How to find all hostnames (even laptops that aren't currently on the network) on a network?

networking domain-name-system hostname netbios arp

I manage a network that has a lot of laptops. The users that use the laptops are frequently traveling. When someone gets a new computer I run into a problem determining what the hostname should be. The hostname scheme is [companyname]xxx where xxx is the next available number. I usually ping starting whichever hostname I think is available and increase/decrease the number until I find an available hostname. However when a user's laptop isn't in the network this method doesn't work.

Is there a way I can check for all of the hostnames on the network, even the laptops that aren't currently connected? Or am I going about this all wrong?

Two things to note:

  • I've used the ARP cache in the past but sometimes a user's laptop is out of the office long enough that their MAC address is no longer in the ARP cache.
  • I keep fairly good documentation but sometimes a different tech will add a computer to the domain and not update the documentation.

I usually would just ping starting whichever hostname I think is available and increase/decrease the number until i find an open hostname.

You're doing this the hard way. It would be easier to use a spreadsheet to track the computer names you've assigned. If you have a team that is responsible for naming computers a shared Google Sheets or the equivalent would be perfect.

At places I've worked we've used this method and included in the spreadsheet helpful details like Date Created, Date Decommissioned, Assigned User and the like.

sometimes a different tech will add a computer to the domain and not update the documentation.

This problem is best addressed with a behavior solution. Attempts to solve human problems with technical solutions usually fail. If the process for identifying and assigning a new name is simple then it is not unreasonable to expect all technicians to adhere to it as an expectation of employment.


Possible places you can pull computer names from:

  1. DHCP allocations, although they will be removed after a while, they show hostnamed.
  2. DNS server / reverse DNS entries - Windows integrated DHCP adds entries into DNS, they will last for a few days depending on your scavenging settings.
  3. Domain controller security event log - each logon to a domain resource should generate a logon entry and have computer names in them. Assuming all laptops logon to a domain resource at some point for file or print shares, this is probably the most comprehensive, if it goes back far enough.
  4. Print Server Application Event Log, ID 307 - printed documents leave an entry with the computer name they were sent from.
  5. Email headers. If you know who uses the laptops, and have email from them, look in the headers for which machine it originated on.
  6. Anti-virus consoles - if you have a centralised antivirus, it might have a record of all the computers which connect to it
  7. Windows Server Update Services - it shows lists of all computers it talks to.

None of these will help you answer "what's the next available name right now", but they may help you build a more comprehensive view of which names you've used.


Apart from setting up a 3rd party or in-house 24/7 monitoring service, your best bet would be WINS.

As long as your DHCP hands out a WINS server, that WINS server will record and keep the computer name/address, whether or not it is a domain PC.

Using the WINS console, you can find all PCs that have been on your network within the last 12 days - a PC not seen for 6 days will be marked tombstoned, and that tombstoned entry will then be deleted after another 6 days.

WINS is deprecated but still available.


Source: https://nmap.org/nsedoc/scripts/smb-os-discovery.html

As you can see it'll get DNS name as well NetBIOS name.

nmap --script smb-os-discovery.nse -p445 10.1.1.0/27

Example output:

Nmap scan report for dell.domain.local (10.1.1.5)
Host is up (0.00026s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 78:2B:CB:E8:7E:42 (Dell)

Host script results:

| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: dell
|   NetBIOS computer name: DELL
|   Workgroup: NAME
|_  System time: 2015-06-16T17:00:44+02:00

Nmap scan report for mietek.domain.local (10.1.1.30)
Host is up (0.00036s latency).
PORT    STATE  SERVICE
445/tcp closed microsoft-ds
MAC Address: D4:CA:6D:F4:94:D4 (Routerboard.com)

It's not perfect as you need properly configured firewalls, but IHMO it's good point to start.

Another way could be using software called thedude and it's autodiscovery feature.

thedude_sample

I completely forgot about great tool called ntop, it has passive ways to collecting data about network, when placed @ local gateway it'll find everything.

ntop_sample

Of course connection to local network or VPN with default gateway redirection is necessary.

Related

RAID 10 - many slow disks vs fewer fast disks
Intel Xeon processors: Difference between 2S/4S and S2S/S4S scalability
How to set an IP address in server_name directive, not a domain name?
Deploying to multiple accounts with Terraform?
How to resize main filesystem
No space left on device - Fedora 23 [closed]
What do you do to verify that your network is secure? [closed]
General tips for interpreting error logs [closed]
Limit Transfer Speed on Windows 2008
Convince System Administrator that File Uploads can be Okay?
Advice for a start-up (VPS, Dedicatedm, Co-hosted?)
An effective method to clean XP, Win2k and Windows 2003 after Conflicker