How to configure Active Directory diagnostic event logging in Windows Server 2003 and in Windows 2000 Server (314980)



The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server

This article was previously published under Q314980
Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

SUMMARY

This step-by-step article describes how to configure Active Directory diagnostic event logging in Microsoft Windows 2000 and Microsoft Windows Server 2003.

Active Directory records events to the Directory Services log of Event Viewer. You can use the information that is collected in the log to help you diagnose and resolve possible problems or monitor the activity of Active Directory-related events on your server.

By default, Active Directory records only critical events and error events in the Directory Service log. To configure Active Directory to record other events, you must increase the logging level by editing the registry.

Active Directory Diagnostic Event Logging

The registry entries that manage diagnostic logging for Active Directory are stored in the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

Each of the following REG_DWORD values under the Diagnostics subkey represent a type of event that can be written to the event log:

1 Knowledge Consistency Checker (KCC)
2 Security Events
3 ExDS Interface Events
4 MAPI Interface Events
5 Replication Events
6 Garbage Collection
7 Internal Configuration
8 Directory Access
9 Internal Processing
10 Performance Counters
11 Initialization/Termination
12 Service Control
13 Name Resolution
14 Backup
15 Field Engineering
16 LDAP Interface Events
17 Setup
18 Global Catalog
19 Inter-site Messaging
New to Windows Server 2003:
20 Group Caching
21 Linked-Value Replication
22 DS RPC Client
23 DS RPC Server
24 DS Schema

Logging Levels

Each entry can be assigned a value from 0 through 5, and this value determines the level of detail of the events that are logged. The logging levels are described as:
  • 0 (None): Only critical events and error events are logged at this level. This is the default setting for all entries, and it should be modified only if a problem occurs that you want to investigate.
  • 1 (Minimal): Very high-level events are recorded in the event log at this setting. Events may include one message for each major task that is performed by the service. Use this setting to start an investigation when you do not know the location of the problem.
  • 2 (Basic)
  • 3 (Extensive): This level records more detailed information than the lower levels, such as steps that are performed to complete a task. Use this setting when you have narrowed the problem to a service or a group of categories.
  • 4 (Verbose)
  • 5 (Internal:): This level logs all events, including debug strings and configuration changes. A complete log of the service is recorded. Use this setting when you have traced the problem to a particular category of a small set of categories.

How to Configure Active Directory Diagnostic Event Logging

To configure Active Directory diagnostic event logging, follow these steps.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
  1. Click Start, and then click Run.
  2. In the Open box, type regedit, and then click OK.
  3. Locate and click the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

    Each entry that is displayed in the right pane of the Registry Editor window represents a type of event that Active Directory can log. All entries are set to the default value of 0 (None).
  4. Configure event logging for the appropriate component:
    1. In the right pane of Registry Editor, double-click the entry that represents the type of event for which you want to log. For example, Security Events.
    2. Type the logging level that you want (for example, 2) in the Value data box, and then click OK.
  5. Repeat step 4 for each component that you want to log.
  6. On the Registry menu, click Exit to quit Registry Editor.
Notes
  • Logging levels should be set to the default value of 0 (None) unless you are investigating an issue.
  • When you increase the logging level, the detail of each message and the number of messages that are written to the event log also increase. A diagnostic level of 3 or greater is not recommended, because logging at these levels requires more system resources and can degrade the performance of your server. Make sure that you reset the entries to 0 after you finish investigating the problem.

REFERENCES

For more information about how to view and manage logs in Event Viewer, click the following article number to view the article in the Microsoft Knowledge Base:

302542 How to diagnose system problems with Event Viewer in Microsoft Windows 2000

235427 How to view saved Directory Service, DNS server, and file replication service event logs from another Windows 2000-based computer

You can find information about enabling Windows 2000 application deployment debug logging in the following article. This may be useful with any problems that are related to advertisement, publishing, or assignment of Windows Installer programs by using Windows 2000 Group Policy.

249621 How to troubleshoot software installations with Windows 2000 application management debug logging


Modification Type:MinorLast Reviewed:10/4/2006
Keywords:kbHOWTOmaster KB314980 kbAudITPro