```powershell
function GetDomainsInNetlogonLog
{
    PARAM ( [string]$NetlogonLog = "c:\Windows\debug\netlogon.log" )

    # Distinct domain names seen in "SamLogon: Network logon of DOMAIN\user" entries
    $Domains = @()

    # Only the SamLogon network-logon lines matter; Select-String streams the file, so the
    # whole log is not read into memory a second time with Get-Content
    $SamLogonArray = @(Select-String -Path $NetlogonLog -Pattern 'SamLogon: Network logon of' |
                       ForEach-Object { $_.Line })

    foreach ($SamLogonLine in $SamLogonArray)
    {
        $SplitLine = $SamLogonLine.Split(' ')

        # Some Netlogon builds write a bracketed thread ID as the fourth token
        # ("[LOGON] [1234] SamLogon: ..."), which shifts the DOMAIN\user token one to the right
        if ($SplitLine[3] -match "(?<=[[]).*?(?=[]])")
        {
            $DomainUser = $SplitLine[8]
        }
        else
        {
            $DomainUser = $SplitLine[7]
        }
        # Everything before the backslash is the domain; "(null)" or a computer name shows up
        # here when the client did not supply a domain
        $Domain = $DomainUser.Split('\')[0]

        if ($Domains -notcontains $Domain)
        {
            $Domains += $Domain
        }
    }

    return $Domains
}
```
 

Windows servers can run into situations where it is handy to understand which computers are connecting to a server and for which services. Auditing gives you a 1:1 view of which users are logging onto a server and from where, but collating that into a more holistic picture is difficult with the in-box tools.

Worse still are situations like 'MaxConcurrentApi' authentication bottlenecks. A member server (or a domain controller handling trust traffic) forwards NTLM password validations and Kerberos PAC validations to a domain controller over its Netlogon secure channel, and MaxConcurrentApi caps how many of those calls can be outstanding at once. When the server has to perform so many validations that the cap is reached, the rest queue up and some of them time out, and users see the result as credential prompts or a simple "spinning donut" wait.

This script is intended to give you supplemental information so that you know what is happening to your servers in aggregate. It does so by parsing Netlogon debug log files. Netlogon debug logging can be enabled as described in the KB article "Enabling Debug Logging for the Net Logon Service": run nltest /dbflag:0x2080ffff on the server being analyzed and Netlogon writes to %windir%\debug\netlogon.log, the default path the script reads. Run nltest /dbflag:0x0 to turn it back off once you have captured a representative window, since a busy server fills the log quickly.

More information on how network logons work and what options are available for auditing can be found in this TechNet article.

An example of the switches to run the script, where $Log holds the path of the Netlogon log to analyze:

PS C:\Scripts> .\MaxConcurrentApiNetlogonParser.ps1 -NetlogonFilePath $Log -DomStats $true -AuthFailureDetails $true

Here's an example of the script's output:

Netlogon Analysis of SamLogon Entries

Analysis will show a percentage breakdown of the domains from which users are logging onto the server.
The logon sessions are Network logon sessions.
NOTE: Computers may show up as domains if the auth is from non-domain-joined clients or from apps which submit the authentication improperly.

Analysis of Netlogon Log File C:\windows\debug\netlogon.log
Log start time 04/10 06:55:31
Log end time 04/10 07:38:39
**********************************************************
Total SamLogon (network logon) entries were: 58482
Domain CHILD.TREYRESEARCH.COM : 14 %
Domain (null) : 1 %
Domain TREYRESEARCH.COM : 30 %
Domain CHILD.CONTOSO.COM : 30 %
Domain CONTOSO.COM : 2 %
Domain TAILSPIN : 2 %
Domain TAILSPINTOYS.COM : 13 %
Domain RESEARCH.TAILSPINTOYS.COM : 1 %
Domain CONTOSO : 4 %

Analysis of Netlogon Log File C:\windows\debug\netlogon.log
Log start time 04/10 06:55:31
Log end time 04/10 07:38:39
*******************************************
Summary of User Failures by Domain (estimated):
Note: Computer names may appear as domains if the authentication is improperly submitted by the client.

NTLM user auth failures for domain:REGIONAL
NTLM user auth failures count:6
NTLM user auth failures for domain:CHILD.TREYRESEARCH.COM
NTLM user auth failures count:4044
NTLM user auth failures for domain:(null)
NTLM user auth failures count:5
NTLM user auth failures for domain:TREYRESEARCH.COM
NTLM user auth failures count:164
NTLM user auth failures for domain:RESEARCH.TAILSPINTOYS.COM
NTLM user auth failures count:7942
NTLM user auth failures for domain:CONTOSO
NTLM user auth failures count:7932

NTLM user auth failures from Problematic NTLM Auth
Count of NTLM user timeouts from (null)\ domain:5

User names of users whose computers or devices submitted problematic NTLM auth (without a domain name)
Null user is shakala
Null user is billy.bob@contoso.com
Null user is junie.may@treyresearch.com
Null user is eeriend
Null user is sally.sue@tailspintoys.com

Computers or devices from where users submitted problematic NTLM auth (without a domain name)
Null computer is shakalapc-1
Null computer is CCFNG-WIN7-2
Null computer is RSRCH2008
Null computer is EMEA-WS66342
Null computer is JIMMYSTABLET
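The two reports above (the percentage breakdown of network logons per domain, and the per-domain NTLM failure summary with the null-domain users and computers behind it) can be reproduced over a handful of netlogon.log lines with the PowerShell below. It is an added example, not part of the MaxConcurrentApiNetlogonParser script or its author's code, and it also generalizes the GetDomainsInNetlogonLog snippet at the top of the page by matching the DOMAIN\user token with a regex instead of by token position, so the bracketed thread ID no longer matters. The sample log lines are constructed, the function names are mine, and two things are assumptions modelled on Netlogon's logging rather than taken from this page: the line shape "SamLogon: Network logon of DOMAIN\user from COMPUTER Entered|Returns 0x...", and that a MaxConcurrentApi timeout surfaces as status 0xC000005E (STATUS_NO_LOGON_SERVERS).

```powershell
# Added example: not part of the MaxConcurrentApiNetlogonParser script or its author's code.
# Assumptions: the SamLogon line shape below, and 0xC000005E as the timeout status.

# Constructed sample lines modelled on netlogon.log (not a real capture).
$SampleNetlogonLog = @'
04/10 06:55:31 [LOGON] [1220] SamLogon: Network logon of CONTOSO\alice from WS-0001 Entered
04/10 06:55:31 [LOGON] [1220] SamLogon: Network logon of CONTOSO\alice from WS-0001 Returns 0x0
04/10 06:55:32 [LOGON] [1224] SamLogon: Network logon of CONTOSO\erin from WS-0007 Entered
04/10 06:55:32 [LOGON] [1224] SamLogon: Network logon of CONTOSO\erin from WS-0007 Returns 0x0
04/10 06:55:33 [LOGON] [1228] SamLogon: Network logon of CHILD.CONTOSO.COM\bob from WS-0002 Entered
04/10 06:55:33 [LOGON] [1228] SamLogon: Network logon of CHILD.CONTOSO.COM\bob from WS-0002 Returns 0xC000006A
04/10 06:55:34 [LOGON] [1232] SamLogon: Network logon of (null)\carol@treyresearch.com from JIMMYSTABLET Entered
04/10 06:56:19 [LOGON] [1232] SamLogon: Network logon of (null)\carol@treyresearch.com from JIMMYSTABLET Returns 0xC000005E
04/10 06:56:20 [LOGON] [1236] SamLogon: Network logon of TREYRESEARCH.COM\dave from RSRCH2008 Entered
04/10 06:57:05 [LOGON] [1236] SamLogon: Network logon of TREYRESEARCH.COM\dave from RSRCH2008 Returns 0xC000005E
'@ -split '\r?\n'

function ConvertFrom-SamLogonLine {
    # Turn one SamLogon network-logon line into an object; any other line is skipped.
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        $pattern = 'SamLogon: Network logon of (?<account>\S+) from (?<computer>\S+) ' +
                   '(?<phase>Entered|Returns)(?: (?<status>0x[0-9A-Fa-f]+))?'
        if ($Line -match $pattern) {
            # Split DOMAIN\user on the first backslash only; a missing domain shows up as
            # "(null)" (or as a computer name, as the page's note warns)
            $parts  = $Matches.account -split '\\', 2
            $user   = if ($parts.Count -gt 1) { $parts[1] } else { $parts[0] }
            $status = if ($Matches.ContainsKey('status')) { $Matches.status } else { $null }
            [pscustomobject]@{
                Domain   = $parts[0]
                User     = $user
                Computer = $Matches.computer
                Phase    = $Matches.phase
                Status   = $status
            }
        }
    }
}

function Get-DomainBreakdown {
    # Percentage of network logons per domain, counting each logon once (its "Entered" line)
    # rather than twice (Entered + Returns).
    param([object[]]$Entries)
    $entered = @($Entries | Where-Object { $_.Phase -eq 'Entered' })
    if ($entered.Count -eq 0) { return }
    $entered | Group-Object Domain | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Domain  = $_.Name
            Logons  = $_.Count
            Percent = [math]::Round(100 * $_.Count / $entered.Count, 1)
        }
    }
}

function Get-FailureSummary {
    # Failed "Returns" per domain, how many of them carry the timeout status a
    # MaxConcurrentApi bottleneck produces (assumed 0xC000005E), and the users and
    # computers behind them, which is what the null-domain lists above are built from.
    param([object[]]$Entries, [string]$TimeoutStatus = '0xC000005E')
    $failed = @($Entries | Where-Object { $_.Phase -eq 'Returns' -and $_.Status -and $_.Status -ne '0x0' })
    $failed | Group-Object Domain | Sort-Object Count -Descending | ForEach-Object {
        $group = @($_.Group)
        [pscustomobject]@{
            Domain    = $_.Name
            Failures  = $_.Count
            Timeouts  = @($group | Where-Object { $_.Status -eq $TimeoutStatus }).Count
            Users     = ($group.User     | Sort-Object -Unique) -join ', '
            Computers = ($group.Computer | Sort-Object -Unique) -join ', '
        }
    }
}

$entries   = @($SampleNetlogonLog | ConvertFrom-SamLogonLine)
$breakdown = Get-DomainBreakdown -Entries $entries
$failures  = Get-FailureSummary  -Entries $entries

"Total SamLogon (network logon) entries: $(@($entries | Where-Object { $_.Phase -eq 'Entered' }).Count)"
$breakdown | Format-Table -AutoSize
$failures  | Format-Table -AutoSize
```

To run it against a real capture, replace $SampleNetlogonLog with Get-Content C:\Windows\debug\netlogon.log (or pipe Select-String -Pattern 'SamLogon: Network logon of' into ConvertFrom-SamLogonLine to avoid loading the whole file). Counting "Entered" lines rather than all matches is what keeps the percentages honest; counting both lines of each logon would double every domain's share and hide nothing, but counting "Returns" lines only would drop logons that never returned before the log rolled over, which on a server that is hitting MaxConcurrentApi are exactly the ones you care about.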