Windows 2000 domain controllers do not log any authentication requests by default. Windows Server 2003 is somewhat better in this regard since it logs successful authentication requests by default, but it does not log any denied requests. Thankfully, Microsoft provides very detailed logging facilities that can be enabled. A Windows domain controller can log the Kerberos KDC activity as well as domain logon and logoff events. We’ll take a look at both, from a Kerberos perspective.
First, let’s enable the logging of authentication requests for your domain. The first thing to configure is the Security Log’s maximum log file size. On Windows 2000, machines in your domain will only keep a 512 KB rotating log file by default (overwriting events that are more than 7 days old). With today’s large hard drives, there is no reason to constrain log files to less than a megabyte, so we’ll increase the file size limit to 10 megabytes in this example.
To change the maximum log file size for the security log, follow these steps:
Log into a Windows machine that has the Active Directory administrative snap-ins installed. You must have Domain Administrator privileges in order to modify these settings.
Open MMC and load the Active Directory Users and Computers snap-in.
Right-click on your domain, and choose Properties.
Select the Group Policy tab.
Select the Default Domain Policy GPO, and click Edit.
Navigate to Computer Configuration → Windows Settings → Security Settings → Event ...