
AD: Enable NETLOGON Debug logging / Kerberos Logging



W2008 R2: How to enable Kerberos event logging



Kerberos protocol registry entries and KDC configuration keys in Windows Server 2003:



I know exactly what you are talking about; your problem is with LSASS.log, right?

Directory Services support indicates that the LSASS.log will not work in Win 2008 R2 and that they replaced it with ETL tracing: "The down side of this is that the ETL trace is not human readable and must be decoded, which means you would need to talk to us, or me, (Microsoft CSS) to do that."


Someone wrote that:

"I actually managed to enable lsass log. The main gotcha there was that you need to create LogToFile value under CurrentControlSet\Control\Lsa (not under CurrentControlSet\Control\Lsa\Kerberos or CurrentControlSet\Control\Lsa\Kerberos\Parameters as some sources tell you to)."


This is true, but the file will be empty because of the logging architecture changes in LSASS.exe.

The following changes are relevant to NTLM and Kerberos. If you want to enable NTLM and Kerberos logging to send to CSS, do the following:

NTLM: tracelog.exe -kd -rt -start ntlm -guid #5BBB6C18-AA45-49b1-A15F-085F7ED0AA90 -f .\ntlm.etl -flags 0x15003 -ft 1

Kerberos: tracelog.exe -kd -rt -start kerb -guid #6B510852-3583-4e2d-AFFE-A67F9F223438 -f .\kerb.etl -flags 0x43 -ft 1

This will still work on Win 2008 R2 for sure!

Netlogon Debugging
Output: %SystemRoot%\Debug\Netlogon.log
Value Path: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Value Name: DBFlag
Value Type: REG_SZ
Value Data: 0x2080FFFF
Besides editing the registry directly, you can use the Nltest tool (part of the Support Tools) to enable it:
nltest /dbflag:0x2080ffff
To disable it, run:
nltest /dbflag:0x0

Winlogon Debugging
Output: %SystemRoot%\Security\Logs\Winlogon.log
Value Path: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
Value Name: ExtensionDebugLevel
Value Type: REG_DWORD
Value Data: 2
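
To check which of the two debug settings above are currently active on a host, for example to confirm that verbose logging was switched off again after troubleshooting, the following PowerShell is an added example and not part of the original post. The function name Get-DebugLoggingState is hypothetical, the handling of DBFlag as either a hex/decimal string or a DWORD is an assumption, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the original post). Registry paths, value names and
# log locations are the ones listed above; the function name is hypothetical.
function Get-DebugLoggingState {
    $checks = @(
        @{ Name  = 'Netlogon'
           Key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
           Value = 'DBFlag'
           Log   = "$env:SystemRoot\Debug\Netlogon.log" },
        @{ Name  = 'Winlogon'
           Key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
           Value = 'ExtensionDebugLevel'
           Log   = "$env:SystemRoot\Security\Logs\Winlogon.log" }
    )
    foreach ($c in $checks) {
        # A missing key or value yields $null rather than an error.
        $prop = Get-ItemProperty -LiteralPath $c.Key -Name $c.Value -ErrorAction SilentlyContinue
        $raw  = if ($prop) { $prop.($c.Value) } else { $null }

        # Assumption: a string value may be hex ("0x2080FFFF") or decimal;
        # a DWORD value already arrives as a number.
        $flags = 0
        if ($raw -is [string] -and $raw.Trim() -match '^0x[0-9a-f]+$') {
            $flags = [Convert]::ToInt64($raw.Trim(), 16)
        } elseif ($null -ne $raw -and "$raw" -match '^-?\d+$') {
            $flags = [int64]"$raw"
        }

        # The log file shows whether anything is actually being written.
        $log = Get-Item -LiteralPath $c.Log -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Component    = $c.Name
            ValueName    = $c.Value
            RawValue     = $raw
            Enabled      = ($flags -ne 0)
            LogSizeBytes = if ($log) { $log.Length } else { $null }
            LogLastWrite = if ($log) { $log.LastWriteTime } else { $null }
        }
    }
}

Get-DebugLoggingState | Format-Table -AutoSize
```

An Enabled value of True together with a recent LogLastWrite means the component is still writing debug output to disk.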
