Enabling debug logging for the Netlogon service
This article describes the steps to enable logging of the Netlogon service in Windows to monitor or troubleshoot authentication, DC locator, account lockout, or other domain communication-related issues.
Original product version: Windows 10 — all editions, Windows Server 2016, Windows Server 2019, Windows Server 2012 R2
Original KB number: 109626
More information
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
To have us enable or disable debug logging for the Netlogon service for you, go to the Here’s an easy fix section. If you prefer to fix this problem manually, go to the Let me fix it myself section.
If you’re running Windows NT, you must use the debug version of Netlogon and the required debug DLLs.
Here’s an easy fix
To fix this problem automatically, click the Download button. In the File Download dialog box, select Run or Open, and then follow the steps in the easy fix wizard.
- The easy fix solution doesn’t work if your computer isn’t part of a domain. Netlogon logging doesn’t work if the computer is joined to a domain because the Netlogon service doesn’t start.
- This wizard may be in English only. However, the automatic fix also works for other language versions of Windows.
- If you’re not on the computer that has the problem, save the easy fix solution to a flash drive or a CD, and then run it on the computer that has the problem.
Let me fix it myself
The version of Netlogon.dll that has tracing included is installed by default on all currently supported versions of Windows. To enable debug logging, set the debug flag that you want by using Nltest.exe, the registry, or Group Policy. To do it, follow these steps:
For Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, and Windows 2000 Server
These steps apply to Windows 2000 Server and Windows Server 2003 only when the support tools are installed. They also apply to Windows XP (if support tools are installed), Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10.
To enable Netlogon logging:
Open a Command Prompt window (administrative Command Prompt window for Windows Server 2008 and later versions).
Type the following command, and then press Enter:
It’s typically not necessary to stop and restart the Netlogon service for Windows 2000 Server/Professional or later operating systems to enable Netlogon logging. Netlogon-related activity is logged to %windir%\debug\netlogon.log. Verify new writes to this log to determine whether a restart of the Netlogon service is necessary. If you have to restart the service, open a Command Prompt window (administrative Command Prompt window for Windows Server 2008/Windows Vista and later versions of the operating system), and then run the following commands:
- In some circumstances, you may have to perform an authentication against the system in order to obtain a new entry in the log to verify that logging is enabled.
- Using the computer name may cause no new test authentication entry to be logged.
To disable Netlogon logging:
Open a Command Prompt window (administrative Command Prompt window for Windows Server 2008 and higher).
Type the following command, and then press Enter:
It’s typically not necessary to stop and restart the Netlogon service for Windows 2000 Server/Professional or later versions of the operating system to disable Netlogon logging. Netlogon-related activity is logged to %windir%\debug\netlogon.log. Verify that no new information is being written to this log to determine whether a restart of the Netlogon service is necessary. If you have to restart the service, then open a Command Prompt window (administrative Command Prompt window for Windows Server 2008/Windows Vista and later versions of the operating system), and then run the following commands:
Alternative methods to enable Netlogon logging:
In all versions of Windows, you can use the registry method that’s provided in the «For Windows NT, Windows 2000 Server (without the support tools), and Windows Server 2003 (without the support tools)» section.
On computers that are running Windows Server 2003 and later versions of the operating system, you can also use the following policy setting to enable verbose Netlogon logging (value is set in bytes):
Notes
A value of decimal 545325055 is equivalent to 0x2080FFFF (which enables verbose Netlogon logging). This Group Policy setting is specified in bytes.
The Group Policy method can be used to enable Netlogon logging on a larger number of systems more efficiently. We don’t recommend that you enable Netlogon logging in policies that apply to all systems (such as the Default Domain Policy). Instead, consider narrowing the scope to systems that may be causing problems by doing either of the following:
- Create a new policy by using this Group Policy setting, and then provide the Read and Apply Group Policy rights to a group that contains only the required computer accounts.
- Move computer objects into a different OU, and then apply the policy settings at that OU level.
