Share via

Active Directory Diagnostic Logging

Active Directory records events in the directory services log in Event Viewer. You can use the log to monitor the activity level of Active Directory or to investigate problems.

By default, Active Directory records only critical error events. To instruct Active Directory to record other events in the directory service log, modify the registry. For more information about how to use the Windows 2000 registry editors, see the Windows 2000 Server Help.


Do not use a registry editor to edit the registry directly unless you have no alternative. The registry editors bypass the standard safeguards provided by administrative tools. These safeguards prevent you from entering conflicting settings or settings that are likely to degrade performance or damage your computer. Editing the registry directly can have serious, unexpected consequences that can prevent the computer from starting and require that you reinstall Windows 2000. To configure or customize Windows 2000, use the programs in Control Panel or MMC whenever possible.

The registry entries that manage diagnostic logging are stored in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. Each entry represents a type of event that Active Directory can log. The value of the entry determines the level of detail of the events that are logged and ranges from  0 (records default-level errors and standard verbosity ) to  5 (most verbose and records all activity).Table 10.10 describes each of these values.

Table   10.10 Values for the Diagnostics Registry Entry



0 (None)

Only critical events and error events are logged. This is the default and should be changed only if a problem occurs.

1 (Minimal)

Very high-level events are recorded in the event log. These might include one message for each major task performed by the service. Use this setting to begin an investigation when the location of the problem is in doubt.

2 (Basic)

Events with a logging level of 2 or lower are logged.

3 (Extensive)

Events with a logging level of 3 or lower are logged.
Messages are sent to the event log to record steps taken to run a task. This provides more information than the minimum level but not the detail of the maximum level. Use this when the problem has been narrowed to a service or group of categories

4 (Verbose)

Events with a logging level of 4 or lower are logged.

5 (Internal)

All events are logged, including debug strings and configuration changes received.
Provides a complete log of the operation of the service. Use this level when the problem is traced to a particular category or a small set of categories.

All of the entries in the Diagnostics subkey have the REG_DWORD data type and a default value of  0 .


Logging levels should be set to 0 (None) unless a problem is being investigated.

All fatal and critical errors are logged at level 0 , and no user action is required to view them.

Increasing the level increases the detail of the messages and the number of messages emitted. Setting the value of entries in the Diagnostics subkey to greater then 3 can degrade server performance and is not recommended. The application event log fills up quickly when the logging level is increased.

Table 10.11 contains a list of registry entries in the Diagnostics subkey that store the directory service logging levels.

Table   10.11 Registry Entries in the Diagnostics Subkey

Registry Entry


Knowledge Consistency Checker (KCC)

The KCC derives its input configuration from objects in the directory (for example, sites, servers and site links). The KCC reports if these objects are incorrect or missing.
Events occurring during a run of the KCC. Messages fall into the following categories:
KCC runtime errors, such as inconsistencies, resource errors or directory access problems.
KCC output configuration problems. The new configuration cannot be built or is incomplete in some way. Perhaps too many servers are down to build a complete topology at this time.

Security Events

Events related to Windows 2000 Security, such as a user who tries to read or write an attribute with insufficient permissions, a user binding through MAPI, or a domain that has been changed to native mode.

ExDS Interface Events

Events related to communication between Active Directory and Exchange clients.

MAPI Interface Events

Events related to communication between Active Directory and Exchange clients.

Replication Events

Events related to outbound replication, where changed objects are found and inbound replication, where these changes are applied to a local database. "Normal" errors during the course of replication, such as a domain controller being down, are not logged. They are kept as status and are available through the replication tools. The errors logged during replication are generally critical inconsistencies that require user intervention, as database errors. The other kind of events logged by the replication category are information about which objects and attributes were updated and why.
Note that many attributes are updated each time replication occurs. Logging detail about attributes can generate a great deal of messages very quickly. A level of 1 is safe and might be informative as to the general types of operations occurring for replication. A level higher than level  2 can result in filling up the log file and performance degradation.

Garbage Collection

Events generated when objects marked for deletion are actually deleted.

Internal Configuration

Interpretation and display of the internal directory service operations.

Directory Access

Reads and writes directory objects from all sources.

Internal Processing

Events related to the internal operation of Active Directory code such as processing security descriptor propagation. Error events in this category might be an indicator of serious problems in Active Directory.
When the directory returns the status of "internal error," this category can be used to identify the problem for Microsoft support. Set this category to 1 on all computers involved (client and server) and reproduce the problem. Note the point in the code where the internal error was raised.

Performance Counters

Events related to loading and unloading the NTDS performance object and performance counters.


Events related to starting and stopping Active Directory.

Service Control

Processes Active Directory service events.

Name Resolution

Resolution of addresses and Active Directory names.


Events related to the backup of Active Directory. Specifically, errors occurring when ESE database records are read or written for backup purposes. Generally only logged when a backup operation is underway.

Field Engineering

Internal debugging trace.

LDAP Interface Events

Events related to LDAP. An example of events logged include the following: the LDAP server closed a socket to a client, unable to initialize LDAP Simple Bind Authentication, and LDAP over SSL is now available.


Events related to running the Active Directory Installation Wizard.

