
AD: Enable NETLOGON Debug logging / Kerberos Logging


http://support.microsoft.com/kb/942564


W2008 R2: How to enable Kerberos event logging

http://support.microsoft.com/kb/262177


Kerberos protocol registry entries and KDC configuration keys in Windows Server 2003:

http://support.microsoft.com/kb/837361


I know exactly what you are talking about; your problem is with LSASS.log, right?

Directory Services support indicates that the LSASS.log will not work in Win 2008 R2 and they replaced it with ETL tracing: "The downside of this is that the ETL trace is not human readable and must be decoded, which means you would need to talk to us, or me, (Microsoft CSS) to do that."

http://www.activedir.org…/view/topic/Default.aspx

Someone wrote that:

"I actually managed to enable lsass log. The main gotcha there was that you need to create LogToFile value under CurrentControlSet\Control\Lsa (not under CurrentControlSet\Control\Lsa\Kerberos or CurrentControlSet\Control\Lsa\Kerberos\Parameters as some sources tell you to)."

http://social.technet.mi…-412c-9a8e-fdc1ef218cfd/

This is true, but the file will be empty because of the logging architecture changes in LSASS.exe.

The following changes are relevant to NTLM and Kerberos. If you want to enable NTLM and Kerberos logging to send it to CSS, do the following:

NTLM: tracelog.exe -kd -rt -start ntlm -guid #5BBB6C18-AA45-49b1-A15F-085F7ED0AA90 -f .\ntlm.etl -flags 0x15003 -ft 1

Kerberos: tracelog.exe -kd -rt -start kerb -guid #6B510852-3583-4e2d-AFFE-A67F9F223438 -f .\kerb.etl -flags 0x43 -ft 1

This will still work on Win 2008 R2 for sure!

Netlogon Debugging
Output: %SystemRoot%\Debug\Netlogon.log
Value Path: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Value Name: DBFlag
Value Type: REG_SZ
Value Data: 0x2080FFFF
Besides editing the registry directly, you can use the Nltest tool (part of the Support Tools) to enable it:
nltest /dbflag:0x2080ffff
To disable it run:
nltest /dbflag:0x0
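A defender-side reader for the Netlogon.log that the DBFlag setting above produces, added here as an example (it is not from the KB articles or the post): it parses the SamLogon "Returns" lines and tallies failed logons per source workstation and account, which is the quickest way to spot a lockout source or a password-spray pattern in the trace. The sample entries are constructed to follow the Netlogon.log line layout; the status-code names are standard NTSTATUS values.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Netlogon.log lines (the format written to
# %SystemRoot%\Debug\Netlogon.log with DBFlag 0x2080FFFF); names are made up.
SAMPLE_NETLOGON_LOG = """\
05/12 09:01:10 [LOGON] [4120] CONTOSO: SamLogon: Network logon of CONTOSO\\alice from WS01 Entered
05/12 09:01:10 [LOGON] [4120] CONTOSO: SamLogon: Network logon of CONTOSO\\alice from WS01 Returns 0x0
05/12 09:01:11 [LOGON] [4120] CONTOSO: SamLogon: Network logon of CONTOSO\\bob from WS07 Entered
05/12 09:01:11 [LOGON] [4120] CONTOSO: SamLogon: Network logon of CONTOSO\\bob from WS07 Returns 0xC000006A
05/12 09:01:12 [LOGON] [4120] CONTOSO: SamLogon: Network logon of CONTOSO\\bob from WS07 Entered
05/12 09:01:12 [LOGON] [4120] CONTOSO: SamLogon: Network logon of CONTOSO\\bob from WS07 Returns 0xC000006A
05/12 09:01:13 [LOGON] [4120] CONTOSO: SamLogon: Network logon of CONTOSO\\svc_backup from WS07 Returns 0xC0000234
05/12 09:01:14 [MISC] [4120] DsGetDcName function called: client PID=1234, Dom:CONTOSO Acct:(null) Flags: RET_DNS
"""

# NTSTATUS values that show up most often in failed SamLogon lines.
STATUS_TEXT = {
    0x0: "STATUS_SUCCESS",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
}

# Matches only the "Returns" line of a SamLogon pair; "Entered" lines and
# non-[LOGON] lines are ignored. "(via DCNAME)" appears on transitive logons.
SAMLOGON_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] \[\d+\] \S+: SamLogon: "
    r"(?P<kind>.+?) logon of (?P<account>\S+) from (?P<source>\S+)"
    r"(?: \(via \S+\))? Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

def parse_samlogon_results(text):
    """Yield one dict per SamLogon 'Returns' line, with status as an int."""
    for line in text.splitlines():
        m = SAMLOGON_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"], 16)
            yield d

def summarize_failures(text):
    """Return {(source, account): Counter{status_name: n}} for non-zero statuses."""
    out = defaultdict(Counter)
    for r in parse_samlogon_results(text):
        if r["status"] != 0:
            name = STATUS_TEXT.get(r["status"], hex(r["status"]))
            out[(r["source"], r["account"])][name] += 1
    return dict(out)

if __name__ == "__main__":
    for (source, account), counts in summarize_failures(SAMPLE_NETLOGON_LOG).items():
        print(f"{source:8} {account:22} {dict(counts)}")
```

Point it at a real Netlogon.log with `summarize_failures(open(path).read())`; lines the regex does not recognise are skipped rather than raising.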

Winlogon Debugging
Output: %SystemRoot%\Security\Logs\Winlogon.log
Value Path: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
Value Name: ExtensionDebugLevel
Value Type: REG_DWORD
Value Data: 2
