Old Computers accounts that were reconnected

  • 92 Views
  • Last Post 04 January 2017
jkolenda posted this 03 January 2017

I know this most likely has come up in the past, so sorry to ask this again, but I am having a hard time finding this out.
So we have some old computers that someone connected to the network whose accounts were deleted over a year ago. We have secure DNS enabled, so they do not register in DNS. I am trying to find out the IP address for them in the event viewer on the DCs. I enabled Netlogon debug logging, thinking that is how I did this in the past, but that is not showing the IP address for the computers.
AD 2008 R2 forest level, and we have some 2012 R2 as well.
The event IDs in the logs are 5805 or 5723.
Thanks in advance, Jeff Kolenda

kurtbuff posted this 03 January 2017

Get their MAC addresses if you can, and check the DHCP servers. Even if you don't have the MAC addresses, I think the old machines should still register their names with DHCP, even though the names don't get registered in DNS - and if they don't register their names in DHCP, you should still be able to find them there, with blank name entries.

Kurt
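The two steps above (names out of the 5723/5805 Netlogon events on the DCs, then a look at the DHCP leases) as an added PowerShell example; this is not code from the thread. It assumes the RSAT DhcpServer module is installed where it runs, the account can read the DCs' System logs and query the DHCP servers, and the server names in $DomainControllers and $DhcpServers are placeholders. The regex relies on the standard message text of the two events, which names the client but never carries its IP address.

```powershell
# Added example, not code from the thread. Assumptions: RSAT DhcpServer module present,
# read rights on the DCs' System logs and on the DHCP servers; server names are placeholders.
$DomainControllers = 'DC01', 'DC02'       # placeholders
$DhcpServers       = 'DHCP01', 'DHCP02'   # placeholders
$Since             = (Get-Date).AddDays(-14)

# 1. Computer names from the NETLOGON events. Neither event carries an IP address,
#    only the name the client claimed in its session setup.
$events = foreach ($dc in $DomainControllers) {
    $filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5723, 5805; StartTime = $Since }
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 5723: "The session setup from computer 'NAME' failed because the security database does not contain a trust account..."
            # 5805: "The session setup from the computer NAME failed to authenticate..."
            if ($_.Message -match "from (?:the )?computer\s+'?([^'\s]+)'?") {
                [pscustomobject]@{ Name = $Matches[1].TrimEnd('$').ToUpper(); Id = $_.Id; DC = $dc; Time = $_.TimeCreated }
            }
        }
}
$names = $events.Name | Sort-Object -Unique

# 2. Every lease on every scope, including expired ones (-AllLeases), because a machine that
#    only shows up occasionally may not hold an active lease right now.
$leases = foreach ($srv in $DhcpServers) {
    foreach ($scope in (Get-DhcpServerv4Scope -ComputerName $srv)) {
        Get-DhcpServerv4Lease -ComputerName $srv -ScopeId $scope.ScopeId -AllLeases |
            Select-Object @{ n = 'Server'; e = { $srv } }, ScopeId, IPAddress, ClientId, HostName, AddressState, LeaseExpiryTime
    }
}

# 3. Match event names to lease host names (short name, case-insensitive).
$hits = foreach ($n in $names) {
    $leases | Where-Object { $_.HostName -and ($_.HostName.Split('.')[0] -ieq $n) } |
        Select-Object @{ n = 'EventName'; e = { $n } }, IPAddress, ClientId, Server, ScopeId, AddressState, LeaseExpiryTime
}
"== Names from 5723/5805 events that have a DHCP lease =="
$hits | Sort-Object EventName | Format-Table -AutoSize

# 4. What is left: names with no lease at all (likely static addressing), and leases that
#    registered no host name, which is where the rest may be hiding.
"== Event names with no lease (check for static addressing) =="
$names | Where-Object { $_ -notin @($hits.EventName) }
"== Leases with a blank host name =="
$leases | Where-Object { -not $_.HostName } | Format-Table Server, ScopeId, IPAddress, ClientId, AddressState -AutoSize
```

Run it from a management host with RSAT; the lease's ClientId is the MAC, which is what the later ARP-table comparison needs, and AddressState/LeaseExpiryTime tell you whether the machine has been on recently.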


jkolenda posted this 04 January 2017

Kurt,
That was a good tip; I found a few that way. Not sure why I did not think about that. I am guessing the others are static, and some admin/developer installed some hypervisor on their desktop computer and made a static address of some unused IP on the subnet they are on. Guessing they had some desktop guy add it to the domain at one point.
Not sure the best way to find the others.
Thanks, Jeff



kurtbuff posted this 04 January 2017

Last-ditch efforts:

- Plunder your switches/routers for their ARP and MAC address tables.
  - Filter out the matching DNS/DHCP entries, and what's left will be your culprits. This assumes you've also filtered out the switches, printers, etc., but those should have static (or DHCP-reserved) IP addresses and matching DNS addresses anyway, though a lot of places don't do that, unfortunately. This also won't be effective for desktop VMs running in NAT mode. That's one of the biggest reasons I tell my engineers not to NAT their VMs. Another is that even if otherwise the VM is well-behaved and normal, if it's NATed, I can't get at it remotely to manage it, and my rule is that if it's on my network, I have root/admin on it and can get at it at any time.

- NMAP the crap out of your subnets, and do the same as above.
  - You might have better luck with NATed VMs with NMAP, as it might be able to detect the NATing, though I'm not sure if it will tell you the details you want. You'll need to do a bit of research on that.


Kurt
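The first of the two last-ditch steps above (ARP table minus everything DNS or DHCP already explains) as an added PowerShell example, not code from the thread. The "show ip arp" text is constructed sample data in Cisco's format, $DhcpServer is a placeholder, and the OUI table is limited to the common desktop and server hypervisors; a hit there is only a hint that an address belongs to a VM, not proof.

```powershell
# Added example, not code from the thread. Parses a Cisco-style "show ip arp" dump
# (constructed sample data below), then drops every entry that a DNS PTR record or a
# DHCP lease already explains. $DhcpServer is a placeholder.
$ArpDump = @'
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.5.1               -   0011.2233.4455  ARPA   Vlan20
Internet  10.20.5.23             12   0050.56aa.bb01  ARPA   Vlan20
Internet  10.20.5.77              3   001c.42de.ad01  ARPA   Vlan20
Internet  10.20.5.150             0   3c97.0e11.2233  ARPA   Vlan20
'@

# Well-known hypervisor OUIs; a match supports the "someone ran up a VM on a desktop" theory.
$VirtualOui = @{
    '00-50-56' = 'VMware'; '00-0C-29' = 'VMware'; '00-15-5D' = 'Hyper-V'
    '08-00-27' = 'VirtualBox'; '00-1C-42' = 'Parallels'
}

function ConvertFrom-CiscoArp {
    param([string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        # Cisco prints MACs as xxxx.xxxx.xxxx; normalise to 00-11-22-33-44-55, the form DHCP uses for ClientId.
        if ($line -match '^\s*Internet\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(\S+)') {
            $hex = ($Matches[2] -replace '\.', '').ToUpper()
            [pscustomobject]@{
                IP        = $Matches[1]
                MAC       = $hex -replace '(..)(?!$)', '$1-'
                Interface = $Matches[3]
            }
        }
    }
}

$arp = ConvertFrom-CiscoArp -Text $ArpDump

# Index the DHCP leases by IP and by MAC so the comparison is a hashtable lookup per ARP entry.
$DhcpServer = 'DHCP01'   # placeholder
$leaseByIp = @{}; $leaseByMac = @{}
foreach ($scope in (Get-DhcpServerv4Scope -ComputerName $DhcpServer)) {
    foreach ($l in (Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $scope.ScopeId -AllLeases)) {
        $leaseByIp[[string]$l.IPAddress] = $l
        if ($l.ClientId) { $leaseByMac[$l.ClientId.ToUpper()] = $l }
    }
}

# Keep only ARP entries with no PTR record and no lease for that IP. A lease the same MAC
# held earlier is reported as a hint: it is the name the box used when it last took DHCP.
$unexplained = foreach ($e in $arp) {
    $ptr = Resolve-DnsName -Name $e.IP -Type PTR -ErrorAction SilentlyContinue | Where-Object { $_.NameHost }
    if (-not $ptr -and -not $leaseByIp[$e.IP]) {
        $oldLease = $leaseByMac[$e.MAC]
        $seenAs   = if ($oldLease) { $oldLease.HostName } else { '' }
        [pscustomobject]@{
            IP         = $e.IP
            MAC        = $e.MAC
            Interface  = $e.Interface
            Hypervisor = $VirtualOui[$e.MAC.Substring(0, 8)]
            MacSeenAs  = $seenAs
        }
    }
}
$unexplained | Format-Table -AutoSize
```

Switches, printers and the router's own interface addresses will show up in the result wherever they lack PTR records, so expect to trim those by hand. For a remote site where you cannot pull the switch tables, `nmap -sn -PR 10.20.5.0/24` run from a host inside that subnet produces the same IP-to-MAC list (ARP ping, no port scan), and its output can be fed through the same comparison. A VM in NAT mode answers ARP with its host's MAC, so it never appears as a separate entry; that is the gap the post above describes.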


jkolenda posted this 04 January 2017

Kurt,
Yeah, the issue with that is I am not 100% sure where these computers are. We have hundreds of remote sites, and for the ones left I can't tell what site they might be at from the naming of them.
I opened a case with Microsoft on this to see how to track these, but no luck from them....
I know in the past there was a way to enable some logging to get the IP addresses in AD for these types of events. Just not sure what that is, or maybe that was back in the 2000/2003 days.
Heck, a dcdiag shows the accounts that are bad. I can't believe MS does not have a quick way to track these down.
Thanks, Jeff



kurtbuff posted this 04 January 2017

You knew the job was dangerous when you took it. :)

Kurt
