There’s normal troubleshooting and then there’s the stuff you do when the basic troubleshooting doesn’t get things resolved. Normal troubleshooting can be things like selecting “last known good” on a reboot after installing a new driver and having a blue screen. Or perhaps uninstalling and then reinstalling an application, or altering settings for the application or operating system to alleviate a problem.
Sometimes we have to dig in and find out more.
Many admins out there in the world live that every day, which is why we build methods for finding out more into our products. This post is all about listing all of the data gathering methods that a Directory Services person may ever need to know. Since there are so many, it will be difficult to organize well in one uber post, but I’m going to put it out there for you all anyway, disorganized or not.
A while back I created a spreadsheet which could be used to select the Directory Services technology which is being looked at as having a problem and then use the spreadsheet to narrow down what data should be looked at.
I broke this down into columns for Technology, Logging Name, General Problem Description, Short Description of Benefits, “Should be Done” (meaning how frequently that technique is done generally to fix an issue) and the URL or steps on how to set up that logging.
The original document was an Excel spreadsheet, but I saved it as a monolithic web file. If you have Excel you can use the Microsoft Office Web Components (install them from the link for free if you don’t have them) and use the pull down menus to help easily narrow down what data to gather.
A few caveats about this list. First, it doesn’t tell you how to read the results, only what data to gather and how to gather it. Second, it doesn’t focus on a specific operating system version. I have given a few posts on some of the logging (like USERENV) so you can refer to those if it helps. Third, this is not an entirely comprehensive list but it gets nearly all. There’s always going to be something new or rarely used, you know?
The file is available as a download from this blog post. Also, please forgive the formatting which I suspect may truncate some of the columns. It depends in part on your browser and the blog style sheet, but it may encourage you to download and use the Excel sheet for this instead.
I’m also pasting the information below. Again, for formatting purposes I hope you have multimon set up so that you can stretch the page, since otherwise it may be difficult to read. But I wanted to be sure and post it in the page since I don’t want to unintentionally penalize a reader who doesn’t use Microsoft Office. Though you should, readers; it’s a great product.
|Technology||Logging Name||General Problem Description||Short Description of Benefits||Should be done…||URL for Steps to Enable/Install|
|User Profiles||USERENV Logging||User Logon/Logoff Problems||This creates a log file with a step by step detail of the user logon process.||INITIALLY||http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833|
|User Profiles||MPS Reports DS||User Logon/Logoff Problems||MPS Reports DS gathers the USERENV.LOG, as well as the Application event log of that computer.||SOMETIMES||http://www.microsoft.com/downloads/details.aspx?FamilyId=CEBF3C7C-7CA5-408F-88B7-F9C79B7306C0&displaylang=en|
|User Profiles||UPHClean in Diagnostic Mode||User Logon/Logoff Problems||UPHClean detects and closes open handles after logoff. In diagnostic mode it will display the PID of the offending process and stack last called for it.||SOMETIMES||http://www.microsoft.com/downloads/details.aspx?FamilyID=1b286e6d-8912-4e18-b570-42470e2f3582&displaylang=en&Hash=RQY5N8C|
|Account Lockouts||Verbose Kerberos Event Logging||Kerberos Errors||Increases the verbosity of logging for the selected type of events in the System Event Log.||SOMETIMES||http://support.microsoft.com/kb/q262177/|
|Account Lockouts||NETLOGON Logging||Excessive account lockouts||Creates a NETLOGON.LOG file, detailing the verbose actions which the NETLOGON service is doing.||INITIALLY||http://support.microsoft.com/kb/109626/|
