--- Sjoerd Hooft's InFormation Technology ---

ldaploggingad [2013/03/08 04:47] (current)
sjoerd created
= LDAP Logging AD =
How do you make Event Viewer show information that is actually useful when troubleshooting Active Directory's LDAP service?
I was triggered by the following event on my AD LDAP server, and I wanted to know which clients it was about:
During the previous 24 hour period, some clients attempted to perform LDAP binds that were either:
(1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or
(2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection
This directory server is not currently configured to reject such binds. The security of this directory server can be significantly enhanced by configuring the server to reject such binds. For more details and information on how to make this configuration change to the server, please see http://fwlink/?LinkID=87923.
Summary information on the number of these binds received within the past 24 hours is below.
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
Number of simple binds performed without SSL/TLS: 2397
Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 0
= Active Directory Diagnostic Event Logging =
The registry entries that manage diagnostic logging for Active Directory are stored under the Diagnostics subkey in the registry.
Each of the following REG_DWORD values under the Diagnostics subkey represents a category of event that can be written to the event log. The value names are exactly as listed, number included (the one the event above refers to is "16 LDAP Interface Events"):
1 Knowledge Consistency Checker (KCC)
2 Security Events
3 ExDS Interface Events
4 MAPI Interface Events
5 Replication Events
6 Garbage Collection
7 Internal Configuration
8 Directory Access
9 Internal Processing
10 Performance Counters
11 Initialization/Termination
12 Service Control
13 Name Resolution
14 Backup
15 Field Engineering
16 LDAP Interface Events
17 Setup
18 Global Catalog
19 Inter-site Messaging
New to Windows Server 2003:
20 Group Caching
21 Linked-Value Replication
22 DS RPC Client
23 DS RPC Server
24 DS Schema
= Logging Levels =
Each entry can be assigned a value from 0 through 5, and this value determines the level of detail of the events that are logged. The logging levels are described as:
* 0 (None): Only critical events and error events are logged at this level. This is the default setting for all entries, and it should be modified only if a problem occurs that you want to investigate.
* 1 (Minimal): Very high-level events are recorded in the event log at this setting. Events may include one message for each major task that is performed by the service. Use this setting to start an investigation when you do not know the location of the problem.
* 2 (Basic)
* 3 (Extensive): This level records more detailed information than the lower levels, such as steps that are performed to complete a task. Use this setting when you have narrowed the problem to a service or a group of categories.
* 4 (Verbose)
* 5 (Internal): This level logs all events, including debug strings and configuration changes. A complete log of the service is recorded. Use this setting when you have traced the problem to a particular category or a small set of categories.
Higher levels generate a lot of events, so raise only the category you are investigating and set it back to 0 when you are done.
I got very good results with using 2, although 3 shows a little bit more. Just try and see what works best for you!
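The whole procedure, as an added PowerShell example that is not code from the original page: it raises the "16 LDAP Interface Events" value to 2 on the domain controller and then summarises the per-client events that the raised level produces, which is exactly what the summary event quoted at the top of the page asks for. Assumptions not stated on the page: the Diagnostics subkey is HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics (Microsoft's documented location), the quoted summary is event ID 2887 and the per-bind events are ID 2889 in the Directory Service log, and the 2889 message contains "Client IP address:", "Identity the client attempted to authenticate as:" and "Binding Type:" lines, with binding type 0 meaning a simple bind without SSL/TLS and 1 meaning a SASL bind without signing.

```powershell
# Added example, not from the original page. Run in an elevated PowerShell on
# the domain controller. Assumed (not stated on the page): the registry path
# below, event IDs 2887/2889, and the layout of the 2889 message text.

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$valueName = '16 LDAP Interface Events'   # value names include the number
$wanted    = 2                             # 2 (Basic) is what event 2887 asks for

function Set-LdapInterfaceLogging {
    param([int]$Level)
    # Keep the old value so the change can be undone: diagnostic levels above 0
    # are noisy and are meant for an investigation, not as a permanent setting.
    $old = (Get-ItemProperty -Path $regPath -Name $valueName).$valueName
    Set-ItemProperty -Path $regPath -Name $valueName -Value $Level -Type DWord
    # The new level takes effect without restarting the directory service.
    return $old
}

function Get-UnsignedLdapBinds {
    param([int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since }
    # Get-WinEvent throws when nothing matches, hence SilentlyContinue.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    # Assumed message layout of event 2889: three labelled lines, each value on
    # the line after its label.
    $pattern = 'Client IP address:\s*(?<ip>\S+)\s+' +
               'Identity the client attempted to authenticate as:\s*(?<id>[^\r\n]+?)\s+' +
               'Binding Type:\s*(?<type>\d)'
    foreach ($e in $events) {
        $m = [regex]::Match($e.Message, $pattern)
        if (-not $m.Success) { continue }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            # Drop the source port so all binds from one host group together.
            Client   = $m.Groups['ip'].Value -replace ':\d+$', ''
            Identity = $m.Groups['id'].Value.Trim()
            BindType = if ($m.Groups['type'].Value -eq '0') { 'simple bind without SSL/TLS' }
                       else { 'SASL bind without signing' }
        }
    }
}

$previous = Set-LdapInterfaceLogging -Level $wanted
Write-Host "'$valueName' raised from $previous to $wanted; each offending bind is now logged as event 2889."

# Come back after a day (the 2887 summary covers 24 hours) and run this part:
Get-UnsignedLdapBinds -Hours 24 |
    Group-Object Client, Identity, BindType |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Once the clients are known and fixed, put the level back:
# Set-LdapInterfaceLogging -Level $previous | Out-Null
```

The grouped output gives one row per client, account and bind type, which is the list you need to go and fix those clients (switch them to LDAPS, or to a SASL bind that requests signing). Only after that list is empty can the server be configured to reject such binds, as the event text recommends; rejecting first would break every client still on the list.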
= Sources =
{{tag>windows ldap ad}}