when you need to process subnets in bulk.

If you have hundreds of subnets to define, the following script does it in seconds. It expects a CSV file with Name, Site and Description columns (Name is the subnet in CIDR form, e.g. 10.10.10.0/24).

# CSV path (columns: Name, Site, Description)
$csvFilePath = "C:\Subnet.csv"

# Read the CSV
$subnets = Import-Csv -Path $csvFilePath

# Create each subnet
foreach ($subnet in $subnets) {
    $name = $subnet.Name
    $site = $subnet.Site
    $description = $subnet.Description

    try {
        # -ErrorAction Stop turns cmdlet errors into exceptions so the catch block actually runs
        New-ADReplicationSubnet -Name $name -Site $site -Description $description -ErrorAction Stop
        Write-Host "Subnet $name added."
    } catch {
        Write-Host "Subnet $name failed: $_"
    }
}

 

For more detailed information:

Have a nice day!

Netlogon Protocol Changes – News!

As you know, Microsoft's Netlogon protocol change process was activated with the November 8, 2022 updates (KB5021130, CVE-2022-38023).

Earlier announcements said that “Enforcement by Default” would be activated with the April 11, 2023 updates, but a later announcement postponed it to June 13, 2023.

Once the Windows updates dated November 8, 2022 or later are installed, you can add the “RequireSeal” registry value below.

Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Value: RequireSeal

Data Type: REG_DWORD

Data:
  • 0 – Disabled
  • 1 – Compatibility mode. Windows domain controllers will require that Netlogon clients use RPC Seal if they are running Windows, or if they are acting as either domain controllers or trust accounts.
  • 2 – Enforcement mode. All clients are required to use RPC Seal, unless they are added to the “Domain Controller: Allow vulnerable Netlogon secure channel connections” group policy object (GPO).

If you have more than one Domain Controller in your environment, you can distribute the registry value with Group Policy.

Or you can use PowerShell (replace DATA with 0, 1 or 2):

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters" -Name RequireSeal -Value DATA -PropertyType DWORD -Force

Note: Events 5838, 5839, 5840 and 5841 can be checked in the System event log on DCs with the November 2022 updates installed to detect applications that may have problems.
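Before switching RequireSeal from 1 to 2, a defender will want to know whether any client is still producing events 5838 to 5841. The following is an added example, not from the original post, that reads the RequireSeal value and counts those events on every DC for the last 7 days; it assumes WinRM is enabled on the DCs and that the ActiveDirectory module is loaded on the machine running it.

```powershell
$lookback = (Get-Date).AddDays(-7)
$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ArgumentList $lookback -ScriptBlock {
    param($since)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $requireSeal = (Get-ItemProperty -Path $key -Name RequireSeal -ErrorAction SilentlyContinue).RequireSeal
    $modeNames = @{ 0 = 'Disabled'; 1 = 'Compatibility'; 2 = 'Enforcement' }
    if ($null -ne $requireSeal -and $modeNames.ContainsKey([int]$requireSeal)) {
        $mode = "$requireSeal ($($modeNames[[int]$requireSeal]))"
    } else {
        $mode = 'not set (update default applies)'
    }
    # Events 5838-5841 are written to the System log; Get-WinEvent returns newest first
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5838, 5839, 5840, 5841; StartTime = $since } -ErrorAction SilentlyContinue)
    $counts = ($events | Group-Object Id | Sort-Object Name | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
    if (-not $counts) { $counts = 'none' }
    $lastEvent = if ($events.Count -gt 0) { $events[0].TimeCreated } else { $null }
    # Any event in the window means a client still needs attention before RequireSeal=2 is set
    [pscustomobject]@{
        DC          = $env:COMPUTERNAME
        RequireSeal = $mode
        EventCounts = $counts
        LastEvent   = $lastEvent
    }
}
$results | Sort-Object DC | Format-Table DC, RequireSeal, EventCounts, LastEvent -AutoSize
```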

 

 

Have a nice day!

About Domain Controller November 2022 Patch LSASS Memory Leak

As you know, starting with the November 2022 updates Microsoft confirmed a possible memory leak in the “Local Security Authority Subsystem Service (LSASS.exe)” on various Windows Server versions.

The affected updates are as follows:

  • Windows Server 2019: Update KB5019966
  • Windows Server 2016: Update KB5019964
  • Windows Server 2012 R2: Update KB5020023, Update KB5020010
  • Windows Server 2012: Update KB5020009, Update KB5020003
  • Windows Server 2008 R2 SP1: Update KB5020000, Update KB5020013
  • Windows Server 2008 SP2: OOB-Update KB5021657

The problem could be mitigated with a workaround, but the issue was resolved in KB5021235.

If you used the workaround, see KB5020805, "How to manage Kerberos protocol changes related to CVE-2022-37967", for information on how to configure KrbtgtFullPacSignature.

Possible memory leak in Local Security Authority Subsystem Service (LSASS.exe) for Windows Server 2016

Possible memory leak in Local Security Authority Subsystem Service (LSASS.exe) for Windows Server 2019

 

Have a nice day!

How to Find Local Group Members from Remote Servers

If you need to list the local group members of remote servers, you can use either of the two PowerShell snippets below.

Note that if the Windows Remote Management (WinRM) service is turned off on the remote servers, “Invoke-Command” does not work; the second snippet uses WMI instead.

$Servers = Get-Content C:\Temp\BulkServers.txt
foreach ($Server in $Servers) {
    # Runs Get-LocalGroupMember on the remote server over WinRM
    Invoke-Command -ComputerName $Server -ScriptBlock { Get-LocalGroupMember -Group "Remote Desktop Users" } | Select-Object PSComputerName, Name
}

or

$Servers = Get-Content C:\Temp\BulkServers.txt
foreach ($Server in $Servers) {
    # WMI (DCOM) path: works even when WinRM is off
    $Groups = Get-WmiObject Win32_GroupUser -ComputerName $Server
    $RDPUsers = $Groups | Where-Object GroupComponent -like '*"Remote Desktop Users"'

    Write-Host "Server: $Server"
    Write-Host " "
    $RDPUsers | ForEach-Object {
        # PartComponent looks like \\SRV\root\cimv2:Win32_UserAccount.Domain="CONTOSO",Name="jdoe"
        $_.PartComponent -match '.+Domain=(.+)\,Name=(.+)$' > $null
        $matches[1].Trim('"') + "\" + $matches[2].Trim('"')
    }
    Write-Host " "
}

To list other group members, simply change the “Remote Desktop Users” group information.
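As an added example (not the author's code), the two snippets above can be combined into one function that uses Invoke-Command when WinRM answers and falls back to CIM over DCOM when it does not, returning one uniform object per member so the result can be exported or filtered. It assumes C:\Temp\BulkServers.txt as in the post and local administrator rights on each server.

```powershell
function Get-RemoteLocalGroupMember {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$Group = 'Remote Desktop Users'
    )
    foreach ($server in $ComputerName) {
        try {
            # Preferred path: Get-LocalGroupMember over WinRM (needs PowerShell 5.1+ on the target)
            Invoke-Command -ComputerName $server -ErrorAction Stop -ArgumentList $Group -ScriptBlock {
                param($g) Get-LocalGroupMember -Group $g
            } | ForEach-Object {
                [pscustomobject]@{ Server = $server; Group = $Group; Member = $_.Name; Method = 'WinRM' }
            }
        } catch {
            # Fallback: Win32_GroupUser over DCOM, which does not depend on the WinRM service
            try {
                $opt = New-CimSessionOption -Protocol Dcom
                $cim = New-CimSession -ComputerName $server -SessionOption $opt -ErrorAction Stop
                Get-CimInstance -CimSession $cim -ClassName Win32_GroupUser |
                    Where-Object { $_.GroupComponent.Name -eq $Group } |
                    ForEach-Object {
                        [pscustomobject]@{
                            Server = $server; Group = $Group
                            Member = "$($_.PartComponent.Domain)\$($_.PartComponent.Name)"; Method = 'DCOM'
                        }
                    }
                Remove-CimSession -CimSession $cim
            } catch {
                # Neither transport worked: report it instead of silently skipping the server
                [pscustomobject]@{ Server = $server; Group = $Group; Member = "ERROR: $($_.Exception.Message)"; Method = 'none' }
            }
        }
    }
}

$servers = Get-Content C:\Temp\BulkServers.txt
Get-RemoteLocalGroupMember -ComputerName $servers | Format-Table -AutoSize
```

The Method column shows which transport answered, which is useful on its own: a server that only responds over DCOM is one where WinRM is off.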

Have a nice day!

How to Bulk Add DNS A Records

If you want to add A records in bulk, first put the records you want to add into a “.csv” file with Name and IPv4Address columns.

Then it is enough to run the following PowerShell line (adjust the zone name and the DNS server name to your environment).

Import-Csv .\dns.csv | ForEach-Object { Add-DnsServerResourceRecordA -Name $_.Name -IPv4Address $_.IPv4Address -ZoneName yusufustundag.com -ComputerName PDC -CreatePtr}

To check the A records, run the following PowerShell line.

Get-DnsServerResourceRecord -ZoneName yusufustundag.com -RRType A

Have a nice day!

How can your organization mitigate the risk of a Pass-the-Hash (PtH) attack?

These are mitigation strategies that you can use in your organization to help prevent both lateral movement and privilege escalation by reducing the impact of credential theft.

Lateral Movement: In this activity, the attacker uses the credentials obtained from a compromised computer to gain access to another computer of the same value to the organization.

Privilege Escalation: In this activity, the attacker uses the credentials obtained from a compromised computer to gain access to another computer of a higher value to the organization.

These mitigations are effective, practical, and broadly applicable to different domain configurations.

They are defense-in-depth measures, designed so that your environment stays protected even if one of them fails.

Mitigation                                                         | Effectiveness | Effort Required
-------------------------------------------------------------------|---------------|----------------
Restrict and protect local accounts with Administrative Privileges | Excellent     | Medium
Restrict and protect local accounts with Administrative Privileges | Excellent     | Low
Restrict inbound traffic using the Windows Firewall                | Excellent     | Medium

More Recommendations                                                                              | Effectiveness | Effort Required
--------------------------------------------------------------------------------------------------|---------------|----------------
Remove standard users from the local Administrators Group                                         | Excellent     | High
Limit the number and use of privileged Domain Accounts                                            | Good          | Medium
Configure outbound proxies to deny internet to Privileged Accounts                                | Good          | Low
Ensure Administrative Accounts don't have email accounts                                          | Good          | Low
Use remote management tools that don't place reusable credentials in a remote computer's memory   | Good          | Medium
Avoid logons to less secure computers that are potentially compromised                            | Good          | Low
Update applications and operating systems                                                         | Partial       | Medium
Secure and manage Domain Controllers                                                              | Partial       | Medium
Remove LM hashes                                                                                  | Partial       | Low

Other Mitigations                                 | Effectiveness | Effort Required
--------------------------------------------------|---------------|----------------
Disable the NTLM Protocol                         | Minimal       | High
Smart cards and multifactor authentication (MFA)  | Minimal       | High
Jump servers                                      | Minimal       | High
Rebooting workstations and servers                | Minimal       | Low
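An added example (not from the original post) that reads, on the local machine, the state of three of the table's mitigations: LM hash storage, NTLM restriction, and who sits in the local Administrators group. It assumes an elevated PowerShell 5.1 or later session and only reads settings; it changes nothing.

```powershell
function Get-PthMitigationStatus {
    # Read-only snapshot of local settings that map to rows of the mitigation table
    $lsa    = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv    = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
    $admins = @(Get-LocalGroupMember -Group 'Administrators')
    $users  = $admins | Where-Object ObjectClass -eq 'User'  | Select-Object -ExpandProperty Name
    $groups = $admins | Where-Object ObjectClass -eq 'Group' | Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        # "Remove LM hashes": NoLMHash = 1 means no LM hash is stored at the next password change
        LmHashesNotStored    = ($lsa.NoLMHash -eq 1)
        # "Disable the NTLM Protocol": LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1
        LmCompatibilityLevel = $lsa.LmCompatibilityLevel
        # RestrictSendingNTLMTraffic = 2 denies all outgoing NTLM authentication from this host
        OutgoingNtlmDenied   = ($msv.RestrictSendingNTLMTraffic -eq 2)
        # "Remove standard users from the local Administrators Group": every user listed here is worth reviewing
        LocalAdminUsers      = ($users -join '; ')
        LocalAdminGroups     = ($groups -join '; ')
    }
}
Get-PthMitigationStatus | Format-List
```

Wrap the call in Invoke-Command against a server list to collect the same snapshot fleet-wide.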

Have a nice day!

How to Force Active Directory Replication

If you make changes on DC01 and want to replicate them to the other DCs immediately, run repadmin /syncall /APeD on DC01.

A = All partitions
P = Push
e = Enterprise (cross-site)
D = Identify servers by distinguished names

If DC01 is out of sync, run repadmin /syncall /AeD on DC01.
Without the P flag this is a pull replication, which means it pulls updates from DC02 to DC01.

The flags are case sensitive.

Have a nice day!

How to Check Active Directory Replication

Repadmin.exe helps system administrators diagnose Active Directory replication problems between domain controllers running Microsoft Windows operating systems.

For more about repadmin.exe

To view the replication status and general health, use “/replsummary”.
This command shows, per DC, the largest delta, the number of failed and total replication attempts with the failure percentage, and the last error.
repadmin /replsummary

To view replication partners and their status, use “/showrepl”.
This command lists each inbound replication partner with its DSA object GUID and the result of the last replication attempt.
repadmin /showrepl

To see only the failures:
repadmin /showrepl /errorsonly
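Reading showrepl output by eye does not scale past a handful of DCs. The following is an added example, not from the original post, that parses the CSV form of the command (repadmin /showrepl * /csv) and keeps only the partnerships with failures. The CSV lines embedded below are a constructed sample using the column names repadmin emits; on a live domain replace them with the real command output as shown in the comment.

```powershell
function Get-ReplicationFailure {
    # Turns repadmin /showrepl /csv lines into objects and keeps partnerships with failures
    param([string[]]$CsvLines)
    $CsvLines | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            Destination   = $_.'Destination DSA'
            Source        = $_.'Source DSA'
            NamingContext = $_.'Naming Context'
            Failures      = [int]$_.'Number of Failures'
            LastSuccess   = $_.'Last Success Time'
            LastFailure   = $_.'Last Failure Time'
            # Win32 error of the last failure, e.g. 1722 = RPC server unavailable, 8453 = replication access denied
            Status        = $_.'Last Failure Status'
        }
    } | Where-Object { $_.Failures -gt 0 } | Sort-Object Failures -Descending
}

# Constructed sample in the layout repadmin produces (first column is the literal showrepl_COLUMNS / showrepl_INFO tag)
$sampleCsv = @(
    'showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status',
    'showrepl_INFO,HQ-Site,DC01,"DC=contoso,DC=com",Branch-Site,DC02,RPC,0,0,2023-06-13 08:00:12,0',
    'showrepl_INFO,HQ-Site,DC01,"CN=Configuration,DC=contoso,DC=com",Branch-Site,DC03,RPC,12,2023-06-13 07:55:40,2023-06-12 21:10:03,1722'
)

# Live use: $csv = repadmin /showrepl * /csv ; Get-ReplicationFailure -CsvLines $csv
Get-ReplicationFailure -CsvLines $sampleCsv | Format-Table -AutoSize
```

With the sample, only the DC01 <- DC03 Configuration partnership (12 failures, status 1722) is returned.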

For other commands

If you don’t want to use commands, try this “Active Directory Replication Status Tool” 🙂

Have a nice day!

How to Get Domain Controller Information with PowerShell

You can use the one-liner below to discover the Domain Controllers in every domain of your forest.

(Get-ADForest).Domains | % { Get-ADDomainController -Discover -DomainName $_ } | % { Get-ADDomainController -server $_.Name -filter * }

ComputerObjectDN : Domain Controller Object Distinguished Name
DefaultPartition : Domain Partition
Domain : Domain Name
Enabled : Whether the Domain Controller's computer account is enabled
Forest : Active Directory Forest Name
HostName : Domain Controller Host Name
InvocationId : The invocation ID identifies the version or the instantiation of the Active Directory database that is running on a given domain controller.
IPv4Address : Domain Controller IPv4 Address
IPv6Address : Domain Controller IPv6 Address
IsGlobalCatalog : Active Directory Global Catalog Status
IsReadOnly : Read-Only Domain Controller Status
LdapPort : Domain Controller LDAP Port Number
Name : Domain Controller Computer Name
NTDSSettingsObjectDN : NTDS Settings Object Distinguished Name
OperatingSystem : Domain Controller Operating System
OperatingSystemHotfix : Domain Controller Operating System Hotfix
OperatingSystemServicePack : Domain Controller Operating System Service Pack
OperatingSystemVersion : Domain Controller Operating System Version (Build Number)
OperationMasterRoles : Active Directory Flexible Single Master Operation (FSMO) Roles
Partitions : Domain Controller Partitions
ServerObjectDN : Server Object Distinguished Name
ServerObjectGuid : Server Object GUID Value
Site : Active Directory Site Name
SslPort : Domain Controller SSL Port Number

You can customize the above criteria according to your needs and list them using the select command.

Example:

(Get-ADForest).Domains | % { Get-ADDomainController -Discover -DomainName $_ } | % { Get-ADDomainController -server $_.Name -filter * } | Select Name, Domain, Forest, IPv4Address, Site, OperatingSystem, OperatingSystemVersion, OperationMasterRoles, IsGlobalCatalog | ft
(or replace ft with Out-GridView for an interactive view)

Have a nice day!