|Account Lockouts||Remote Event Monitoring (EventCombMT)||Excessive account lockouts||Allows the remote gathering of events from servers. Has built-in search macros for common issues, like Account Lockouts.||INITIALLY||http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=7af2e69c-91f3-4e63-8629-b999adde0b9e|
|Account Lockouts||MPS Reports DS||Excessive account lockouts||Gathers account lockout policy settings, NETLOGON.LOG, and event logs.||SOMETIMES||http://www.microsoft.com/downloads/details.aspx?FamilyId=CEBF3C7C-7CA5-408F-88B7-F9C79B7306C0&displaylang=en|
|Group Policy||USERENV Logging||Group Policy application problems||This creates a log file with a step by step detail of the user logon process.||SOMETIMES||http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833|
|Group Policy||GPRESULT output (MPS REPORTS or Support Tools)||Group Policy application problems||Gives a list of applied policies in the contexts of user and computer, and the settings from each.||INITIALLY||http://www.microsoft.com/downloads/details.aspx?FamilyId=CEBF3C7C-7CA5-408F-88B7-F9C79B7306C0&displaylang=en|
|Group Policy||Security Settings (WINLOGON Logging)||Group Policy application problems||This log contains the complete list of security specific settings applying from policy.||INITIALLY||http://support.microsoft.com/kb/245422|
|Group Policy||Software Installation (AppMgmt Logging)||Group Policy application problems||This log will display a verbose log of policy-driven application install processes.||INITIALLY||http://support.microsoft.com/?id=249621|
|Certificate Svcs||Verbose Certificate Services Event Logging (only for 2003)||Certificate service problems||This increases the detail and number of events shown for certificate services activity on a computer.||INITIALLY||http://support.microsoft.com/?id=305018|
|Domain Controller Promotion (DCPROMO)||DCPROMO User Input Log (DCPROMOUI.LOG)||Problems promo/demoting DCs||This log will list the answers provided by the user upon running DCPROMO during the wizard.||INITIALLY||Enabled by default but can be increased in verbosity.|
|Domain Controller Promotion (DCPROMO)||DCPROMO Debug Log (DCPROMO.LOG)||Problems promo/demoting DCs||This is the DCPROMO debug log; it will show each action the local system takes to promote itself as a new DC.||INITIALLY||Enabled by default.|
|DNS||DNS Client Service Logging||Problems resolving DNS (client-side)||This logging provides more detail on DNS client lookup behavior in a separate log.||RARELY||http://support.microsoft.com/?id=260969|
|Group Policy||Folder Redirection Debug logging (Fdeploy)||Group Policy application problems||Provides a debug log of the folder redirection process.||INITIALLY||http://www.microsoft.com/technet/community/newsgroups/upfrfaq.mspx|
|File Replication Service||FRS Debug Log Severity||Problems replicating SYSVOL/DFS||Increases the verbosity of the file replication service default debug logs.||RARELY||http://support.microsoft.com/?id=221112|
|File Replication Service||FRS Debug Log Files||Problems replicating SYSVOL/DFS||These logs detail the actions FRS takes as it copies and assesses files for inbound and outbound file replication for all replica sets on that server.||SOMETIMES||http://support.microsoft.com/?id=221112|
|File Replication Service||FRS Debug Maximum Log Messages||Problems replicating SYSVOL/DFS||This setting controls the number of entries retained before the log FIFOs.||SOMETIMES||http://support.microsoft.com/?id=221112|
|Group Policy||Group Policy Object Editor (GPEDIT)||Group Policy editing problems||Creates a detailed log of what takes place when a policy is edited in GPEDIT.MSC.||SOMETIMES||http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/0907105e-7856-4c93-b97f-a9a306623af5.mspx|
|Group Policy||Registry Settings (USERENV Logging)||Group Policy application problems||Displays registry specific client side engine information in the USERENV.LOG.||SOMETIMES||http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/0907105e-7856-4c93-b97f-a9a306623af5.mspx|
|Group Policy||Group Policy Management Console Debug Logging (GPMC)||Group Policy editing problems||Creates a detailed log of what takes place when a policy is edited in GPMC.MSC.||RARELY||http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/0907105e-7856-4c93-b97f-a9a306623af5.mspx|
