Active Directory Cookbook for Windows Server 2003 - P47


Recipe 15.4 Enabling GPO Client Logging

15.4.1 Problem

You want to troubleshoot GPO processing issues on a client or server by enabling additional logging in the Application event log.

15.4.2 Solution

15.4.2.1 Using a graphical user interface

1. Run regedit.exe from the command line or Start → Run.

2. In the left pane, expand HKEY_LOCAL_MACHINE → Software → Microsoft → Windows NT → CurrentVersion.

3. If the Diagnostics key doesn't exist, right-click on CurrentVersion and select New → Key. Enter Diagnostics for the name and hit Enter.

4. Right-click on Diagnostics and select New → DWORD Value. Enter RunDiagnosticLoggingGroupPolicy for the value name.

5. In the right pane, double-click on RunDiagnosticLoggingGroupPolicy and enter 1.

6. Click OK.

15.4.2.2 Using a command-line interface

> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics" /v[RETURN]
"RunDiagnosticLoggingGroupPolicy" /t REG_DWORD /d 1

15.4.2.3 Using VBScript

' This code enables GPO logging on a target computer.
' ----- SCRIPT CONFIGURATION -----
strComputer = "<ComputerName>" ' e.g., rallen-w2k3
' ----- END CONFIGURATION -----
const HKLM = &H80000002
strRegKey = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics"
' Connect to the WMI Standard Registry Provider on the target computer
set objReg = GetObject("winmgmts:\\" & strComputer _
                       & "\root\default:StdRegProv")
' The Diagnostics key may not exist yet (see the GUI steps); CreateKey is a no-op if it does
objReg.CreateKey HKLM, strRegKey
' Create (or overwrite) the DWORD value that turns on diagnostic GPO logging
objReg.SetDwordValue HKLM, strRegKey, "RunDiagnosticLoggingGroupPolicy", 1
WScript.Echo "Enabled GPO logging for " & strComputer

15.4.3 Discussion

If you experience problems with client GPO processing, such as a GPO not getting applied even though you think it should, there aren't many tools that can help you troubleshoot the problem. One way to get detailed information about what GPOs are applied on a client is by enabling additional GPO event logging. If you set the RunDiagnosticLoggingGroupPolicy Registry value to 1, extensive logging will be done in the Application event log. Events detailing the beginning of the GPO processing cycle, what GPOs are applied, and any errors encountered will all be logged. Here is an example of a log message that shows which GPOs are going to be applied on the host DC1. To disable this logging, either delete RunDiagnosticLoggingGroupPolicy or set the value to 0.

Here is a sample event log message:

Event Type: Error

Event Source: Userenv

Event Category: None

Event ID: 1031

Date: 5/26/2003

Time: 5:52:13 PM

User: NT AUTHORITY\SYSTEM

Computer: DC1

Description:

Group Policy objects to be applied: "Default Domain Policy" "Default Domain Controllers Policy"

15.4.4 See Also

MS KB 186454 (How to Enable User Environment Event Logging in Windows 2000)

Recipe 15.5 Enabling Kerberos Logging

15.5.1 Problem

You want to enable Kerberos logging on a domain controller to troubleshoot authentication problems.

15.5.2 Solution

15.5.2.1 Using a graphical user interface

1. Run regedit.exe from the command line or Start → Run.

2. In the left pane, expand HKEY_LOCAL_MACHINE → System → CurrentControlSet → Control → Lsa → Kerberos → Parameters.

3. If the LogLevel value doesn't already exist, right-click on Parameters and select New → DWORD Value. Enter LogLevel for the value name and click OK.

4. In the right pane, double-click on LogLevel and enter 1.

5. Click OK.

15.5.2.2 Using a command-line interface

> reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v "LogLevel"[RETURN]
/t REG_DWORD /d 1

15.5.2.3 Using VBScript

' This code enables Kerberos logging on a domain controller.
' ----- SCRIPT CONFIGURATION -----
strDC = "<DomainControllerName>" ' e.g., dc01.rallencorp.com
' ----- END CONFIGURATION -----
const HKLM = &H80000002
strRegKey = "SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
' Connect to the WMI Standard Registry Provider on the domain controller
set objReg = GetObject("winmgmts:\\" & strDC & "\root\default:StdRegProv")
' LogLevel = 1 makes Kerberos errors appear in the System event log
objReg.SetDwordValue HKLM, strRegKey, "LogLevel", 1
WScript.Echo "Enabled Kerberos logging for " & strDC

15.5.3 Discussion

If you are experiencing authentication problems or would like to determine whether you are experiencing any Kerberos-related issues, enabling Kerberos logging will cause Kerberos errors to be logged in the System event log. The Kerberos events can point out if the problem is related to clock skew, an expired ticket, an expired password, etc. For a good overview of some of the Kerberos error messages, see MS KB 230476.

Here is an example event:

Event Type: Error

Event Source: Kerberos

Event Category: None

Event ID: 3

Date: 5/26/2003

Time: 5:53:43 PM

User: N/A

Computer: DC01

Description:

A Kerberos Error Message was received:

on logon session

Client Time:

Server Time: 0:53:43.0000 5/27/2003 Z

Error Code: 0xd KDC_ERR_BADOPTION

Extended Error: 0xc00000bb KLIN(0)

Client Realm:

Client Name:

Server Realm: RALLENCORP.COM

Server Name: host/dc01.rallencorp.com

Target Name: host/dc01.rallencorp.com@RALLENCORP.COM

Error Text:

File: 9

Line: ab8

Error Data is in record data

15.5.4 See Also

MS KB 230476 (Description of Common Kerberos-Related Errors in Windows 2000) and MS KB 262177 (HOW TO: Enable Kerberos Event Logging)


Recipe 15.6 Enabling DNS Server Debug Logging

15.6.1 Problem

You want to enable DNS debug logging to troubleshoot issues related to DNS queries or updates.

15.6.2 Solution

15.6.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.

2. Right-click on DNS in the left pane and select Connect to DNS Server.

3. Enter the server you want to connect to and click Enter.

4. Right-click on the server and select Properties.

5. Click on the Debug Logging tab (or the Logging tab for Windows 2000).

6. Select what you want to log and the location of the log file (the log file location is hardcoded to %systemroot%\system32\dns\dns.log on Windows 2000).

7. Click OK.

15.6.2.2 Using a command-line interface

Use the following command to enable debug logging. You have to add together the event codes you want logged and specify the result in hex for the log level. The available event codes can be found in Table 15-3.

> dnscmd <DNSServerName> /Config /LogLevel <EventFlagSumInHex>

Use the following command to specify the location of the log file:

> dnscmd <DNSServerName> /Config /LogFilePath <DirectoryAndFilePath>

Use the following command to log only entries that pertain to certain IP addresses:

> dnscmd <DNSServerName> /Config /LogIPFilterList <IPAddress1>[,<IPAddress2> ...]

Use the following command to specify the maximum log file size:

> dnscmd <DNSServerName> /Config /LogFileMaxSize <NumberOfBytesInHex>

15.6.2.3 Using VBScript

' This code enables DNS debug logging.
' ----- SCRIPT CONFIGURATION -----
strServer = "<DNSServerName>" ' e.g., dc1.rallencorp.com
intLogLevel = <EventFlagSumInDecimal> ' sum of the Table 15-3 event codes, in decimal
arrFilterList = Array("<IPAddress1>", "<IPAddress2>") ' hosts to log; same list as /LogIPFilterList
strFilePath = "<DirectoryAndFilePath>"
intFileSize = <NumberOfBytesInDecimal> ' e.g., 50000000
' ----- END CONFIGURATION -----
' Connect to the WMI DNS Provider and fetch the server object
set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
' Set the debug logging properties, then commit them with Put_
objDNSServer.LogLevel = intLogLevel
objDNSServer.LogIPFilterList = arrFilterList
objDNSServer.LogFilePath = strFilePath
objDNSServer.LogFileMaxSize = intFileSize
objDNSServer.Put_
WScript.Echo "Enabled DNS Debug Logging on " & strServer

15.6.3 Discussion

With the DNS Server debug log, you can record all DNS operations received and initiated by the server, including queries, updates, zone transfers, etc. If you need to troubleshoot a particular host, you can use the LogIPFilterList setting in dnscmd or the WMI DNS Provider to restrict the log to operations performed only for or by that host.

The most important debug log setting is the log level. With the DNS Console, you can select from a list of available options. With Windows Server 2003, the DNS Console provides an intuitive interface for selecting the required options. On Windows 2000, you are presented with a list of check boxes and you have to figure out which ones need to be used in conjunction with one another. You have a similar issue with the CLI and VBScript solutions, where you need to determine what log level you want to set.
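Because the log level is a bitmask, the practical question is which bits to add together and how to read back a value found on a server. The following Python is an added example, not code from the cookbook. The flag values it uses are the ones Microsoft documents for the Windows Server 2003 DNS server's /LogLevel setting and are an assumption here to be checked against Table 15-3; the rule that a content flag, a direction flag, and a transport flag must all be present for any packet to be logged is likewise an assumption taken from the grouping of the check boxes on the Debug Logging tab.

```python
# Added example: compose and decode the dnscmd /Config /LogLevel bitmask.
# Flag values are assumed from Microsoft's Windows Server 2003 DNS debug
# logging documentation; verify them against Table 15-3 before relying on them.
DNS_LOG_FLAGS = {
    "Query":        0x00000001,  # content: query packets
    "Notify":       0x00000010,  # content: notify packets
    "Update":       0x00000020,  # content: dynamic update packets
    "Questions":    0x00000100,  # include the question section
    "Answers":      0x00000200,  # include the answer section
    "Send":         0x00001000,  # direction: packets sent by the server
    "Receive":      0x00002000,  # direction: packets received by the server
    "UDP":          0x00004000,  # transport: UDP
    "TCP":          0x00008000,  # transport: TCP
    "FullPackets":  0x01000000,  # log the whole packet, not just the summary
    "WriteThrough": 0x80000000,  # flush every entry to disk immediately
}

# Assumption: one flag from each group is needed before anything is written,
# mirroring the three check-box groups of the Debug Logging tab.
REQUIRED_GROUPS = {
    "content": ("Query", "Notify", "Update"),
    "direction": ("Send", "Receive"),
    "transport": ("UDP", "TCP"),
}


def compose_log_level(names):
    """OR together the named categories into the integer LogLevel value."""
    level = 0
    for name in names:
        if name not in DNS_LOG_FLAGS:
            raise ValueError(f"unknown DNS debug log category: {name}")
        level |= DNS_LOG_FLAGS[name]
    return level


def decode_log_level(level):
    """Turn a LogLevel value read from a server back into category names."""
    return [name for name, bit in DNS_LOG_FLAGS.items() if level & bit]


def missing_groups(level):
    """Report which required groups a LogLevel value leaves empty."""
    names = set(decode_log_level(level))
    return [group for group, members in REQUIRED_GROUPS.items()
            if not names & set(members)]


def dnscmd_config_line(server, names):
    """Build the dnscmd command line for the chosen categories (hex, as dnscmd expects)."""
    return f"dnscmd {server} /Config /LogLevel 0x{compose_log_level(names):X}"


if __name__ == "__main__":
    chosen = ["Query", "Update", "Questions", "Answers", "Send", "Receive", "UDP", "TCP"]
    print(dnscmd_config_line("dc1.rallencorp.com", chosen))
    print(decode_log_level(0xF321), missing_groups(0x4001))
```

Running the block prints the dnscmd line for a typical "log all queries and updates in both directions on both transports" selection, decodes that value back into names, and shows that a value with only Query and UDP set is missing a direction flag, which is the kind of mistake the Windows 2000 check-box interface makes easy.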

Table 15-3 contains all of the event codes with their hexadecimal and decimal values.

Table 15-3 DNS debug logging event codes


DNS debug logging can come in handy if you want to look at the dynamic update requests a particular DNS server is processing. For example, if a client or DHCP server is attempting to dynamically register records, you can enable the Update Transactions log category on the DNS server you think should be processing the updates. If you don't see any update transactions, that can indicate another server is processing the dynamic update requests.

Transactions are not immediately written to the debug log file as they occur. They are buffered and written to the file after a certain number of requests are processed.

15.6.4 See Also

MSDN: MicrosoftDNS_Server

Recipe 15.7 Viewing DNS Server Performance Statistics

15.7.1 Problem

You want to view DNS Server performance statistics.

15.7.2 Solution

15.7.2.1 Using a graphical user interface

1. Open the Performance Monitor.

6. Select the counters you want to add and click the Add button.

7. Click Close.

15.7.2.2 Using a command-line interface

> dnscmd <DNSServerName> /statistics

15.7.2.3 Using VBScript

' This code displays all statistics for the specified DNS server.
' ----- SCRIPT CONFIGURATION -----
strServer = "<DNSServerName>" ' e.g., dc1.rallencorp.com
' ----- END CONFIGURATION -----
set objDNS = GetObject("winmgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
' Every counter is an instance of the MicrosoftDNS_Statistic class
set objStats = objDNS.ExecQuery("Select * from MicrosoftDNS_Statistic ")
for each objStat in objStats
    WScript.Echo " " & objStat.Name & " : " & objStat.Value
next

15.7.3 Discussion

The Microsoft DNS Server keeps track of dozens of performance metrics. These metrics include the number of queries, updates, transfers, directory reads, and directory writes processed by the server. If you can pump these metrics into an enterprise management system, you can track DNS usage and growth over time.

These statistics can also be useful to troubleshoot load-related issues. If you suspect a DNS Server is being overwhelmed with DNS update requests, you can look at the Dynamic Update Received/sec counter and see if it is processing an unusually high number of updates.

15.7.3.1 Using a command-line interface

You can obtain a subset of the statistics by providing a "statid" after the /statistics option. Each statistics category has an associated number (i.e., statid). For a complete list of categories and their statids, run the following command:

> dnscmd /statistics /?

Here is an example of viewing the Query (statid = 2) and Query2 (statid = 4) statistics:

> dnscmd /statistics 6

DNS Server statistics:

Queries and Responses:
----------------------
Total:
  Queries Received = 14902
  Responses Sent   = 12900
UDP:
  Queries Recvd    = 14718
  Responses Sent   = 12716
  Queries Sent     = 23762
  Responses Recvd  = 0
TCP:
  Client Connects  = 184
  Queries Recvd    = 184
  Responses Sent   = 184
  Queries Sent     = 0
  Responses Recvd  = 0

Queries:
--------
  Total    = 14902
  Notify   = 0
  Update   = 2207
  TKeyNego = 184
  Standard = 12511
  A        = 1286
  NS       = 29
  SOA      = 2263
  MX       = 0
  PTR      = 1
  SRV      = 8909
  ALL      = 0
  IXFR     = 0
  AXFR     = 0
  OTHER    = 23

Command completed successfully.
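The dnscmd output above is line-oriented and easy to turn into numbers, which is what you need to track the update load the discussion mentions. The following Python is an added example, not code from the cookbook: it parses the "Section:" and "Counter = value" layout into a dictionary and derives the share of received queries that were dynamic updates. The sample text is a constructed copy of the recipe's own dnscmd /statistics 6 output; the 50% alert threshold is an arbitrary assumption.

```python
import re

# Constructed sample input: the recipe's "dnscmd /statistics 6" output,
# laid out the way dnscmd prints it (section headings, dashed rules, counters).
SAMPLE_STATS = """\
DNS Server statistics:

Queries and Responses:
----------------------
Total:
  Queries Received = 14902
  Responses Sent   = 12900
UDP:
  Queries Recvd    = 14718
  Responses Sent   = 12716
  Queries Sent     = 23762
  Responses Recvd  = 0
TCP:
  Client Connects  = 184
  Queries Recvd    = 184
  Responses Sent   = 184
  Queries Sent     = 0
  Responses Recvd  = 0

Queries:
--------
  Total    = 14902
  Notify   = 0
  Update   = 2207
  TKeyNego = 184
  Standard = 12511
  A        = 1286
  NS       = 29
  SOA      = 2263
  MX       = 0
  PTR      = 1
  SRV      = 8909
  ALL      = 0
  IXFR     = 0
  AXFR     = 0
  OTHER    = 23

Command completed successfully.
"""

SECTION_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*):\s*$")   # e.g. "UDP:"
COUNTER_RE = re.compile(r"^\s*(.+?)\s*=\s*(\d+)\s*$")         # e.g. "Update = 2207"


def parse_dnscmd_statistics(text):
    """Return {"<Section>/<Counter>": int} for every counter line in the output."""
    stats = {}
    section = None
    for line in text.splitlines():
        heading = SECTION_RE.match(line)
        if heading:
            section = heading.group(1)   # the most recent "Name:" line owns the counters below it
            continue
        counter = COUNTER_RE.match(line)
        if counter and section is not None:
            stats[f"{section}/{counter.group(1)}"] = int(counter.group(2))
    return stats


def update_share(stats):
    """Fraction of all received queries that were dynamic update requests."""
    total = stats["Queries/Total"]
    return stats["Queries/Update"] / total if total else 0.0


def unanswered_queries(stats):
    """Queries received minus responses sent, from the Total section."""
    return stats["Total/Queries Received"] - stats["Total/Responses Sent"]


def flag_update_load(stats, max_share=0.5):
    """True when updates dominate the query mix (threshold is an assumed example value)."""
    return update_share(stats) > max_share


if __name__ == "__main__":
    s = parse_dnscmd_statistics(SAMPLE_STATS)
    print(f"update share: {update_share(s):.1%}, unanswered: {unanswered_queries(s)}")
    print("update load flagged:", flag_update_load(s))
```

On the sample, roughly 15% of the 14,902 queries were updates, so the default threshold does not fire; the same parser can be run on a saved dnscmd dump from each server in turn when you are trying to work out which one is absorbing the dynamic updates.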

15.7.3.2 Using VBScript

You can obtain a subset of statistics by adding a where clause to the WQL query. The following query would match only counters whose names start with "Records":

select * from MicrosoftDNS_Statistic where Name like 'Records%'

15.7.4 See Also

MSDN: MicrosoftDNS_Statistic

Recipe 15.8 Enabling Inefficient and Expensive LDAP Query Logging

15.8.1 Problem

You want to log inefficient and expensive LDAP queries to the Directory Services event log.

15.8.2 Solution

To log a summary report about the total number of searches, total expensive searches, and total inefficient searches to the Directory Services event log, set the 15 Field Engineering diagnostics logging setting to 4. This summary is generated every 12 hours during the garbage collection cycle.

To log an event to the Directory Services event log every time an expensive or inefficient search occurs, set the 15 Field Engineering diagnostics logging setting to 5.

See Recipe 15.2 for more on enabling diagnostics logging.

15.8.3 Discussion

A search is considered expensive if it has to visit a large number of objects in Active Directory. A search is considered inefficient if it returns less than 10% of the total objects it visits. The default threshold for an expensive query is 10,000. That means any search that visits 10,000 or more objects would be considered expensive. The default bottom limit for an inefficient query is 1,000. If a query visited 1,000 objects and only returned 99 of them (less than 10%), it would be considered inefficient. If it returned 900 instead, it would not be considered inefficient. To summarize, with 1,000 being the default bottom threshold, no search that visits less than 1,000 entries (even if it visited 999 and returned 0) would be considered inefficient.

Here is an example summary report event that is logged when 15 Field Engineering is set to 4:

Event Type: Information

Event Source: NTDS General

Event Category: Field Engineering

Event ID: 1643

Date: 5/24/2003

Time: 7:24:24 PM

User: NT AUTHORITY\ANONYMOUS LOGON

Computer: DC1

Description:

Internal event: Active Directory performed the following number of search operations within this time interval.

Time interval (hours): 9

Number of search operations: 24679

During this time interval, the following number of search operations were characterized as either expensive or inefficient.

Expensive search operations: 7

Inefficient search operations: 22

If you set 15 Field Engineering to 5, the summary event is still logged during the garbage collection cycle, and event 1644 is logged every time an expensive or inefficient search occurs. Notice that this event provides details on all aspects of the search, including the client IP, authenticating user, search base DN, search filter, attributes, controls, number of entries visited, and number of entries returned. This was taken from a Windows Server 2003 domain controller; Windows 2000 does not provide quite as much detail.

Event Type: Information

Event Source: NTDS General

Event Category: Field Engineering

Event ID: 1644

Date: 5/24/2003

Time: 7:50:40 PM

User: RALLENCORP\rallen

Computer: DC1

Description:

Internal event: A client issued a search operation with the following options.

Client: 192.168.4.14

Starting node: DC=rallencorp,DC=com

Filter: (description=*)

Search scope: subtree

Attribute selection: cn

Server controls:

Visited entries: 10340

Returned entries: 1000

With the default settings, the query shown in the above event is considered both expensive and inefficient. It is expensive because it visited more than 10,000 entries. It is inefficient because it returned less than 10% of those entries.

You can customize what a domain controller considers expensive and inefficient by creating a couple of registry values under the HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters key. You can create a value named Expensive Search Results Threshold of type DWORD, and specify the number of entries a search would need to visit to be considered expensive. Similarly, you can create a value named Inefficient Search Results Threshold of type DWORD, and specify the minimum number of entries visited where a match returning less than 10% would be considered inefficient.
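The expensive/inefficient rules above are simple enough to encode, and doing so is useful when triaging a batch of exported 1644 events rather than reading them one at a time. The following Python is an added example, not code from the cookbook: it applies the two thresholds with the defaults the recipe states (10,000 and 1,000, and the 10% return ratio), parses the Description text of an event 1644 in the label-then-value layout shown above, and combines the two. The sample event text is a constructed copy of the recipe's event; the field labels are taken from it, and `parse_event_1644`, `classify_search` and `triage_event_1644` are names chosen here.

```python
# Added example: classify LDAP searches the way the recipe describes and
# triage NTDS General event 1644 descriptions. Defaults below are the ones the
# recipe gives for the Expensive/Inefficient Search Results Threshold values.
DEFAULT_EXPENSIVE_THRESHOLD = 10_000   # visit this many entries or more -> expensive
DEFAULT_INEFFICIENT_THRESHOLD = 1_000  # searches visiting fewer entries are never inefficient
INEFFICIENT_RETURN_RATIO = 0.10        # inefficient when returned < 10% of visited

# Constructed sample: the recipe's event 1644 Description, as the event log writes it.
SAMPLE_1644 = """\
Internal event: A client issued a search operation with the following options.
Client:
192.168.4.14
Starting node:
DC=rallencorp,DC=com
Filter:
(description=*)
Search scope:
subtree
Attribute selection:
cn
Server controls:
Visited entries:
10340
Returned entries:
1000
"""

LABELS_1644 = ("Client", "Starting node", "Filter", "Search scope",
               "Attribute selection", "Server controls",
               "Visited entries", "Returned entries")


def classify_search(visited, returned,
                    expensive_threshold=DEFAULT_EXPENSIVE_THRESHOLD,
                    inefficient_threshold=DEFAULT_INEFFICIENT_THRESHOLD):
    """Apply the recipe's rules: expensive by visit count, inefficient by return ratio
    but only once the visit count reaches the inefficient threshold."""
    expensive = visited >= expensive_threshold
    inefficient = (visited >= inefficient_threshold
                   and returned < INEFFICIENT_RETURN_RATIO * visited)
    return {"expensive": expensive, "inefficient": inefficient}


def parse_event_1644(description):
    """Parse the Description of an event 1644 into {label: value}.
    Handles both 'Label:' followed by the value on the next line and 'Label: value'
    on one line; a value line containing ':' (e.g. client address with port, or an
    extensible-match filter) is appended to the current field, not treated as a label."""
    fields = {}
    current = None
    for raw in description.splitlines():
        line = raw.strip()
        if not line:
            continue
        label, sep, rest = line.partition(":")
        if sep and label in LABELS_1644:
            current = label
            fields[current] = rest.strip()
        elif current is not None:
            fields[current] = (fields[current] + " " + line).strip()
    return fields


def triage_event_1644(description, **thresholds):
    """Extract the search parameters from an event 1644 and classify the search."""
    fields = parse_event_1644(description)
    visited = int(fields["Visited entries"])
    returned = int(fields["Returned entries"])
    result = {
        "client": fields.get("Client", ""),
        "base": fields.get("Starting node", ""),
        "filter": fields.get("Filter", ""),
        "visited": visited,
        "returned": returned,
    }
    result.update(classify_search(visited, returned, **thresholds))
    return result


if __name__ == "__main__":
    print(triage_event_1644(SAMPLE_1644))
    # Raising the expensive threshold above the visit count changes only that verdict
    print(triage_event_1644(SAMPLE_1644, expensive_threshold=20_000))
```

Run on the sample, the triage reports the search as both expensive (10,340 visited) and inefficient (1,000 returned is under 10% of 10,340), matching the recipe's verdict, and the keyword thresholds let you preview what a changed registry value would do before you set it on a domain controller.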
