All The Logging In The World


There’s normal troubleshooting and then there’s the stuff you do when the basic troubleshooting doesn’t get things resolved.  Normal troubleshooting can be things like selecting “last known good” on a reboot after installing a new driver and having a blue screen.  Or perhaps uninstalling and then reinstalling an application, or altering settings for the application or operating system to alleviate a problem.

 

Sometimes we have to dig in and find out more. 

 

Many admins out there in the world live that every day.  Which is why we add methods to find out more into our products.  This post is all about listing all of the data gathering methods that a Directory Services person may ever need to know.  Since there are so many it will be difficult to organize well in one uber post but I’m going to put it out there for you all anyway, disorganized or not.

A while back I created a spreadsheet which could be used to select the Directory Services technology which is being looked at as having a problem and then use the spreadsheet to narrow down what data should be looked at.

I broke this down into columns for Technology, Logging Name, General Problem Description, Short Description of Benefits, "Should be Done" (meaning how frequently that technique is done generally to fix an issue) and the URL or steps on how to set up that logging.

 The original document was an Excel spreadsheet, but I saved it as a monolithic web file.  If you have Excel you can use the Microsoft Office Web Components (install them from the link for free if you don't have them) and use the pull-down menus to easily narrow down what data to gather.

 A few caveats about this list.  First, it doesn't tell you how to read the results, only what data to gather and how to gather it.  Second, it doesn't focus on a specific operating system version.  I have given a few posts on some of the logging (like USERENV) so you can refer to those if it helps.  Third, this is not an entirely comprehensive list but it gets nearly all.  There's always going to be something new or rarely used, you know?

 The file is available as a download from this blog post.  Also, please forgive the formatting which I suspect may truncate some of the columns.  It depends in part on your browser and the blog style sheet, but it may encourage you to download and use the Excel sheet for this instead.

 I'm also pasting the information below.  Again, for formatting purposes I hope you have multimon set up so that you can stretch the page since otherwise it may be difficult to read.  But I wanted to be sure and post it in the page since I don't want to unintentionally penalize a reader who doesn't use Microsoft Office.  Though you should, readers; it's a great product.

