15.3. Enabling NetLogon Logging
Problem
You want to enable NetLogon logging to help with troubleshooting client account logon, lockout, or domain controller location issues.
Solution
Using a command-line interface
To enable Netlogon logging, use the following command:
> nltest /dbflag:0x2080ffff
To disable Netlogon logging, use the following command:
> nltest /dbflag:0x0
Discussion
The netlogon.log file located in %SystemRoot%\Debug can be invaluable for troubleshooting client logon and related issues. When enabled at the highest setting (0x2000ffff), it logs useful information, such as the site the client is in, the domain controller the client authenticated against, additional information related to the DC Locator process, account password expiration information, account lockout information, and even Kerberos failures.
The NetLogon logging level is stored in the following registry value:
HKLM\System\CurrentControlSet\Services\Netlogon Parameters\DBFlag
If you set that registry value manually, instead of using
nltest
, you’ll need to
restart the NetLogon service for it to take effect.
One of the issues with the netlogon.log file is
that it can quickly grow to several megabytes, which makes it
difficult to peruse. A new tool available for Windows XP and Windows
Server 2003 called nlparse
can filter the contents
of the netlogon.log file so
that you’ll only see certain type of log entries.
The nlparse
tool is part of the Account Lockout and Management Tools that Microsoft made available from ...
Get Active Directory Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.