Contains hundreds of step-by-step solutions for both
common and uncommon problems that you might
encounter with Active Directory -- including recipes to
deal with the Lightweight Directory Access Protocol
(LDAP), multi-master replication, Domain Name System
(DNS), Group Policy, the Active Directory Schema, and
many other features. Each recipe includes graphical,
command line, and scripting examples (where applicable)
so you can use the tools that best suit you and your
environment.
You want to enable Perfmon Trace Logs to view system-level calls related to Active Directory.
1. Open the Performance Monitor.
2. In the left pane, expand Performance Logs and Alerts.
3. Right-click on Trace Logs and select New Log Settings.
4. Enter a name for the log and click OK.
5. Click the Add button.
6. Highlight one or more of the Active Directory providers and click OK.
7. Use the tabs to configure additional settings about the log.
8. When you are done, click OK.
9. Unless you've scheduled it to run at a different time, the trace log you created should show up in the right pane next to a green icon, which indicates it is running.
10. To stop the Trace Log, right-click on it in the right pane and select Stop.
11. Now open up a command shell (cmd.exe).
12. Use cd to change into the directory where the trace log files are stored (c:\perflogs by default).
13. Run the following command:
The tracerpt command is available by default with Windows Server 2003. On Windows 2000, you'll need to use the Resource Kit utility called tracedmp.exe.
The tracerpt command generates a summary.txt file that summarizes all of the events by total. A second file called dumpfile.csv is created that can be imported into Excel or viewed with a text viewer to show the details of each event.
Trace Logs capture detailed system- and application-level events. Applications support Trace Log capability by developing a Trace Log Provider. Active Directory supports several providers that log low-level system calls related to Kerberos, LDAP, and DNS, to name a few. This can be an extremely valuable tool for debugging and even for figuring out the inner workings of Active Directory. Trace Logs can be resource intensive, so you should enable them with care.
Here is an example of what the summary.txt file looks like on a domain controller that had all of the Active Directory-related Trace Log Providers enabled:
Here you can see that over a 24-second period there was 1 LDAP bind request (DsLdapBind), 8 directory searches (DsDirSearch), and 14 total LDAP requests (LdapRequest).
The dumpfile.csv contains entries for every event that was generated during the time period. Here is an example of an entry for one of the DsDirSearch requests (note that the lines will wrap due to their length so I've added a blank line in between for separation):
Based on just those two lines (disregarding most of the numeric values), we can deduce that a user on the host with IP address 192.168.5.26 performed an LDAP query for user objects in the Sales OU. Pretty neat, huh?
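The same deduction can be scripted when the dump has more than a handful of entries. The following Python sketch is an added example, not code from the book: it assumes each dumpfile.csv row starts with the event name, the event type (Start or End), and a thread ID, followed by timing columns and free-form data fields. The sample rows and the example.com domain are constructed for illustration.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample rows. Assumed layout: event name, type (Start/End),
# thread id, timing columns, then free-form user data fields.
SAMPLE = '''\
Event Name, Type, TID, Clock-Time, Kernel(ms), User(ms), User Data
DsLdapBind, Start, 0x000003E0, 127000000000000000, 0, 0, "DS", "192.168.5.26"
DsLdapBind, End, 0x000003E0, 127000000000100000, 0, 0, "DS"
LdapRequest, Start, 0x000003E0, 127000000000200000, 0, 0, "DS", "192.168.5.26"
DsDirSearch, Start, 0x000003E0, 127000000000300000, 0, 0, "DS", "192.168.5.26", "deep", "OU=Sales,DC=example,DC=com"
DsDirSearch, End, 0x000003E0, 127000000000400000, 0, 0, "DS", "(objectClass=user)"
LdapRequest, End, 0x000003E0, 127000000000500000, 0, 0, "DS"
DsDirSearch, Start, 0x00000410, 127000000000600000, 0, 0, "DS", "192.168.5.40", "base", "DC=example,DC=com"
DsDirSearch, End, 0x00000410, 127000000000700000, 0, 0, "DS", "(objectClass=*)"
'''

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def read_events(text):
    """Yield (name, type, thread id, data fields) for each row after the header."""
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    next(reader, None)  # skip the header row
    for row in reader:
        if len(row) >= 3:
            yield row[0].strip(), row[1].strip(), row[2].strip(), [f.strip() for f in row[3:]]

def count_operations(text):
    """Count operations per event name; only Start rows, so each one counts once."""
    return Counter(name for name, etype, _, _ in read_events(text) if etype == "Start")

def dir_searches(text):
    """Pair DsDirSearch Start/End rows by thread id; extract client, base DN and filter."""
    pending, found = {}, []
    for name, etype, tid, data in read_events(text):
        if name != "DsDirSearch":
            continue
        if etype == "Start":
            pending[tid] = data
        elif etype == "End":
            fields = pending.pop(tid, []) + data
            found.append({
                "client": next((f for f in fields if IPV4.match(f)), None),
                "base": next((f for f in fields if "DC=" in f.upper() and not f.startswith("(")), None),
                "filter": next((f for f in fields if f.startswith("(")), None),
            })
    return found
```

The fields are located by their shape (an IPv4 address, a distinguished name, a parenthesized filter) rather than by column position, so check the result against a few raw rows from your own dump before relying on it.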
MS KB 302552 (HOW TO: Create and Configure Performance Monitor Trace Logs in Windows 2000)