For Windows NT, Windows 2000 Server (without the Support tools), and Windows Server 2003 (without the support tools)
These steps also apply to Windows NT Workstation, Windows 2000 Professional (without the support tools), Windows XP (without the support tools), and all newer versions of Windows that are already covered in the preceding steps. To enable logging on Windows NT and Windows 2000 (pre-service pack), you may have to obtain a checked build of Netlogon.dll.
To enable Netlogon logging:
Start Registry Editor.
If it exists, delete the Reg_SZ value of the following registry entry, create a REG_DWORD value with the same name, and then add the 2080FFFF hexadecimal value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag
It’s typically not necessary to stop and restart the Netlogon service for Windows 2000 Server/Professional or later versions of the operating system to enable Netlogon logging. Netlogon-related activity is logged to %windir%\debug\netlogon.log. Verify the new writes to this log to determine whether a restart of the Netlogon service is necessary. If you have to restart the service, open a Command Prompt window (administrative Command Prompt window for Windows Server 2008/Windows Vista and above), and then run the following commands:
Notes
- In some circumstances, you may have to do an authentication against the system to obtain a new entry in the log to verify that logging is enabled.
- Using the computer name may cause no new test authentication entry to be logged.
To disable Netlogon logging:
In Registry Editor, change the data value to 0x0 in the following registry key:
Exit Registry Editor.
It’s typically not necessary to stop and restart the Netlogon service for Windows Server 2003, Windows XP, or later versions of the operating system to disable Netlogon logging. Netlogon-related activity is logged to %windir%\debug\netlogon.log. Verify that no new information is being written to this log to determine whether a restart of the Netlogon service is necessary. If you have to restart the service, open a Command Prompt window (administrative Command Prompt window for Windows Server 2008/Windows Vista and later versions of the operating system), and then run the following commands:
Setting the maximum log file size for Netlogon logs:
The MaximumLogFileSize registry entry can be used to specify the maximum size of the Netlogon.log file. By default, this registry entry doesn’t exist, and the default maximum size of the Netlogon.log file is 20 MB. When the file reaches 20 MB, it’s renamed to Netlogon.bak, and a new Netlogon.log file is created. This registry entry has the following parameters:
Remember that the total disk space that’s used by Netlogon logging is the size that’s specified in the maximum log file size times two (2). It’s required to accommodate space for the Netlogon.log and Netlogon.bak file. For example, a setting of 50 MB can require 100 MB of disk space. Which provides 50 MB for Netlogon.log and 50 MB for Netlogon.bak.
As mentioned earlier, on Windows Server 2003 and later versions of the operating system, you can use the following policy setting to configure the log file size (value is set in bytes):
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
247811 How domain controllers are located in Windows
Did this fix the problem
Check whether the problem is fixed. If the problem is fixed, you’re finished with this section. If the problem isn’t fixed, you can contact support.
Не запускается автоматически служба netlogon в windows server 2008
В общем, после рестарта контроллера домена находится в состоянии «приостановлена» служба Сетевого входа в систему.
Так же не стартует служба времени
Много было перечитано, переискано, перепробовано, результатов положительных нет. Опасаюсь, как бы не сделать еще хуже. Много времени заниматься этим нет, собственно как и большого опыта по решению такого рода проблем, так что решил прибегнуть к помощи данного сообщества.
Начну с того что выложу результат dcdiag
Диагностика сервера каталогов
Выполнение начальной настройки:
Выполняется попытка поиска основного сервера.
Основной сервер = server
* Идентифицирован лес AD.
Сбор начальных данных завершен.
Выполнение обязательных начальных проверок
Сервер проверки: Default-First-Site\SERVER
Запуск проверки: Connectivity
. SERVER — пройдена проверка Connectivity
Выполнение основных проверок
Сервер проверки: Default-First-Site\SERVER
Запуск проверки: Advertising
Неустранимая ошибка: сбой при вызове DsGetDcName (SERVER), ошибка 1355
Локатору не удается найти сервер.
. SERVER — не пройдена проверка Advertising
Запуск проверки: FrsEvent
За последние 24 часа после предоставления SYSVOL в общий доступ
зафиксированы предупреждения или сообщения об ошибках. Сбои при
репликации SYSVOL могут стать причиной проблем групповой политики.
