Netlogon Debug helper


Sometimes it can be helpful to get information about actions performed by the Netlogon service on a machine. To gather such information you need to enable Netlogon debug logging. To make things easier, you will find download links at the end of the article for a little helper program that:

  • helps build the debug flag bit mask corresponding to your needs
  • explains the bits in the debug flag bit mask
  • sets the desired value in the registry
  • restarts the Netlogon service

Some basics - to configure Netlogon debug logging we need to set a DWORD value in the registry.
Path to parent registry key:

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Registry value:

DBFlag = desired debug flag bit mask

The corresponding log entries can be found in:

%windir%\debug\netlogon.log

To control the log file size (default = 20 MB) we may use the following DWORD value in the same registry key:

MaximumLogFileSize = maximum log file size in bytes

There are many articles out there talking about this topic, but unfortunately they all lack detailed information about the valid debug flags that can be configured.
Most of the articles suggest setting the value 0x2080ffff, which results in very verbose debug reporting (white noise).
Apart from the complexity of analyzing the huge amount of gathered data, your log file may be overwritten very quickly, so you may miss the log entries of interest.

Therefore, I suggest setting only those debug flag bits that make Netlogon log the data you are interested in.

List of the debug flag bits:

    [Flags]
    public enum DEBUG_FLAGS : uint
    {
        NL_INIT =           0x00000001, // Netlogon initialization
        NL_MISC =           0x00000002, // Misc debug (like DCLocator)
        NL_LOGON =          0x00000004, // Logon processing
        NL_SYNC =           0x00000008, // Synchronization and replication
        NL_MAILSLOT =       0x00000010, // Mailslot messages
        NL_SITE =           0x00000020, // Sites
        NL_MSA =            0x00000040, // Managed Service Account Scavenger processing
        NL_1 =              0x00000080, // Unknown
        NL_CRITICAL =       0x00000100, // Only real important errors
        NL_SESSION_SETUP =  0x00000200, // Trusted Domain maintenance
        NL_DOMAIN =         0x00000400, // Hosted Domain maintenance
        NL_2 =              0x00000800, // Unknown
        NL_SERVER_SESS =    0x00001000, // Server session maintenance
        NL_CHANGELOG =      0x00002000, // Change Log references
        NL_DNS =            0x00004000, // DNS name registration
        // Verbose bits
        NL_VERBOSE =        0x00008000, // Enable verbose logging
        NL_WORKER =         0x00010000, // Debug worker thread
        NL_DNS_MORE =       0x00020000, // Verbose DNS name registration
        NL_PULSE_MORE =     0x00040000, // Verbose pulse processing
        NL_SESSION_MORE =   0x00080000, // Verbose session management
        NL_REPL_TIME =      0x00100000, // replication timing output
        NL_REPL_OBJ_TIME =  0x00200000, // replication objects get/set timing output
        NL_ENCRYPT =        0x00400000, // debug encrypt and decrypt across net
        NL_SYNC_MORE =      0x00800000, // additional replication dbgprint
        NL_PACK_VERBOSE =   0x01000000, // Verbose Pack/Unpack
        NL_MAILSLOT_TEXT =  0x02000000, // Verbose Mailslot messages
        NL_CHALLENGE_RES =  0x04000000, // challenge response debug
        NL_SITE_MORE =      0x08000000, // Verbose sites
        // Control bits.
        NL_INHIBIT_CANCEL = 0x10000000, // Don't cancel API calls
        NL_TIMESTAMP =      0x20000000, // TimeStamp each output line
        NL_ONECHANGE_REPL = 0x40000000, // Only replicate one change per call
        NL_BREAKPOINT =     0x80000000 // Enter debugger on startup
    }

Example - if you are interested in logon processing, set the debug flag value to NL_TIMESTAMP | NL_LOGON (0x20000004).
Keep in mind that log entries in netlogon.log carry a time stamp only if the NL_TIMESTAMP bit (0x20000000) is set.

FYI - the white noise DBFlag value 0x2080ffff translates to:

  • NL_INIT
  • NL_MISC
  • NL_LOGON
  • NL_SYNC
  • NL_MAILSLOT
  • NL_SITE
  • NL_MSA
  • NL_1
  • NL_CRITICAL
  • NL_SESSION_SETUP
  • NL_DOMAIN
  • NL_2
  • NL_SERVER_SESS
  • NL_CHANGELOG
  • NL_DNS
  • NL_VERBOSE
  • NL_SYNC_MORE
  • NL_TIMESTAMP
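
The steps above (build the mask, decode an existing value, write DBFlag, restart Netlogon) can also be scripted. The following PowerShell is an added example, not the helper tool offered in this article; the function names are made up for illustration, while the flag names, registry path and value names are the ones listed above.

```powershell
# Added example. Flag names in bit order (bit 0 .. bit 31), as in the DEBUG_FLAGS enum above.
$NlFlagNames = @(
    'NL_INIT', 'NL_MISC', 'NL_LOGON', 'NL_SYNC', 'NL_MAILSLOT', 'NL_SITE', 'NL_MSA', 'NL_1',
    'NL_CRITICAL', 'NL_SESSION_SETUP', 'NL_DOMAIN', 'NL_2', 'NL_SERVER_SESS', 'NL_CHANGELOG',
    'NL_DNS', 'NL_VERBOSE', 'NL_WORKER', 'NL_DNS_MORE', 'NL_PULSE_MORE', 'NL_SESSION_MORE',
    'NL_REPL_TIME', 'NL_REPL_OBJ_TIME', 'NL_ENCRYPT', 'NL_SYNC_MORE', 'NL_PACK_VERBOSE',
    'NL_MAILSLOT_TEXT', 'NL_CHALLENGE_RES', 'NL_SITE_MORE', 'NL_INHIBIT_CANCEL',
    'NL_TIMESTAMP', 'NL_ONECHANGE_REPL', 'NL_BREAKPOINT')

function ConvertTo-NlDbFlag {            # hypothetical name: flag names -> bit mask
    param([Parameter(Mandatory)][string[]]$Name)
    [long]$mask = 0
    foreach ($n in $Name) {
        $bit = [array]::IndexOf($NlFlagNames, $n.ToUpperInvariant())
        if ($bit -lt 0) { throw "Unknown Netlogon debug flag: $n" }
        $mask = $mask -bor ([long]1 -shl $bit)
    }
    [uint32]$mask
}

function ConvertFrom-NlDbFlag {          # hypothetical name: bit mask -> flag names
    param([Parameter(Mandatory)][uint32]$Mask)
    0..31 | Where-Object { ([long]$Mask -band ([long]1 -shl $_)) -ne 0 } |
        ForEach-Object { $NlFlagNames[$_] }
}

function Set-NlDbFlag {                  # hypothetical name: write the value, restart Netlogon
    param([Parameter(Mandatory)][uint32]$Mask, [int]$MaxLogBytes = 0)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    # .NET converts DWORD data to Int32, so reinterpret the bits to keep bit 31 usable.
    $dword = [BitConverter]::ToInt32([BitConverter]::GetBytes($Mask), 0)
    Set-ItemProperty -Path $key -Name DBFlag -Value $dword -Type DWord
    if ($MaxLogBytes -gt 0) {
        Set-ItemProperty -Path $key -Name MaximumLogFileSize -Value $MaxLogBytes -Type DWord
    }
    Restart-Service -Name Netlogon
}

# The logon-processing example from the article: NL_TIMESTAMP | NL_LOGON
$mask = ConvertTo-NlDbFlag NL_TIMESTAMP, NL_LOGON
'0x{0:X8}' -f $mask
# Flags hidden in the commonly suggested verbose value
ConvertFrom-NlDbFlag 0x2080ffff
# Run from an elevated prompt to apply:
# Set-NlDbFlag -Mask $mask
```

Calling `Set-NlDbFlag -Mask 0` switches debug logging off again once the data of interest has been captured.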

Netlogon Debug Helper Tool downloads:

All the best and have fun debugging.

Michael

PFE | Have keyboard. Will travel