none
Enable netlogon debug or not RRS feed

  • Question

  • Hi all.

    If I want to catch client details that have IP addresses that are not mapped to any AD sites do I need to enable Netlogon Level i.e. NLtest /DNFlag:0x0  or is this information captured by default with logging turned off?

    Thanks

    Monday, November 21, 2016 11:20 AM

Answers

  • > If I want to catch client details that have IP addresses that are not
    > mapped to any AD sites do I need to enable Netlogon Level i.e. NLtest
     
    To finally answer your question: No. This is a message that is captured
    without logging enabled.
     
    • Marked as answer by Palmer_001 Monday, November 21, 2016 4:04 PM
    Monday, November 21, 2016 2:43 PM
  • > 1. My view is that logging is enabled only when trouble shooting a
    > problem but otherwise have it disabled. Would you say that would be the
    > MSFT recommendation as I can't find it written anywhere?
     
    This questions is answered in the KB Burak linked above :)
     
    Cite: "We do not recommend that you enable Netlogon logging in policies
    that apply to all systems (such as the Default Domain Policy). Instead,
    consider narrowing the scope to systems that may be causing problems."
     
    > 2. I have trawled the net and have a few books an AD but I can't find
    > anywhere which tells me what type of information is captured as default
    > without enabling the logging. Would you have any decent links you can
    > point in the direction off perhaps?
     
    Didn't find anything, too. Maybe
    but that's a 28k pages PDF file :()
     
     
    But upon reading
    it seems that by default only NO_CLIENT_SITE is logged.
     
    • Marked as answer by Palmer_001 Monday, November 21, 2016 4:04 PM
    Monday, November 21, 2016 3:51 PM

All replies

  • Hi

     You should check this article for "Enabling debug logging for the Netlogon service"

    https://support.microsoft.com/en-us/kb/109626

    But you should be careful with process,also take a full backup before process.                   


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    • Proposed as answer by Todd Heron Monday, November 21, 2016 11:39 AM
    Monday, November 21, 2016 11:33 AM
  • I have read that. I am not asking a question on how to make the change I even included the syntax above to show I know that part so as not to deviate from the question. Thanks for your time.

    @ Anyone. My question is: Will I only be able to capture missing subnet to client IP addresses if I enable netlogon debug or is that information captured as default?

    Thanks

    Monday, November 21, 2016 11:46 AM
  • By default logging is disabled,if you perform action on a DC then you can capture all client activities,so if you need to capture a single client just you should perform on client computer.

    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Monday, November 21, 2016 11:51 AM
  • > If I want to catch client details that have IP addresses that are not
    > mapped to any AD sites do I need to enable Netlogon Level i.e. NLtest
     
    To finally answer your question: No. This is a message that is captured
    without logging enabled.
     
    • Marked as answer by Palmer_001 Monday, November 21, 2016 4:04 PM
    Monday, November 21, 2016 2:43 PM
  • Thank you Martin!!!

    I thought that was the case but was thrown a curve ball above (no offence meant). I have worked with the no IP subnet issue many times (looking at the alerts and adding subnets) but can't ever having enabled Netlogon logging first but wanted to check my facts.  I was in the process or simulating this in my lab but you have saved me the time, many thanks.


    • Edited by Palmer_001 Monday, November 21, 2016 2:55 PM
    Monday, November 21, 2016 2:55 PM
  • Hi Martin. Not going off topic but you mind if I ask a couple of questions stemming from this...

    1. My view is that logging is enabled only when trouble shooting a problem but otherwise have it disabled. Would you say that would be the MSFT recommendation as I can't find it written anywhere?

    2. I have trawled the net and have a few books an AD but I can't find anywhere which tells me what type of information is captured as default without enabling the logging. Would you have any decent links you can point in the direction off perhaps?

    Many thanks.

    Monday, November 21, 2016 3:10 PM
  • > 1. My view is that logging is enabled only when trouble shooting a
    > problem but otherwise have it disabled. Would you say that would be the
    > MSFT recommendation as I can't find it written anywhere?
     
    This questions is answered in the KB Burak linked above :)
     
    Cite: "We do not recommend that you enable Netlogon logging in policies
    that apply to all systems (such as the Default Domain Policy). Instead,
    consider narrowing the scope to systems that may be causing problems."
     
    > 2. I have trawled the net and have a few books an AD but I can't find
    > anywhere which tells me what type of information is captured as default
    > without enabling the logging. Would you have any decent links you can
    > point in the direction off perhaps?
     
    Didn't find anything, too. Maybe
    but that's a 28k pages PDF file :()
     
     
    But upon reading
    it seems that by default only NO_CLIENT_SITE is logged.
     
    • Marked as answer by Palmer_001 Monday, November 21, 2016 4:04 PM
    Monday, November 21, 2016 3:51 PM
  • Re question 1. I must have admit I missed that comment. I Probably saw it linked to Group Policy and skimmed it as I was not looking to enable group-wide. All credit to "Burak".

    I came across links 1 and 2 that you mentioned but not link 3. Link 3 is the money link for me - spot on! Gives me something from a MSFT site that confirms 'turn off' (generally speaking).

    Thanks again Martin.

    Monday, November 21, 2016 4:04 PM
  • Hi,
    As far as I know, it might be that there is no such “confirm” from Microsoft. Considering the overhead of disk and memory utilization and file size, we usually do not recommend to keep enabling netlogon debug at all times unless you have frequent issues relying on Netlogon logs to troubleshoot.
    You could refer to the following blog from Brandon Wilson for more details:
    Quick Reference: Troubleshooting Netlogon Error Codes
    https://blogs.technet.microsoft.com/askpfeplat/2013/01/28/quick-reference-troubleshooting-netlogon-error-codes/
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, November 22, 2016 2:58 AM
    Moderator