. SERVER — пройдена проверка FrsEvent
Запуск проверки: DFSREvent
. SERVER — пройдена проверка DFSREvent
Запуск проверки: SysVolCheck
. SERVER — пройдена проверка SysVolCheck
Запуск проверки: KccEvent
Возникло событие Warning. Код события (EventID): 0x80000B46
Время создания: 03/04/2015 19:26:04
Строка события:
The security of this directory server can be significantly enhanced
by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest)
LDAP binds that do not request signing (integrity verification) and LDAP simple
binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. E
ven if no clients are using such binds, configuring the server to reject them wi
ll improve the security of this server.
Возникло событие Error. Код события (EventID): 0xC0000837
Время создания: 03/04/2015 19:26:44
Строка события:
The Active Directory Domain Services database has been restored usin
g an unsupported restoration procedure.
Возникло событие Warning. Код события (EventID): 0x80000B46
Время создания: 03/04/2015 19:34:37
Строка события:
The security of this directory server can be significantly enhanced
by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest)
LDAP binds that do not request signing (integrity verification) and LDAP simple
binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. E
ven if no clients are using such binds, configuring the server to reject them wi
ll improve the security of this server.
Возникло событие Error. Код события (EventID): 0xC0000837
Время создания: 03/04/2015 19:35:17
Строка события:
The Active Directory Domain Services database has been restored usin
g an unsupported restoration procedure.
. SERVER — не пройдена проверка KccEvent
Запуск проверки: KnowsOfRoleHolders
. SERVER — пройдена проверка
KnowsOfRoleHolders
Запуск проверки: MachineAccount
. SERVER — пройдена проверка MachineAccount
Запуск проверки: NCSecDesc
Ошибка — NT AUTHORITY\КОНТРОЛЛЕРЫ ДОМЕНА ПРЕДПРИЯТИЯ не имеет
Replicating Directory Changes In Filtered Set
прав доступа для контекста именования:
DC=TAPI3Directory,DC=domain,DC=local
Ошибка — NT AUTHORITY\КОНТРОЛЛЕРЫ ДОМЕНА ПРЕДПРИЯТИЯ не имеет
Replicating Directory Changes In Filtered Set
прав доступа для контекста именования:
DC=ForestDnsZones,DC=domain,DC=local
Ошибка — NT AUTHORITY\КОНТРОЛЛЕРЫ ДОМЕНА ПРЕДПРИЯТИЯ не имеет
Replicating Directory Changes In Filtered Set
прав доступа для контекста именования:
DC=DomainDnsZones,DC=domain,DC=local
. SERVER — не пройдена проверка NCSecDesc
Запуск проверки: NetLogons
. SERVER — пройдена проверка NetLogons
Запуск проверки: ObjectsReplicated
. SERVER — пройдена проверка ObjectsReplicated
Запуск проверки: Replications
. SERVER — пройдена проверка Replications
Запуск проверки: RidManager
. SERVER — пройдена проверка RidManager
Запуск проверки: Services
Служба w32time в [SERVER] остановлена
Служба NETLOGON в [SERVER] приостановлена
. SERVER — не пройдена проверка Services
Запуск проверки: SystemLog
Возникло событие Error. Код события (EventID): 0x0000041E
Время создания: 03/04/2015 18:38:10
Строка события:
The processing of Group Policy failed. Windows could not obtain the
name of a domain controller. This could be caused by a name resolution failure.
Verify your Domain Name Sysytem (DNS) is configured and working correctly.
Возникло событие Warning. Код события (EventID): 0x825A000C
Время создания: 03/04/2015 19:05:36
Строка события:
Time Provider NtpClient: This machine is configured to use the domai
n hierarchy to determine its time source, but it is the AD PDC emulator for the
domain at the root of the forest, so there is no machine above it in the domain
hierarchy to use as a time source. It is recommended that you either configure a
reliable time service in the root domain, or manually configure the AD PDC to s
ynchronize with an external time source. Otherwise, this machine will function a
s the authoritative time source in the domain hierarchy. If an external time sou
rce is not configured or used for this computer, you may choose to disable the N
tpClient.
