NETLOGON.LOG
Netlogon.log has to offer – trying to track down the source of a user account’s lockouts or find subnets that haven’t been put into an Active Directory site yet.
DBFlag is set to
0x2080ffff, just like this TechNet article. That quick looks makes it look like your options are EVERYTHING! or nothing.
Data Source: http://support.microsoft.com/kb/109626
All descriptions as-is from Microsoft.
All descriptions as-is from Microsoft.
Basic Netlogon Flags
| Flag Name | Value | Description |
|---|---|---|
| NL_INIT | 0x00000001 | Initialization |
| NL_MISC | 0x00000002 | Misc debug |
| NL_LOGON | 0x00000004 | Logon processing |
| NL_SYNC | 0x00000008 | Synchronization and replication |
| NL_MAILSLOT | 0x00000010 | Mailslot messages |
| NL_SITE | 0x00000020 | Sites |
| NL_CRITICAL | 0x00000100 | Only real important errors |
| NL_SESSION_SETUP | 0x00000200 | Trusted Domain maintenance |
| NL_DOMAIN | 0x00000400 | Hosted Domain maintenance |
| NL_2 | 0x00000800 | |
| NL_SERVER_SESS | 0x00001000 | Server session maintenance |
| NL_CHANGELOG | 0x00002000 | Change Log references |
| NL_DNS | 0x00004000 | DNS name registration |
Verbose Netlogon Flags
| Flag Name | Value | Description |
|---|---|---|
| NL_WORKER | 0x00010000 | Debug worker thread |
| NL_DNS_MORE | 0x00020000 | Verbose DNS name registration |
| NL_PULSE_MORE | 0x00040000 | Verbose pulse processing |
| NL_SESSION_MORE | 0x00080000 | Verbose session management |
| NL_REPL_TIME | 0x00100000 | replication timing output |
| NL_REPL_OBJ_TIME | 0x00200000 | replication objects get/set timing output |
| NL_ENCRYPT | 0x00400000 | debug encrypt and decrypt across net |
| NL_SYNC_MORE | 0x00800000 | additional replication dbgprint |
| NL_PACK_VERBOSE | 0x01000000 | Verbose Pack/Unpack |
| NL_MAILSLOT_TEXT | 0x02000000 | Verbose Mailslot messages |
| NL_CHALLENGE_RES | 0x04000000 | challenge response debug |
| NL_SITE_MORE | 0x08000000 | Verbose sites |
Netlogon Control Flags
| Flag Name | Value | Description |
|---|---|---|
| NL_INHIBIT_CANCEL | 0x10000000 | Don’t cancel API calls |
| NL_TIMESTAMP | 0x20000000 | TimeStamp each output line |
| NL_ONECHANGE_REPL | 0x40000000 | Only replicate one change per call |
| NL_BREAKPOINT | 0x80000000 | Enter debugger on startup |
Right now, We need look at account lockouts and subnetless IPs, even on our busiest DCs. A very busy DC can blow through a 100MB log file allowance in a few hours, and even with Netlogon.bak
We need capture LESS diagnostic information, Because heavy logging can cause its own problems – read and think about this article from the Directory Services team.
