Active Directory Cookbook for Windows Server 2003 - P47 (docx)


Recipe 15.4 Enabling GPO Client Logging

15.4.1 Problem

You want to troubleshoot GPO processing issues on a client or server by enabling additional logging in the Application event log.

15.4.2 Solution

15.4.2.1 Using a graphical user interface

1. Run regedit.exe from the command line or Start → Run.
2. In the left pane, expand HKEY_LOCAL_MACHINE → Software → Microsoft → Windows NT → CurrentVersion.
3. If the Diagnostics key doesn't exist, right-click on CurrentVersion and select New → Key. Enter Diagnostics for the name and press Enter.
4. Right-click on Diagnostics and select New → DWORD Value. Enter RunDiagnosticLoggingGroupPolicy for the value name.
5. In the right pane, double-click on RunDiagnosticLoggingGroupPolicy and enter 1.
6. Click OK.

15.4.2.2 Using a command-line interface

    > reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics" /v "RunDiagnosticLoggingGroupPolicy" /t REG_DWORD /d 1

15.4.2.3 Using VBScript

    ' This code enables GPO logging on a target computer
    ' ------ SCRIPT CONFIGURATION ------
    strComputer = "<ComputerName>"   ' e.g. rallen-w2k3
    ' ------ END CONFIGURATION ------
    const HKLM = &H80000002
    strRegKey = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics"
    set objReg = GetObject("winmgmts:\\" & strComputer _
                           & "\root\default:StdRegProv")
    objReg.SetDwordValue HKLM, strRegKey, "RunDiagnosticLoggingGroupPolicy", 1
    WScript.Echo "Enabled GPO logging for " & strComputer

15.4.3 Discussion

If you experience problems with client GPO processing, such as a GPO not getting applied even though you think it should, there aren't many tools that can help you troubleshoot the problem. One way to get detailed information about what GPOs are applied on a client is to enable additional GPO event logging. If you set the RunDiagnosticLoggingGroupPolicy registry value to 1, extensive logging will be written to the Application event log. Events detailing the beginning of the GPO processing cycle, what GPOs are applied, and any errors encountered will all be logged.

To disable this logging, either delete RunDiagnosticLoggingGroupPolicy or set the value to 0. Here is a sample event log message showing which GPOs are going to be applied on the host DC1:

    Event Type:     Error
    Event Source:   Userenv
    Event Category: None
    Event ID:       1031
    Date:           5/26/2003
    Time:           5:52:13 PM
    User:           NT AUTHORITY\SYSTEM
    Computer:       DC1
    Description:
    Group Policy objects to be applied:
      "Default Domain Policy"
      "Default Domain Controllers Policy"

15.4.4 See Also

MS KB 186454 (How to Enable User Environment Event Logging in Windows 2000)

Recipe 15.5 Enabling Kerberos Logging

15.5.1 Problem

You want to enable Kerberos logging on a domain controller to troubleshoot authentication problems.

15.5.2 Solution

15.5.2.1 Using a graphical user interface

1. Run regedit.exe from the command line or Start → Run.
2. In the left pane, expand HKEY_LOCAL_MACHINE → System → CurrentControlSet → Control → Lsa → Kerberos → Parameters.
3. If the LogLevel value doesn't already exist, right-click on Parameters and select New → DWORD Value. Enter LogLevel for the value name and click OK.
4. In the right pane, double-click on LogLevel and enter 1.
5. Click OK.

15.5.2.2 Using a command-line interface

    > reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v "LogLevel" /t REG_DWORD /d 1

15.5.2.3 Using VBScript

    ' This code enables Kerberos logging for the specified domain controller
    ' ------ SCRIPT CONFIGURATION ------
    strDC = "<DomainControllerName>"   ' e.g. dc01
    ' ------ END CONFIGURATION ------
    const HKLM = &H80000002
    strRegKey = "SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
    set objReg = GetObject("winmgmts:\\" & strDC & "\root\default:StdRegProv")
    objReg.SetDwordValue HKLM, strRegKey, "LogLevel", 1
    WScript.Echo "Enabled Kerberos logging for " & strDC

15.5.3 Discussion

If you are experiencing authentication problems, or would like to determine whether you are experiencing any Kerberos-related issues, enabling Kerberos logging will cause Kerberos errors to be logged in the System event log. The Kerberos events can point out whether the problem is related to clock skew, an expired ticket, an expired password, etc. For a good overview of some of the Kerberos error messages, see MS KB 230476. Here is an example event:

    Event Type:     Error
    Event Source:   Kerberos
    Event Category: None
    Event ID:       3
    Date:           5/26/2003
    Time:           5:53:43 PM
    User:           N/A
    Computer:       DC01
    Description:
    A Kerberos Error Message was received:
             on logon session
     Client Time:
     Server Time: 0:53:43.0000 5/27/2003 Z
     Error Code: 0xd KDC_ERR_BADOPTION
     Extended Error: 0xc00000bb KLIN(0)
     Client Realm:
     Client Name:
     Server Realm: RALLENCORP.COM
     Server Name: host/dc01.rallencorp.com
     Target Name: host/dc01.rallencorp.com@RALLENCORP.COM
     Error Text:
     File: 9
     Line: ab8
     Error Data is in record data.

15.5.4 See Also

MS KB 230476 (Description of Common Kerberos-Related Errors in Windows 2000) and MS KB 262177 (HOW TO: Enable Kerberos Event Logging)

Recipe 15.6 Enabling DNS Server Debug Logging

15.6.1 Problem

You want to enable DNS debug logging to troubleshoot issues related to DNS queries or updates.

15.6.2 Solution

15.6.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.
2. Right-click on DNS in the left pane and select Connect to DNS Server.
3. Enter the server you want to connect to and press Enter.
4. Right-click on the server and select Properties.
5. Click on the Debug Logging tab (or the Logging tab for Windows 2000).
6. Select what you want to log and the location of the log file (the log file location is hardcoded to %systemroot%\system32\dns\dns.log on Windows 2000).
7. Click OK.

15.6.2.2 Using a command-line interface

Use the following command to enable debug logging. You have to add together the event codes you want logged and specify the result in hex for the log level. The available event codes can be found in Table 15-3.

    > dnscmd <DNSServerName> /Config /LogLevel <EventFlagSumInHex>

Use the following command to specify the location of the log file:

    > dnscmd <DNSServerName> /Config /LogFilePath <DirectoryAndFilePath>

Use the following command to log only entries that pertain to certain IP addresses:

    > dnscmd <DNSServerName> /Config /LogIPFilterList <IPAddress1>[,<IPAddress2> . . . ]

Use the following command to specify the maximum log file size:

    > dnscmd <DNSServerName> /Config /LogFileMaxSize <NumberOfBytesInHex>

15.6.2.3 Using VBScript

    ' This code enables DNS debug logging.
    ' ------ SCRIPT CONFIGURATION ------
    strServer = "<DNSServerName>"   ' e.g. dc1
    ' The log level must be in decimal, not hex like dnscmd
    intLogLevel = <EventFlagSumInDecimal>   ' e.g. 65535
    arrFilterList = Array("<IPAddress1>")   ' e.g. 192.168.1.12
    strFilePath = "<DirectoryAndFilePath>"  ' e.g. c:\dnslog.txt
    intFileSize = <NumberOfBytesInDecimal>  ' e.g. 50000000
    ' ------ END CONFIGURATION ------
    set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
    set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
    objDNSServer.LogLevel = intLogLevel
    objDNSServer.LogIPFilterList = arrFilterList
    objDNSServer.LogFilePath = strFilePath
    objDNSServer.LogFileMaxSize = intFileSize
    objDNSServer.Put_
    WScript.Echo "Enabled DNS Debug Logging on " & strServer

15.6.3 Discussion

With the DNS Server debug log, you can record all DNS operations received and initiated by the server, including queries, updates, zone transfers, etc.
If you need to troubleshoot a particular host, you can use the LogIPFilterList setting in dnscmd or the WMI DNS Provider to restrict the log to operations performed only for or by that host.

The most important debug log setting is the log level. With the Windows Server 2003 DNS Console, you select the required options from an intuitive list. On Windows 2000, you are presented with a list of check boxes and have to figure out which ones need to be used in conjunction with one another. You have a similar issue with the CLI and VBScript solutions, where you need to determine which log level to set. Table 15-3 contains all of the event codes with their hexadecimal and decimal values.

Table 15-3. DNS debug logging event codes

    Hexadecimal value   Decimal value   Description
    0x0                 0               No logging. This is the default.
    0x1                 1               Query transactions.
    0x10                16              Notification transactions.
    0x20                32              Update transactions.
    0xFE                254             Non-query transactions.
    0x100               256             Question packets.
    0x200               512             Answer packets.
    0x1000              4096            Send packets.
    0x2000              8192            Receive packets.
    0x4000              16384           UDP packets.
    0x8000              32768           TCP packets.
    0xFFFF              65535           All packets.
    0x10000             65536           AD write transactions.
    0x20000             131072          AD update transactions.
    0x1000000           16777216        Full packets.
    0x80000000          2147483648      Write-through transactions.

DNS debug logging can come in handy if you want to look at the dynamic update requests a particular DNS server is processing. For example, if a client or DHCP server is attempting to dynamically register records, you can enable the Update Transactions log category on the DNS server you think should be processing the updates. If you don't see any update transactions, that can indicate another server is processing the dynamic update requests. Transactions are not immediately written to the debug log file as they occur.
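Because the log level is a bit mask, the hex value you give dnscmd and the decimal value you give the WMI provider are the same number, and a value you find already set on a server can be decoded back into the Table 15-3 categories. The following Python script is an added example (not code from the Cookbook or from Microsoft); the names and values are taken from Table 15-3, while the keyword names and helper functions are our own. Note that 0xFE and 0xFFFF are composite masks that also cover bits the table does not list individually, so the decoder reports those as undocumented rather than hiding them.

```python
"""Compose and decode a Microsoft DNS Server debug LogLevel bit mask.

Added example, not code from the Active Directory Cookbook: the category
values come from Table 15-3; the keyword names and helper functions are
our own (assumptions for illustration).

dnscmd /Config /LogLevel takes the mask in hex, while the WMI property
MicrosoftDNS_Server.LogLevel takes it in decimal; both are the same number.
"""

# Single-bit event codes from Table 15-3, keyed by a short keyword.
EVENT_CODES = {
    "queries": 0x1,
    "notifications": 0x10,
    "updates": 0x20,
    "question_packets": 0x100,
    "answer_packets": 0x200,
    "send_packets": 0x1000,
    "receive_packets": 0x2000,
    "udp_packets": 0x4000,
    "tcp_packets": 0x8000,
    "ad_write": 0x10000,
    "ad_update": 0x20000,
    "full_packets": 0x1000000,
    "write_through": 0x80000000,
}

# Composite masks from the same table; each covers several bits at once,
# including bits the table does not list as individual codes.
COMPOSITE_CODES = {
    "non_queries": 0xFE,
    "all_packets": 0xFFFF,
}


def compose_log_level(*categories):
    """OR the named categories together into a single LogLevel value."""
    level = 0
    for name in categories:
        if name in EVENT_CODES:
            level |= EVENT_CODES[name]
        elif name in COMPOSITE_CODES:
            level |= COMPOSITE_CODES[name]
        else:
            raise ValueError(f"unknown DNS debug logging category: {name!r}")
    return level


def level_for_dnscmd(level):
    """Hex form as dnscmd /Config /LogLevel expects it, e.g. '0x321'."""
    return hex(level)


def level_for_wmi(level):
    """Decimal form as the MicrosoftDNS_Server.LogLevel property expects it."""
    return int(level)


def decode_log_level(level):
    """List the single-bit categories a LogLevel value switches on.

    Bits that are set but are not individual codes in Table 15-3 (for
    example the extra bits inside 0xFE) are reported as one
    'undocumented_0x..' entry instead of being dropped, so someone auditing
    a server's configuration sees everything that is enabled.
    """
    enabled = []
    leftover = level
    for name, bit in EVENT_CODES.items():
        if level & bit:
            enabled.append(name)
            leftover &= ~bit
    if leftover:
        enabled.append(f"undocumented_0x{leftover:x}")
    return enabled


if __name__ == "__main__":
    # The recipe's own suggestion: log only update transactions while
    # checking whether this server is the one processing dynamic updates.
    updates_only = compose_log_level("updates")
    print("dnscmd /Config /LogLevel", level_for_dnscmd(updates_only))   # 0x20
    print("WMI LogLevel =", level_for_wmi(updates_only))                # 32

    # Queries and updates together with the question/answer packet detail.
    detail = compose_log_level("queries", "updates",
                               "question_packets", "answer_packets")
    print(level_for_dnscmd(detail), decode_log_level(detail))
    print(decode_log_level(COMPOSITE_CODES["non_queries"]))
```

Run it as-is to see the update-only level in both forms; feed `decode_log_level` the current value read from a server to audit what that server is actually logging.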
Transactions are buffered and written to the file after a certain number of requests have been processed.

15.6.4 See Also

MSDN: MicrosoftDNS_Server

Recipe 15.7 Viewing DNS Server Performance Statistics

15.7.1 Problem

You want to view DNS Server performance statistics.

15.7.2 Solution

15.7.2.1 Using a graphical user interface

1. Open the Performance Monitor.
2. Click on System Monitor in the left pane.
3. In the right pane, click the + button. This will bring up the page to add counters.
4. Under Select counters from computer, enter the DNS server you want to target.
5. Select the DNS performance object.
6. Select the counters you want to add and click the Add button.
7. Click Close.

15.7.2.2 Using a command-line interface

    > dnscmd <DNSServerName> /statistics

15.7.2.3 Using VBScript

    ' This code displays all statistics for the specified DNS server
    ' ------ SCRIPT CONFIGURATION ------
    strServer = "<DNSServerName>"   ' e.g. dc1.rallencorp.com
    ' ------ END CONFIGURATION ------
    set objDNS = GetObject("winmgmts:\\" & strServer & "\root\MicrosoftDNS")
    set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
    set objStats = objDNS.ExecQuery("Select * from MicrosoftDNS_Statistic")
    for each objStat in objStats
       WScript.Echo " " & objStat.Name & " : " & objStat.Value
    next

15.7.3 Discussion

The Microsoft DNS Server keeps track of dozens of performance metrics. These metrics include the number of queries, updates, transfers, directory reads, and directory writes processed by the server. If you can pump these metrics into an enterprise management system, you can track DNS usage and growth over time. These statistics can also be useful to troubleshoot load-related issues. If you suspect a DNS Server is being overwhelmed with DNS update requests, you can look at the Dynamic Update Received/sec counter and see if it is processing an unusually high number of updates.

15.7.3.1 Using a command-line interface

You can obtain a subset of the statistics by providing a "statid" after the /statistics option.
Each statistics category has an associated number (i.e., statid). For a complete list of categories and their statids, run the following command:

    > dnscmd /statistics /?

Here is an example of viewing the Query (statid = 2) and Query2 (statid = 4) statistics:

    > dnscmd /statistics 6
    DNS Server . statistics:

    Queries and Responses:
      Total:
        Queries Received  = 14902
        Responses Sent    = 12900
      UDP:
        Queries Recvd     = 14718
        Responses Sent    = 12716
        Queries Sent      = 23762
        Responses Recvd   = 0
      TCP:
        Client Connects   = 184
        Queries Recvd     = 184
        Responses Sent    = 184
        Queries Sent      = 0
        Responses Recvd   = 0

    Queries:
      Total             = 14902
        Notify          = 0
        Update          = 2207
        TKeyNego        = 184
        Standard        = 12511
          A             = 1286
          NS            = 29
          SOA           = 2263
          MX            = 0
          PTR           = 1
          SRV           = 8909
          ALL           = 0
          IXFR          = 0
          AXFR          = 0
          OTHER         = 23

    Command completed successfully.

15.7.3.2 Using VBScript

You can obtain a subset of statistics by adding a where clause to the WQL query. The following query would match only counters that start with "Records":

    select * from MicrosoftDNS_Statistic where Name like 'Records%'

15.7.4 See Also

MSDN: MicrosoftDNS_Statistic

Recipe 15.8 Enabling Inefficient and Expensive LDAP Query Logging

15.8.1 Problem

You want to log inefficient and expensive LDAP queries to the Directory Services event log.

15.8.2 Solution

To log a summary report about the total number of searches, total expensive searches, and total inefficient searches to the Directory Services event log, set the 15 Field Engineering diagnostics logging setting to 4. This summary is generated every 12 hours during the garbage collection cycle.

To log an event to the Directory Services event log every time an expensive or inefficient search occurs, set the 15 Field Engineering diagnostics logging setting to 5. See Recipe 15.2 for more on enabling diagnostics logging.

15.8.3 Discussion

A search is considered expensive if it has to visit a large number of objects in Active Directory.
A search is considered inefficient if it returns less than 10% of the total objects it visits. The default threshold for an expensive query is 10,000: any search that visits 10,000 or more objects is considered expensive. The default bottom limit for an inefficient query is 1,000. If a query visited 1,000 objects and only returned 99 of them (less than 10%), it would be considered inefficient; if it returned 900 instead, it would not. To summarize, with 1,000 being the default bottom threshold, no search that visits fewer than 1,000 entries (even if it visited 999 and returned 0) would be considered inefficient.

Here is an example summary report event that is logged when 15 Field Engineering is set to 4:

    Event Type:     Information
    Event Source:   NTDS General
    Event Category: Field Engineering
    Event ID:       1643
    Date:           5/24/2003
    Time:           7:24:24 PM
    User:           NT AUTHORITY\ANONYMOUS LOGON
    Computer:       DC1
    Description:
    Internal event: Active Directory performed the following number of search operations within this time interval.

    Time interval (hours):
    9
    Number of search operations:
    24679

    During this time interval, the following number of search operations were characterized as either expensive or inefficient.

    Expensive search operations:
    7
    Inefficient search operations:
    22

If you set 15 Field Engineering to 5, the summary event is still logged during the garbage collection cycle, and event 1644 is logged every time an expensive or inefficient search occurs. Notice that this event provides details on all aspects of the search, including the client IP, authenticating user, search base DN, search filter, attributes, controls, number of entries visited, and number of entries returned. The following event was taken from a Windows Server 2003 domain controller; Windows 2000 does not provide quite as much detail.
    Event Type:     Information
    Event Source:   NTDS General
    Event Category: Field Engineering
    Event ID:       1644
    Date:           5/24/2003
    Time:           7:50:40 PM
    User:           RALLENCORP\rallen
    Computer:       DC1
    Description:
    Internal event: A client issued a search operation with the following options.

    Client:
    192.168.4.14
    Starting node:
    DC=rallencorp,DC=com
    Filter:
    (description=*)
    Search scope:
    subtree
    Attribute selection:
    cn
    Server controls:

    Visited entries:
    10340
    Returned entries:
    1000

With the default settings, the query shown in the above event is considered both expensive and inefficient. It is expensive because it visited more than 10,000 entries. It is inefficient because it returned less than 10% of those entries.

You can customize what a domain controller considers expensive and inefficient by creating a couple of registry values under the HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters key. You can create a value named Expensive Search Results Threshold of type DWORD and specify the number of entries a search would need to visit to be considered expensive. Similarly, you can create a value named Inefficient Search Results Threshold of type DWORD and specify the minimum number of entries visited where a match returning less than 10% would be considered inefficient.

If you want to see all the LDAP queries that are being sent to a domain controller, a quick way to do that would be to set the 15 Field Engineering setting to 5 and Expensive Search Results Threshold to .
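Going back to the dnscmd output in Recipe 15.7.3.1: the Queries block is hierarchical (Total is the sum of Notify, Update, TKeyNego and Standard, and Standard is the sum of the per-type counts), which makes it easy to check that a captured statistics dump is complete before trending it in a management system. The following Python script is an added example (not code from the Cookbook or from dnscmd): it parses that output by indentation into dotted counter paths, verifies the parent/child sums, and computes the gap between queries received and responses sent. The embedded SAMPLE_OUTPUT is constructed after the recipe's output; the exact column spacing of real dnscmd output is an assumption, which is why the parser relies only on indentation and the equals sign.

```python
"""Parse `dnscmd /statistics` output and sanity-check the counters.

Added example, not code from the Active Directory Cookbook or from dnscmd.
SAMPLE_OUTPUT is constructed after the Query/Query2 output in Recipe
15.7.3.1; the exact spacing of real dnscmd output is an assumption, so the
parser keys only on indentation and the '=' sign.
"""
import textwrap

SAMPLE_OUTPUT = textwrap.dedent("""\
    DNS Server . statistics:

    Queries and Responses:
      Total:
        Queries Received  = 14902
        Responses Sent    = 12900
      UDP:
        Queries Recvd     = 14718
        Responses Sent    = 12716
        Queries Sent      = 23762
        Responses Recvd   = 0

    Queries:
      Total             = 14902
        Notify          = 0
        Update          = 2207
        TKeyNego        = 184
        Standard        = 12511
          A             = 1286
          NS            = 29
          SOA           = 2263
          MX            = 0
          PTR           = 1
          SRV           = 8909
          ALL           = 0
          IXFR          = 0
          AXFR          = 0
          OTHER         = 23

    Command completed successfully.
    """)


def parse_dnscmd_statistics(text):
    """Return {"Section.Sub.Counter": int}, keyed by the indentation hierarchy.

    A line ending in ':' opens a section; a 'Name = value' line is a counter
    and is also the parent of any more-indented counters that follow it, so
    the SRV count lands at 'Queries.Total.Standard.SRV'.
    """
    stats, stack = {}, []          # stack holds (indent, name) of open parents
    for raw in text.splitlines():
        body = raw.strip()
        if not body:
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:   # close parents at this depth or deeper
            stack.pop()
        if "=" in body:
            name, _, value = body.partition("=")
            name = name.strip()
            stats[".".join([n for _, n in stack] + [name])] = int(value)
            stack.append((indent, name))
        elif body.endswith(":"):
            stack.append((indent, body[:-1].strip()))
        # Anything else ("Command completed successfully.") is ignored.
    return stats


def children_of(stats, path):
    """Counters exactly one level below `path`."""
    depth = path.count(".") + 1
    return {p: v for p, v in stats.items()
            if p.startswith(path + ".") and p.count(".") == depth}


def check_breakdowns(stats):
    """Report (path, parent value, sum of children) where they disagree.

    A mismatch points to truncated or mis-parsed output, not to the server.
    """
    problems = []
    for path, value in stats.items():
        kids = children_of(stats, path)
        if kids and sum(kids.values()) != value:
            problems.append((path, value, sum(kids.values())))
    return problems


def unanswered_queries(stats, section="Queries and Responses.Total"):
    """Queries received minus responses sent for one section of the output."""
    return stats[f"{section}.Queries Received"] - stats[f"{section}.Responses Sent"]


if __name__ == "__main__":
    stats = parse_dnscmd_statistics(SAMPLE_OUTPUT)
    for path, value in stats.items():
        print(f"{path:45} {value:>8}")
    print("breakdown problems:", check_breakdowns(stats))   # [] for the sample
    print("unanswered queries:", unanswered_queries(stats))  # 2002
```

Pipe the saved output of `dnscmd <DNSServerName> /statistics 6` into `parse_dnscmd_statistics` and run `check_breakdowns` before you graph anything; an empty list means the dump is internally consistent.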
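The expensive and inefficient rules above are easy to get subtly wrong (the inefficient rule only applies once the visited count reaches the bottom threshold, and "less than 10%" excludes exactly 10%), so it helps to have them written down as code that can be run against the description block of an event 1644. The following Python script is an added example (not code from the Cookbook or from Microsoft): it parses the label/value pairs of such a description and applies both rules with the default thresholds the recipe states, and lets you pass custom thresholds to see how a changed Expensive Search Results Threshold or Inefficient Search Results Threshold would classify the same search. SAMPLE_EVENT_1644 is constructed after the event above and its line layout is an assumption; the function names are our own.

```python
"""Classify an LDAP search as expensive and/or inefficient using the rules
Recipe 15.8 describes for the 15 Field Engineering diagnostics.

Added example, not code from the Active Directory Cookbook. The thresholds
are the defaults the recipe states (10,000 visited for expensive; 1,000
visited with under 10% returned for inefficient). SAMPLE_EVENT_1644 is
constructed after the event shown above; its layout and the function
names are our own assumptions.
"""

DEFAULT_EXPENSIVE_THRESHOLD = 10_000    # "Expensive Search Results Threshold"
DEFAULT_INEFFICIENT_THRESHOLD = 1_000   # "Inefficient Search Results Threshold"
INEFFICIENT_RETURN_RATIO = 0.10         # inefficient = returned < 10% of visited

SAMPLE_EVENT_1644 = """\
Internal event: A client issued a search operation with the following options.

Client:
192.168.4.14
Starting node:
DC=rallencorp,DC=com
Filter:
(description=*)
Search scope:
subtree
Attribute selection:
cn
Server controls:

Visited entries:
10340
Returned entries:
1000
"""


def is_expensive(visited, threshold=DEFAULT_EXPENSIVE_THRESHOLD):
    """Expensive: the search visited at least `threshold` objects."""
    return visited >= threshold


def is_inefficient(visited, returned, threshold=DEFAULT_INEFFICIENT_THRESHOLD):
    """Inefficient: visited at least `threshold` objects and returned fewer
    than 10% of them. Below the threshold nothing counts as inefficient,
    not even a search that visited 999 entries and returned none."""
    if visited < threshold:
        return False
    return returned < INEFFICIENT_RETURN_RATIO * visited


def parse_event_1644_description(text):
    """Turn the 'Label:' / value lines of an event 1644 description into a dict.

    A label followed directly by another label (as 'Server controls:' is in
    the sample) keeps an empty value instead of swallowing the next label.
    """
    fields = {}
    label = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):
            label = line[:-1]
            fields[label] = ""
        elif label is not None:
            fields[label] = line
            label = None
    return fields


def classify_search(description,
                    expensive_threshold=DEFAULT_EXPENSIVE_THRESHOLD,
                    inefficient_threshold=DEFAULT_INEFFICIENT_THRESHOLD):
    """Parse an event 1644 description and apply both rules.

    The two threshold arguments mirror the registry values the recipe
    describes under NTDS\\Parameters, so a proposed setting can be tried
    against captured events before it is changed on a domain controller.
    """
    fields = parse_event_1644_description(description)
    visited = int(fields["Visited entries"])
    returned = int(fields["Returned entries"])
    return {
        "client": fields.get("Client", ""),
        "base": fields.get("Starting node", ""),
        "filter": fields.get("Filter", ""),
        "visited": visited,
        "returned": returned,
        "expensive": is_expensive(visited, expensive_threshold),
        "inefficient": is_inefficient(visited, returned, inefficient_threshold),
    }


if __name__ == "__main__":
    print(classify_search(SAMPLE_EVENT_1644))
    # The recipe's worked cases for the inefficient rule:
    for visited, returned in [(1000, 99), (1000, 900), (999, 0)]:
        print(visited, returned, is_inefficient(visited, returned))
```

Exporting the 1644 events from the Directory Services log and running each description through `classify_search` gives a per-client list of the searches that tripped the thresholds, which is the starting point for finding the application or script issuing them.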

Date posted: 05/07/2014, 08:20
