Today's topic:
Netlogon Debug helper
Sometimes it can be helpful to get information about actions performed by the Netlogon service on a machine. To gather such information you need to enable Netlogon Debug Logging. Just to make things easier - you will find download links at the end of the article for a little helper program that:
- helps build the debug flag bit mask corresponding to your needs
- explains the bits in the debug flag bit mask
- sets the desired value in the registry
- restarts the Netlogon service
Some basics - to configure Netlogon Debug Logging we need to set a DWORD value in the registry.
Path to parent registry key:
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry value:
DBFlag = desired debug flag bit mask
The corresponding log entries can be found in:
%windir%\debug\netlogon.log
To control log file size (default = 20 MB) we may use the following DWORD value in the same registry key:
MaximumLogFileSize = maximum log file size in bytes
There are many articles out there talking about this topic - but unfortunately they all lack detailed information about the valid debug flags that can be configured.
Most of the articles suggest setting the value 0x2080ffff - which results in very verbose debug reporting -> white noise.
Apart from the complexity of analyzing the huge amount of gathered data - your log file may be overwritten very quickly -> thus you may miss log entries of interest.
Therefore, I suggest setting only those debug flag bits that make Netlogon log the data you are interested in.
List of the debug flag bits:
[code lang="c-sharp"]
[Flags]
public enum DEBUG_FLAGS : uint
{
    NL_INIT = 0x00000001,           // Netlogon initialization
    NL_MISC = 0x00000002,           // Misc debug (like DCLocator)
    NL_LOGON = 0x00000004,          // Logon processing
    NL_SYNC = 0x00000008,           // Synchronization and replication
    NL_MAILSLOT = 0x00000010,       // Mailslot messages
    NL_SITE = 0x00000020,           // Sites
    NL_MSA = 0x00000040,            // Managed Service Account Scavenger processing
    NL_1 = 0x00000080,              // Unknown
    NL_CRITICAL = 0x00000100,       // Only real important errors
    NL_SESSION_SETUP = 0x00000200,  // Trusted Domain maintenance
    NL_DOMAIN = 0x00000400,         // Hosted Domain maintenance
    NL_2 = 0x00000800,              // Unknown
    NL_SERVER_SESS = 0x00001000,    // Server session maintenance
    NL_CHANGELOG = 0x00002000,      // Change Log references
    NL_DNS = 0x00004000,            // DNS name registration

    // Verbose bits
    NL_VERBOSE = 0x00008000,        // Enable verbose logging
    NL_WORKER = 0x00010000,         // Debug worker thread
    NL_DNS_MORE = 0x00020000,       // Verbose DNS name registration
    NL_PULSE_MORE = 0x00040000,     // Verbose pulse processing
    NL_SESSION_MORE = 0x00080000,   // Verbose session management
    NL_REPL_TIME = 0x00100000,      // Replication timing output
    NL_REPL_OBJ_TIME = 0x00200000,  // Replication objects get/set timing output
    NL_ENCRYPT = 0x00400000,        // Debug encrypt and decrypt across net
    NL_SYNC_MORE = 0x00800000,      // Additional replication dbgprint
    NL_PACK_VERBOSE = 0x01000000,   // Verbose Pack/Unpack
    NL_MAILSLOT_TEXT = 0x02000000,  // Verbose Mailslot messages
    NL_CHALLENGE_RES = 0x04000000,  // Challenge response debug
    NL_SITE_MORE = 0x08000000,      // Verbose sites

    // Control bits
    NL_INHIBIT_CANCEL = 0x10000000, // Don't cancel API calls
    NL_TIMESTAMP = 0x20000000,      // TimeStamp each output line
    NL_ONECHANGE_REPL = 0x40000000, // Only replicate one change per call
    NL_BREAKPOINT = 0x80000000      // Enter debugger on startup
}
[/code]
Example - you are interested in logon processing -> set debug flag value NL_TIMESTAMP | NL_LOGON (0x20000004).
Keep in mind - you will only get a time stamp for each log entry in netlogon.log if you set bit NL_TIMESTAMP (0x20000000).
FYI - white noise DBFlag value 0x2080ffff translates to:
- NL_INIT
- NL_MISC
- NL_LOGON
- NL_SYNC
- NL_MAILSLOT
- NL_SITE
- NL_MSA
- NL_1
- NL_CRITICAL
- NL_SESSION_SETUP
- NL_DOMAIN
- NL_2
- NL_SERVER_SESS
- NL_CHANGELOG
- NL_DNS
- NL_VERBOSE
- NL_SYNC_MORE
- NL_TIMESTAMP
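The decoding above and the NL_TIMESTAMP | NL_LOGON example can be reproduced with a few lines of Python. This is an added example, not the helper tool offered for download; the function names `decode`, `build` and `review` are hypothetical, and the flag names and values are taken from the enum listed earlier.

```python
# Added example, not the author's helper tool. Flag names come from the enum above.
# The enum defines all 32 bits in order, so bit i of the DWORD is NAMES[i].
NAMES = """
NL_INIT NL_MISC NL_LOGON NL_SYNC NL_MAILSLOT NL_SITE NL_MSA NL_1
NL_CRITICAL NL_SESSION_SETUP NL_DOMAIN NL_2
NL_SERVER_SESS NL_CHANGELOG NL_DNS NL_VERBOSE
NL_WORKER NL_DNS_MORE NL_PULSE_MORE NL_SESSION_MORE
NL_REPL_TIME NL_REPL_OBJ_TIME NL_ENCRYPT NL_SYNC_MORE
NL_PACK_VERBOSE NL_MAILSLOT_TEXT NL_CHALLENGE_RES NL_SITE_MORE
NL_INHIBIT_CANCEL NL_TIMESTAMP NL_ONECHANGE_REPL NL_BREAKPOINT
""".split()
FLAGS = {name: 1 << bit for bit, name in enumerate(NAMES)}
# Control bits that, per the enum comments, change what the service does
# rather than what it logs.
BEHAVIOUR_BITS = ("NL_INHIBIT_CANCEL", "NL_ONECHANGE_REPL", "NL_BREAKPOINT")


def decode(mask):
    """Return the flag names set in a DBFlag DWORD, lowest bit first."""
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError("DBFlag is a 32-bit DWORD")
    return [name for name in NAMES if mask & FLAGS[name]]


def build(*names):
    """OR the named flags into a DBFlag value; unknown names raise KeyError."""
    mask = 0
    for name in names:
        mask |= FLAGS[name.upper()]
    return mask


def review(mask):
    """Notes worth reading before the value is written to the registry."""
    set_names = decode(mask)
    notes = []
    if mask and "NL_TIMESTAMP" not in set_names:
        notes.append("NL_TIMESTAMP not set: log lines will carry no time stamp")
    for name in BEHAVIOUR_BITS:
        if name in set_names:
            notes.append(name + " is a control bit, not a logging category")
    return notes


if __name__ == "__main__":
    noisy = 0x2080FFFF
    print(hex(noisy), "->", ", ".join(decode(noisy)))
    wanted = build("NL_TIMESTAMP", "NL_LOGON")
    print("logon only:", f"0x{wanted:08x}", review(wanted))
    print("0x80000004:", review(0x80000004))
```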
Netlogon Debug Helper Tool downloads:
- Compiled sample code (compiled targeting .NET Framework 3.5 and 4.5) NetlogonDebug_Compiled
- Download Visual Studio sample code project CodingFromTheField.NetlogonDebug
All the best and have fun debugging.
Michael
PFE | Have keyboard. Will travel
from TechNet Blogs https://ift.tt/2rgisIc