Powershell Operator and AD commands


Active Directory – Enable Diagnostic Logging

Turn on diagnostic logging for AD DS

Diagnostic logging for domain controllers is managed in the following registry location:


Logging can be configured by modifying these REG_DWORD entries: 1 Knowledge Consistency Checker (KCC)
2 Security Events
3 ExDS Interface Events
4 MAPI Interface Events
5 Replication Events
6 Garbage Collection
7 Internal Configuration
8 Directory Access
9 Internal Processing
10 Performance Counters
11 Initialization/Termination
12 Service Control
13 Name Resolution
14 Backup
15 Field Engineering
16 LDAP Interface Events
17 Setup
18 Global Catalog
19 Inter-site Messaging
20 Group Caching
21 Linked-Value Replication
22 DS RPC Client
23 DS RPC Server
24 DS Schema

Diagnostic Logging Levels

The values below are used to configure the level of diagnostic logging provided by the host:

0 None Only critical events and error events are logged at this level. This is the default setting for all entries, and it should be modified only if a problem occurs that you want to investigate
1 Minmal Very high-level events are recorded in the event log at this setting. Events may include one message for each major task that is performed by the service. Use this setting to start an investigation when you do not know the location of the problem
2 Basic
3 Extensive This level records more detailed information than the lower levels, such as steps that are performed to complete a task. Use this setting when you have narrowed the problem to a service or a group of categories
4 Verbose
5 Internal This level logs all events, including debug strings and configuration changes. A complete log of the service is recorded. Use this setting when you have traced the problem to a particular category of a small set of categories

View Current Logging Levels

$Reg = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"
Get-ItemProperty -Path $Reg

Configure with PowerShell

Use the following PowerShell example to configure logging levels:

$Reg = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"
Set-ItemProperty -Path $Reg -Name <service> -Type DWORD -Value <value>

Netlogon Logging

After enabling Netlogon logging the activity will be logged to %windir%\debug\netlogon.log. Depending on the amount of activity you may want to increase the size of this log from the default 20 MB. When the file reaches 20 MB, it is renamed to Netlogon.bak, and a new Netlogon.log file is created.

The size of the Netlogon.log file can be increased by changing the MaximumLogFileSize registry entry. This registry entry does not exist by default.

Configure log size with PowerShell:

$Reg = "HKLM:\ SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
New-ItemProperty -Path -Name MaximumLogFileSize  -Type DWORD -Value <log-size>

Configure log size with Group Policy:

Computer Configuration\Administrative Templates\System\Net Logon\Maximum Log File Size

Turn on NetLogon Logging

Command Line:

nltest /dbflag:0x2080ffff


$Reg = "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\"
New-ItemProperty -Path -Name DBFlag -Type DWORD -Value 545325055

$Reg = "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\"
Set-ItemProperty -Path $Reg -Name DBFlag -Type DWORD -Value 545325055

Restart-Service netlogon

Turn off NetLogon Logging

Command Line:

nltest /dbflag:0x0


$Reg = "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\"
Set-ItemProperty -Path $Reg -Name DBFlag -Type DWORD -Value 0

Restart-Service netlogon </log-size>


Enable the DHCP log

1. On the DHCP server, log in as Administrator.
2. Launch “Registry Editor“.
3. Navigate to “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters“.
4. Double-click “DhcpLogFilesMaxSize“.
5. Select “Decimal“.
6. Update the “Value data” to “100“.
7. Click “OK“.
8. Close “Registry Editor“.
9. Restart the “DHCP Server” service.

Perfmon log configeration

Please run a command line windows with administrator account, and setup Performance monitor log for 1 minutes interval time with 500MB circular log file by:

Logman.exe create counter Perf-1Minute -f bincirc -max 500 -c “\LogicalDisk(*)\*” “\Memory\*” “\Network Interface(*)\*” “\Paging File(*)\*” “\PhysicalDisk(*)\*” “\Server\*” “\System\*” “\Process(*)\*” “\Processor(*)\*” “\Cache\*” -si 00:01:00 -o C:\PerfMonLogs\Perf-1Minute.blg

1.       Start

Logman start Perf-1Minute

2.      Waiting for the issue to reoccur. Then wait for 1 minute. And go to step 4.  

3.      Stop

Logman stop Perf-1Minute

Start remoteregistory using psservices sysinternal

PsService.exe \\BRN162DTP145 start RemoteRegistry



Captured net logon trace

Captured net logon trace:

  1. Open command prompt as administrator and run the command : Nltest /DBFlag:2080FFFF
  2. After trying to login to portal, stopped the trace with the command: Nltest /DBFlag:0x0
  3.  and saved the netlogon file
    and we have run the network monitor tool

Replication commands

Get-ADReplicationPartnerMetadata -Target * -Partition * | Select-Object Server,Partition,Partner,ConsecutiveReplicationFailures,LastReplicationSuccess,LastRepicationResult | Out-GridView

repadmin /showrepl * /csv | ConvertFrom-Csv | Out-GridView
repadmin /showrepl * /csv | ConvertFrom-Csv | ?{$_.'Number Of Failures'}

Nltest /dsgetdc:child

Nltest /dsgetdc:child /kdc

Repadmin /replicate dc1 childdc1 dc=child,dc=root,

dcdiag /s: DC1
dcdiag /test:advertising
dcdiag /test:checksdrefdom
dcdiag /test: dns
dcdiag /test:sysvolcheck
dcdiag /test:ridmanager

%d bloggers like this: