Parse Windows DNS Debug logs for Client IP and hitcount
If you have had to decommission AD Domain controllers that have been around for some time, you have probably ran into concern for systems that may have been statically configured to connect to those legacy DCs. Though turning down a DC is a relatively straightforward task, assuring all systems with static pointers to those DCs have been changed can be difficult if those pointers have not been documented. Although many DC services can have logging enabled to check what is connecting, this is typically not a viable solution for making determinations about what those systems could be, since most DC services are discoverable via DNS using SRV records that are registered automatically while the systems retain the DC role.
One exception is DNS itself; Information about the queries to the DNS server can be logged via use of ‘debug logging’ on the DC DNS services. The DNS debug logs do not have headers so tools like Logparser are not very useful.