colsztyn asked:
Windows Server 2019 Diagnostic Log Settings Reverting 15 minutes after Regedit Changes

I noticed that our Windows Server 2019 DCs were logging excessive amounts of AD and LDAP log entries, noticeably more than what I have been used to seeing over the years. In tracking down why, I noted that under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics the log settings for "16 LDAP Interface Events" and "8 Directory Access" were set to log level 3 for the LDAP logs and 5 for the AD logs, which clearly explains the excessive logging.

This is the MS KB I used to determine the diagnostic log settings and locations: https://support.microsoft.com/en-us/help/314980/how-to-configure-active-directory-and-lds-diagnostic-event-logging

So, I manually changed each of the 4 DCs (all running Win Server 2019 DC 1089, patched up to date and otherwise healthy) so that the logging levels of LDAP and AD are set to 0. I make the registry change, close the registry, reopen, hit F5 to view the changes, and they display as 0. Some time in the next 15 minutes or so I come back and check the logs and they have started logging excessively again, so I check the registry keys and they are reset back to 3 for LDAP and 5 for Directory Access. So, I make the changes again, reboot the server, check the changes and they are fine on reboot, but 10-15 minutes later the log levels revert to the original values (3 and 5).

I have made a registry txt file to insert the keys; they insert fine and 15 minutes later revert. This is true on all 4 DCs. It seems as if some scheduled task or some other background process is intervening to change the diagnostic log settings back to their original values.

Since I am the person who rolled these servers and integrated them into the environment, and the sole support for them, this should be pretty straightforward.

I thought I would reach out to the community and ask for ideas.
Dr. Klahn:

Download a copy of Microsoft Process Monitor. Set it to look for registry key accesses. You will have to look through a large number of events, as Windows is continually accessing keys for many reasons, but it should reveal which process is modifying the keys.

Don't run Process Monitor any longer than necessary, because it can eat up enormous amounts of disk.

https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
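As an added example (not code from the thread or from either participant), a PowerShell drift check that polls the NTDS Diagnostics key the asker describes and records a timestamp whenever a logging level departs from the intended baseline. The baseline of 0 for both values is an assumption taken from the asker's stated goal; the poll interval and duration are likewise assumed.

```powershell
# Added example: detect when NTDS diagnostic logging levels are changed behind your back.
# Run in an elevated PowerShell session on the DC. Baseline levels are assumptions (asker wanted 0).
$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$Expected = @{
    '8 Directory Access'       = 0
    '16 LDAP Interface Events' = 0
}

function Get-NtdsDiagnosticDrift {
    # Returns one record per monitored value whose current level differs from the baseline.
    $current = Get-ItemProperty -Path $KeyPath
    foreach ($name in $Expected.Keys) {
        $level = $current.$name
        if ($level -ne $Expected[$name]) {
            [pscustomobject]@{
                Time     = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
                Value    = $name
                Expected = $Expected[$name]
                Actual   = $level
            }
        }
    }
}

# Poll every 60 seconds for one hour (assumed values). The timestamp of the first drift
# record narrows the window to inspect for RegSetValue on this path in a Process Monitor capture.
$deadline = (Get-Date).AddHours(1)
while ((Get-Date) -lt $deadline) {
    $drift = Get-NtdsDiagnosticDrift
    if ($drift) {
        Write-Warning ($drift | Format-Table -AutoSize | Out-String)
        # Optional: restore the baseline so the next reversion is captured as well.
        # foreach ($d in $drift) { Set-ItemProperty -Path $KeyPath -Name $d.Value -Value $d.Expected -Type DWord }
    }
    Start-Sleep -Seconds 60
}
```

Because the reversion described in the thread arrives roughly every 15 minutes, a one-minute poll is enough to bracket the change without the disk growth of an unfiltered Process Monitor trace.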

colsztyn (asker):

Dr. Klahn,

Thanks for your good suggestion. I downloaded Process Monitor and also put a filter on the registry path HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\8 Directory Access. I set the diagnostic log value to 0 at 12:03pm and see another entry at 12:20pm for operation RegSetValue at that same path changing my 0 entry to 5, with a result of success. See screenshots.

I am not clear what the next steps will be to track down the results of the output, so any suggestions will be helpful.

Attachment: proc-monitor-results.pdf

Accepted solution by Dr. Klahn:

colsztyn (asker):

I appreciate the helpful guidance you provided. It enabled me to track down the offending software. I am doing a trial of an AD monitoring package and apparently one of the settings causes those two diagnostic logs to get adjusted to the high levels we were seeing, and even though I kept changing them back it kept adjusting them again.