Thursday, May 3, 2018

Netlogon Debug helper


Sometimes it is helpful to get information about the actions performed by the Netlogon service on a machine. To gather that information you need to enable Netlogon debug logging. To make things easier, you will find download links at the end of the article for a little helper program that:

  • helps you build the debug flag bit mask that matches your needs
  • explains the bits in the debug flag bit mask
  • sets the desired value in the registry
  • restarts the Netlogon service

Some basics: to configure Netlogon debug logging we need to set a DWORD value in the registry.
Path to the parent registry key:

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Registry value:

DBFlag = desired debug flag bit mask

The corresponding log entries can be found in:

%windir%\debug\netlogon.log

To control the log file size (default = 20 MB) we may use the following DWORD value in the same registry key:

MaximumLogFileSize = maximum log file size in bytes
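The registry steps above, as an added PowerShell example that is not part of the original post or its helper tool. It assumes an elevated PowerShell session on the target machine; the function names are invented for this example, and the default mask is the post's NL_TIMESTAMP | NL_LOGON value.

```powershell
# Added example, not part of the original post or its helper tool: enable, inspect and
# disable Netlogon debug logging through the registry values described above.
# Assumptions (mine): an elevated PowerShell session on the target machine, and
# invented function names. The default mask is the post's NL_TIMESTAMP | NL_LOGON.

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$NetlogonLog    = Join-Path $env:windir 'debug\netlogon.log'

function ConvertTo-RegDword {
    # The registry provider writes REG_DWORD through Int32. Reinterpret the bit pattern
    # so a mask with bit 31 set (NL_BREAKPOINT, 0x80000000) is stored instead of
    # failing the uint32 -> int conversion.
    param([Parameter(Mandatory)][uint32]$Value)
    [BitConverter]::ToInt32([BitConverter]::GetBytes($Value), 0)
}

function ConvertFrom-RegDword {
    # Inverse of ConvertTo-RegDword: Get-ItemProperty returns REG_DWORD as Int32.
    param([Parameter(Mandatory)][int]$Value)
    [BitConverter]::ToUInt32([BitConverter]::GetBytes($Value), 0)
}

function Enable-NetlogonDebug {
    param(
        [uint32]$DBFlag = 0x20000004,       # NL_TIMESTAMP | NL_LOGON
        [uint32]$MaximumLogFileSize = 50MB  # in bytes; Netlogon's default is 20 MB
    )
    # New-ItemProperty -Force creates the value, or overwrites it with the given type.
    New-ItemProperty -Path $NetlogonParams -Name DBFlag -PropertyType DWord `
        -Value (ConvertTo-RegDword $DBFlag) -Force | Out-Null
    New-ItemProperty -Path $NetlogonParams -Name MaximumLogFileSize -PropertyType DWord `
        -Value (ConvertTo-RegDword $MaximumLogFileSize) -Force | Out-Null
    # The post's helper restarts Netlogon after writing the value; do the same so the
    # new mask is in effect before you reproduce the problem.
    Restart-Service -Name Netlogon -Force
}

function Disable-NetlogonDebug {
    # DBFlag = 0 switches logging off again; netlogon.log itself is left in place.
    New-ItemProperty -Path $NetlogonParams -Name DBFlag -PropertyType DWord -Value 0 -Force | Out-Null
    Restart-Service -Name Netlogon -Force
}

function Get-NetlogonDebugStatus {
    # Read back what is configured and what the log file currently looks like.
    $p   = Get-ItemProperty -Path $NetlogonParams -ErrorAction SilentlyContinue
    $log = Get-Item -Path $NetlogonLog -ErrorAction SilentlyContinue

    $dbflag = ConvertFrom-RegDword ([int]($p.DBFlag))
    if ($null -eq $p.MaximumLogFileSize) {
        $maxSize = '20 MB (default, value not set)'
    } else {
        $maxSize = '{0} bytes' -f (ConvertFrom-RegDword $p.MaximumLogFileSize)
    }

    [pscustomobject]@{
        DBFlag             = '0x{0:X8}' -f $dbflag
        MaximumLogFileSize = $maxSize
        LogFile            = $NetlogonLog
        LogSizeBytes       = $(if ($log) { $log.Length } else { 0 })
        LogLastWrite       = $(if ($log) { $log.LastWriteTime } else { $null })
    }
}

# Typical round trip: enable, reproduce the logon problem, look at the tail, disable.
# Enable-NetlogonDebug
# Get-NetlogonDebugStatus
# Get-Content -Path $NetlogonLog -Tail 20
# Disable-NetlogonDebug
```

Two practitioner caveats: restarting Netlogon on a domain controller briefly interrupts the service clients authenticate against, so do it in a maintenance window; and netlogon.log records account names, computer names and DC names, so restrict access to %windir%\debug and remove the log (and the netlogon.bak that Netlogon rotates to when MaximumLogFileSize is reached) once troubleshooting is done.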

There are many articles out there on this topic, but unfortunately they all lack detailed information about the valid debug flags that can be configured.
Most of them suggest setting the value 0x2080ffff, which results in very verbose debug output: white noise.
Apart from the complexity of analysing the huge amount of gathered data, your log file may be overwritten very quickly, so you may miss the log entries of interest.

Therefore, I suggest setting only those debug flag bits that make Netlogon log the data you are actually interested in.

List of the debug flag bits:

[code lang="c-sharp"]
[Flags]
public enum DEBUG_FLAGS : uint
{
    NL_INIT           = 0x00000001, // Netlogon initialization
    NL_MISC           = 0x00000002, // Misc debug (like DCLocator)
    NL_LOGON          = 0x00000004, // Logon processing
    NL_SYNC           = 0x00000008, // Synchronization and replication
    NL_MAILSLOT       = 0x00000010, // Mailslot messages
    NL_SITE           = 0x00000020, // Sites
    NL_MSA            = 0x00000040, // Managed Service Account Scavenger processing
    NL_1              = 0x00000080, // Unknown
    NL_CRITICAL       = 0x00000100, // Only real important errors
    NL_SESSION_SETUP  = 0x00000200, // Trusted Domain maintenance
    NL_DOMAIN         = 0x00000400, // Hosted Domain maintenance
    NL_2              = 0x00000800, // Unknown
    NL_SERVER_SESS    = 0x00001000, // Server session maintenance
    NL_CHANGELOG      = 0x00002000, // Change Log references
    NL_DNS            = 0x00004000, // DNS name registration
    // Verbose bits
    NL_VERBOSE        = 0x00008000, // Enable verbose logging
    NL_WORKER         = 0x00010000, // Debug worker thread
    NL_DNS_MORE       = 0x00020000, // Verbose DNS name registration
    NL_PULSE_MORE     = 0x00040000, // Verbose pulse processing
    NL_SESSION_MORE   = 0x00080000, // Verbose session management
    NL_REPL_TIME      = 0x00100000, // Replication timing output
    NL_REPL_OBJ_TIME  = 0x00200000, // Replication objects get/set timing output
    NL_ENCRYPT        = 0x00400000, // Debug encrypt and decrypt across net
    NL_SYNC_MORE      = 0x00800000, // Additional replication dbgprint
    NL_PACK_VERBOSE   = 0x01000000, // Verbose Pack/Unpack
    NL_MAILSLOT_TEXT  = 0x02000000, // Verbose Mailslot messages
    NL_CHALLENGE_RES  = 0x04000000, // Challenge response debug
    NL_SITE_MORE      = 0x08000000, // Verbose sites
    // Control bits
    NL_INHIBIT_CANCEL = 0x10000000, // Don't cancel API calls
    NL_TIMESTAMP      = 0x20000000, // TimeStamp each output line
    NL_ONECHANGE_REPL = 0x40000000, // Only replicate one change per call
    NL_BREAKPOINT     = 0x80000000  // Enter debugger on startup
}
[/code]

Example: you are interested in logon processing, so set the debug flag value NL_TIMESTAMP | NL_LOGON (0x20000004).
Keep in mind that each log entry in netlogon.log only carries a time stamp if you set the NL_TIMESTAMP bit (0x20000000).
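Building a mask from flag names and decoding an existing DBFlag back into its bits, as an added PowerShell example that is not part of the original post or its helper tool. It carries the bit table above; the function names are invented for this example.

```powershell
# Added example, not part of the original post or its helper tool: build a DBFlag
# value from flag names and decode an existing value back into the bits listed above.
# Assumptions (mine): the bit meanings are the ones in the post; the function names
# are invented for this example.

$NetlogonDebugFlags = [ordered]@{}
@'
NL_INIT           00000001 Netlogon initialization
NL_MISC           00000002 Misc debug (like DCLocator)
NL_LOGON          00000004 Logon processing
NL_SYNC           00000008 Synchronization and replication
NL_MAILSLOT       00000010 Mailslot messages
NL_SITE           00000020 Sites
NL_MSA            00000040 Managed Service Account Scavenger processing
NL_1              00000080 Unknown
NL_CRITICAL       00000100 Only real important errors
NL_SESSION_SETUP  00000200 Trusted Domain maintenance
NL_DOMAIN         00000400 Hosted Domain maintenance
NL_2              00000800 Unknown
NL_SERVER_SESS    00001000 Server session maintenance
NL_CHANGELOG      00002000 Change Log references
NL_DNS            00004000 DNS name registration
NL_VERBOSE        00008000 Enable verbose logging
NL_WORKER         00010000 Debug worker thread
NL_DNS_MORE       00020000 Verbose DNS name registration
NL_PULSE_MORE     00040000 Verbose pulse processing
NL_SESSION_MORE   00080000 Verbose session management
NL_REPL_TIME      00100000 Replication timing output
NL_REPL_OBJ_TIME  00200000 Replication objects get/set timing output
NL_ENCRYPT        00400000 Debug encrypt and decrypt across net
NL_SYNC_MORE      00800000 Additional replication dbgprint
NL_PACK_VERBOSE   01000000 Verbose Pack/Unpack
NL_MAILSLOT_TEXT  02000000 Verbose Mailslot messages
NL_CHALLENGE_RES  04000000 Challenge response debug
NL_SITE_MORE      08000000 Verbose sites
NL_INHIBIT_CANCEL 10000000 Don't cancel API calls
NL_TIMESTAMP      20000000 TimeStamp each output line
NL_ONECHANGE_REPL 40000000 Only replicate one change per call
NL_BREAKPOINT     80000000 Enter debugger on startup
'@ -split "`r?`n" | ForEach-Object {
    # Parse the table into name / uint32 value / description. Values are parsed from
    # hex text with Convert.ToUInt32 because a bare 0x80000000 literal is a negative
    # Int32 in Windows PowerShell and would not fit a [uint32].
    $name, $hex, $description = $_.Trim() -split '\s+', 3
    $NetlogonDebugFlags[$name] = [pscustomobject]@{
        Name        = $name
        Value       = [Convert]::ToUInt32($hex, 16)
        Description = $description
    }
}

function New-NetlogonDbFlag {
    # Combine named bits into one DBFlag value. Unknown names are an error rather
    # than being silently dropped, so a typo cannot leave you with an empty log.
    param([Parameter(Mandatory)][string[]]$Flag)
    [uint32]$mask = 0
    foreach ($name in $Flag) {
        if (-not $NetlogonDebugFlags.Contains($name)) {
            throw "Unknown Netlogon debug flag '$name'"
        }
        $mask = $mask -bor $NetlogonDebugFlags[$name].Value
    }
    return $mask
}

function ConvertFrom-NetlogonDbFlag {
    # Expand a DBFlag value into the bits it contains. Accepts a hex string such as
    # '0x2080ffff' (safe for values with bit 31 set) or a number.
    param([Parameter(Mandatory)]$DBFlag)
    if ($DBFlag -is [string]) {
        $value = [Convert]::ToUInt32(($DBFlag -replace '^0x', ''), 16)
    } else {
        $value = [uint32]$DBFlag
    }
    foreach ($flag in $NetlogonDebugFlags.Values) {
        if (($value -band $flag.Value) -ne 0) { $flag }
    }
}

# Usage: a focused mask for logon troubleshooting, and a breakdown of the
# "white noise" value most articles recommend.
# '0x{0:X8}' -f (New-NetlogonDbFlag -Flag NL_TIMESTAMP, NL_CRITICAL, NL_LOGON)
# ConvertFrom-NetlogonDbFlag -DBFlag '0x2080ffff' | Format-Table Name, Description
```

The value returned by New-NetlogonDbFlag is what goes into DBFlag; with only NL_TIMESTAMP and NL_LOGON it is the post's 0x20000004. Passing the decoder a hex string rather than a numeric literal matters for masks that include NL_BREAKPOINT, because Windows PowerShell parses 0x80000000 as a negative Int32.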

FYI, the white-noise DBFlag value 0x2080ffff translates to:

  • NL_INIT
  • NL_MISC
  • NL_LOGON
  • NL_SYNC
  • NL_MAILSLOT
  • NL_SITE
  • NL_MSA
  • NL_1
  • NL_CRITICAL
  • NL_SESSION_SETUP
  • NL_DOMAIN
  • NL_2
  • NL_SERVER_SESS
  • NL_CHANGELOG
  • NL_DNS
  • NL_VERBOSE
  • NL_SYNC_MORE
  • NL_TIMESTAMP

Netlogon Debug Helper Tool downloads:

All the best and have fun debugging.

Michael

PFE | Have keyboard. Will travel



from TechNet Blogs https://ift.tt/2rgisIc
