Logging with the Netlogon service

Hello all,

Hope this post finds you in good health and spirits. We are at the end of 2019, and it was a wonderful year for Windows Techno as well as for all of you. We are also thankful to all our readers for your support, positive responses and suggestions.

Happy New Year 2020 to all our readers, and may God fulfill all your dreams.

This post explains how to enable logging for the Netlogon service in Windows in order to monitor or troubleshoot authentication, DC locator, account lockout, or other domain communication-related issues.

The Netlogon service is one of the important Local Security Authority (LSA) processes that run on each and every domain controller. When troubleshooting authentication problems, analyzing the Netlogon service log files can be useful.

These logs can be used to investigate account lockout and authentication issues, and to track authentication requests when an application or tool is hard-coded to use a specific domain controller. The NETLOGON log file provides detailed logging of all NETLOGON events and helps you trace the originating device on which the logon attempts (and subsequent lockout) occur.

To enable NETLOGON logging, run the following command (from an elevated command prompt):

[Screenshot: Netlogon debugging command, enabling]

There is no need to restart the Netlogon service. Once the command has been executed, authentication details start being written to the log file.

The log is written to a single file: %SYSTEMROOT%\debug\Netlogon.log. By default, the size of this file is 20 MB; once the log reaches 20 MB, the old logs start being overwritten.


You can see the Netlogon debug log file under the %SYSTEMROOT%\debug folder. Open the file to get detailed information about the authentication or lockout issue.
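To trace the originating device from a copy of Netlogon.log, the following added example (not part of the original post) extracts failed SamLogon results and counts them per source. The line layout it parses is an assumption based on typical Netlogon debug entries, and the domain, account and host names in the sample are constructed.

```python
import re
from collections import Counter

# NTSTATUS values commonly seen when tracing lockouts.
STATUS = {
    "0xC000006A": "wrong password",
    "0xC0000234": "account locked out",
    "0xC0000064": "no such user",
}

# Assumed entry shape (not taken from the post):
#   MM/DD HH:MM:SS [LOGON] [pid] [DOMAIN: ]SamLogon: <type> logon of
#   DOMAIN\user from WORKSTATION (via SERVER) Returns 0x<status>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[LOGON\] \[\d+\] (?:\S+: )?"
    r"SamLogon: .+? logon of (?P<account>\S+) from (?P<source>\S*)"
    r"(?: \(via (?P<via>[^)]+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

def failed_logons(lines):
    """Yield one dict per SamLogon result line whose status is a tracked failure."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # "Entered" lines and entries from other subsystems
        code = "0x" + m["status"][2:].upper()
        if code in STATUS:
            yield {"time": m["ts"], "account": m["account"],
                   "source": m["source"] or "(blank)",  # source name can be empty
                   "via": m["via"], "status": code, "meaning": STATUS[code]}

def top_sources(lines, account):
    """Count failures per originating device for one account (case-insensitive)."""
    return Counter(e["source"] for e in failed_logons(lines)
                   if e["account"].lower() == account.lower())

# Constructed sample entries, not real log data.
SAMPLE_LOG = r"""
12/30 10:15:40 [LOGON] [4120] SamLogon: Transitive Network logon of CONTOSO\jdoe from WKSTN-042 (via APPSRV01) Entered
12/30 10:15:40 [LOGON] [4120] SamLogon: Transitive Network logon of CONTOSO\jdoe from WKSTN-042 (via APPSRV01) Returns 0xC000006A
12/30 10:15:52 [LOGON] [4120] SamLogon: Network logon of CONTOSO\jdoe from WKSTN-042 Returns 0xC000006A
12/30 10:16:03 [LOGON] [4120] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from  (via MAIL01) Returns 0xc0000234
12/30 10:16:10 [LOGON] [4120] SamLogon: Network logon of CONTOSO\asmith from WKSTN-007 Returns 0x0
12/30 10:16:11 [MISC] [4120] DsGetDcName function called: client PID=812, Dom:CONTOSO Acct:(null) Flags: DS
""".strip().splitlines()

if __name__ == "__main__":
    for event in failed_logons(SAMPLE_LOG):
        print(event)
    print(top_sources(SAMPLE_LOG, r"CONTOSO\jdoe"))
```

When the source name is blank, the "via" server is the next place to look, since it relayed the authentication request to the domain controller.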


You can also increase or decrease the size of this file by adding the DWORD value MaximumLogFileSize to the registry on the domain controllers.

MaximumLogFileSize (under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters) specifies the maximum log file size in bytes. Note that the actual disk space needed is two times that value: when Netlogon.log reaches the maximum size, it is rotated to Netlogon.bak.


Once you’re finished debugging, run the following command to disable debug logging:

nltest /dbflag:0x0


So, that’s all for this blog post. I will meet you soon with the next topic. Have a nice day!!!

Guys, please don’t forget to like and share the post. You can also share your feedback at the Windows Techno email ID below.

If you have any questions, feel free to contact us at admin@windowstechno.com. Also follow us on facebook@windowstechno to get updates about new blog posts.