| Technology | Logging Name | General Problem Description | Short Description of Benefits | Should be done… | URL for Steps to Enable/Install |
| --- | --- | --- | --- | --- | --- |
| User Profiles | USERENV Logging | User Logon/Logoff Problems | This creates a log file with a step by step detail of the user logon process. | INITIALLY | http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833 |
| User Profiles | MPS Reports DS | User Logon/Logoff Problems | MPS Reports DS gathers the USERENV.LOG, as well as the Application event log of that computer. | SOMETIMES | http://www.microsoft.com/downloads/details.aspx?FamilyId=CEBF3C7C-7CA5-408F-88B7-F9C79B7306C0&displaylang=en |
| User Profiles | UPHClean in Diagnostic Mode | User Logon/Logoff Problems | UPHClean detects and closes open handles after logoff. In diagnostic mode it will display the PID of the offending process and stack last called for it. | SOMETIMES | http://www.microsoft.com/downloads/details.aspx?FamilyID=1b286e6d-8912-4e18-b570-42470e2f3582&displaylang=en&Hash=RQY5N8C |
| Account Lockouts | Verbose Kerberos Event Logging | Kerberos Errors | Increases the verbosity of logging for the selected type of events in the System Event Log. | SOMETIMES | http://support.microsoft.com/kb/q262177/ |
| Account Lockouts | NETLOGON Logging | Excessive account lockouts | Creates a NETLOGON.LOG file, detailing the verbose actions which the NETLOGON service is doing. | INITIALLY | http://support.microsoft.com/kb/109626/ |
| Account Lockouts | Remote Event Monitoring (EventCombMT) | Excessive account lockouts | Allows the remote gathering of events from servers. Has built-in search macros for common issues, like Account Lockouts. | INITIALLY | http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=7af2e69c-91f3-4e63-8629-b999adde0b9e |
| Account Lockouts | MPS Reports DS | Excessive account lockouts | Gathers account lockout policy settings, NETLOGON.LOG, and event logs. | SOMETIMES | http://www.microsoft.com/downloads/details.aspx?FamilyId=CEBF3C7C-7CA5-408F-88B7-F9C79B7306C0&displaylang=en |
| Group Policy | USERENV Logging | Group Policy application problems | This creates a log file with a step by step detail of the user logon process. | SOMETIMES | http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833 |
| Group Policy | GPRESULT output (MPS REPORTS or Support Tools) | Group Policy application problems | Gives a list of applied policies in contexts of user and computer, and settings from each. | INITIALLY | http://www.microsoft.com/downloads/details.aspx?FamilyId=CEBF3C7C-7CA5-408F-88B7-F9C79B7306C0&displaylang=en |
| Group Policy | Security Settings (WINLOGON Logging) | Group Policy application problems | This log contains the complete list of security specific settings applying from policy. | INITIALLY | http://support.microsoft.com/kb/245422 |
| Group Policy | Software Installation (AppMgmt Logging) | Group Policy application problems | This log will display a verbose log of policy-driven application install processes. | INITIALLY | http://support.microsoft.com/?id=249621 |
| Certificate Svcs | Verbose Certificate Services Event Logging (only for 2003) | Certificate service problems | This increases the detail and number of events shown for certificate services activity on a computer. | INITIALLY | http://support.microsoft.com/?id=305018 |
| Domain Controller Promotion (DCPROMO) | DCPROMO User Input Log (DCPROMOUI.LOG) | Problems promo/demoting DCs | This log will list the answers provided by the user upon running DCPROMO during the wizard. | INITIALLY | Enabled by default but can be increased in verbosity. |
| Domain Controller Promotion (DCPROMO) | DCPROMO Debug Log (DCPROMO.LOG) | Problems promo/demoting DCs | This is the DCPROMO debug log; it will show each action the local system takes to promote itself as a new DC. | INITIALLY | Enabled by default. |
| DNS | DNS Client Service Logging | Problems resolving DNS (client-side) | This logging provides more detail on DNS client lookup behavior in a separate log. | RARELY | http://support.microsoft.com/?id=260969 |
| Group Policy | Folder Redirection Debug logging (Fdeploy) | Group Policy application problems | Provides a debug log of the folder redirection process. | INITIALLY | http://www.microsoft.com/technet/community/newsgroups/upfrfaq.mspx |
| File Replication Service | FRS Debug Log Severity | Problems replicating SYSVOL/DFS | Increases the verbosity of the file replication service default debug logs. | RARELY | http://support.microsoft.com/?id=221112 |
| File Replication Service | FRS Debug Log Files | Problems replicating SYSVOL/DFS | These logs detail the actions FRS does as it copies and assesses files for inbound and outbound file replication for all replica sets on that server. | SOMETIMES | http://support.microsoft.com/?id=221112 |
| File Replication Service | FRS Debug Maximum Log Messages | Problems replicating SYSVOL/DFS | This setting controls the number of entries retained before the log FIFOs. | SOMETIMES | http://support.microsoft.com/?id=221112 |
