troubleshooting Question

Windows Server 2019 Diagnostic Log Settings Reverting 15 minutes after Regedit Changes

Asked by colsztyn
Topics: Diagnostics, Windows Server 2019
I noticed that our Windows Server 2019 DCs were logging excessive amounts of AD and LDAP log entries - noticeably more than what I have been used to seeing over the years. In tracking down why, I noted that if I went to \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics, the log settings for "16 LDAP Interface Events" and "8 Directory Access" were set to log level 3 for the LDAP logs and 5 for the AD logs, which clearly explains the excessive logging.

This is the MS KB I used to determine the diagnostic log settings and locations: https://support.microsoft.com/en-us/help/314980/how-to-configure-active-directory-and-lds-diagnostic-event-logging

So, I manually changed each of 4 DCs (all running Win Server 2019 DC 1089 and patched up to date and healthy otherwise) so that the logging levels of LDAP and AD are set to 0. I make the registry change, close the registry, reopen, hit F5 to view the changes, and they display as 0. Some time in the next 15 minutes or so I come back and check the logs and they have started logging excessively again, so I check the registry keys and they are reset back to 3 for LDAP and 5 for Directory Access. So, I do the changes again, reboot the server, check the changes and they are fine on reboot, but 10-15 minutes later the log levels revert to the original values (3 and 5).

I have made a registry txt file to insert the keys and they insert fine and 15 minutes later revert.  This is true on all 4 DCs.  It seems as if some scheduled task or some other background process is intervening to change the diagnostic log settings back to their original values.  

Since I am the person who rolled these servers and integrated them into the environment, and the sole support for them, this should be pretty straightforward.

I thought I would reach out to the community and ask for ideas.
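
One way to find out which process rewrites the two values described in the question is to audit writes to the Diagnostics key and read back event 4657 after the next revert. This is an added example, not part of the original post; the function name `Get-DiagnosticsWriter` is hypothetical, and it assumes the locally set audit policy is not overridden by a GPO-delivered audit policy.

```powershell
# Added example: run in an elevated PowerShell session on one DC.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$watched = '16 LDAP Interface Events', '8 Directory Access'   # value names from the question

# 1. Record the current levels with a timestamp, as a baseline.
$props = Get-ItemProperty -Path $keyPath
foreach ($name in $watched) {
    '{0:u}  {1} = {2}' -f (Get-Date), $name, $props.$name
}

# 2. Enable success auditing for the Registry subcategory.
#    Assumption: no GPO audit policy resets this local setting.
auditpol.exe /set /subcategory:"Registry" /success:enable | Out-Null

# 3. Add an audit (SACL) entry so every successful value write on the key is logged.
$acl  = Get-Acl -Path $keyPath -Audit
$rule = [System.Security.AccessControl.RegistryAuditRule]::new(
            'Everyone', 'SetValue', 'None', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 4. After the values have reverted, list who wrote them (Security event 4657).
function Get-DiagnosticsWriter {
    param([int]$Hours = 1)
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the EventData name/value pairs into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # ObjectName is a kernel path (\REGISTRY\MACHINE\SYSTEM\ControlSet00x\...),
        # so match on the tail of the path instead of CurrentControlSet.
        if ($data['ObjectName'] -like '*\Services\NTDS\Diagnostics' -and
            $watched -contains $data['ObjectValueName']) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Value   = $data['ObjectValueName']
                Old     = $data['OldValue']
                New     = $data['NewValue']
                Process = $data['ProcessName']
                User    = $data['SubjectUserName']
            }
        }
    }
}

# Usage, once the levels are back at 3 and 5:
# Get-DiagnosticsWriter -Hours 1 | Format-Table -AutoSize
```

The `Process` and `User` columns identify the writer, and the `Time` column can be lined up against scheduled activity on the DC. Remove the audit rule once the source is found so the Security log is not filled with routine writes.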