|IPSec||IPSec Policy Agent Logging (Oakley.log)||Problems with IPSec settings taking effect||Creates a log showing information regarding the application of IPSec settings on a computer.||RARELY||http://support.microsoft.com/?id=257225|
|Kerberos||Verbose Kerberos Event Logging||Kerberos Errors||Increases the verbosity of logging for the selected type of events in the System Event Log.||RARELY||http://support.microsoft.com/?id=262177|
|Microsoft Directory Synchronization Services||Debug logging in the MSDSS tool||Errors or problems using MSDSS||Creates a debug log file of what the tool is doing.||RARELY||http://support.microsoft.com/?id=269536|
|AD Replication||Active Directory Diagnostic Event Logging||Errors in AD replication||Increases the verbosity of logging for the selected type of events in the DS Event Log.||SOMETIMES||http://support.microsoft.com/?id=314980|
|Directory Service Performance||ADPERF (Windows 2000 DCs Only)||Slow performance or hangs in LSASS.EXE||Gives a detailed report on what the directory service was doing as the report was run.||OFTEN||This is a legacy tool; contact MS for a copy.|
|Directory Service Performance||Server Performance Advisor (Windows Server 2003 DCs Only)||Slow performance or hangs in LSASS.EXE||Gives a detailed report on what the directory service was doing as the report was run.||OFTEN||http://www.microsoft.com/downloads/details.aspx?FamilyID=61a41d78-e4aa-47b9-901b-cf85da075a73&DisplayLang=en|
|Domain Controller Discovery||NETLOGON Logging||Problems with clients or DCs finding DCs for services||Creates a NETLOGON.LOG file, detailing the verbose actions which the NETLOGON service is doing.||SOMETIMES||http://support.microsoft.com/kb/109626/|
|SSL/TLS (Network Session Security)||Schannel Debug Logging||Problems establishing SSL sessions successfully||Provides a debug log of the SSL session setup.||RARELY||http://support.microsoft.com/?id=260729|
|Group Policy||Software Restriction Policy (SAFER) Logging||Problems processing software restriction settings||Logs the processing of software restriction settings in a file.||RARELY||http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx (under Advanced Logging)|
|Windows Time Service||W32Time Logging||Problems with the time service keeping in synch||Creates a debug log file for the Windows Time Service.||SOMETIMES||http://support.microsoft.com/?id=816043|
|Kerberos||Network Capture||Kerberos Errors||When filtered for Kerberos traffic, the capture will show ticket requests and replies and details on each.||SOMETIMES||http://support.microsoft.com/default.aspx?scid=kb;en-us;q294818 or http://www.ethereal.com/|
|SSL/TLS (Network Session Security)||Network Capture||Problems establishing SSL sessions successfully||When filtered for SSL/TLS traffic, the capture will show session setup in detail.||RARELY||http://support.microsoft.com/default.aspx?scid=kb;en-us;q294818 or http://www.ethereal.com/|
|User Profiles||Network Capture||User Logon/Logoff Problems||A capture of user logon and logoff will display all communication to and from the client, DC and profile server (if separate).||RARELY||http://support.microsoft.com/default.aspx?scid=kb;en-us;q294818 or http://www.ethereal.com/|
|DNS||Network Capture||Problems resolving DNS (client-side and server)||When filtered for DNS, the capture will show forward and reverse queries and responses.||RARELY||http://support.microsoft.com/default.aspx?scid=kb;en-us;q294818 or http://www.ethereal.com/|
|Domain Controller Promotion (DCPROMO)||NETDIAG.EXE /V output||Problems promo/demoting DCs||Used to verify DNS settings, host name and bindings.||SOMETIMES||http://www.microsoft.com/downloads/details.aspx?FamilyID=6ec50b78-8be1-4e81-b3be-4e7ac4f0912d&displaylang=en|
I hope this helps everyone out. If you come across a logging method, or have a question on this, just post a comment. Let me add one more thing too: thanks for using Microsoft products for your needs. We appreciate it, and want to help if they’re not working as you want them to. Enough said.