So,
reg add \\$computerName\HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters" /v DBFlag /t REG_DWORD /d 0x2080ffdf /f
0x2080ffff - 0x00000020 = 0x2080ffdf. I tried the nice .NET/PowerShell way, but it failed against a 2003 server. Back to the old-fashioned way – still possible from within a PowerShell script.reg add \\$computerName\HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters" /v DBFlag /t REG_DWORD /d 0x2080ffdf /f
reg add "\\$computerName\HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters" /v MaximumLogFileSize /t REG_DWORD /d 100000000 /freg query "\\$computerName\HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters" /v DBFlagreg query "\\$computerName\HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters" /v MaximumLogFileSize
Finish up by stopping and starting the Netlogon service, You need to use sc.exe in PowerShell, because sc is an alias for Set-Content:
sc.exe \\computerName stop netlogonsc.exe \\computerName start netlogon
Find the table of the result codes to interpret the [LOGON] entries (Log File Error Codes” http://technet.microsoft.com/en-us/library/cc776964.aspx )
| Log Code | Description |
|---|---|
| 0x0 | Successful login |
| 0xC0000064 | The specified user does not exist |
| 0xC000006A | The value provided as the current password is not correct |
| 0xC000006C | Password policy not met |
| 0xC000006D | The attempted logon is invalid due to a bad user name |
| 0xC000006E | User account restriction has prevented successful login |
| 0xC000006F | The user account has time restrictions and may not be logged onto at this time |
| 0xC0000070 | The user is restricted and may not log on from the source workstation |
| 0xC0000071 | The user account’s password has expired |
| 0xC0000072 | The user account is currently disabled |
| 0xC000009A | Insufficient system resources |
| 0xC0000193 | The user’s account has expired |
| 0xC0000224 | User must change his password before he logs on the first time |
| 0xC0000234 | The user account has been automatically locked |
The most important ones to distinguish between are
0xC000006A (bad password was entered this time – these ARE the droids you’re looking for) and 0xC0000234 (a logon attempt has been made with a user account that has been locked out, but this says nothing about whether this current attempt used a good or bad password).
The cmdlet I use to collect NetLogon logs for analysis on my local machine. It must be used in an Powershell instance that was started as a Domain Admin or other account with access to the DC’s %Windows%\Debug directory. Combine in a pipeline with a list of your DCs to speed it up.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
| function Get-NetLogonLog {Param($computerName,$destinationPath="C:\temp\netlogon") if (-not (Test-Path $destinationPath) ) { New-Item -Path $destinationPath -ItemType Directory } if (Test-Path "\\$computerName\c$\WINDOWS\Debug\Netlogon.log") { Copy-Item -Path "\\$computerName\c$\WINDOWS\Debug\Netlogon.log" -Destination "$destinationPath\$computerName-Netlogon.log" } elseif (Test-Path "\\$computerName\c$\WINNT\Debug\Netlogon.log") { Copy-Item -Path "\\$computerName\c$\WINNT\Debug\Netlogon.log" -Destination "$destinationPath\$computerName-Netlogon.log" } else { "Could not find Netlogon.log for $computerName" | Out-File -FilePath "$destinationPath\errors.log" -Append }} |
Finally, here are functions to separate the entries I want into different files – separate from the function to gather the NetLogon.log files because it does NOT need to be run as someone with access to your DCs’ c:\Windows\Debug directories…
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
| function Test-NetLogonEntryBadSubnet {PROCESS { if ($_ -like "*NO_CLIENT_SITE*") { $_ } }}function Test-NetLogonEntryBadLogon {PROCESS { if ($_ -like "*\[LOGON\]*0xC000006A*" -or $_ -like "*\[LOGON\]*0xC0000234*") { $_ } }}Function Test-NonTransitiveLogon {Param($PcNamePrefix = "P0")PROCESS { if (($_ -like "*\[LOGON\]*$PcNamePrefix*0x0*") -and ($_ -notlike "*transit*")") { $_ } }}function Get-NetLogonBadLogonOrSubnet {PROCESS { if ($_ -like "*NO_CLIENT_SITE*" -or $_ -like "*\[LOGON\]*0xC000006A*" -or $_ -like "*\[LOGON\]*0xC0000234*") { $_ } }}function Write-NetlogonExtracts {Param($directory="c:\temp\netlogon", $computerName, $sourceFile="$directory\$computerName-netlogon.log", $targetBadSubnetFile="$directory\$computerName-BadSubnets.txt", $targetBadLogonFile="$directory\$computerName-BadLogons.txt", $targetDirectLogonFile="$directory\$computerName-DirectLogons.txt", $PcNamePrefix = "P0")# Faster to only filter for one match at a time. Not sure why. Get-Content $sourceFile | Test-NetLogonEntryBadSubnet | Out-File -FilePath $targetBadSubnetFile Get-Content $sourceFile | Test-NetLogonEntryBadLogon | Out-File -FilePath $targetBadLogonFile Get-Content $sourceFile | Test-NonTransitiveLogon -PcNamePrefix $PcNamePrefix | Out-File -FilePath $targetDirectLogonFile} |
Comments
Post a Comment