colsztyn
asked on
Windows Server 2019 Diagnostic Log Settings Reverting 15 minutes after Regedit Changes
I noticed that our Windows Server 2019 DCs were logging excessive amounts of AD and LDAP log entries - noticeably more than what I have been used to seeing over the years. In tracking down why I noted that if I went to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics that the log settings were set for "16 LDAP Interface Events" and "8 Directory Access" to log level 3 for the LDAP logs and 5 for the AD logs, which clearly explains the excessive logging.
This is the MS KB I used to determine the diagnostic log settings and locations: https://support.microsoft.com/en-us/help/314980/how-to-configure-active-directory-and-lds-diagnostic-event-logging
So, I manually changed each of 4 DCs (all running Win Server 2019 DC 1089 and patched up to date and healthy otherwise) so that the logging levels of LDAP and AD are set to 0. I make the registry change, close the registry, reopen, hit F5 to view the changes, they display as 0. Some time in the next 15 minutes or so I come back and check the logs and they have started logging excessively again, so I check the registry keys and they are reset back to 3 for LDAP and 5 for Directory Access. So, I do the changes again, reboot the server, check the changes and they are fine on reboot but 10-15 minutes later the log levels revert to the original values (3 and 5).
I have made a registry txt file to insert the keys and they insert fine and 15 minutes later revert. This is true on all 4 DCs. It seems as if some scheduled task or some other background process is intervening to change the diagnostic log settings back to their original values.
Since I am the person who rolled these servers and integrated them into the environment and the sole support for them this should be pretty straightforward.
I thought I would reach out to the community and ask for ideas.
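The question above and the Process Monitor follow-up below both come down to the same two steps: reset the NTDS diagnostic levels, then catch whatever writes them back. In Process Monitor the writer is simply the Process Name/PID column of the RegSetValue row. The script below is an added example, not something posted in this thread, and shows the equivalent using Windows' own registry auditing: it sets the two values named in the question to 0, puts an audit SACL on the key, and then parses Security event 4657 ("A registry value was modified") to list the process and account behind each change. The key path and value names are the ones from KB 314980; the auditing approach, the one-hour lookback window and the output layout are my own choices.

```powershell
# Added example, not from the original thread. Run elevated on the DC.
# Key and value names as in KB 314980; everything else here is an assumption of this example.

$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$values = '8 Directory Access', '16 LDAP Interface Events'   # the two noisy categories from the question

# 1. Show the current levels, then reset both to 0 (the default).
Get-ItemProperty -Path $key | Select-Object -Property $values
foreach ($v in $values) { Set-ItemProperty -Path $key -Name $v -Value 0 -Type DWord }

# 2. Enable object-access auditing for the registry and add a SACL to the key so that
#    every successful Set Value on it is recorded as Security event 4657.
auditpol /set /subcategory:"Registry" /success:enable | Out-Null
$acl  = Get-Acl -Path $key -Audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]::SetValue,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $key -AclObject $acl

# 3. After the values have reverted (about 15 minutes in the question), list who changed them.
#    Event 4657 carries the value name, old and new data, the writing process and the account.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddHours(-1) } |
  Where-Object { $_.Message -match 'NTDS\\Diagnostics' } |
  ForEach-Object {
      $x = [xml]$_.ToXml()
      $d = @{}
      foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
      [pscustomobject]@{
          Time    = $_.TimeCreated
          Value   = $d.ObjectValueName
          Old     = $d.OldValue
          New     = $d.NewValue
          Process = $d.ProcessName
          Account = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
      }
  } | Format-Table -AutoSize
```

The Process column of the 4657 events is the answer to "what is resetting this"; in this thread it turned out to be a trial AD monitoring agent. Remove the audit rule (Get-Acl -Audit, RemoveAuditRule, Set-Acl) once you have the culprit, since registry auditing on a DC is otherwise noise in the Security log.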
ASKER
Dr. Klahn,
Thanks for your good suggestion. I downloaded Process Monitor and also put a filter for the registry path to the HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\8 Directory Access. I set the diagnostic log value to 0 at 12:03pm and see another entry at 12:20pm for operation RegSetValue at that same path changing my 0 entry to 5, with a result of success. See screenshots.
I am not clear what the next steps will be to track down the results of the output, so any suggestions will be helpful.
proc-monitor-results.pdf
ASKER CERTIFIED SOLUTION
ASKER
I appreciate the helpful guidance you provided. It enabled me to track down the offending software. I am doing a trial of an AD monitoring package and apparently one of the settings causes those two diagnostic logs to get adjusted to the high levels we were seeing, and even though I kept changing them back it kept adjusting them again.
Don't run Process Monitor any longer than necessary, because it can eat up enormous amounts of disk.
https://docs.microsoft.com/en-us/sysinternals/downloads/procmon