Recipe 15.3 Enabling NetLogon Logging

15.3.1 Problem

You want to enable NetLogon logging to help with troubleshooting client account logon, lockout, or domain controller location issues.

15.3.2 Solution Using a command-line interface

To enable Netlogon logging, use the following command:

> nltest /dbflag:0x2080ffff

To disable Netlogon logging, use the following command:

> nltest /dbflag:0x0

15.3.3 Discussion

The netlogon.log file located in %SystemRoot%\Debug can be invaluable for troubleshooting client logon and related issues. When enabled at the highest setting (0x2000ffff), it logs useful information, such as the site the client is in, the domain controller the client authenticated against, additional information related to the DC Locator process, account password expiration information, account lockout information, and even Kerberos failures.

The NetLogon logging level is stored in the following registry value:

HKLM\System\CurrentControlSet\Services\Netlogon Parameters\DBFlag

If you set that registry value manually, instead of using nltest, you'll need to restart the NetLogon service for it to take effect.

One of the issues with the netlogon.log file is that it can quickly grow to several megabytes, which makes it difficult to peruse. A new tool available for Windows XP and Windows Server 2003 called nlparse can filter the contents of the netlogon.log file so that you'll only see certain type of log entries. The nlparse tool is part of the Account Lockout and Management Tools that Microsoft made available from the following web site (assuming the tools haven't moved):

15.3.4 See Also

MS KB 109626 (Enabling Debug Logging for the Netlogon Service), MS KB 247811 (How Domain Controllers Are Located in Windows), and MS KB 273499 (Description of Security Event 681)

    Chapter 3. Domain Controllers, Global Catalogs, and FSMOs
    Chapter 6. Users
    Appendix A. Tool List