
My question is as simple as it sounds. Is there any tool to find out the total number of computers that belong to a certain domain in a network? I scanned the network using nmap (Zenmap) and then looked at the FQDN to check the domain name, but the result wasn't accurate because by the time I did it some computers were offline (down). I'm talking about almost 1000 computers.

I need any tool capable of scanning the network actively and saving the hosts in a database. So I used OSSIM from AlienVault for a week and exported the result as a .csv file (containing all the computers). So far so good, but there is a catch: when a computer joins a domain, the Domain Controller keeps the computer's name associated with an IP, even if the computer "leaves" the network. So when OSSIM (or nmap) asks for the name of the 192.X.Y.Z IP it gets the name of the prior computer. This leads one to think that the new machine (with the prior machine's IP address) is in the domain, and it's not. Please correct me if I'm wrong. So I would be counting that machine as a domain machine and getting the wrong total number of computers joined to the domain.

So, is there a more technical (not parsing FQDN) way to "ask" a machine: Are you in the "domain.net" domain? I just want to "hear" a Yes or No (coming from the machine).

Ophion
  • `So, is there a more technical (not parsing FQDN) way to "ask" a machine: Are you in the "domain.net" domain?` - Yes. – joeqwerty Mar 06 '17 at 20:18

1 Answer


Answering this question is harder than it seems because whether a machine is "joined" can be interpreted many different ways. And the answer you want sort of depends on what the purpose of the resulting data is.

At a fundamental level, a machine is only joined to a domain for as long as it has a valid computer account credential it can use to authenticate to a domain controller with.

If an external process changes the password on that computer account, disables the account, or just plain deletes it from AD, the client computer will still think it's joined until it tries to authenticate and can't anymore. So you can't really rely on the client to answer the question reliably unless the client actually performs a successful authentication as itself in order to provide the answer. Doing this in a large scale domain would also be a huge waste of resources.

> I need any tool capable of scanning the network actively and saving the hosts in a database.

You're in luck. Active Directory already does this for you natively. Among other things, it keeps track of the computers that are joined in its own database. It even knows the last time those computers successfully authenticated. If you need that data exported to a different database, you're much better off just querying Active Directory for the data than scanning your entire network.

There are varying ways to do this, each with pros and cons in terms of temporal accuracy and difficulty. Querying any DC for the lastLogonTimestamp attribute is the easiest, but least accurate method because of the way it was designed. The lastLogon attribute is much more accurate, but you have to ask every DC individually for the value and use whichever value is the most recent as your answer. If you need near real-time updates, it basically requires processing all of the DCs' security event logs for computer login events as they happen. This generally involves using a centralized event log collection service of some sort.

Ryan Bolger
  • When my boss told me "I need you to find out the computers joined to the domain" I said: Easy! Then I found out all the things related to the resources and the time to spend. – Ophion Mar 06 '17 at 20:56
  • You should ask him *why* he needs that information. Is he looking for a number to calculate potential license costs on a new piece of software? Is he looking to find inactive computers that can be deleted? The why is the important piece that decides what hoops you need to jump through for the data. – Ryan Bolger Mar 06 '17 at 21:52
  • I've been working in this job for a month barely and I think he needs this info because his boss told him to do it I guess. Might seem a little weird but I don't feel this is the time for me to question that decision :) :) – Ophion Mar 07 '17 at 14:14
  • You're not questioning a decision, you're getting additional information. Without any additional information, you should just query AD for all computer accounts with a lastLogonTimestamp value no older than 30-45 days. – Ryan Bolger Mar 07 '17 at 21:19
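The following PowerShell script is an added example, not part of the answer or the comments above, showing both approaches the answer describes: the cheap replicated `lastLogonTimestamp` query against any one DC, and the more accurate non-replicated `lastLogon` query that has to be run against every DC with the most recent value kept per computer. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read computer objects; the 45-day threshold is the upper end of the 30-45 day window suggested in the last comment, and the output path is an assumption.

```powershell
# Added example (not from the original answer). Assumes the ActiveDirectory
# module (RSAT) and read access to computer objects in the domain.
Import-Module ActiveDirectory

$StaleDays = 45                                   # upper end of the 30-45 day suggestion
$Threshold = (Get-Date).AddDays(-$StaleDays)

# 1. Cheap method: lastLogonTimestamp is replicated, so any single DC will do.
#    By design it is only refreshed when the stored value is older than
#    msDS-LogonTimeSyncInterval (14 days by default), so it can lag the true
#    last logon by up to that interval.
$computers = Get-ADComputer -Filter * -Properties lastLogonTimestamp, Enabled |
    Select-Object Name, Enabled,
        @{ n = 'LastLogonTimestamp'; e = {
            if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } } }

# 2. Accurate method: lastLogon is NOT replicated, so query every DC and keep
#    the most recent value seen for each computer account.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$lastLogon = @{}
foreach ($dc in $dcs) {
    try {
        Get-ADComputer -Server $dc -Filter * -Properties lastLogon | ForEach-Object {
            if ($_.lastLogon -and $_.lastLogon -gt 0) {
                $t = [DateTime]::FromFileTime($_.lastLogon)
                if (-not $lastLogon.ContainsKey($_.Name) -or $t -gt $lastLogon[$_.Name]) {
                    $lastLogon[$_.Name] = $t
                }
            }
        }
    } catch {
        # An unreachable DC only costs accuracy for computers that last
        # authenticated there; report it rather than silently skipping.
        Write-Warning "Could not query $dc : $_"
    }
}

# 3. Merge both views into one row per computer account.
$report = @($computers | ForEach-Object {
    $ts = $_.LastLogonTimestamp
    $ll = $lastLogon[$_.Name]
    [PSCustomObject]@{
        Name               = $_.Name
        Enabled            = $_.Enabled
        LastLogonTimestamp = $ts
        LastLogon          = $ll
        ActiveByTimestamp  = ($null -ne $ts -and $ts -ge $Threshold)
        ActiveByLastLogon  = ($null -ne $ll -and $ll -ge $Threshold)
    }
})

"Computer accounts in AD:                            {0}" -f $report.Count
"Enabled accounts:                                   {0}" -f @($report | Where-Object Enabled).Count
"Authenticated in last $StaleDays days (lastLogonTimestamp): {0}" -f @($report | Where-Object ActiveByTimestamp).Count
"Authenticated in last $StaleDays days (lastLogon, all DCs): {0}" -f @($report | Where-Object ActiveByLastLogon).Count

# Export for loading into whatever database holds the inventory (path assumed).
$report | Export-Csv -Path .\domain-computers.csv -NoTypeInformation
```

The two "authenticated in last N days" counts will usually differ slightly; the `lastLogon` figure is the one to trust, and a computer that appears in neither set (no logon within the window, or no value at all) is a candidate for the stale-account cleanup the answer mentions, not evidence that the IP currently holding its old name is domain-joined.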