Run the following command to list your current tickets:
> klist tickets
Run the following command to purge your tickets:
> klist purge
14.17.3 Discussion
Active Directory uses Kerberos as its preferred network authentication system. When you
authenticate to a Kerberos Key Distribution Center (KDC), which in Active Directory terms is a
domain controller, you are issued one or more tickets. These tickets identify you as a certain
principal in Active Directory and can be used to authenticate you to other Kerberized services.
This type of ticket is known as a ticket-granting-ticket, or TGT. Once you've obtained a TGT, the
client can pass that to a Kerberized service and if the service accepts the ticket, it will issue a
service ticket that represents the client for the particular service.
Kerberos is a fairly complicated system that cannot be done justice in a single paragraph. If you
want more information on tickets and how the Kerberos authentication system works, see
Kerberos: The Definitive Guide (O'Reilly).
14.17.4 See Also
RFC 1510 (The Kerberos Network Authentication Service V5), and MS KB 232179 (Kerberos
Administration in Windows 2000)
Recipe 14.18 Forcing Kerberos to Use TCP
14.18.1 Problem
Clients are experiencing authentication problems and you've determined it is due to UDP
fragmentation of Kerberos traffic. You want to force Kerberos traffic to go over TCP instead.
14.18.2 Solution
14.18.2.1 Using a graphical user interface
1. Run regedit.exe from the command line or Start → Run.
2. In the left pane, expand HKEY_LOCAL_MACHINE → System → CurrentControlSet → Control → Lsa →
Kerberos → Parameters.
3. Right-click on Parameters and select New → DWORD Value. Enter MaxPacketSize for the value
name.
4. In the right pane, double-click on MaxPacketSize and enter 1.
5. Click OK.
14.18.2.2 Using a command-line interface
> reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" /v "MaxPacketSize" /t REG_DWORD /d 1
14.18.2.3 Using VBScript
' This code forces Kerberos to use TCP
' SCRIPT CONFIGURATION
strComputer = "<ComputerName>" ' e.g. rallen-w2k3
' END CONFIGURATION

const HKLM = &H80000002
strRegKey = "SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
set objReg = GetObject("winmgmts:\\" & strComputer & _
"\root\default:StdRegProv")
objReg.SetDwordValue HKLM, strRegKey, "MaxPacketSize", 1
WScript.Echo "Kerberos forced to use TCP for " & strComputer
14.18.3 Discussion
If you have users that are experiencing extremely slow logon times (especially over VPN) or
they are seeing the infamous "There are currently no logon servers available to service the logon
request," then they may be experiencing UDP fragmentation of Kerberos traffic. One way to help
identify if there is a problem with Kerberos is to have the users run the following command:
> netdiag /test:kerberos
Another source of information is the System event log on the clients. Various Kerberos-related
events are logged there if problems with authentication occur.
For more information about Kerberos and UDP, see MS KB 244474 (How to Force Kerberos to
Use TCP Instead of UDP).
Recipe 14.19 Modifying Kerberos Settings
14.19.1 Problem
You want to modify the default Kerberos settings, such as the maximum ticket lifetime.
14.19.2 Solution
14.19.2.1 Using a graphical user interface
1. Open the Domain Security Policy snap-in.
2. In the left pane, expand Account Policies → Kerberos Policy.
3. In the right pane, double-click on the setting you want to modify.
4. Enter the new value and click OK.
14.19.3 Discussion
There are several Kerberos-related settings you can customize. In most environments, the default
settings are sufficient, but the ones you can modify are listed in Table 14-1.

Change the default settings with caution as it could cause operational
problems and compromise security if done incorrectly.

Table 14-1. Kerberos policy settings
Setting Default value
Enforce user logon restrictions Enabled
Maximum lifetime for service ticket 600 minutes
Maximum lifetime for user ticket 10 hours
Maximum lifetime for user ticket renewal 7 days
Maximum tolerance for computer clock synchronization 5 minutes
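The values in Table 14-1 are easier to reason about when you see how they combine. The following Python example is added here and is not code from the book: it models the four policy values with their Table 14-1 defaults, applies the ordering rules a proposed policy has to satisfy (assumed to mirror what the policy editor enforces: a service ticket lifetime of at least 10 minutes and no longer than the user ticket, and a renewal period at least as long as the user ticket), and classifies a TGT at different clock readings, applying the clock-skew tolerance at both ends of the ticket lifetime the way the Kerberos RFCs describe. The issue time and the clock offsets are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class KerberosPolicy:
    """Kerberos policy values; the defaults are the ones listed in Table 14-1."""
    service_ticket_minutes: int = 600   # Maximum lifetime for service ticket
    user_ticket_hours: int = 10         # Maximum lifetime for user ticket (the TGT)
    renewal_days: int = 7               # Maximum lifetime for user ticket renewal
    clock_skew_minutes: int = 5         # Maximum tolerance for computer clock synchronization


def policy_problems(p: KerberosPolicy) -> List[str]:
    """Ordering rules a proposed policy must satisfy before it is applied.
    Assumption: these mirror the bounds the policy editor itself enforces."""
    problems = []
    user_minutes = p.user_ticket_hours * 60
    if p.service_ticket_minutes < 10:
        problems.append("service ticket lifetime must be at least 10 minutes")
    if p.service_ticket_minutes > user_minutes:
        problems.append("service ticket lifetime may not exceed the user ticket lifetime")
    if p.renewal_days * 24 * 60 < user_minutes:
        problems.append("renewal lifetime must be at least the user ticket lifetime")
    if p.clock_skew_minutes < 0:
        problems.append("clock skew tolerance cannot be negative")
    return problems


def tgt_window(p: KerberosPolicy, issued: datetime) -> Tuple[datetime, datetime]:
    """endtime and renew-till of a TGT issued at `issued` under policy `p`."""
    return (issued + timedelta(hours=p.user_ticket_hours),
            issued + timedelta(days=p.renewal_days))


def ticket_state(p: KerberosPolicy, issued: datetime, now: datetime) -> str:
    """Classify a TGT as seen by a verifier (KDC or service) whose clock reads `now`.

    The skew tolerance is applied at both ends of the lifetime: the ticket is
    rejected as not-yet-valid or expired only when the clock difference exceeds
    the tolerance. Renewal is possible only while the ticket is still accepted
    and renew-till has not passed; after that the user must re-authenticate.
    """
    endtime, renew_till = tgt_window(p, issued)
    skew = timedelta(minutes=p.clock_skew_minutes)
    if now < issued - skew:
        return "not yet valid"          # verifier clock behind the KDC by more than the tolerance
    if now > endtime + skew:
        return "expired"                # the user must authenticate to the KDC again
    if now < renew_till:
        return "valid, renewable"
    return "valid, not renewable"


def example_report() -> Dict[str, str]:
    """Worked example on a constructed issue time (not a real ticket): the verdict
    reached at several clock readings under the default policy."""
    p = KerberosPolicy()
    issued = datetime(2003, 1, 1, 9, 0, 0)
    offsets = {
        "6 min before issue": -timedelta(minutes=6),        # beyond the 5-minute tolerance
        "4 min before issue": -timedelta(minutes=4),        # within tolerance
        "9 h after issue": timedelta(hours=9),
        "10 h 4 min after issue": timedelta(hours=10, minutes=4),   # past endtime, within tolerance
        "10 h 6 min after issue": timedelta(hours=10, minutes=6),   # past endtime plus tolerance
    }
    return {label: ticket_state(p, issued, issued + delta) for label, delta in offsets.items()}


if __name__ == "__main__":
    print("policy problems:", policy_problems(KerberosPolicy(service_ticket_minutes=700)))
    for label, state in example_report().items():
        print(f"{label:>24}: {state}")
```

The report makes the practical meaning of the last row of the table visible: a verifier whose clock is 6 minutes off rejects a ticket that a verifier 4 minutes off accepts, which is why clock drift shows up as Kerberos failures before anything else.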
14.19.4 See Also
MS KB 231849 (Description of Kerberos Policies in Windows 2000) and MS KB 232179
(Kerberos Administration in Windows 2000)
Chapter 15. Logging, Monitoring, and Quotas

Introduction
Recipe 15.1. Enabling Extended dcpromo Logging
Recipe 15.2. Enabling Diagnostics Logging
Recipe 15.3. Enabling NetLogon Logging
Recipe 15.4. Enabling GPO Client Logging
Recipe 15.5. Enabling Kerberos Logging
Recipe 15.6. Enabling DNS Server Debug Logging
Recipe 15.7. Viewing DNS Server Performance Statistics
Recipe 15.8. Enabling Inefficient and Expensive LDAP Query Logging
Recipe 15.9. Using the STATS Control to View LDAP Query Statistics
Recipe 15.10. Using Perfmon to Monitor AD
Recipe 15.11. Using Perfmon Trace Logs to Monitor AD
Recipe 15.12. Enabling Auditing of Directory Access
Recipe 15.13. Creating a Quota
Recipe 15.14. Finding the Quotas Assigned to a Security Principal
Recipe 15.15. Changing How Tombstone Objects Count Against Quota Usage
Recipe 15.16. Setting the Default Quota for All Security Principals in a Partition
Recipe 15.17. Finding the Quota Usage for a Security Principal

Introduction

This chapter deals with tracking the activity and usage of various Active Directory components.
Whenever you need to troubleshoot a problem, often the first place you look is log files. With
Active Directory, there are several different log files, and each has its own way to increase or
decrease the verbosity of the information that is logged. Viewing log messages can be useful, but
you may also want to look at performance metrics to determine if the system is being
overutilized. I'll review a couple of ways you can view performance metrics and monitor Active
Directory performance. For more extensive monitoring, I suggest looking at NetPro's Active
Directory monitoring tools or Microsoft Operations Manager.
I'll also cover a somewhat-related topic in this chapter called quotas, which allow you to monitor
and limit the number of objects a security principal (user, group, or computer) can create in a
partition. This feature, introduced in Windows Server 2003, closes a hole that existed in
Windows 2000 where users that had access to create objects in Active Directory could create as
many as they wanted. These users could even cause a denial of service by creating objects until
the disk filled on the domain controllers. This kind of attack is not likely to happen in most
environments, but the possibility should still be considered.
The Anatomy of a Quota Object Container
Quota objects are stored in the NTDS Quotas container in all Windows Server 2003-based naming
contexts and application partitions except the schema-naming context (quotas cannot be
associated with the schema-naming context). By default, this container is hidden from view
within tools, such as Active Directory Users and Computers, but can be seen by selecting View →
Advanced Features from the menu. The quota object container has an objectClass of
msDS-QuotaContainer, and contains several attributes that define default quota behavior. Table 15-1
lists some of the important attributes of msDS-QuotaContainer objects.
Table 15-1. Attributes of msDS-QuotaContainer objects
Attribute    Description
cn
    RDN of quota container objects. By default, this is equal to NTDS Quotas.
msDS-DefaultQuota
    The default quota applied to all security principals that do not have another quota
    specification applied. See Recipe 15.16 for more details.
msDS-QuotaEffective
    A constructed attribute that contains the effective quota of the security principal that is
    viewing the attribute. See Recipe 15.17 for more details.
msDS-QuotaUsed
    A constructed attribute that contains the quota usage of the security principal that is
    viewing the attribute. See Recipe 15.17 for more details.
msDS-TombstoneQuotaFactor
    Percentage that tombstone objects count against a quota. The default is 100, which means a
    tombstone object has equal weighting to a normal object. See Recipe 15.15 for more details.
msDS-TopQuotaUsage
    Multivalued attribute that contains information about the security principals with the top
    quota usage. See Recipe 15.17 for more details.


The Anatomy of a Quota Object
Quota objects have an objectClass of msDS-QuotaControl, which defines three attributes that
relate to quotas. Table 15-2 contains these attributes and provides a description for each.
Table 15-2. Attributes of msDS-QuotaControl objects
Attribute    Description
cn
    RDN of the quota object.
msDS-QuotaAmount
    Number of objects that can be created by the security principals that the quota applies to.
    See Recipe 15.13 for more information.
msDS-QuotaTrustee
    SID of the security principal that the quota applies to. This can be a user, group, or
    computer SID. See Recipe 15.13 for more information.
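The attributes in Tables 15-1 and 15-2 interact: msDS-QuotaEffective is derived from the msDS-QuotaControl objects whose trustee matches the principal (or one of its groups), falling back to msDS-DefaultQuota, and msDS-QuotaUsed weights tombstones by msDS-TombstoneQuotaFactor. The following Python example is added here and is not code from the book; it reproduces that arithmetic offline so you can predict whether a creation will be refused. The SIDs and counts are constructed placeholders, and the assumption that a fractional tombstone share is rounded down is marked in the code.

```python
from typing import Dict, Iterable, Tuple

UNLIMITED = -1   # msDS-QuotaAmount / msDS-DefaultQuota value meaning "no limit"


def effective_quota(token_sids: Iterable[str], quota_specs: Dict[str, int], default_quota: int) -> int:
    """msDS-QuotaEffective for one principal.

    quota_specs maps msDS-QuotaTrustee (a SID) to msDS-QuotaAmount. A quota object
    applies when its trustee is the principal's own SID or the SID of a group in its
    token; when several apply, the largest wins, and msDS-DefaultQuota is used when
    none applies.
    """
    sids = set(token_sids)
    applicable = [amount for trustee, amount in quota_specs.items() if trustee in sids]
    if not applicable:
        return default_quota
    if UNLIMITED in applicable:
        return UNLIMITED
    return max(applicable)


def quota_used(live_objects: int, tombstones: int, tombstone_factor: int = 100) -> int:
    """msDS-QuotaUsed: each live object counts once; each tombstone counts
    msDS-TombstoneQuotaFactor percent of an object (default 100).
    Assumption: the fractional part of the tombstone share is discarded."""
    if not 0 <= tombstone_factor <= 100:
        raise ValueError("msDS-TombstoneQuotaFactor is a percentage (0-100)")
    return live_objects + (tombstones * tombstone_factor) // 100


def may_create(effective: int, used: int) -> bool:
    """True when one more object creation stays within the effective quota."""
    return effective == UNLIMITED or used < effective


# Constructed sample: placeholder SIDs, not taken from any real domain.
SAMPLE_QUOTAS = {
    "S-1-5-21-0-0-0-513": 50,    # quota object whose trustee is a group the principal belongs to
    "S-1-5-21-0-0-0-1104": 200,  # quota object assigned directly to one service account
}
SAMPLE_DEFAULT_QUOTA = 100       # msDS-DefaultQuota on the sample NTDS Quotas container


def sample_decision(token_sids: Iterable[str], live: int, tombstones: int,
                    factor: int = 100) -> Tuple[int, int, bool]:
    """(effective quota, usage, creation allowed) for a principal in the sample partition."""
    eff = effective_quota(token_sids, SAMPLE_QUOTAS, SAMPLE_DEFAULT_QUOTA)
    used = quota_used(live, tombstones, factor)
    return eff, used, may_create(eff, used)


if __name__ == "__main__":
    # A member of the 513 group that has created 40 live objects and left 20 tombstones
    print("factor 100:", sample_decision(["S-1-5-21-0-0-0-513"], 40, 20, 100))
    print("factor 25: ", sample_decision(["S-1-5-21-0-0-0-513"], 40, 20, 25))
```

The two runs at the end show the point of Recipe 15.15: with the default factor the tombstones push the principal over its quota of 50, while at a factor of 25 the same principal can still create objects. Deleting objects therefore does not free quota until the tombstones expire, unless the factor is lowered.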
Recipe 15.1 Enabling Extended dcpromo Logging
15.1.1 Problem
You want to enable extended dcpromo logging. This can be useful if you are experiencing
problems during the promotion or demotion process and the dcpromo log files are not providing
enough information to indicate the problem.
15.1.2 Solution
These solutions are slightly different on Windows 2000. See the Discussion section for more
information. To enable the maximum amount of logging, use 16711683 (FF0003 in hexadecimal)
as the flag value. For a complete description of the possible bit values, see MS KB 221254.
15.1.2.1 Using a graphical user interface
1. Run regedit.exe from the command line or Start → Run.
2. In the left pane, expand HKEY_LOCAL_MACHINE → Software → Microsoft → Windows →
CurrentVersion → AdminDebug → dcpromoui.
3. If the LogFlags value does not exist, right-click on dcpromoui in the left pane and select
New → DWORD Value. For the name, enter LogFlags.
4. In the right pane, double-click on the LogFlags value and enter the flag value you want to
set.
5. Click OK.
15.1.2.2 Using a command-line interface
With the following command, <FlagValue> needs to be the decimal version (not hexadecimal) of
the flag value:
> reg add HKLM\Software\Microsoft\Windows\CurrentVersion\AdminDebug\dcpromoui /v "LogFlags" /t REG_DWORD /d <FlagValue>
15.1.2.3 Using VBScript
' This code sets the dcpromoui logging flag (for Windows Server 2003 only)
' SCRIPT CONFIGURATION
strDC = "<DomainControllerName>" ' e.g. dc01
intFlag = <FlagValue> ' Flag value in decimal, e.g. 16711683
' END CONFIGURATION

const HKLM = &H80000002
strDcpromoReg = "Software\Microsoft\Windows\CurrentVersion\AdminDebug\dcpromoui"
set objReg = GetObject("winmgmts:\\" & strDC & "\root\default:StdRegProv")
objReg.SetDwordValue HKLM, strDcpromoReg, "LogFlags", intFlag
WScript.Echo "Dcpromoui flag set to " & intFlag
15.1.3 Discussion
As described in Recipe 3.5, the dcpromo wizard creates a couple of log files in
%SystemRoot%\debug when it is executed, which can be useful in troubleshooting promotion or
demotion problems. Typically, the default amount of logging that is done in the dcpromoui.log
file is sufficient to identify most problems, but you can increase it as described in the Solution
section.
The location of the log flags registry value changed from Windows 2000 to Windows Server
2003. In Windows 2000, the value is located here:
HKLM\Software\Microsoft\Windows\CurrentVersion\AdminDebug\dcpromoui
In Windows Server 2003, the value is located here (which was used in the Solution section):
HKLM\Software\Microsoft\Windows\CurrentVersion\AdminDebug\dcpromoui\LogFlags
15.1.4 See Also
Recipe 3.5 for more on troubleshooting dcpromo problems, and MS KB 221254 (Registry
Settings for Event Detail in the Dcpromoui.log File)
Recipe 15.2 Enabling Diagnostics Logging
15.2.1 Problem
You want to enable diagnostics event logging because the current level of logging is not
providing enough information to help pinpoint the problem you are troubleshooting.
15.2.2 Solution
15.2.2.1 Using a graphical user interface
1. Run regedit.exe from the command line or Start → Run.
2. In the left pane, expand HKEY_LOCAL_MACHINE → System → CurrentControlSet → Services →
NTDS → Diagnostics.
3. In the right pane, double-click on the diagnostics logging entry you want to increase, and
enter a number (0-5) based on how much you want logged.
4. Click OK.
15.2.2.2 Using a command-line interface
> reg add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "<LoggingSetting>" /t REG_DWORD /d <0-5>
15.2.2.3 Using VBScript
' This code sets the specified diagnostics logging level
' SCRIPT CONFIGURATION
strDC = "<DomainControllerName>" ' e.g. dc01
strLogSetting = "<LoggingSetting>" ' e.g. 1 Knowledge Consistency Checker
intFlag = <FlagValue> ' Logging level in decimal (0-5), e.g. 5
' END CONFIGURATION

const HKLM = &H80000002
strRegKey = "SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"
set objReg = GetObject("winmgmts:\\" & strDC & "\root\default:StdRegProv")
' The value name is the full setting name (e.g. "1 Knowledge Consistency Checker"),
' not "LogFlags", which is the dcpromoui value used in Recipe 15.1
objReg.SetDwordValue HKLM, strRegKey, strLogSetting, intFlag
WScript.Echo "Diagnostics logging for " & strLogSetting _
& " set to " & intFlag
15.2.3 Discussion
A useful way to troubleshoot specific problems you are encountering with Active Directory is to
increase the diagnostics logging level. Diagnostics logging can be enabled by component. For
example, if you determine the Knowledge Consistency Checker (KCC) is not completing every
15 minutes, you can enable diagnostics logging for the "1 Knowledge Consistency Checker"
setting.
These settings are stored under
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. By default, all settings are set
to 0, which disables diagnostic logging, but you can increase it by setting it to a number from 1
through 5. As a general rule, a value of 1 is used for minimum logging, 3 for medium logging,
and 5 for maximum logging. It is a good practice to ease your way up to 5 because some
diagnostics logging settings can generate a bunch of events in the event log, which may make it
difficult to read, along with increasing resource utilization on the domain controller.
Here is the complete list of diagnostics logging settings for Windows Server 2003. Note that
settings 20-24 are not available on Windows 2000-based domain controllers.
1 Knowledge Consistency Checker
2 Security Events
3 ExDS Interface Events
4 MAPI Interface Events
5 Replication Events
6 Garbage Collection
7 Internal Configuration
8 Directory Access
9 Internal Processing
10 Performance Counters
11 Initialization/Termination
12 Service Control
13 Name Resolution
14 Backup
15 Field Engineering
16 LDAP Interface Events
17 Setup
18 Global Catalog
19 Inter-site Messaging
20 Group Caching
21 Linked-Value Replication
22 DS RPC Client
23 DS RPC Server
24 DS Schema
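Because elevated diagnostics levels add event-log volume and load on a domain controller, it is worth checking periodically that none were left turned up after a troubleshooting session. The following Python example is added here and is not code from the book: it parses the output of `reg query HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics` (run on the DC, or remotely with `reg query \\<dc>\HKLM\...`), reports settings above 0 and values outside the documented 0-5 range, and builds the correctly quoted `reg add` line for resetting one. The line layout the parser expects is an assumption about reg.exe output, and the sample output is constructed.

```python
import re
from typing import Dict, List, Tuple

# The 24 diagnostics settings listed above; 20-24 exist only on Windows Server 2003.
DIAGNOSTICS_SETTINGS = {
    1: "Knowledge Consistency Checker", 2: "Security Events", 3: "ExDS Interface Events",
    4: "MAPI Interface Events", 5: "Replication Events", 6: "Garbage Collection",
    7: "Internal Configuration", 8: "Directory Access", 9: "Internal Processing",
    10: "Performance Counters", 11: "Initialization/Termination", 12: "Service Control",
    13: "Name Resolution", 14: "Backup", 15: "Field Engineering", 16: "LDAP Interface Events",
    17: "Setup", 18: "Global Catalog", 19: "Inter-site Messaging", 20: "Group Caching",
    21: "Linked-Value Replication", 22: "DS RPC Client", 23: "DS RPC Server", 24: "DS Schema",
}
WINDOWS_2003_ONLY = set(range(20, 25))
DIAGNOSTICS_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"

# One reg query data line: indent, "<n> <name>", REG_DWORD, hex data (assumed reg.exe layout).
_VALUE_LINE = re.compile(r"^\s+(\d+ .+?)\s+REG_DWORD\s+0x([0-9A-Fa-f]+)\s*$")


def parse_diagnostics(reg_query_output: str) -> Dict[int, int]:
    """Map setting number -> current level from the text reg query printed."""
    levels = {}
    for line in reg_query_output.splitlines():
        m = _VALUE_LINE.match(line)
        if not m:
            continue                       # key-name line, blank line, or a non-DWORD value
        number = int(m.group(1).split(" ", 1)[0])
        levels[number] = int(m.group(2), 16)
    return levels


def audit(levels: Dict[int, int]) -> Dict[str, List[Tuple[str, int]]]:
    """Flag settings left above 0, values outside 0-5, and settings absent from the key."""
    report = {"elevated": [], "out_of_range": [], "missing": []}
    for number, name in DIAGNOSTICS_SETTINGS.items():
        label = f"{number} {name}"
        if number not in levels:
            report["missing"].append((label, -1))
        elif levels[number] > 5:
            report["out_of_range"].append((label, levels[number]))
        elif levels[number] >= 1:
            report["elevated"].append((label, levels[number]))
    return report


def reg_add_command(number: int, level: int, windows_2000: bool = False) -> str:
    """The reg add line for one setting; the value name must be quoted because it has spaces."""
    if not 0 <= level <= 5:
        raise ValueError("diagnostics level must be 0-5")
    if windows_2000 and number in WINDOWS_2003_ONLY:
        raise ValueError(f"setting {number} does not exist on Windows 2000")
    name = f"{number} {DIAGNOSTICS_SETTINGS[number]}"
    return f'reg add {DIAGNOSTICS_KEY} /v "{name}" /t REG_DWORD /d {level} /f'


# Constructed sample of reg query output: a DC where KCC and replication logging
# were left elevated and one value was set outside the valid range.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
    1 Knowledge Consistency Checker    REG_DWORD    0x5
    2 Security Events    REG_DWORD    0x0
    5 Replication Events    REG_DWORD    0x3
    9 Internal Processing    REG_DWORD    0x7
    24 DS Schema    REG_DWORD    0x0
"""

if __name__ == "__main__":
    report = audit(parse_diagnostics(SAMPLE_REG_QUERY))
    for label, level in report["elevated"] + report["out_of_range"]:
        print(f"{label}: level {level} ->", reg_add_command(int(label.split()[0]), 0))
```

The reset lines it prints are the same `reg add` form shown in the Solution, with the value name quoted; an unquoted name such as 1 Knowledge Consistency Checker would be split into several arguments by the command interpreter.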
15.2.4 See Also
MS KB 220940 (How to Enable Diagnostic Event Logging for Active Directory Services)
Recipe 15.3 Enabling NetLogon Logging
15.3.1 Problem
You want to enable NetLogon logging to help with troubleshooting client account logon, lockout,
or domain controller location issues.
15.3.2 Solution
15.3.2.1 Using a command-line interface
To enable Netlogon logging, use the following command:
> nltest /dbflag:0x2080ffff
To disable Netlogon logging, use the following command:
> nltest /dbflag:0x0
15.3.3 Discussion
The netlogon.log file located in %SystemRoot%\Debug can be invaluable for troubleshooting
client logon and related issues. When enabled at the highest setting (0x2080ffff, as used in the
Solution), it logs useful information, such as the site the client is in, the domain controller the
client authenticated against, additional information related to the DC Locator process, account
password expiration information, account lockout information, and even Kerberos failures.
The NetLogon logging level is stored in the following registry value:
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\DBFlag
If you set that registry value manually, instead of using nltest, you'll need to restart the
NetLogon service for it to take effect.
One of the issues with the netlogon.log file is that it can quickly grow to several megabytes,
which makes it difficult to peruse. A new tool available for Windows XP and Windows Server
2003 called nlparse can filter the contents of the netlogon.log file so that you'll only see certain
types of log entries. The nlparse tool is part of the Account Lockout and Management Tools that
Microsoft made available from the following web site (assuming the tools haven't moved):
/>b999adde0b9e&DisplayLang=en
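The filtering nlparse does can also be done with a short script, which is useful when you need to correlate across several DCs' logs. The following Python example is added here and is not code from the book or the nlparse tool: it parses the SamLogon "Returns" lines of a netlogon.log, decodes the well-known NTSTATUS codes into the failure reasons the Discussion mentions (bad password, expired password, lockout), tallies failures per account and workstation, and, for each account that hit a lockout, lists which workstations had sent bad passwords before it. The log lines are constructed samples in the netlogon.log layout, and the tolerance for the optional "[pid]" and "DOMAIN:" fields seen in newer builds is an assumption.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple

# NTSTATUS codes netlogon.log reports on the "Returns" line (well-known values).
STATUS = {
    0x0:        "success",
    0xC000006A: "wrong password",
    0xC000006D: "logon failure (bad user name or password)",
    0xC0000064: "user does not exist",
    0xC000006F: "logon outside permitted hours",
    0xC0000070: "workstation restriction",
    0xC0000071: "password expired",
    0xC0000072: "account disabled",
    0xC0000193: "account expired",
    0xC0000224: "password must change",
    0xC0000234: "account locked out",
}
BAD_PASSWORD = {0xC000006A, 0xC000006D}
LOCKED_OUT = 0xC0000234


class LogonResult(NamedTuple):
    when: str
    logon_type: str
    account: str
    workstation: str
    status: int


# A SamLogon "Returns" line; "Entered" lines carry no outcome and are skipped.
_RETURNS = re.compile(
    r"^(?P<when>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] (?:\[\d+\] )?(?:[\w$.-]+: )?"
    r"SamLogon: (?P<type>.+?) logon of (?P<account>\S+) from (?P<ws>\S+)"
    r"(?: \(via \S+\))? Returns (?P<status>0x[0-9A-Fa-f]+)\s*$"
)


def parse_netlogon(text: str) -> List[LogonResult]:
    """Extract every completed SamLogon attempt, in log order."""
    results = []
    for line in text.splitlines():
        m = _RETURNS.match(line)
        if m:
            results.append(LogonResult(m["when"], m["type"], m["account"], m["ws"],
                                       int(m["status"], 16)))
    return results


def failures_by_account(results: List[LogonResult]) -> Dict[str, Counter]:
    """account -> Counter of (workstation, reason) for every non-success result."""
    out = defaultdict(Counter)
    for r in results:
        if r.status != 0:
            out[r.account][(r.workstation, STATUS.get(r.status, f"0x{r.status:08X}"))] += 1
    return dict(out)


def lockout_sources(results: List[LogonResult]) -> Dict[str, Dict[str, int]]:
    """For each account that reached 'account locked out', the workstations that had
    sent bad passwords before that point: the first place to look for a stale credential."""
    sources = {}
    bad_pw = defaultdict(Counter)
    for r in results:                       # log order is chronological
        if r.status in BAD_PASSWORD:
            bad_pw[r.account][r.workstation] += 1
        elif r.status == LOCKED_OUT:
            sources[r.account] = dict(bad_pw[r.account])
    return sources


# Constructed sample in the netlogon.log layout (not a real capture).
SAMPLE_LOG = r"""
05/18 09:14:02 [LOGON] SamLogon: Network logon of CORP\jsmith from WS0412 Entered
05/18 09:14:02 [LOGON] SamLogon: Network logon of CORP\jsmith from WS0412 Returns 0xC000006A
05/18 09:14:05 [LOGON] SamLogon: Network logon of CORP\jsmith from WS0412 Returns 0xC000006A
05/18 09:14:09 [LOGON] SamLogon: Network logon of CORP\jsmith from WS0412 Returns 0xC0000234
05/18 09:15:30 [LOGON] SamLogon: Transitive Network logon of CORP\asmith from WS0777 (via DC02) Returns 0x0
05/18 09:16:11 [LOGON] SamLogon: Network logon of CORP\svc_backup from SRV-BKP01 Returns 0xC0000071
05/18 09:16:40 [MISC] DsGetDcName function called (constructed non-logon line)
05/18 09:17:02 [LOGON] [1234] CORP: SamLogon: Interactive logon of CORP\jsmith from WS0412 Returns 0xC0000234
"""

if __name__ == "__main__":
    results = parse_netlogon(SAMPLE_LOG)
    for account, counter in failures_by_account(results).items():
        print(account, dict(counter))
    print("lockout sources:", lockout_sources(results))
```

Run it against the real file with `parse_netlogon(open(r"C:\Windows\Debug\netlogon.log").read())` (the path is the %SystemRoot%\Debug location named above). The `lockout_sources` output is the piece nlparse does not give you directly: the workstation that kept retrying an old password for jsmith, which is where the stale credential lives.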
15.3.4 See Also
MS KB 109626 (Enabling Debug Logging for the Netlogon Service), MS KB 247811 (How
Domain Controllers Are Located in Windows), and MS KB 273499 (Description of Security
Event 681)