Возникло событие Error. Код события (EventID): 0xC004000B
Время создания: 03/04/2015 19:07:39
Строка события:
The driver detected a controller error on \Device\Ide\IdePort2.
Возникло событие Warning. Код события (EventID): 0x80060005
Время создания: 03/04/2015 19:25:32
Строка события:
The Virtual Storage Filter Driver is disabled through the registry.
It is inactive for all disk drives.
Возникло событие Warning. Код события (EventID): 0x000003EB
Время создания: 03/04/2015 19:26:25
Строка события:
Your computer was not able to renew its address from the network (fr
om the DHCP Server) for the Network Card with network address 444553544F53. The
following error occurred:
Возникло событие Warning. Код события (EventID): 0x8000A000
Время создания: 03/04/2015 19:26:41
Строка события:
The Security System detected an authentication error for the server
ldap/server.domain.local. The failure code from authentication protocol Kerb
eros was «Отсутствуют серверы, которые могли бы обработать запрос на вход в сеть
.
Возникло событие Warning. Код события (EventID): 0x8000A000
Время создания: 03/04/2015 19:26:46
Строка события:
The Security System detected an authentication error for the server
ldap/server.domain.local/domain.local@domain.LOCAL. The failure code
from authentication protocol Kerberos was «Отсутствуют серверы, которые могли б
ы обработать запрос на вход в сеть.
Возникло событие Error. Код события (EventID): 0xC25A002E
Время создания: 03/04/2015 19:26:46
Строка события:
The time service encountered an error and was forced to shut down. T
he error was: 0x80070700: Попытка входа в сеть при отключенной сетевой службе вх
ода.
Возникло событие Error. Код события (EventID): 0x00000469
Время создания: 03/04/2015 19:27:01
Строка события:
The processing of Group Policy failed because of lack of network con
nectivity to a domain controller. This may be a transient condition. A success m
essage would be generated once the machine gets connected to the domain controll
er and Group Policy has succesfully processed. If you do not see a success messa
ge for several hours, then contact your administrator.
Возникло событие Error. Код события (EventID): 0x0000041E
Время создания: 03/04/2015 19:27:27
Строка события:
The processing of Group Policy failed. Windows could not obtain the
name of a domain controller. This could be caused by a name resolution failure.
Verify your Domain Name Sysytem (DNS) is configured and working correctly.
Возникло событие Error. Код события (EventID): 0xC0001B6F
Время создания: 03/04/2015 19:27:31
Строка события:
The Служба времени Windows service terminated with the following err
or:
Возникло событие Warning. Код события (EventID): 0x000727AA
Время создания: 03/04/2015 19:28:51
Строка события:
The WinRM service failed to create the following SPNs: WSMAN/server.
domain.local; WSMAN/server.
Возникло событие Warning. Код события (EventID): 0x825A000C
Время создания: 03/04/2015 19:31:52
Строка события:
Time Provider NtpClient: This machine is configured to use the domai
n hierarchy to determine its time source, but it is the AD PDC emulator for the
domain at the root of the forest, so there is no machine above it in the domain
hierarchy to use as a time source. It is recommended that you either configure a
reliable time service in the root domain, or manually configure the AD PDC to s
ynchronize with an external time source. Otherwise, this machine will function a
s the authoritative time source in the domain hierarchy. If an external time sou
rce is not configured or used for this computer, you may choose to disable the N
tpClient.
Возникло событие Warning. Код события (EventID): 0x000727A5
Время создания: 03/04/2015 19:32:51
Строка события:
The WinRM service is not listening for WS-Management requests.
Возникло событие Warning. Код события (EventID): 0x825A0081
Время создания: 03/04/2015 19:32:51
Строка события:
NtpClient was unable to set a domain peer to use as a time source be
cause of discovery error. NtpClient will try again in 15 minutes and double the
reattempt interval thereafter. The error was: Диспетчер защиты (SAM) или локальн
ый сервер (LSA) не смог выполнить требуемую операцию. (0x80070548)
Возникло событие Warning. Код события (EventID): 0x00000FA1
Время создания: 03/04/2015 19:32:51
Строка события: WLAN AutoConfig service has successfully stopped.