| Group Policy | Group Policy Object Editor (GPEDIT) | Group Policy editing problems | Creates a detailed log of what takes place when a policy is edited in GPEDIT.MSC. | SOMETIMES | http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/0907105e-7856-4c93-b97f-a9a306623af5.mspx |
| Group Policy | Registry Settings (USERENV Logging) | Group Policy application problems | Displays registry specific client side engine information in the USERENV.LOG. | SOMETIMES | http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/0907105e-7856-4c93-b97f-a9a306623af5.mspx |
| Group Policy | Group Policy Management Console Debug Logging (GPMC) | Group Policy editing problems | Creates a detailed log of what takes place when a policy is edited in GPMC.MSC. | RARELY | http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/0907105e-7856-4c93-b97f-a9a306623af5.mspx |
| IPSec | IPSec Policy Agent Logging (Oakley.log) | Problems with IPSec settings taking effect | Creates a log showing information regarding the application of IPSec settings on a computer. | RARELY | http://support.microsoft.com/?id=257225 |
| Kerberos | Verbose Kerberos Event Logging | Kerberos Errors | Increases the verbosity of logging for the selected type of events in the System Event Log. | RARELY | http://support.microsoft.com/?id=262177 |
| Microsoft Directory Synchronization Services | Debug logging in the MSDSS tool | Errors or problems using MSDSS | Creates a debug log file of what the tool is doing. | RARELY | http://support.microsoft.com/?id=269536 |
| AD Replication | Active Directory Diagnostic Event Logging | Errors in AD replication | Increases the verbosity of logging for the selected type of events in the DS Event Log. | SOMETIMES | http://support.microsoft.com/?id=314980 |
| Directory Service Performance | ADPERF (Windows 2000 DCs Only) | Slow performance or hangs in LSASS.EXE | Gives a detailed report on what the directory service was doing as the report was run. | OFTEN | This is a legacy tool; contact MS for a copy. |
| Directory Service Performance | Server Performance Advisor (Windows Server 2003 DCs Only) | Slow performance or hangs in LSASS.EXE | Gives a detailed report on what the directory service was doing as the report was run. | OFTEN | http://www.microsoft.com/downloads/details.aspx?FamilyID=61a41d78-e4aa-47b9-901b-cf85da075a73&DisplayLang=en |
| Domain Controller Discovery | NETLOGON Logging | Problems with clients or DCs finding DCs for services | Creates a NETLOGON.LOG file, detailing the verbose actions which the NETLOGON service is doing. | SOMETIMES | http://support.microsoft.com/kb/109626/ |
| SSL/TLS (Network Session Security) | Schannel Debug Logging | Problems establishing SSL sessions successfully | Provides a debug log of the SSL session setup. | RARELY | http://support.microsoft.com/?id=260729 |
| Group Policy | Software Restriction Policy (SAFER) Logging | Problems processing software restriction settings | Logs the processing of software restriction settings in a file. | RARELY | http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx (under Advanced Logging) |
| Windows Time Service | W32Time Logging | Problems with the time service keeping in synch | Creates a debug log file for the Windows Time Service. | SOMETIMES | http://support.microsoft.com/?id=816043 |
| Kerberos | Network Capture | Kerberos Errors | When filtered for Kerberos traffic, the capture will show ticket requests and replies and details on each. | SOMETIMES | http://support.microsoft.com/default.aspx?scid=kb;en-us;q294818 or http://www.ethereal.com/ |
| SSL/TLS (Network Session Security) | Network Capture | Problems establishing SSL sessions successfully | When filtered for SSL/TLS traffic, the capture will show session setup in detail. | RARELY | http://support.microsoft.com/default.aspx?scid=kb;en-us;q294818 or http://www.ethereal.com/ |
| User Profiles | Network Capture | User Logon/Logoff Problems | A capture of user logon and logoff will display all communication to and from client, DC and profile server (if separate). | RARELY | http://support.microsoft.com/default.aspx?scid=kb;en-us;q294818 or http://www.ethereal.com/ |
| DNS | Network Capture | Problems resolving DNS (client-side and server) | When filtered for DNS, the capture will show forward and reverse queries and responses. | RARELY | http://support.microsoft.com/default.aspx?scid=kb;en-us;q294818 or http://www.ethereal.com/ |
| Domain Controller Promotion (DCPROMO) | NETDIAG.EXE /V output | Problems promo/demoting DCs | Used to verify DNS settings, host name and bindings. | SOMETIMES | http://www.microsoft.com/downloads/details.aspx?FamilyID=6ec50b78-8be1-4e81-b3be-4e7ac4f0912d&displaylang=en |
 

*****************************************

I hope this helps everyone out.  If you come across a logging, or have a question on this just post a comment.  Let me add one more thing too:  thanks for using Microsoft products for your needs.  We appreciate it, and want to help if they're not working as you want them to.  Enough said.

Attachment: DirectoryServicesLogging.mht
  • Tim,

    Wow, excellent and very thorough list.   This is definitely going to come in handy.  This is a blog posting that will definitely be starred, favorited, and forwarded.

    Great blog posting as usual!

    Mike Kline