When troubleshooting Active Directory the first place that most people look is the Windows Server event logs, the event logs can provide a wealth of information about the state of an Active Directory, but by default the recorded information is limited to the logging of critical and error events.

To enable detailed diagnostic logging there are a series of registry keys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics which when set to a defined value will populate the information to the event logs.

The defined values are:

Option Description
0 (None) Only critical events and error events are logged. (Default)
1 (Minimal) Very high-level events are recorded in the event log
2 (Basic) Events with a logging level of 2 or lower are logged.
3 (Extensive) Events with a logging level of 3 or lower are logged.
4 (Verbose) Events with a logging level of 4 or lower are logged.
5 (Internal) All events are logged, including debug strings and configuration changes received.

Any logging above level 3 can generate a lot of additional logged information and should be used with caution.

These values can be set against the one or more of these 24 keys

clip_image002[4]

Key Name:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

1 Knowledge Consistency Checker

The KCC derives its input configuration from objects in the directory (for example, sites, servers and site links). The KCC reports if these objects are incorrect or missing. Events occurring during a run of the KCC.

Messages fall into the following categories:

KCC runtime errors, such as inconsistencies, resource errors or directory access problems. KCC output configuration problems. The new configuration cannot be built or is incomplete in some way.  Perhaps too many servers are down to build a complete topology at this time.

2 Security Events

Events related to security such as a user who tries to read or write an attribute with insufficient permissions, a user binding through MAPI, or a domain that has been changed to native mode.

3 ExDS Interface Events

Events related to communication between Active Directory and Exchange clients.

4 MAPI Interface Events

Events related to communication between Active Directory and Exchange clients.

5 Replication Events

Events related to outbound replication, where changed objects are found and inbound replication, where these changes are applied to a local database. “Normal” errors during the course of replication, such as a domain controller being down, are not logged. They are kept as status and are available through the replication tools. The errors logged during replication are generally critical inconsistencies that require user intervention, as database errors. The other kind of events logged by the replication category are information about which objects and attributes were updated and why.  Note that many attributes are updated each time replication occurs. Logging detail about attributes can generate a great deal of messages very quickly.

A level of 1 is safe and might be informative as to the general types of operations occurring for replication. A level higher than level 2 can result in filling up the log file and performance degradation.

6 Garbage Collection

Events generated when objects marked for deletion are actually deleted.

7 Internal Configuration

Interpretation and display of the internal directory service operations.

8 Directory Access

Reads and writes directory objects from all sources.

9 Internal Processing

Events related to the internal operation of Active Directory code such as processing security descriptor propagation. Error events in this category might be an indicator of serious problems in Active Directory. When the directory returns the status of “internal error,” this category can be used to identify the problem for Microsoft support. Set this category to 1 on all computers involved (client and server) and reproduce the problem. Note the point in the code where the internal error was raised.

10 Performance Counters

Events related to loading and unloading the NTDS performance object and performance counters.

11 Initialization/Termination

Events related to starting and stopping Active Directory.

12 Service Control

Processes Active Directory service events.

13 Name Resolution

Resolution of addresses and Active Directory names.

14 Backup

Events related to the backup of Active Directory. Specifically, errors occurring when ESE database records are read or written for backup purposes. Generally only logged when a backup operation is underway.

15 Field Engineering

Internal debugging trace.

16 LDAP Interface Events

Events related to LDAP. An example of events logged include the following: the LDAP server closed a socket to a client, unable to initialize LDAP Simple Bind Authentication, and LDAP over SSL is now available.

17 Setup

Events related to running the Active Directory Installation Wizard.

18 Global Catalog

Events related to Global Catalog. For example, “Promotion of this server to a Global Catalog will be delayed for %1 minutes. This delay is necessary so that the required partitions can be made ready before the GC is advertised.

The operations that occurs during this time include the KCC being run to generate the new topology, all read-only partitions in the enterprise being added to this server, and the contents of these partitions being replicated into this system.  If you want to promote the GC immediately without enforcing this precondition, set the registry variable

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\
GlobalCatalogDelayAdvertisement

(sec) to a DWORD value of 0. The GC will be promoted on the next attempt to check preconditions. This value can also be set to the maximum number of seconds that the DSA will wait before promoting to a GC.”

19 Inter-site Messaging

These messages are logged by the “Intersite Message” service, which is a separate service from the directory itself. There are two kinds of messages that are generated in this category:
The ISM Service is responsible for transporting replication messages between sites.
The ISM Service is also responsible for calculating site routes for the KCC to use. Note that the messages in this category are either fatal configuration errors, or informational messages about the amount of traffic being carried.

20 Group Caching

Events related to Universal Group Membership Caching on a domain controller in a site where this feature is enabled. The value is set to an integer from 0 (no logging) through 5 (most verbose logging). Significant events are reported at logging level 2. with many additional events reported at logging level 5.

21 Linked-Value Replication

Events related to Linked-Value Replication.

22 DS RPC Client

Events related to RPC Client

Controls the logging of events that are related to communication with the Directory Service.
Examples of logged events include remote procedure call (RPC) errors, cancelled calls, and service principal name (SPN)– related operations.

Real world example: Only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. To log all individual failure events, set diagnostics registry value to 1.

23 DS RPC Server

Controls the logging of events that are related the RPC server service.

Example, during outbound replication and replication setup operations.

24 DS Schema

Events related to the Active Directory schema.

Example of an event logged includes a successful Active Directory Schema updates which records the event with and Event ID of 1582

Posted by markparris

Microsoft MVP - Enterprise mobility.

2 Comments

  1. nice one Mark – very useful

    Reply

  2. Yea Nice one Mark, Thanks.

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s