Parse Windows DNS Debug logs for Client IP and hitcount

If you have had to decommission AD domain controllers that have been around for some time, you have probably run into concerns about systems that may have been statically configured to connect to those legacy DCs. Though turning down a DC is a relatively straightforward task, ensuring that all systems with static pointers to those DCs have been changed can be difficult if those pointers have not been documented. Many DC services can have logging enabled to check what is connecting, but this is typically not a viable way to determine what those systems could be, since most DC services are discoverable via DNS using SRV records that are registered automatically while the systems retain the DC role.

One exception is DNS itself: information about the queries sent to the DNS server can be logged by enabling 'debug logging' on the DC's DNS service. The DNS debug logs do not have headers, so tools like Logparser are not very useful.

Recently I created a simple script with the intent of parsing the Windows DNS debug logs for client IP along with a hitcount. In addition to outputting the IPs, it also strips any public IPs from the report. You can find the script here:

After output, you can look further into what the systems are by using tools like Nmap, or NBTSTAT (if it is a Windows system).
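
The kind of parsing described above, as an added example that is not the author's script: it counts queries received per client IP from the debug log's PACKET lines and drops addresses outside the RFC 1918 private ranges. The function names, the assumed PACKET field layout, the choice to count only received non-response packets, and the sample lines are assumptions made for this example.

```powershell
# Added example. Function names are hypothetical; sample log lines are constructed.
function Test-Rfc1918Address {
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    # IPv6 clients are not reported by this example.
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Get-DnsClientHitCount {
    param([string[]]$Line)
    # Assumed layout: <date> <time> <thread> PACKET <id> UDP|TCP Snd|Rcv <remote IP> <xid> [R] <opcode> [flags] ...
    # Only "Rcv" packets without the "R" (response) marker count, i.e. queries sent to this server.
    $pattern = '\sPACKET\s+\S+\s+(?:UDP|TCP)\s+Rcv\s+(?<ip>\S+)\s+[0-9a-fA-F]{4}\s+(?<resp>R\s+)?\S\s+\['
    $counts = @{}
    foreach ($l in $Line) {
        if ($l -cmatch $pattern -and -not $Matches['resp']) {
            $ip = $Matches['ip']
            if (Test-Rfc1918Address $ip) { $counts[$ip] = 1 + $counts[$ip] }
        }
    }
    # One object per client, busiest first.
    $counts.GetEnumerator() | Sort-Object -Property Value -Descending |
        ForEach-Object { [pscustomobject]@{ ClientIP = $_.Key; HitCount = $_.Value } }
}

# Constructed sample: two private clients, one public client, one sent reply, one received response.
$sample = @'
6/5/2013 10:00:32 AM 0E70 PACKET  00000000033397A0 UDP Rcv 10.0.0.5        5b47   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
6/5/2013 10:00:32 AM 0E70 PACKET  00000000033397A0 UDP Snd 10.0.0.5        5b47 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
6/5/2013 10:00:33 AM 0E70 PACKET  0000000003339B10 UDP Rcv 192.168.1.20    a1c2   Q [0001   D   NOERROR] SRV    (5)_ldap(4)_tcp(7)example(3)com(0)
6/5/2013 10:00:34 AM 0E70 PACKET  0000000003339E80 UDP Rcv 10.0.0.5        5b48   Q [0001   D   NOERROR] A      (4)mail(7)example(3)com(0)
6/5/2013 10:00:35 AM 0E70 PACKET  000000000333A1F0 UDP Rcv 203.0.113.9     77e0   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
6/5/2013 10:00:36 AM 0E70 PACKET  000000000333A560 UDP Rcv 198.51.100.53   9f3d R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
'@ -split '\r?\n'

Get-DnsClientHitCount -Line $sample
# For a real log: Get-DnsClientHitCount -Line (Get-Content <path-to-debug-log>)
```

The timestamp portion of each line varies with the server's regional settings, which is why the pattern anchors on the PACKET keyword rather than on the date.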