You want to enable NetLogon logging to help with troubleshooting client account logon, lockout, or domain controller location issues.
To enable Netlogon logging, use the following command:
> nltest /dbflag:0x2080ffff
To disable Netlogon logging, use the following command:
> nltest /dbflag:0x0
The netlogon.log file located in %SystemRoot%\Debug can be invaluable for troubleshooting client logon and related issues. When enabled at the highest setting (0x2000ffff), it logs useful information, such as the site the client is in, the domain controller the client authenticated against, additional information related to the DC Locator process, account password expiration information, account lockout information, and even Kerberos failures.
The NetLogon logging level is stored in the following registry value:
If you set that registry value manually, instead of using nltest, you'll need to restart the NetLogon service for it to take effect.
One of the issues with the netlogon.log file is that it can quickly grow to several megabytes, which makes it difficult to peruse. A new tool available for Windows XP and Windows Server 2003 called nlparse can filter the contents of the netlogon.log file so that you'll only see certain type of log entries. The nlparse tool is part of the Account Lockout and Management Tools that Microsoft made available from the following web site (assuming the tools haven't moved):
MS KB 109626 (Enabling Debug Logging for the Netlogon Service), MS KB 247811 (How Domain Controllers Are Located in Windows), and MS KB 273499 (Description of Security Event 681)