Возникло событие Warning. Код события (EventID): 0x80060005
Время создания: 03/04/2015 19:34:05
Строка события:
The Virtual Storage Filter Driver is disabled through the registry.
It is inactive for all disk drives.
Возникло событие Warning. Код события (EventID): 0x000003EB
Время создания: 03/04/2015 19:34:59
Строка события:
Your computer was not able to renew its address from the network (fr
om the DHCP Server) for the Network Card with network address 444553544F53. The
following error occurred:
Возникло событие Warning. Код события (EventID): 0x8000A000
Время создания: 03/04/2015 19:35:14
Строка события:
The Security System detected an authentication error for the server
ldap/server.domain.local. The failure code from authentication protocol Kerb
eros was «Отсутствуют серверы, которые могли бы обработать запрос на вход в сеть
.
Возникло событие Warning. Код события (EventID): 0x8000A000
Время создания: 03/04/2015 19:35:19
Строка события:
The Security System detected an authentication error for the server
ldap/server.domain.local/domain.local@domain.LOCAL. The failure code
from authentication protocol Kerberos was «Отсутствуют серверы, которые могли б
ы обработать запрос на вход в сеть.
Возникло событие Error. Код события (EventID): 0xC25A002E
Время создания: 03/04/2015 19:35:19
Строка события:
The time service encountered an error and was forced to shut down. T
he error was: 0x80070700: Попытка входа в сеть при отключенной сетевой службе вх
ода.
Возникло событие Error. Код события (EventID): 0x00000469
Время создания: 03/04/2015 19:35:34
Строка события:
The processing of Group Policy failed because of lack of network con
nectivity to a domain controller. This may be a transient condition. A success m
essage would be generated once the machine gets connected to the domain controll
er and Group Policy has succesfully processed. If you do not see a success messa
ge for several hours, then contact your administrator.
Возникло событие Error. Код события (EventID): 0x0000041E
Время создания: 03/04/2015 19:35:56
Строка события:
The processing of Group Policy failed. Windows could not obtain the
name of a domain controller. This could be caused by a name resolution failure.
Verify your Domain Name Sysytem (DNS) is configured and working correctly.
Возникло событие Error. Код события (EventID): 0xC0001B6F
Время создания: 03/04/2015 19:36:15
Строка события:
The Служба времени Windows service terminated with the following err
or:
. SERVER — не пройдена проверка SystemLog
Запуск проверки: VerifyReferences
. SERVER — пройдена проверка VerifyReferences
Выполнение проверок разделов на: TAPI3Directory
Запуск проверки: CheckSDRefDom
. TAPI3Directory — пройдена проверка
CheckSDRefDom
Запуск проверки: CrossRefValidation
. TAPI3Directory — пройдена проверка
CrossRefValidation
Выполнение проверок разделов на: ForestDnsZones
Запуск проверки: CheckSDRefDom
. ForestDnsZones — пройдена проверка
CheckSDRefDom
Запуск проверки: CrossRefValidation
. ForestDnsZones — пройдена проверка
CrossRefValidation
Выполнение проверок разделов на: DomainDnsZones
Запуск проверки: CheckSDRefDom
. DomainDnsZones — пройдена проверка
CheckSDRefDom
Запуск проверки: CrossRefValidation
. DomainDnsZones — пройдена проверка
CrossRefValidation
Выполнение проверок разделов на: Schema
Запуск проверки: CheckSDRefDom
. Schema — пройдена проверка CheckSDRefDom
Запуск проверки: CrossRefValidation
. Schema — пройдена проверка
CrossRefValidation
Выполнение проверок разделов на: Configuration
Запуск проверки: CheckSDRefDom
. Configuration — пройдена проверка
CheckSDRefDom
Запуск проверки: CrossRefValidation
. Configuration — пройдена проверка
CrossRefValidation
Выполнение проверок разделов на: domain
Запуск проверки: CheckSDRefDom
. domain — пройдена проверка CheckSDRefDom
Запуск проверки: CrossRefValidation
. domain — пройдена проверка
CrossRefValidation