This article explains how to use System Center Operations Manager (SCOM) and a PowerShell script to inform you about missing Active Directory (AD) site IP address subnet allocations. In an Active Directory domain, clients use AD site information to determine the closest domain controller that manages the authentication. If the client is in an IP subnet not allocated to an AD site, a random domain controller authenticates the client, which can significantly slow down the logon process.

By default, SCOM only lets you use VBScript for script-based monitors and rules. Because this guide uses PowerShell, you have to download and install the free, open-source PowerShell Community Management Pack from GitHub.

PowerShell script to parse netlogon.log

Our script relies on the log file netlogon.log in C:\Windows\debug\, which records clients that could not be mapped to an AD site. A typical record looks like this:

04/08 16:11:14 Contoso: NO_CLIENT_SITE: Wks-01127 10.20.12.34
Month/Day   Hour:Minute:Second   AuthenticationTarget   NO_CLIENT_SITE   ClientName   ClientIP

The following script parses the log file and stores all entries of the current day in a list. If the list contains at least one entry, the script returns the OverThreshold result to SCOM; otherwise it returns UnderThreshold.

# SCOM scripting API and the property bag that carries our results back to the rule
$scomAPI       = New-Object -ComObject "MOM.ScriptAPI"
$propertyBag   = $scomAPI.CreatePropertyBag()

$computerName  = $env:COMPUTERNAME

$cleanedList   = New-Object -TypeName 'System.Collections.Generic.List[psobject]'
$uniqueList    = New-Object -TypeName 'System.Collections.Generic.List[psobject]'

try {

    # Keep only NO_CLIENT_SITE records, then only those whose date (MM/dd) is today.
    # The log carries no year, so the match is anchored to the start of the line.
    $logContent    = Get-Content -Path C:\Windows\debug\netlogon.log
    $noClientSite  = $logContent -match 'NO_CLIENT_SITE'

    $today         = Get-Date -Format 'MM/dd'
    $todaysRecords = $noClientSite -match "^$today "

    foreach ($record in $todaysRecords) {

        # Record layout: Date Time AuthenticationTarget: NO_CLIENT_SITE: ClientName ClientIP
        # Splitting on runs of whitespace tolerates more than one space between fields.
        $recordItems   = $record -split '\s+'
        $itmDate       = $recordItems[0]
        $itmAuthTarget = $recordItems[2]
        $itmClientName = $recordItems[4]
        $itmClientIP   = $recordItems[5]

        $recordHash = @{'DomainController' = $computerName}
        $recordHash.Add('Date', $itmDate)
        $recordHash.Add('AuthenticationTarget', $itmAuthTarget)
        $recordHash.Add('ClientName', $itmClientName)
        $recordHash.Add('ClientIP', $itmClientIP)
        $recordObj = New-Object -TypeName psobject -Property $recordHash
        $null      = $cleanedList.Add($recordObj)

    }

    # One entry per client IP, so a chatty client does not flood the alert text
    $cleanedList | Sort-Object -Property ClientIP -Unique | ForEach-Object {
        $null = $uniqueList.Add($_)
    }

    $messageText  = "The following computers could not find a DC that matches their IP range and were authenticated against $($computerName) `n`n"
    $messageText += "Please map the IP ranges to Sites in the Active Directory Sites & Services MMC. `n`n"

    foreach ($client in $uniqueList) {
        $messageText += "Client Name: $($client.ClientName) `t, Client IP: $($client.ClientIP) `t Authentication Target $($client.AuthenticationTarget) `tDate: $($client.Date) `n"
    }

} catch {

    # $_ holds the current error record; $error would dump the whole session error history
    $messageText = "Failed to parse logfile with error message $($_.Exception.Message)"

}

$propertyBag.AddValue("MessageText", $messageText)
$propertyBag.AddValue("ComputerName", $computerName)

# The rule's Criteria section keys on this value to decide whether to raise the alert
if ($uniqueList.Count -gt 0) {
    $propertyBag.AddValue("Result", "OverThreshold")
} else {
    $propertyBag.AddValue("Result", "UnderThreshold")
}

# Returning the property bag hands the values to SCOM
$propertyBag
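The following is an added example, not the article's script, that you can run on any machine without SCOM to check the parsing logic and to see which of the reported client IPs are still uncovered by your existing site subnets. The function names ConvertFrom-NetlogonNoClientSite and Test-IPInSubnet are hypothetical, the log lines and the subnet list are constructed sample data, and in production you would feed the function the output of Get-Content C:\Windows\debug\netlogon.log and the subnets from Get-ADReplicationSubnet. Instead of fixed field positions it takes the two tokens after NO_CLIENT_SITE:, so it keeps working if extra tags appear between the timestamp and the domain name, and it compares the date exactly rather than as a regular expression.

```powershell
# Added example (not the article's script). Sample data below is constructed.

function ConvertFrom-NetlogonNoClientSite {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        # Day to report on in the log's MM/dd format; the log carries no year.
        [string] $Day = (Get-Date -Format 'MM/dd')
    )
    # Date Time [optional tags] Domain: NO_CLIENT_SITE: ClientName ClientIP
    $pattern = '^(?<Date>\d{2}/\d{2}) (?<Time>\d{2}:\d{2}:\d{2}) .*?(?<Domain>\S+): NO_CLIENT_SITE: (?<Client>\S+) (?<IP>\S+)\s*$'
    foreach ($line in $LogLines) {
        if (-not ($line -match $pattern)) { continue }
        if ($Matches.Date -ne $Day) { continue }          # exact compare, not a regex
        [ipaddress] $parsed = $null
        if (-not [ipaddress]::TryParse($Matches.IP, [ref] $parsed)) { continue }
        [pscustomobject] @{
            Date                 = $Matches.Date
            Time                 = $Matches.Time
            AuthenticationTarget = $Matches.Domain
            ClientName           = $Matches.Client
            ClientIP             = $parsed.IPAddressToString
        }
    }
}

function Test-IPInSubnet {
    # IPv4 only: true when $IP lies inside the CIDR range, e.g. 10.20.12.0/24
    param(
        [Parameter(Mandatory)] [ipaddress] $IP,
        [Parameter(Mandatory)] [string] $Cidr
    )
    $network, $prefix = $Cidr -split '/'
    $ipBytes  = $IP.GetAddressBytes()
    $netBytes = ([ipaddress] $network).GetAddressBytes()
    if ($ipBytes.Length -ne 4 -or $netBytes.Length -ne 4) { return $false }
    # Convert to host-order 32-bit integers and compare only the prefix bits
    [array]::Reverse($ipBytes); [array]::Reverse($netBytes)
    $ipInt  = [BitConverter]::ToUInt32($ipBytes, 0)
    $netInt = [BitConverter]::ToUInt32($netBytes, 0)
    $mask   = [uint32] ((0xFFFFFFFF -shl (32 - [int] $prefix)) -band 0xFFFFFFFF)
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

# Constructed sample log content (the real file is C:\Windows\debug\netlogon.log)
$sampleLog = @(
    '04/08 16:11:14 Contoso: NO_CLIENT_SITE: Wks-01127 10.20.12.34',
    '04/08 16:11:15 Contoso: NO_CLIENT_SITE: Wks-01127 10.20.12.34',   # same client again
    '04/08 16:12:02 Contoso: NO_CLIENT_SITE: Lap-00042 192.168.77.9',
    '04/08 16:12:30 Contoso: SamLogon: Network logon of Contoso\user1 from Wks-02001 Entered',
    '04/07 09:01:00 Contoso: NO_CLIENT_SITE: Wks-00999 10.50.1.2'      # previous day, ignored
)

# Constructed list of subnets already assigned to sites; in production use
# Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
$knownSubnets = @('10.10.0.0/16', '10.20.12.0/24')

$records = ConvertFrom-NetlogonNoClientSite -LogLines $sampleLog -Day '04/08' |
    Sort-Object -Property ClientIP -Unique

foreach ($r in $records) {
    $covered = $knownSubnets | Where-Object { Test-IPInSubnet -IP $r.ClientIP -Cidr $_ }
    if ($covered) {
        # A matching subnet exists now: the record may predate the assignment, or the
        # DC that wrote the log may not have replicated the change yet
        "{0} ({1}): already covered by {2}" -f $r.ClientName, $r.ClientIP, ($covered -join ', ')
    } else {
        "{0} ({1}): no matching subnet, add one in AD Sites and Services" -f $r.ClientName, $r.ClientIP
    }
}
```

Running it with the sample data reports Wks-01127 once (its duplicate line is collapsed by the unique sort) as covered by 10.20.12.0/24, Lap-00042 as uncovered, and skips both the SamLogon line and the record from the previous day.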

Creating the SCOM alert rule

With the help of our PowerShell script, we can now create a new SCOM rule. In the SCOM Management Console, switch to the Authoring pane, expand Management Pack Objects, and right-click on Rules. Choose Create a New Rule.

Expand Alert Generating Rules and PowerShell Based. Select PowerShell Script Alert Generating Rule (Community), and click on New to create a new management pack (MP) in which to store the configuration.

Select PowerShell Script Alert Generating Rule and click on New

Use a descriptive name for the management pack, such as ActiveDirectory.Custom.RulesAndMonitors. This helps keep an overview of MPs.

Maintain the name and description of the management pack

Optionally, add knowledge content, which each MP can carry to document its purpose. Proceed by clicking on Create.

Optional: add MP knowledge and click Create

Back in the rule wizard, click on Next to proceed with rule authoring.

In the rule wizard, proceed with Next

Enter a rule name such as Discover Active Directory Missing IP Range <-> Site Allocations, a description, and choose the rule target. The rule target defines on which computers the rule will execute; in our case it must be Windows Domain Controller, because only domain controllers write netlogon.log.

Name the rule and target the Windows Domain Controller

In the Schedule section, choose an interval such as twice a day.

Schedule the rule execution time

In the Script section, choose a file name, for instance Parse-NetlogonLog.ps1. Set the timeout to two minutes and paste in the script from above. Proceed with Next.

Choose a script name and paste the content

Keep the Criteria section unchanged and proceed with Next.

Leave the criteria unchanged

Last, configure the alert with a severity of Warning and an Alert description containing at least the following placeholder, which SCOM replaces with the MessageText value from the script's property bag:

$Data/Property[@Name='MessageText']$

Configure the alert description and severity

Creating a new alert view

Next, we create a new alert view that shows only the alerts about missing IP subnet allocations.

Change to the Monitoring pane, right-click the ActiveDirectory.Custom.RulesAndMonitors container, and select New > Alert View.

Build the alert view

Name it Missing IP Range <-> Site Allocations, for example. Specify the target Windows Domain Controller and filter the view so that it shows only alerts whose name matches the string %Active Directory Missing IP Range%.

Configure the alert view

After a while, all domain controllers will have downloaded the management pack, and the view will show the first alerts.

Alert view showing Missing IP Range Site Allocations

If you have questions, please post a comment below.

2 Comments
  1. Arpita Dhawan 5 years ago

    Hi,

    This post is really very helpful. Thanks
  2. Jakob Trier 4 months ago

    Nice post. Thanks. But I guess you will need to clear the log once a year to ensure that the script does not pick up events 1 year old.