Article ID: 314980 - Last Review: October 31, 2006 - Revision: 4.5

How to configure Active Directory diagnostic event logging in Windows Server 2003 and in Windows 2000 Server

View products that this article applies to.

This article was previously published under Q314980

SUMMARY

This step-by-step article describes how to configure Active Directory diagnostic event logging in Microsoft Windows 2000 and Microsoft Windows Server 2003.

Active Directory records events to the Directory Services log of Event Viewer. You can use the information that is collected in the log to help you diagnose and resolve possible problems or monitor the activity of Active Directory-related events on your server.

By default, Active Directory records only critical events and error events in the Directory Service log. To configure Active Directory to record other events, you must increase the logging level by editing the registry.

Back to the top

Active Directory Diagnostic Event Logging

The registry entries that manage diagnostic logging for Active Directory are stored in the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

Each of the following REG_DWORD values under the Diagnostics subkey represent a type of event that can be written to the event log:

1 Knowledge Consistency Checker (KCC)
2 Security Events
3 ExDS Interface Events
4 MAPI Interface Events
5 Replication Events
6 Garbage Collection
7 Internal Configuration
8 Directory Access
9 Internal Processing
10 Performance Counters
11 Initialization/Termination
12 Service Control
13 Name Resolution
14 Backup
15 Field Engineering
16 LDAP Interface Events
17 Setup
18 Global Catalog
19 Inter-site Messaging
New to Windows Server 2003:
20 Group Caching
21 Linked-Value Replication
22 DS RPC Client
23 DS RPC Server
24 DS Schema

Logging Levels

Each entry can be assigned a value from 0 through 5, and this value determines the level of detail of the events that are logged. The logging levels are described as:

0 (None): Only critical events and error events are logged at this level. This is the default setting for all entries, and it should be modified only if a problem occurs that you want to investigate.
1 (Minimal): Very high-level events are recorded in the event log at this setting. Events may include one message for each major task that is performed by the service. Use this setting to start an investigation when you do not know the location of the problem.
2 (Basic)
3 (Extensive): This level records more detailed information than the lower levels, such as steps that are performed to complete a task. Use this setting when you have narrowed the problem to a service or a group of categories.
4 (Verbose)
5 (Internal:): This level logs all events, including debug strings and configuration changes. A complete log of the service is recorded. Use this setting when you have traced the problem to a particular category of a small set of categories.

How to Configure Active Directory Diagnostic Event Logging

To configure Active Directory diagnostic event logging, follow these steps.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows

Click Start, and then click Run.
In the Open box, type regedit, and then click OK.
Locate and click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Each entry that is displayed in the right pane of the Registry Editor window represents a type of event that Active Directory can log. All entries are set to the default value of 0 (None).
Configure event logging for the appropriate component:
1. In the right pane of Registry Editor, double-click the entry that represents the type of event for which you want to log. For example, Security Events.
2. Type the logging level that you want (for example, 2) in the Value data box, and then click OK.
Repeat step 4 for each component that you want to log.
On the Registry menu, click Exit to quit Registry Editor.

Notes

Logging levels should be set to the default value of 0 (None) unless you are investigating an issue.
When you increase the logging level, the detail of each message and the number of messages that are written to the event log also increase. A diagnostic level of 3 or greater is not recommended, because logging at these levels requires more system resources and can degrade the performance of your server. Make sure that you reset the entries to 0 after you finish investigating the problem.

Back to the top

REFERENCES

For more information about how to view and manage logs in Event Viewer, click the following article number to view the article in the Microsoft Knowledge Base:

302542 (http://support.microsoft.com/kb/302542/ ) How to diagnose system problems with Event Viewer in Microsoft Windows 2000

235427 (http://support.microsoft.com/kb/235427/ ) How to view saved Directory Service, DNS server, and file replication service event logs from another Windows 2000-based computer

You can find information about enabling Windows 2000 application deployment debug logging in the following article. This may be useful with any problems that are related to advertisement, publishing, or assignment of Windows Installer programs by using Windows 2000 Group Policy.

249621 (http://support.microsoft.com/kb/249621/ ) How to troubleshoot software installations with Windows 2000 application management debug logging

Back to the top