How to remove netlogon.log content on all Domain Controllers within an AD domain using Orchestrator
Introduction
Netlogon.log is a log file that exists on all Domain Controllers and is used to monitor the activity level of Active Directory or to investigate problems.
The netlogon.log file uses circular logging: when netlogon.log reaches approximately 20 MB (this is a default value that can be changed), it is renamed to netlogon.bak. If a file named netlogon.bak already exists, it is overwritten. This process caps the size of the log file at a maximum value. However, an AD administrator might need to remove the netlogon.log content on all the Domain Controllers immediately in order to collect only new events (for example, an AD administrator may need to get only the events about missing AD subnets that are logged after the corrections have been made).
This Wiki article shows how netlogon.log content can be removed on all Domain Controllers within an AD domain.
How to remove netlogon.log content
To remove netlogon.log content on a Domain Controller, the following should be done:
- We stop the Netlogon service
- We remove the netlogon.log file
- We start the Netlogon service
When the Netlogon service is started, a new empty netlogon.log file is created.
How to use Orchestrator to remove netlogon.log content on all Domain Controllers within an AD Domain
To use Orchestrator to remove netlogon.log content on all Domain Controllers within an AD Domain, all you need are Orchestrator Runbooks to:
- Identify the list of Domain Controllers within an AD Domain
- Process the service start / stop and file removal operations on each Domain Controller
The Runbooks can be configured to run on-demand or periodically. In this Wiki, we will be sharing how to create Runbooks that can be launched on-demand.
Configuration of Orchestrator
You will need to have two Runbooks to process netlogon.log content removal on all Domain Controllers within an AD Domain:
- A Runbook to get the list of Domain Controllers within an AD Domain
- A Runbook to stop Netlogon service, remove netlogon.log file and then start Netlogon service
Let’s start with the second Runbook. You will need to use four (4) activities:
- Initialize Data: It will allow the Runbook to take the Domain Controller name as input
- Start/Stop Service: It will stop the Netlogon service on the Domain Controller specified as input in the previous activity
- Delete File: It will remove the netlogon.log file (the path is \\<DCNAME>\c$\Windows\debug\netlogon.log, using the C$ admin share of the Domain Controller)
- Start/Stop Service: It will start the Netlogon service on the same Domain Controller
Below is a screen capture of all the activities included in the second Runbook:
Once you have created the second Runbook, you can proceed with the creation of the first one. You will need to use two (2) activities:
- Execute PS Script: This activity will be available if you register and deploy the Orchestrator Integration Pack for PowerShell Script Execution (http://blogs.technet.com/b/orchestrator/archive/2013/10/02/the-orchestrator-integration-pack-for-powershell-script-execution-1-2-is-now-available.aspx). It will allow you to get the list of the Domain Controllers within an AD Domain by running an LDAP query. The PowerShell command to run is: foreach ($DC in Get-ADComputer -SearchBase "DC=CONTOSO,DC=COM" -LDAPFilter "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))") {$DC.name} ("DC=CONTOSO,DC=COM" needs to be replaced by your domain DN).
- Invoke Runbook: It will allow you to run the second Runbook, providing the host name of every Domain Controller in the Domain as input.
Below is a screen capture of all the activities included in the first Runbook:
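As an added example (not one of the Wiki's Runbooks and not code from the article), here is the same workflow the two Runbooks implement, written as a single PowerShell script: the first Runbook's Domain Controller enumeration with the article's LDAP filter, followed by the second Runbook's stop / delete / start steps from the section "How to remove netlogon.log content". It assumes Windows PowerShell 5.1 with the ActiveDirectory module (Get-Service -ComputerName is not available in PowerShell 7), an account that is an administrator on every Domain Controller, and that the Service Control Manager and the C$ admin share of each Domain Controller are reachable; the search base "DC=CONTOSO,DC=COM" is the same placeholder the article uses, and the Clear-NetlogonLog and Get-DomainControllerName function names are hypothetical.

```powershell
# Added example (not the Wiki's Runbooks): list the DCs of a domain, then on each one
# stop Netlogon, delete netlogon.log over the C$ admin share and start Netlogon again.
# Assumptions: Windows PowerShell 5.1, ActiveDirectory module, admin rights on every DC,
# SCM (RPC) and C$ reachable on every DC.
param(
    [string]$SearchBase = 'DC=CONTOSO,DC=COM',   # replace with your domain DN
    [int]$TimeoutSeconds = 60                     # how long to wait for a service state change
)

Import-Module ActiveDirectory -ErrorAction Stop

# Same filter as the article: userAccountControl bit 8192 (SERVER_TRUST_ACCOUNT)
# is set only on Domain Controller computer accounts.
$ldapFilter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'

function Get-DomainControllerName {
    param([string]$SearchBase, [string]$LdapFilter)
    Get-ADComputer -SearchBase $SearchBase -LDAPFilter $LdapFilter |
        Select-Object -ExpandProperty Name
}

function Clear-NetlogonLog {
    # Stops Netlogon, deletes netlogon.log, restarts Netlogon, and returns one
    # record per DC so the run can be reviewed afterwards.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$TimeoutSeconds = 60
    )
    $logPath = "\\$ComputerName\c`$\Windows\debug\netlogon.log"
    $timeout = [TimeSpan]::FromSeconds($TimeoutSeconds)
    $result  = [ordered]@{ ComputerName = $ComputerName; Removed = $false; Restarted = $false; Error = $null }

    try {
        $service = Get-Service -Name Netlogon -ComputerName $ComputerName -ErrorAction Stop

        # 1. Stop Netlogon: the log file is held open while the service runs.
        if ($service.Status -ne 'Stopped') {
            Stop-Service -InputObject $service -ErrorAction Stop
            $service.WaitForStatus('Stopped', $timeout)   # throws on timeout
        }

        # 2. Remove the log file. A missing file simply means there is nothing to clear.
        if (Test-Path -LiteralPath $logPath) {
            Remove-Item -LiteralPath $logPath -ErrorAction Stop
            $result.Removed = $true
        }
    }
    catch {
        $result.Error = $_.Exception.Message
    }
    finally {
        # 3. Always try to bring Netlogon back, even if the delete failed:
        #    a DC whose Netlogon service is stopped cannot service logons.
        try {
            if ($service) {
                $service.Refresh()
                if ($service.Status -ne 'Running') {
                    Start-Service -InputObject $service -ErrorAction Stop
                    $service.WaitForStatus('Running', $timeout)
                }
                $service.Refresh()
                $result.Restarted = ($service.Status -eq 'Running')
            }
        }
        catch {
            $result.Error = "Netlogon did not restart: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$result
}

# Process the DCs one after the other so that at most one DC has Netlogon stopped at any time.
$report = foreach ($dc in Get-DomainControllerName -SearchBase $SearchBase -LdapFilter $ldapFilter) {
    Clear-NetlogonLog -ComputerName $dc -TimeoutSeconds $TimeoutSeconds
}

$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Restarted }) {
    Write-Warning 'Netlogon is not running on at least one Domain Controller; check the Error column.'
}
```

The script deliberately walks the Domain Controllers sequentially and restarts Netlogon in a finally block, so a failed deletion on one DC never leaves that DC unable to authenticate clients, and the Restarted / Error columns of the report show at a glance which DCs need manual attention. The same ordering applies to the Orchestrator Runbooks: the Invoke Runbook activity should hand the Domain Controllers to the second Runbook one at a time rather than in parallel.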
Conclusion
This Wiki article shares a way to remove netlogon.log content on all Domain Controllers within an AD Domain. The described Runbooks can be launched when an AD administrator needs to initiate the removal of netlogon.log content on the Domain Controllers, and they automatically perform all the required operations and changes.