Global Catalog

Events related to Global Catalog. For example, "Promotion of this server to a Global Catalog will be delayed for % 1 minutes. This delay is necessary so that the required partitions can be made ready before the GC is advertised.
The operations that occurs during this time include the KCC being run to generate the new topology, all read-only partitions in the enterprise being added to this server, and the contents of these partitions being replicated into this system.
If you want to promote the GC immediately without enforcing this precondition, set the registry variable HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\GlobalCatalogDelayAdvertisement(sec) to a DWORD value of 0. The GC will be promoted on the next attempt to check preconditions. This value can also be set to the maximum number of seconds that the DSA will wait before promoting to a GC."

Inter-site Messaging

These messages are logged by the "Intersite Message" service, which is a separate service from the directory itself. There are two kinds of messages that are generated in this category:
The ISM Service is responsible for transporting replication messages between sites.
The ISM Service is also responsible for calculating site routes for the KCC to use. Note that the messages in this category are either fatal configuration errors, or informational messages about the amount of traffic being carried.

Summary of Log Files Used in Active Directory

Windows 2000 maintains specific log files that pertain to Active Directory. For example, when installing or removing Active Directory by using the Active Directory Installation Wizard (also known as dcpromo), several log files are created in the %SystemRoot%\Debug that you can use to investigate the actual process. You need to be familiar with the information provided in these files because they provide relevant facts about Active Directory performance and services. The default location for the log files is the % SystemRoot %\Debug folder. For more information about Windows 2000 log files, see the Microsoft TechNet Web link on the Web Resources page at . Search the Technical Support section of this site for Knowledge Base articles and other sources of technical information.


The DcpromoUI.log file contains a detailed progress report of the Active Directory installation and removal processes. Its default location is the % SystemRoot %\Debug folder on Windows 2000–based servers. Logging begins when the Active Directory Installation Wizard is opened and continues until the summary screen appears; regardless of whether it terminated prematurely or completed successfully. If the installation or removal failed, detailed error messages appear in the log immediately after the step that caused the failure. When the installation or removal process is successful, the log provides positive confirmation of that fact.

Additionally, the DcpromoUI.log file includes the following useful information, about the installation or removal of Active Directory:

  • The name of the source domain controller for replication.

  • The directory partitions that were replicated to the target server

  • The number of items that were replicated in each directory partition

  • The services configured on the target domain controller

  • The access control entries (ACEs) set on the registry and files

  • The SYSVOL directories

  • Applicable error messages

  • Applicable selections that were entered by the Administrator during the installation or removal process

For more information about the Dcpromoui.log, see "Active Directory Installation and Removal Issues" later in this chapter.


The %windir%\debug\dcpromos.log is created by the user interface during the graphical user interface mode setup when a Windows 3. x –based or Windows 4.0–based domain controller is promoted to a Windows 2000 domain controller.


The DCPromo.log file is created by using the Active Directory Installation Wizard. Its default location is the %SystemRoot%\Debug folder on Windows 2000–based servers. It also records settings used for the promotion or demotion, such as the site name, the path for the Active Directory database and log files, time synchronization, and information about the computer account. The DCPromo.log file captures the creation of the Active Directory database, SYSVOL trees and the installation and modification of services.

For more information about the Dcpromo.log see "Active Directory Installation and Removal Issues" later in this chapter.


When joining a computer to a Windows 2000 domain, the Networking Setup (NetSetup) installs all the necessary Microsoft supported networking components. The Netsetup.log file provides information about the attempts to join domains and records any errors that might be preventing the join from being successful. Also, to install networking components not directly supported by Microsoft, the NetSetup tool provides a way to connect into the setup process for third-party components.

For more information about Netsetup.log, see "Authentication" earlier in this chapter.


The Net Logon service responds to network logon requests. The Net Logon service dynamically creates records in the DNS database that are used to locate a server.

The Netlogon.log file is created whenever the service is used. For more information about the Net Logon service, see "Name Resolution in Active Directory" in this book. For more information about Netlogon.log, see "Active Directory Architecture" earlier in this chapter.


The File Replication service (FRS) text-based log file is the Ntfrsapi.log file. It resides in the % SystemRoot %\Debug folder. It tracks replication problems and contains events that take place during the installation or removal of Active Directory, for example, creating the NTFRS registry keys. For more information about FRS and the Ntfrsapi.log file, see the "File Replication Service" in this book and the Microsoft Personal Online Support link on the Web Resource page at .


The output of this log file can be helpful in troubleshooting problems with user profiles and Group Policy processing. The log file resides in the % SystemRoot %\Debug folder.

Following is an example of the userenv.log file showing a failure to return a string representing the user guid of the current user.

USERENV(b8.a0) 17:02:31:274 GetUserGuid: Failed to get user guid with 1332.

USERENV(b8.a0) 17:02:31:584 GetUserGuid: Failed to get user guid with 1332.

USERENV(b8.a0) 17:02:31:584 GetUserGuid: Failed to get user guid with 1332.

USERENV( 17:02:31:715 ProcessGPOs: Starting user Group Policy processing...

USERENV( 17:02:31:765 ProcessGPOs: User Group Policy has been applied.

USERENV(b8.c0) 18:43:31:980 ProcessGPOs: Starting user Group Policy processing...

USERENV(b8.c0) 18:43:32:030 ProcessGPOs: User Group Policy has been applied.