eG Monitoring
 

Measures reported by NetlogonFileTest

The Netlogon service is responsible for communication between systems in response to a logon request, a domain synchronization request, and a request to promote a Backup Domain Controller (BDC) to a Primary Domain Controller (PDC). The Netlogon service performs several tasks when servicing network logon requests. They are as follows:

  • Selects the target domain for logon authentication
  • Identifies a domain controller in the target domain to perform authentication
  • Creates a secure channel for communication between Netlogon services on the originating and target systems
  • Passes an authentication request to the appropriate domain controller
  • Returns authentication results to Netlogon on the originating system
The Net Logon service dynamically creates records in the DNS database that are used to locate a server. The Netlogon.log file is created whenever the service is used. Delays in the Netlogon authentication process can often degrade a user's overall experience not just with the domain controller, but also with the application that requests the authentication. To understand the real cause of such delays and troubleshoot them, administrators may need to look into the Netlogon.log file, which contains the log entries captured for various errors such as insufficient resources, password expiry, account lockout and so on. The NetlogonFileTest helps administrators in this regard. By analyzing the Netlogon.log file on the Active Directory server, this test helps administrators identify the various errors captured in the file. In the process, administrators can identify the most common errors and rectify them before end users start complaining.

Output of the test: One set of results for the target Active Directory server being monitored.

The measures made by this test are as follows:

Each measure below is listed with its description, measurement unit and interpretation.

Measurement: Nologon
Description: Indicates the number of times the STATUS_NO_LOGON_SERVERS message was encountered in the log file during the last measurement period.
Unit: Number
Interpretation: This message is encountered when there are no logon servers to service the logon request. Additionally, this message will appear when a MaxConcurrentAPI (MCA) issue occurs. The MCA issue occurs when the threads within lsass.exe that handle NTLM authentication begin to time out. The following are the common causes for this error message:

  1. DNS forwarders may be stale (when crossing domain/forest boundaries), i.e., the administrator did not update the forwarder IP after it was changed on the target domain/forest DNS server.
  2. DNS records (A, AAAA, SRV) for domain controllers in the target domain may be missing or incorrect.
  3. 1B/1C WINS records for domain controllers in the target domain may be missing or incorrect.
  4. Invalid entries may be present in your HOSTS and/or LMHOSTS files for the domain name, domain controller name, 1B record, or 1C record.
  5. Network timeouts experienced due to faulty or misconfigured network hardware.
  6. SYSVOL and Netlogon may not be shared on the domain controller on which the connection attempt was made.
  7. You may be logging on to an RODC that does not have connectivity to a writeable DC.
  8. Network issues.
  9. Logical site names in Active Directory may not match in the source and target forests (applicable only when DNS is used for cross-domain name resolution).
To know more about the errors and the solutions to minimize the error messages, refer to http://blogs.technet.com/b/askpfeplat/archive/2013/01/28/quick-reference-troubleshooting-netlogon-error-codes.aspx#_Toc345694514.

Measurement: NoMemory
Description: Indicates the number of times the NO_MEMORY message was encountered in the log file during the last measurement period.
Unit: Number
Interpretation: This message typically appears when not enough storage is available to process the command. This error message may be caused by the following:

  1. The domain controller, client, or target server may have exhausted virtual memory/page file or physical memory.
  2. User ports may be exhausted.

Measurement: Insuff_resource
Description: Indicates the number of times the STATUS_INSUFFICIENT_RESOURCES message was encountered in the log file during the last measurement period.
Unit: Number
Interpretation: This error message will occur due to the following issues:
  1. Available physical memory exhaustion
  2. Paged pool or non-paged pool memory exhaustion
  3. Free System PTE (Page Table Entries) exhaustion

Measurement: Pwd_rest
Description: Indicates the number of times the STATUS_PASSWORD_RESTRICTION message was encountered in the log file during the last measurement period.
Unit: Number
Interpretation: This error may be encountered when a user is attempting to reset the password and the new password does not meet the requirements of the password policy (length, history and complexity of the password).

Measurement: Invalid_workstation
Description: Indicates the number of times the STATUS_INVALID_WORKSTATION message was encountered in the log file during the last measurement period.
Unit: Number
Interpretation: The common causes for this error are enumerated below:
  1. The user is trying to log on from a machine they aren't assigned to.
  2. Active Directory replication may not be complete.

Measurement: Netlogon_notstarted
Description: Indicates the number of times the STATUS_NETLOGON_NOT_STARTED message was encountered in the log file during the last measurement period.
Unit: Number
Interpretation: This error message clearly indicates that the Netlogon service is not started or the domain controller is not advertising. The common causes for this error are as follows:
  1. The Netlogon service is not started on the application server or domain controller.
  2. Sysvol and/or Netlogon is not shared on the domain controller.

Measurement: pwd_expired
Description: Indicates the number of times the STATUS_PASSWORD_EXPIRED message was encountered in the log file during the last measurement period.
Unit: Number
Interpretation: This error message mostly occurs when your password has expired or when Active Directory replication is not yet complete.

Measurement: Account_lockout
Description: Indicates the number of times the STATUS_ACCOUNT_LOCKED_OUT message was encountered in the log file during the last measurement period.
Unit: Number
Interpretation: This error message mostly occurs when your user account is locked out or when Active Directory replication is not yet complete.

Measurement: Invalid_svrstate
Description: Indicates the number of times the STATUS_PASSWORD_EXPIRED message was encountered in the log file during the last measurement period.
Unit: Number
Interpretation: This error message mostly occurs when your password has expired or when Active Directory replication is not yet complete.

Measurement: Invalid_hours
Description: Indicates the number of times the STATUS_INVALID_LOGON_HOURS message was encountered in the log file during the last measurement period.
Unit: Number
Interpretation: This error message mostly occurs when logon hour restrictions are set for you and you have attempted to log on outside of those hours, or when Active Directory replication is not yet complete.

Measurement: Acc_deined
Description: Indicates the number of times the STATUS_ACCESS_DENIED message was encountered in the log file during the last measurement period.
Unit: Number
Interpretation: This error message mostly occurs due to the following reasons:
  1. You are attempting to join a machine whose name already exists in Active Directory.
  2. The secure channel may be broken.
  3. The trust password may be mismatched.
  4. Incorrect credentials may have been used (0x5).
  5. NTLM blocking may be enabled.
  6. LM compatibility level mismatch.
  7. User rights assignment configuration (allow access from the network) (0x5).
  8. Incompatible SMB signing options between the source and target machine.
  9. The secure channel may be in the process of resetting (client reset its secure channel) when an authentication is attempted.
  10. Active Directory replication to/from the target domain controller may not be complete.
  11. Group policy may not have been applied properly.

Measurement: unknownUserLogin
Description: Indicates the number of times the STATUS_NO_SUCH_USER message was encountered in the log file during the last measurement period.
Unit: Number
Interpretation: The most common reason for the occurrence of this error message is that the user does not exist. Other reasons include the following:
  1. An incorrect username was used for login.
  2. Active Directory replication to/from the target domain controller may not be complete (e.g., after a new user creation).
  3. The domain controller may be in the process of shutting down or restarting when the connection is made.
  4. If running Windows 2008 SP2, you may be experiencing the problem described in http://support.microsoft.com/default.aspx?scid=kb;EN-US;982801
  5. Target domain controller resource load may be high (high lsass.exe utilization, high memory consumption, or paged pool memory exhaustion, for example).

Measurement: FailureLogin
Description: Indicates the number of times the STATUS_LOGON_FAILURE message was encountered in the log file during the last measurement period.
Unit: Number
Interpretation: The most common causes are as follows:
  1. An invalid username and/or password was used.
  2. LM compatibility mismatch between the source and target.
  3. Time difference between the source and target is greater than 30 minutes (NTLMv2 only).
  4. The secure channel may be broken.

Measurement: BadPassword
Description: Indicates the number of times the STATUS_WRONG_PASSWORD message was encountered in the log file during the last measurement period.
Unit: Number
Interpretation: This error message may occur due to the following reasons:
  1. A wrong password was typed.
  2. The PDC Emulator cannot be contacted to validate the password (for recent password changes).
  3. Active Directory replication to/from the target domain controller may not be complete.

Measurement: DisabledAccount
Description: Indicates the number of times the STATUS_ACCOUNT_DISABLED message was encountered in the log file during the last measurement period.
Unit: Number
Interpretation: This error message may occur because the administrator disabled the user account, or because Active Directory replication is not yet complete.
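The counting the test performs can be reproduced independently: Netlogon.log records each finished logon attempt with a "Returns 0x..." NTSTATUS code, so the measures above are per-period counts of those codes. The following is an added example, not eG's own implementation; the code-to-measure table uses the standard ntstatus.h values and is an assumption to verify against your own headers, the sample lines are constructed, and Invalid_svrstate is omitted because the page maps it to the same message as pwd_expired.

```python
import re
from datetime import datetime, timedelta
# Page measure keyed by the NTSTATUS code Netlogon.log writes after "Returns"
# (standard ntstatus.h values, assumed here; Invalid_svrstate is omitted).
MEASURE_BY_STATUS = {
    0xC000005E: "Nologon",              # STATUS_NO_LOGON_SERVERS
    0xC0000017: "NoMemory",             # STATUS_NO_MEMORY
    0xC000009A: "Insuff_resource",      # STATUS_INSUFFICIENT_RESOURCES
    0xC000006C: "Pwd_rest",             # STATUS_PASSWORD_RESTRICTION
    0xC0000070: "Invalid_workstation",  # STATUS_INVALID_WORKSTATION
    0xC0000192: "Netlogon_notstarted",  # STATUS_NETLOGON_NOT_STARTED
    0xC0000071: "pwd_expired",          # STATUS_PASSWORD_EXPIRED
    0xC0000234: "Account_lockout",      # STATUS_ACCOUNT_LOCKED_OUT
    0xC000006F: "Invalid_hours",        # STATUS_INVALID_LOGON_HOURS
    0xC0000022: "Acc_deined",           # STATUS_ACCESS_DENIED
    0xC0000064: "unknownUserLogin",     # STATUS_NO_SUCH_USER
    0xC000006D: "FailureLogin",         # STATUS_LOGON_FAILURE
    0xC000006A: "BadPassword",          # STATUS_WRONG_PASSWORD
    0xC0000072: "DisabledAccount",      # STATUS_ACCOUNT_DISABLED
}
# Lines start "MM/DD HH:MM:SS" (no year); a finished attempt ends "Returns 0x...".
LINE_RE = re.compile(r"^(\d\d)/(\d\d) (\d\d):(\d\d):(\d\d) .*Returns 0x([0-9A-Fa-f]{1,8})")

def count_measures(lines, period_end, period=timedelta(minutes=5)):
    """Count each measure over (period_end - period, period_end]; year taken from period_end."""
    counts = dict.fromkeys(MEASURE_BY_STATUS.values(), 0)
    start = period_end - period
    for line in lines:
        m = LINE_RE.match(line)
        if not m:                 # "Entered" lines and other noise carry no status
            continue
        mo, d, h, mi, s, code = m.groups()
        ts = datetime(period_end.year, int(mo), int(d), int(h), int(mi), int(s))
        if start < ts <= period_end:
            name = MEASURE_BY_STATUS.get(int(code, 16))  # 0x0 (success) maps to None
            if name:
                counts[name] += 1
    return counts
# Constructed sample lines, not captured from a real domain controller.
SAMPLE_LOG = """\
01/28 10:00:05 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\jdoe from WKS01 (via APP01) Returns 0xC000006A
01/28 10:02:30 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\jdoe from WKS01 (via APP01) Returns 0xC0000234
01/28 10:03:00 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\ghost from WKS02 (via APP01) Returns 0xC0000064
01/28 10:04:15 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\asmith from WKS03 (via APP01) Returns 0x0
01/28 09:50:00 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\old from WKS04 (via APP01) Returns 0xC000006D
""".splitlines()
def demo_counts(period_minutes=5):  # sample run, period ending 01/28 10:05:00, year 2013 assumed
    return count_measures(SAMPLE_LOG, datetime(2013, 1, 28, 10, 5, 0), timedelta(minutes=period_minutes))
```

Because the log carries no year, a period that spans New Year needs the year handled explicitly; the 09:50 line above is excluded by the 5-minute window but counted once the window is widened.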