Sunday, 2 April 2017

Enable Diagnostic and Logging Windows Logs

Hello Professionals,

Today I am sharing some very useful details that seriously help with difficult troubleshooting. Logging helps admins find the failure, or its possible cause, and with some advanced options you can get very detailed information about what is causing the issue.
Analytic and Debug logs are disabled by default. When enabled, they quickly fill the disk with a large number of very large log files. It is recommended that you disable these logging settings again once the troubleshooting steps are finished.

1. Enabling Kerberos Event Logging on a Specific Computer
    Start Registry Editor.
    Add the following registry value:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    Registry Value: LogLevel
    Value Type: REG_DWORD
    Value Data: 0x1

2. To enable Windows Time Service debug logging: first create a folder in which to save the log file. I made it D:\W32Time_Log. Then run:
 w32tm /debug /enable /file:d:\W32Time_Log\w32time.log /size:10000000 /entries:0-116

3. Verbose logging: Verbose logging tracks all changes and settings applied through Group Policy and its extensions to the local computer and to users who log on to the computer, and writes them to Userenv.log in the %SystemRoot%\Debug folder.
To enable it, browse to the registry path below:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Add a value named UserenvDebugLevel with the data type REG_DWORD and the hexadecimal value 30002.
The value 30002 gives verbose logging, 30001 logs errors and warnings only, and 30000 logs nothing.

To disable verbose logging, delete UserenvDebugLevel from the path below:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

4. Netlogon Logging for troubleshooting authentication issues
Run the following command with administrative privileges:
Nltest /DBFlag:2080FFFF
then net stop netlogon
then net start netlogon

To stop Netlogon logging:
Nltest /DBFlag:0x0

The netlogon.log file is located in %SystemRoot%\Debug, and the Netlogon logging level is stored in the following registry value:
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag

On computers running Windows Server 2003 and later versions of the Microsoft operating system, you can use the following policy setting to enable verbose Netlogon logging. Browse to
\Computer Configuration\Administrative Templates\System\Net Logon\Specify log file debug output level
and enter 0x2080FFFF as the value.

The above method can also be used to enable Netlogon logging on multiple computers through Group Policy, but in practice doing this by Group Policy is not recommended.
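The three registry-driven debug logs from items 1, 3 and 4 (Kerberos LogLevel, UserenvDebugLevel and the Netlogon DBFlag) can be switched on, checked and switched off again from one place. This is an added example, not code from the original post; it assumes an elevated PowerShell session on the machine being troubleshot, and the function names are my own.

```powershell
# Added example (not from the original post): enable, inspect and disable the
# Kerberos, Userenv (Group Policy) and Netlogon debug logging described above.
# Run in an elevated PowerShell session on the computer being troubleshot.
#Requires -RunAsAdministrator

$DebugLogSettings = @(
    @{ Name = 'Kerberos'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'; Value = 'LogLevel';          On = 0x1 }
    @{ Name = 'Userenv';  Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';   Value = 'UserenvDebugLevel'; On = 0x30002 }
    @{ Name = 'Netlogon'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters';   Value = 'DBFlag';            On = 0x2080FFFF }
)

function Enable-DebugLogging {
    foreach ($s in $DebugLogSettings) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        # All three are REG_DWORD; 0x2080FFFF (545325055) still fits a signed [int]
        Set-ItemProperty -Path $s.Path -Name $s.Value -Value $s.On -Type DWord
        Write-Host ("{0,-9} {1} = 0x{2:X}" -f $s.Name, $s.Value, $s.On)
    }
    # Netlogon picks up DBFlag on start, which is why the post stops and starts it
    Restart-Service -Name Netlogon -Force
}

function Disable-DebugLogging {
    foreach ($s in $DebugLogSettings) {
        # Removing the value restores the default (no debug logging) for each log
        Remove-ItemProperty -Path $s.Path -Name $s.Value -ErrorAction SilentlyContinue
    }
    Restart-Service -Name Netlogon -Force
}

function Get-DebugLoggingState {
    # Quick check that nothing is left enabled once troubleshooting is done
    foreach ($s in $DebugLogSettings) {
        $v = (Get-ItemProperty -Path $s.Path -Name $s.Value -ErrorAction SilentlyContinue).($s.Value)
        $shown = if ($null -eq $v) { 'not set' } else { '0x{0:X}' -f $v }
        [pscustomobject]@{ Log = $s.Name; Value = $s.Value; Current = $shown }
    }
}

# Typical flow: Enable-DebugLogging, reproduce the problem, read the logs under
# %SystemRoot%\Debug, then Disable-DebugLogging and confirm with Get-DebugLoggingState
```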

5. Enable Analytic and Debug Logs:
 a. Open Event Viewer
 b. On the Action menu, click Properties
 c. In the Properties dialog box, select Enable logging and click OK

The same can be done from a command prompt with administrative privileges:
  wevtutil sl <logname> /e:true

6. Diagnostic logging for domain controllers is driven by the following registry path:
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

Logging can be configured by modifying these REG_DWORD entries:
1 Knowledge Consistency Checker (KCC)
2 Security Events
3 ExDS Interface Events
4 MAPI Interface Events
5 Replication Events
6 Garbage Collection
8 Directory Access
9 Internal Processing
10 Performance Counters
11 Initialization/Termination
12 Service Control
13 Name Resolution
16 LDAP Interface Events
18 Global Catalog
19 Inter-site Messaging
20 Group Caching
21 Linked-Value Replication
22 RPC Client
23 RPC Server
24 Schema
25 Transformation Engine
26 Claims-Based Access Control

Diagnostic Logging Settings: the values below configure the level of diagnostic logging provided by the host:
If you set 0 (Zero), no data is collected. This is the default setting on the server.
If you set 1 (One), the service collects events that include messages, alerts, information and warnings for the tasks it performs.
If you set 2 (Two), it collects basic event details for each task.
If you set 3 (Three), it collects more detailed information than the lower levels. This is very helpful and recommended when you have an issue and want to diagnose it in depth, asking how, why and what.
If you set 4 (Four), it collects verbose logging for tasks and activity.
If you set 5 (Five), it collects all events, including debug strings and configuration changes. A complete log of the service is recorded. Use this setting when you have traced the problem to a particular category or a small set of categories.
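The NTDS Diagnostics categories and the 0 to 5 levels above lend themselves to a small helper that sets one category by name, validates the level, and lists everything still raised above the default so it can be reset after troubleshooting. This is an added example, not code from the original post; it assumes an elevated session on a domain controller, the registry value names are the ones from the category list above, and the function names are my own.

```powershell
# Added example (not from the original post): manage NTDS diagnostic logging levels
# by category name and find categories left above 0. Run elevated on a DC.
$NtdsDiagPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# Friendly name -> registry value name (number prefix + name, as listed above)
$NtdsCategories = @{
    KCC               = '1 Knowledge Consistency Checker'
    Replication       = '5 Replication Events'
    GarbageCollection = '6 Garbage Collection'
    DirectoryAccess   = '8 Directory Access'
    LDAP              = '16 LDAP Interface Events'
    GlobalCatalog     = '18 Global Catalog'
    LVR               = '21 Linked-Value Replication'
}

function Set-NtdsDiagnosticLevel {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('KCC','Replication','GarbageCollection','DirectoryAccess','LDAP','GlobalCatalog','LVR')]
        [string]$Category,
        [Parameter(Mandatory)][ValidateRange(0, 5)]   # 0 = off (default) ... 5 = everything
        [int]$Level
    )
    $name = $NtdsCategories[$Category]
    Set-ItemProperty -Path $NtdsDiagPath -Name $name -Value $Level -Type DWord
    "$name -> $Level"
}

function Get-NtdsElevatedDiagnostics {
    # Enumerate every value under the key (not only the ones mapped above) and
    # return those above 0; these keep writing into the Directory Service log
    $key = Get-Item -Path $NtdsDiagPath
    foreach ($name in $key.GetValueNames()) {
        $level = $key.GetValue($name)
        if ($level -is [int] -and $level -gt 0) {
            [pscustomobject]@{ Category = $name; Level = $level }
        }
    }
}

function Reset-NtdsDiagnostics {
    # Put every elevated category back to the default of 0 in one go
    Get-NtdsElevatedDiagnostics | ForEach-Object {
        Set-ItemProperty -Path $NtdsDiagPath -Name $_.Category -Value 0 -Type DWord
    }
}

# Typical use while diagnosing a replication problem:
# Set-NtdsDiagnosticLevel -Category Replication -Level 3
# Get-NtdsElevatedDiagnostics      # confirm what is raised
# Reset-NtdsDiagnostics            # clean up when finished
```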

DCPromoUI.log: The DcpromoUI.log file contains a detailed progress report of the Active Directory installation and removal processes. Its default location is the %SystemRoot%\Debug folder.
It is started by the dcpromo command. The file contains the following important details:
    1. The name of the source domain controller for replication
    2. The directory partitions that were replicated to the target server
    3. The number of items that were replicated in each directory partition
    4. The services configured on the target domain controller
    5. The access control entries (ACEs) set on the registry and files
    6. The SYSVOL directories
    7. Applicable error messages
    8. Applicable selections that were entered by the administrator during the installation or removal process

Netsetup.log: When a computer is joined to a domain, Networking Setup (NetSetup) installs all the necessary Microsoft-supported networking components, and this log records that process.
Userenv.log: This log file can be helpful in troubleshooting problems with user profiles and Group Policy processing. The log file resides in the %SystemRoot%\Debug folder.

Enabling LDAP logging: This is a great feature included in Windows Server 2012.

Registry setting path:
Domain controller: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
LDS: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<LDS instance name>\Diagnostics

Learn, earn and share the knowledge. Never let your zeal to learn sleep.
Please comment; your feedback will be really helpful for us. I will be very happy to hear from you.

Many, many thanks to you guys for your support.

Saturday, 1 April 2017

Active Directory Replication and Lingering Objects

Hello Professionals,
Today we will discuss the Active Directory objects that are responsible for replication failures in your environment most of the time.
When replication has been failing in a domain for a long time, objects called lingering objects are created automatically. Put very simply, these are Active Directory attribute updates that failed to replicate from the root domain controller to the child or other available domain controllers. As an example, a user is added to a security or distribution group on one domain controller, but the update does not show up on the other available domain controllers.
For replication you can wait 15 to 20 minutes, but if the change is still not updated then there is a case of failure.
There are different built-in Windows tools and commands that give you a better view of the replication status:
   1. The command repadmin /showrepl * /csv >showrepl.csv
   2. AD health analyser
   3. AD built-in tools
There are a couple of ways to detect and remove the culprit lingering objects. You can run this command to see which objects have not replicated:
repadmin /removelingeringobjects <ServerName> <ServerGUID> <DirectoryPartition> /advisory_mode

repadmin /showrepl <DomainControllerName>   (to check the GUID of the domain controller)
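The repadmin /showrepl * /csv output listed above can be filtered so that only links whose last successful sync is older than a threshold (the 15 to 20 minute rule of thumb, or much longer for partners that may be holding lingering objects) are shown. This is an added example, not code from the original post; it assumes repadmin is available on the machine, that the CSV column names are the ones repadmin emits in /csv mode (an assumption on my part), and the function name is my own.

```powershell
# Added example (not from the original post): flag stale or failing replication
# links from repadmin /showrepl * /csv. Needs repadmin (a DC or RSAT tools).
function Get-StaleReplicationLinks {
    param(
        [int]$MaxAgeMinutes = 20,   # the post's 15-20 minute expectation
        [string]$CsvPath = $null    # optional: reuse a saved showrepl.csv instead of running repadmin
    )
    # Assumed column names: 'Destination DSA', 'Source DSA', 'Naming Context',
    # 'Number of Failures', 'Last Success Time', 'Last Failure Status'
    $rows = if ($CsvPath) { Import-Csv -Path $CsvPath }
            else { repadmin /showrepl * /csv | ConvertFrom-Csv }
    $now = Get-Date
    foreach ($r in $rows) {
        $lastOk = $null
        if ($r.'Last Success Time' -and [datetime]::TryParse($r.'Last Success Time', [ref]$lastOk)) {
            $age = ($now - $lastOk).TotalMinutes
        } else {
            # Never succeeded (or unparsable timestamp): treat as stale, not as healthy
            $age = [double]::PositiveInfinity
        }
        $failures = [int]$r.'Number of Failures'
        if ($age -gt $MaxAgeMinutes -or $failures -gt 0) {
            [pscustomobject]@{
                Destination = $r.'Destination DSA'
                Source      = $r.'Source DSA'
                Partition   = $r.'Naming Context'
                LastSuccess = $r.'Last Success Time'
                AgeMinutes  = if ($age -eq [double]::PositiveInfinity) { 'never' } else { [math]::Round($age) }
                Failures    = $failures
                LastError   = $r.'Last Failure Status'
            }
        }
    }
}

# Links that have not synced for longer than a day deserve a closer look for lingering objects:
# Get-StaleReplicationLinks -MaxAgeMinutes 1440 | Sort-Object Source | Format-Table -AutoSize
```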
There is a registry value called Strict Replication Consistency (which we'll refer to as Strict Mode) that protects a DC from lingering objects:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Value Name = Strict Replication Consistency
Data Type = REG_DWORD
Value Data = 1 (Strict) or 0 (Loose)


If this value is set to 1, it prevents a partner from replicating lingering objects to the DC it is defined on. Thus, if every domain controller has Strict Mode enabled, they are all protected from lingering objects being propagated to them. If the value is set to 0, however, the DC is said to be in Loose Mode and will allow lingering objects to be replicated and updated in the environment.
To check and troubleshoot any issue on Windows servers, an admin should go through the event logs first. For replication and lingering objects there are a couple of events, which I am sharing here.
Event ID 1864: This event indicates whether lingering objects are already present or starting to appear. Note that it contains a count of how many DCs have not replicated in a day, a week, a month, two months, or the tombstone lifetime. The last entry is the important one. Unfortunately, the event does not tell us the name of the domain controller that hasn't replicated within the tombstone lifetime.

 Event 2042 (Error) Source: NTDS Replication: This identifies that strict replication is enabled, that the source DC has not replicated within the tombstone lifetime (in days) and is attempting to replicate, and that replication from that source has therefore been disabled. The event provides the GUID of the source in the format of the CNAME (alias) DNS record.

 Event ID 1388 (Error) Source: NTDS Replication: Description: Another domain controller (DC) has attempted to replicate into this DC an object which is not present in the local Active Directory database. The object may have been deleted and already garbage collected (a tombstone lifetime or more has passed since the object was deleted) on this DC.

 Event 1988 (Error) Source: NTDS Replication: Description: Active Directory Replication encountered the existence of objects in the following partition that have been deleted from the local domain controller's (DC's) Active Directory database. This event is being logged because the source DC contains a lingering object which does not exist in the local DC's Active Directory database.
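Checking the Strict Replication Consistency value and the four events above together gives a quick picture of whether a DC is protected and whether lingering-object symptoms have already appeared. This is an added example, not code from the original post; it runs locally on a domain controller, reads the Directory Service log with Get-WinEvent, and the function name and the 30-day look-back default are my own choices.

```powershell
# Added example (not from the original post): report Strict/Loose mode and the
# lingering-object related NTDS Replication events on the local DC.
$LingeringEventIds = @{
    1864 = 'Count of DCs that have not replicated within each reporting period'
    2042 = 'Source DC exceeded tombstone lifetime; replication from it disabled (strict mode)'
    1388 = 'Partner tried to replicate an object this DC no longer has (loose mode)'
    1988 = 'Source DC holds a lingering object not present locally (strict mode)'
}

function Get-LingeringObjectIndicators {
    param([int]$Days = 30)   # look-back window for the event scan

    # Strict Replication Consistency: 1 = Strict (rejects lingering objects), 0 = Loose
    $ntds   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
    $strict = $ntds.'Strict Replication Consistency'
    $mode   = if ($strict -eq 1) { 'Strict' } elseif ($strict -eq 0) { 'Loose' } else { 'Not set' }

    # Events 1864/2042/1388/1988 are written to the Directory Service log
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = [int[]]$LingeringEventIds.Keys
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue   # no matching events is a normal (good) outcome

    $summary = foreach ($id in ($LingeringEventIds.Keys | Sort-Object)) {
        $hits = @($events | Where-Object Id -eq $id)   # newest first, as Get-WinEvent returns them
        [pscustomobject]@{
            EventId = $id
            Meaning = $LingeringEventIds[$id]
            Count   = $hits.Count
            Latest  = if ($hits.Count -gt 0) { $hits[0].TimeCreated } else { $null }
        }
    }

    [pscustomobject]@{
        DC         = $env:COMPUTERNAME
        StrictMode = $mode
        Events     = $summary
        # The most recent 1864 message carries the per-period counts the post describes
        Last1864   = ($events | Where-Object Id -eq 1864 | Select-Object -First 1).Message
    }
}

# $r = Get-LingeringObjectIndicators; $r.StrictMode; $r.Events | Format-Table -AutoSize
```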

A very brief description of these event log details, with their meaning and solution, is available from the Ask Active Directory Team.

There is a fantastic tool from Microsoft to run a health check and find lingering objects. You have to log in with your Microsoft ID to use it.
If you are good with PowerShell commands and scripts you can find and fix the issue very easily; let me know if you need any kind of help there.

I experienced this situation and, very frankly, it was very irritating to find these objects. As a precaution your AD environment should be healthy. There are lots of scripts and tools that you can schedule to check the replication status and send an email. The worst and most horrible activity was when the Group Policy folder was missing on branch domain controllers and the policy folders did not match the root domain controller.

Personally, and based on the issues I faced, the AD Replication tool of 2012 R2 and the command repadmin /showrepl * /csv >showrepl.csv are awesome; they give you deeper data with more details. Never get irritated when you are doing AD troubleshooting, because for that you need to think and act very smartly.
There are lots of real-time issues with replication; please feel free to ask or comment on the blog. We will be happy to hear from you.


Learn, earn and share the knowledge. Comments and feedback on this section will help me more. Really happy to hear from your side.