Active Directory 2008: DNS Debug Logging Facts
Prior to the introduction of DNS analytic logs, DNS debug logging was an available method to monitor DNS transactions. DNS debug logging is not the same as the enhanced DNS logging and diagnostics feature discussed in this topic. Debug logging is discussed here because it is also a tool that is available for DNS logging and diagnostics. See Using server debugging logging options for more information about DNS debug logging. The DNS debug log provides extremely detailed data about all DNS information that is sent and received by the DNS server, similar to the data that can be gathered using packet capture tools such as network monitor. Debug logging can affect overall server performance and also consumes disk space, therefore it is recommended to enable debug logging only temporarily when detailed DNS transaction information is needed.
Active Directory 2008: DNS Debug Logging Facts
The DNS debug log provides extremely detailed data about all DNS information that is sent and received by the DNS server, similar to the data that can be gathered using packet capture tools such as network monitor. Debug logging can affect overall server performance and also consumes disk space, therefore it is recommended to enable debug logging only temporarily when detailed DNS transaction information is needed.
Select and enable debug logging options on the DNS serverGathering detailed DNS debug logs from AD DNSEnabling DNS Server Debug LoggingEnable DNS Request Logging for Windows 2003 and above
Windows DNS debug logging is the only means of monitoring DNS events on Windows Server versions before 2012 R2.However, DNS Servers capable of ETW might be configured for file-based logging in cases where all events must be captured without exception.
The DNS events logged by Sysmon are not the same as other DNS monitoring events like DNS Server Audit and Analytical logging or DNS Server debug logging.For example, Sysmon DNS query logging only logs client DNS queries.Yet, the information it supplies compliments the DNS Server Analytical logs by adding the name and path of the application querying the DNS Server.It can monitor DNS queries initiated by any network-enabled Windows client software, for instance, web browsers, FileZilla, WinSCP, ping, tracert, etc.However, Sysmon does not log direct DNS lookups done with nslookup.
DNS debug logging can affect system performance and diskspace because it provides detailed data about information that theDNS server sends and receives. Enable DNS debug logging only whenyou require this information.
The recommended setup is to create an internal zone for uat.abc.com and leave the external zone for abc.com as is. This is how I have my sites and Active Directory environment configured. My internal AD is ad.activedirectorypro.com and my website is hosted externally with a separate external DNS zone.
If you enable debug logging for the Net Logon service by using the method that is described in Microsoft Knowledge Base (KB) article 109626, you receive a sequence that resembles the following. The sequence indicates how the site name is invalidated.10/20 13:20:01 [SITE] Setting site name to 'MyCachedSiteName'10/20 13:20:01 [SITE] Hint avoided. 3110/20 13:20:01 [SESSION] \Device\NetBT_Tcpip_6964FC65-C026-4EC4-A8B9-29C2019401AC: Transport Added (169.254.237.187)10/20 13:20:01 [CRITICAL] IPV6SocketAddressList is too small 0.10/20 13:20:01 [SESSION] Winsock Addrs: 169.254.237.187 (1) Address changed.10/20 13:20:01 [SESSION] V6 Winsock Addrs: (0) 10/20 13:20:01 [CRITICAL] Address list changed since last boot. (Forget DynamicSiteName.)10/20 13:20:01 [SITE] Setting site name to '(null)' For more information about KB article 109626, click the following article number to view the article in the Microsoft Knowledge Base:
109626 Enabling debug logging for the Net Logon serviceFor more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
One place you can look for information on the performance of your DNS server is the event logs, and if you have DNS debug logging enabled, you can use it as well. To enable DNS debug logging, right-click on the name of the server, click Properties, and click the Debug Logging tab. On that tab click the Log Packets for Debugging box, as shown in Figure 16.24. Once you are in the debug console window, you can specify logging for packet direction, transport protocol, packet contents, packet type, and other options. The actual log file is stored in the C:\Windows\System32\DNS folder, but you can change the location to suit your needs.
Use the following four commands to enable debug logging. For the log level, you have to add together the event codes you want logged and specify the result in hex. The available event codes can be found in Table 14-3.
If the Duo settings are managed by Windows Group Policy, those settings override any changes made via regedit. Update the "Enable Debug Logging" setting in the GPO instead to enable debug logging globally, or if you just need to temporarily enable it to capture an issue update the HKLM\Software\Policies\Duo Security\DuoCredProv\debug registry value as well (this may be reverted at the client's next GPO refresh).
If you enable debug logging for the Net Logon service by using the method that is described in Microsoft Knowledge Base (KB) article 109626, you receive a sequence that resembles the following. The sequence indicates how the site name is invalidated.
[2020/01/23:20:26:10.268]LDAP API ldap_search_s() finished, return code is 0x20 [2020/01/23:20:26:10.268]Adprep verified the state of operation cn=00232167-f3a4-43c6-b503-9acb7a81b01c,cn=Operations,cn=ForestUpdates,CN=Configuration,DC=RICKS,DC=LOCAL. [Status/Consequence]The operation has not run or is not currently running. It will be run next.[2020/01/23:20:26:10.282]Adprep was unable to complete because the call back function failed. [Status/Consequence]Error message: Unable to access the computer "RICKSNT1.RICKS.LOCAL". The network path was not found. (0x80070035).[User Action]Check the log file ADPrep.log, in the C:\Windows\debug\adprep\logs\20200123202610 directory for more information.DSID Info:DSID: 0x18111331winerror = 0x1fNT BUILD: 14393NT BUILD: 2969[2020/01/23:20:26:10.282]Adprep was unable to update forest information. [Status/Consequence]Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.[User Action]Check the log file, ADPrep.log, in the C:\Windows\debug\adprep\logs\20200123202610 directory for more information.
If the user account logging into the splash page does not exist in the directory, the username is being entered incorrectly, or the Admin account does not have access to OU containing the user, an LDAP search will complete successfully with no error based Events. Events 1138 and 1139 will be logged when a successful LDAP search has occurred, however a "bad user password" (previously shown) will appear in the test widget and the Sign-on Splash page will alert Access denied. In this case, verify the user account name is valid and that the admin account has read access to the OU containing the user.
The response "can't find devapps.mycompany.local: Non-existent domain" suggests that you are correctly talking to the DNS server so it doesn't appear to be a network or firewall issue. Enable debug logging on the DNS server to get a better idea of what's going on.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics path and change the entry value of 16 LDAP Interface to 2.NOTE: This being a registry change it must be performed it in the lower environment first with cautious.Refer to the following link: -us/help/314980/how-to-configure-active-directory-and-lds-diagnostic...Run account aggregation and search for event ids 2898 and 2899 in Directory Service events logs on Active Directory Server. For more information, see -us/windows-server/identity/ad-ds/manage/how-ldap-server-cookies-are-ha...If any event id (2898 or 2899) is viewed in event logs, then perform the following steps:
When you finish, type q, and then press ENTER.NOTE: Since the default Active Directory parameter would be changed hence it must be performed in the lower environment first with cautious. For more information, see -in/help/315071/how-to-view-and-set-ldap-policy-in-active-directory-...
The server provides logging mechanisms to record access, error, or debugging information forthe server instance. Multiple loggers of a given type can be active atany time, which makes it possible to create logs for specific subtrees ordifferent repositories. The server does not currently provide logging filters to restrict thetype of information in the logs. 350c69d7ab