Computer Support » logging

Enabling Diagnostics Logging

admin — Tue, 04 Mar 2008 19:51:23 +0000

A useful way to troubleshoot specific problems you are encountering with Active Directory is to increase the diagnostics logging level. Diagnostics logging can be enabled by component. For example, if you determine the KCC is not completing every 15 minutes, you can enable diagnostics logging for the one Knowledge Consistency Checker setting.

These settings are stored under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. By default, all settings are set to 0, which disables diagnostic logging, but you can increase any one of them by setting it to a number from 1 through 5. As a general rule, a value of 1 is used for minimum logging, 3 for medium logging, and 5 for maximum logging. It is a good practice to ease your way up to 5 because some diagnostics logging settings can generate a huge number of events in the event log, which may make it difficult to read, along with increasing resource utilization on the domain controller.

Here is the complete list of diagnostics logging settings for Windows Server 2003. Note that settings 20-24 are not available on Windows 2000-based domain controllers.

1 Knowledge Consistency Checker
 2 Security Events
 3 ExDS Interface Events
 4 MAPI Interface Events
 5 Replication Events
 6 Garbage Collection
 7 Internal Configuration
 8 Directory Access
 9 Internal Processing
 10 Performance Counters
 11 Initialization/Termination
 12 Service Control
 13 Name Resolution
 14 Backup
 15 Field Engineering
 16 LDAP Interface Events
 17 Setup
 18 Global Catalog
 19 Inter-site Messaging
 20 Group Caching
 21 Linked-Value Replication
 22 DS RPC Client
 23 DS RPC Server
 24 DS Schema

Using a graphical user interface

Run regedit.exe from the command line or Start Run.
In the left pane, expand HKEY_LOCAL_MACHINE System CurrentControlSet Services NTDS Diagnostics.
In the right pane, double-click on the diagnostics logging entry you want to increase, and enter a number (0-5) based on how much you want logged.
Click OK.

Using a command-line interface

> reg add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "

" /t REG_DWORD /d <0-5>

Using VBScript

' This code sets the specified diagnostics logging level
' ------ SCRIPT CONFIGURATION ------
strDC   = ""  ' e.g., dc01
strLogSetting = ""  ' e.g., 1 Knowledge Consistency Checker
intFlag =                ' Flag value in decimal, e.g., 5
' ------ END CONFIGURATION ---------
const HKLM = &H80000002
strRegKey = "SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"
set objReg = GetObject("winmgmts:\\" & strDC & "\root\default:StdRegProv")
objReg.SetDwordValue HKLM, strRegKey, strLogSetting, intFlag
WScript.Echo "Diagnostics logging for " & strLogSetting _
             & " set to " & intFlag

Enabling DHCP Audit Logging

admin — Fri, 22 Feb 2008 19:59:00 +0000

After you enable auditing on a DHCP Server, all DHCP requests, database maintenance events, and various errors will be logged to a file. By default, a separate file is generated for each day of the week and stored in %SystemRoot%\system32\dhcp. The files are named DhcpSrvLog-xxx.log where xxx is the day of the week (e.g., DhcpSrvLog-Mon.log). After the first week, the previous week’s file is overwritten.

The events logged to the audit log (a plain text file) have the following format:

ID,Date,Time,Description,IP Address,Host Name,MAC Address

The DHCP Server monitors how the log files grow and the available disk space to determine if it should stop logging prematurely to prevent it from consuming too much space. There are two conditions that cause auditing to stop:

When disk space runs below 20 MB on the filesystem the log files are on.
When a single log file reaches the preset maximum size (the default is 1 MB).

Fortunately, you can modify these default values by editing the registry. There are three registry values that control DHCP Server disk monitoring located under HKLM\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters:

DhcpLogDiskSpaceCheckInterval

This specifies the number of audit entries recorded between disk verification checks. The default is 50, which means 50 events have to be recorded before the disk verification check occurs.

DhcpLogFilesMaxSize

The maximum size in megabytes for all seven log files. By default, this is 7, which means each log file can only grow to be 1 MB before the DHCP Server stops logging for that day.

DhcpLogMinSpaceOnDisk

The minimum size in megabytes that must exist on the filesystem for logging to continue. The default is 20, which means the DHCP Server will stop logging altogether if disk space goes below 20 MB on the filesystem.

You may need to create these values (as REG_DWORD) if they don’t already exist.

Using a graphical user interface

Open the DHCP snap-in.
In the left pane, right-click on DHCP and select Add Server.
Type in the name of the DHCP Server you want to target and click OK.
Right-click the server node and select Properties.
On the General tab, check the box beside Enable DHCP audit logging.
Click OK.

Using a command-line interface

Surprisingly, netsh doesn’t allow you to enable DHCP audit logging. You can only modify the audit log file path. However, this setting is controlled via the registry. The following command enables auditing by setting the ActivityLogFlag value:

> reg add HKLM\System\CurrentControlSet\Services\DhcpServer\Parameters /v
 ActivityLogFlag /t REG_DWORD /d 1

To disable auditing, use the same command except use /d 0 in place of /d 1.