Querying domain controller event logs with PowerShell

Most Active Directory admins have worked with the Active Directory Risk Assessment Program (ADRAP), a tool designed to perform a complete health check of an Active Directory forest. However, ADRAP is available only to Microsoft Premier customers. One of the checks ADRAP performs is on domain controller event logs: it inspects the event logs on each domain controller to ensure there are no warnings or errors related to Active Directory functionality such as replication, the KCC, the KDC, and other components. If you do not have access to ADRAP and want to check the event logs on all of your domain controllers, you can use the PowerShell script explained in this article. It collects event log data from every domain controller and prepares a CSV report that helps you understand the errors and warnings reported across them.

Requirements

Before you can run the script, please make sure to meet the requirements mentioned below:

  • Ensure you are running the script from a Windows Server 2012 R2 member server or domain controller.
  • Make sure to create a folder by the name “C:\Temp” on the computer from where you will run the script.
  • Collect all Domain Controller names from the Active Directory forest and specify them in the C:\Temp\DCList.TXT file.
  • Create a text file called QueryLogs.TXT and add the names of the event logs you would like to query on each domain controller, one per line. The QueryLogs.TXT file should look like the one in the screenshot below:

[Screenshot: sample QueryLogs.TXT listing the event log names to query, one per line]

What does the script do?

This PowerShell script connects to each domain controller listed in DCList.TXT and, for each one, queries the event logs named in QueryLogs.TXT. To collect the domain controller names from the Active Directory forest, you can run the command dsquery server -o rdn > C:\Temp\DCList.TXT. The QueryLogs.TXT file must contain event log short names (the names Get-EventLog accepts for its -LogName parameter, such as "Directory Service" or "System"), one per line.

Once you have met the above requirements, run the script from an elevated PowerShell prompt. Note that collecting the event log entries from each domain controller can take a considerable amount of time, depending on the number of domain controllers you run the script against.
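The two input files can also be produced from PowerShell rather than with dsquery. The following is an added example, not part of the original article: it assumes the RSAT ActiveDirectory module is installed on the machine you run it from, and the set of log names it writes to QueryLogs.TXT is an assumption chosen to cover the components the article mentions (replication and KCC events go to the Directory Service log; KDC events go to the System log). It also checks the chosen log names against the first domain controller, because a log that is absent on a DC (for example DNS Server on a DC without the DNS role) shows up in the report as a command error rather than a clean result.

```powershell
# Added example (not from the original article): build DCList.TXT and QueryLogs.TXT.
Import-Module ActiveDirectory

New-Item -ItemType Directory -Path "C:\Temp" -Force | Out-Null

# Every domain controller in every domain of the forest, one hostname per line.
# Get-ADDomainController -Filter * is scoped to one domain, so iterate the forest's domains.
$forestDCs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain | Select-Object -ExpandProperty HostName
}
$forestDCs | Sort-Object -Unique | Set-Content -Path "C:\Temp\DCList.TXT" -Encoding ASCII

# Classic event logs (Get-EventLog -LogName short names). This selection is an assumption;
# "Directory Service" carries NTDS replication/KCC events, "System" carries KDC events.
@(
    "Directory Service",
    "DNS Server",
    "DFS Replication",
    "System",
    "Application"
) | Set-Content -Path "C:\Temp\QueryLogs.TXT" -Encoding ASCII

# Sanity check against the first DC: any log name missing there will be reported
# by the script as a command error for that DC, so warn about it up front.
$firstDC = Get-Content "C:\Temp\DCList.TXT" | Select-Object -First 1
$present = (Get-EventLog -List -ComputerName $firstDC).Log
Get-Content "C:\Temp\QueryLogs.TXT" |
    Where-Object { $_ -notin $present } |
    ForEach-Object { Write-Warning "Log '$_' is not present on $firstDC" }

# Show what was written
Get-Content "C:\Temp\DCList.TXT", "C:\Temp\QueryLogs.TXT"
```

Run it once from the same elevated session you will use for the main script; the files it writes are exactly the two inputs the Requirements section asks for.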

### Script Starts Here ###

# Output report. A report left over from a previous run is removed first.
$TestCSVFile = "C:\Temp\DCLogStatus.CSV"
Remove-Item $TestCSVFile -ErrorAction SilentlyContinue
$ThisStr = "Domain Controller,Connection,Command Status,Log Name,Number Of Errors Since last 10 Days,Number Of Warnings Since last 10 Days,Final Status"
Add-Content "$TestCSVFile" $ThisStr

# Input files (see Requirements): one DC name per line, one event log short name per line.
$GDCList = "C:\Temp\DCList.TXT"
$DCLogs  = "C:\Temp\QueryLogs.TXT"

# Only entries newer than this date are counted; change -10 to adjust the window.
$AfterDate = (Get-Date).AddDays(-10)

# Fields for the summary line at the end. The original script used $ADTestName and
# $TestStartTime without defining them; the values below are assumptions.
$ADTestName    = "DC Event Log Check"
$TestStartTime = Get-Date

$TotNo = 0           # DC/log pairs that reported at least one error
$TestText = ""
$TestStatus = ""
$SumVal = ""
$AnyGap = "No"       # "Yes" once any log on any DC contains errors
$AnyOneOk = "No"     # "Yes" once at least one log query succeeded anywhere
$TotDCsInError = 0   # DCs that could not be contacted at all

ForEach ($ItemName in Get-Content "$GDCList")
{
    $DCConError = "Ok"
    $ProceedOrNot = "Yes"

    # Connectivity check: a failing WMI query means the DC is unreachable or access was denied.
    $Error.Clear()
    $AllServices = Get-WmiObject Win32_Service -ComputerName $ItemName -ErrorAction SilentlyContinue
    IF ($Error.Count -ne 0)
    {
        $ProceedOrNot = "No"
        $TotDCsInError++
        $DCConError = $Error[0].Exception.Message
        $FinalSTR = $ItemName + ",Not OK: Error: $DCConError"
        Add-Content "$TestCSVFile" $FinalSTR
    }

    IF ($ProceedOrNot -eq "Yes")
    {
        $ComConError = "Ok"

        ForEach ($ThisLog in Get-Content $DCLogs)
        {
            $Error.Clear()
            $LogError = Get-EventLog -ComputerName $ItemName -LogName "$ThisLog" -EntryType Error -After $AfterDate -ErrorAction SilentlyContinue

            # Get-EventLog writes a non-terminating "No matches found" error when a filter
            # matches nothing. That is a clean result, not a failed command, so it is ignored.
            $RealErrors = @($Error | Where-Object { $_.FullyQualifiedErrorId -notlike "GetEventLogNoEntriesFound*" })
            IF ($RealErrors.Count -eq 0)
            {
                $FinStatus = "Ok"
                $AnyOneOk = "Yes"
                # @() so that zero or one entry still yields a numeric count
                $LogErrCnt = @($LogError).Count
                IF ($LogErrCnt -ne 0)
                {
                    $AnyGap = "Yes"
                    $FinStatus = "Not Ok"
                    $TotNo++
                }

                $LogWarnings = Get-EventLog -ComputerName $ItemName -LogName "$ThisLog" -EntryType Warning -After $AfterDate -ErrorAction SilentlyContinue
                $LogWarningsCnt = @($LogWarnings).Count

                $ThisStr = $ItemName + "," + $DCConError + "," + $ComConError + "," + $ThisLog + "," + $LogErrCnt + "," + $LogWarningsCnt + "," + $FinStatus
                Add-Content "$TestCSVFile" $ThisStr
            }
            else
            {
                # The DC answered, but this particular log could not be read
                # (for example the log does not exist on that DC, or access was denied).
                $ComConError = $RealErrors[0].Exception.Message
                $FinalSTR = $ItemName + ",$DCConError," + $ComConError
                Add-Content "$TestCSVFile" $FinalSTR
            }
        }
    }
}

$OthText = ""
IF ($TotDCsInError -ne 0)
{
    $OthText = "Some Domain Controllers have not been checked due to connectivity or command issues."
}
IF ($AnyGap -eq "Yes")
{
    $TestText = "Domain Controllers have errors in Event Logs. Please load and check result. $OthText"
    $SumVal = $TotNo
    $TestStatus = "High"
}
IF ($AnyGap -eq "No")
{
    $TestText = "There are no errors found in Event Logs of Domain Controllers. $OthText"
    $SumVal = ""
    $TestStatus = "Passed"

    IF ($AnyOneOk -eq "No")
    {
        # Not a single log could be queried on any DC
        $TestText = "Error Executing Dynamic Pack."
        $SumVal = ""
        $TestStatus = "Completed with Errors."
    }
}

# Overall summary line (test name, start time, status, count of flagged logs, message).
$STR = $ADTestName + "," + $TestStartTime + "," + $TestStatus + "," + $SumVal + "," + $TestText
Write-Output $STR

### Script Ends Here ###

Once the script has finished, open C:\Temp\DCLogStatus.CSV and look at the report. It includes, for each domain controller and log name, the number of errors reported in the last 10 days, the number of warnings reported in the last 10 days, and a final status, as shown in the screenshot below:

[Screenshot: DCLogStatus.CSV report with one row per domain controller and log]

Note that the script collects the error and warning counts from each domain controller for the last 10 days. If you wish to change the collection window, modify the $AfterDate = (get-date).AddDays(-10) line in the script. It is recommended that you shorten the window to two days to see whether any errors or warnings have been reported on the domain controllers recently.

Getting to ‘OK’

By running this PowerShell script, you can learn the event log status of each domain controller. Although the script does not collect the error and warning messages themselves, it helps you understand the overall status of your domain controllers.
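Because the report only carries counts, the next step is usually to find out which events are behind a "Not Ok" row. The following is an added example, not part of the original article: it reads DCLogStatus.CSV, lists the domain controllers the script could not reach, and for every flagged DC/log pair pulls the error-level events from the same 10-day window with Get-WinEvent -FilterHashtable (Level 2 is Error in the Windows event log schema), grouped by provider and event ID so that a repeating ID stands out from one-off noise. The CSV path and the window are the script's own; the use of Get-WinEvent and the grouping are this example's choices.

```powershell
# Added example (not from the original article): triage DCLogStatus.CSV and fetch the
# actual error events behind each "Not Ok" row.
$report = Import-Csv -Path "C:\Temp\DCLogStatus.CSV"
$after  = (Get-Date).AddDays(-10)   # same window as the collection script

# Rows for unreachable DCs carry the error text in the "Connection" column and have no
# "Final Status"; report them separately so they are not mistaken for clean results.
$report |
    Where-Object { $_.Connection -like "Not OK*" } |
    ForEach-Object { Write-Warning "Unreachable DC: $($_.'Domain Controller') ($($_.Connection))" }

$flagged = $report | Where-Object { $_.'Final Status' -eq "Not Ok" }

$summary = foreach ($row in $flagged) {
    $dc  = $row.'Domain Controller'
    $log = $row.'Log Name'

    # Level 2 = Error. Get-WinEvent needs the Windows Event Log Remote Management
    # firewall rules open on the DC, the same as Get-EventLog in the main script.
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = $log
        Level     = 2
        StartTime = $after
    }

    # Top five provider/event-ID pairs for this DC and log, with the first line of a sample message
    $events |
        Group-Object ProviderName, Id |
        Sort-Object Count -Descending |
        Select-Object -First 5 -Property @{ n = 'DC';        e = { $dc } },
                                         @{ n = 'Log';       e = { $log } },
                                         Count,
                                         @{ n = 'Source/ID'; e = { $_.Name } },
                                         @{ n = 'Sample';    e = { (($_.Group | Select-Object -First 1).Message -split "`n")[0] } }
}

$summary | Format-Table -AutoSize -Wrap
```

Run it from the same elevated session after the collection script has finished. A provider/ID pair that appears on many domain controllers at once usually points at a shared dependency (DNS, replication partners, time), while a pair confined to one DC points at that host.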


1 thought on “Querying domain controller event logs with PowerShell”

  1. error running script

    ———————————-

    Mode LastWriteTime Length Name
    —- ————- —— —-
    d—- 8/9/2023 9:39 AM ReqPortTest
    Get-Content : Cannot bind argument to parameter ‘Path’ because it is an empty string.
    At C:\temp\TestAD.ps1:15 char:35
    + Foreach ($ItemName in Get-Content “$GDCList”)
    + ~~~~~~~~~~
    + CategoryInfo : InvalidData: (:) [Get-Content], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,Microsoft.PowerShell.Commands.GetContentCommand
