FortiGate
vkulik
Staff
Article Id 194907
Purpose

In a multiple domain controller environment it can be difficult to identify which DC processed a particular user logon event.  This article guides the administrator through enabling logon event logging on DCAgents, which can help when troubleshooting 'guests' issues.


Scope
Windows AD, FSAE, DCAgent.

Diagram
(image: vkulik_FD31825_dcagent.jpg)


Expectations, Requirements
1.  On the Domain Controller where DCAgent logging is to be enabled, open regedit and locate the following key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\dcagent]


2.  Modify the value of the 'enable_log' parameter, changing it from the default 0 to 1.

3.  Configure the custom log location by editing the 'log_file' parameter.
          Default log location: c:\
          Default log name: dcagentlog.txt


4.  Immediately after the enable_log parameter has been modified, the DCAgent creates the log file and starts logging the logon events that are processed by this particular Domain Controller.  The maximum file size is 10MB.  When the limit is reached, it starts overwriting old entries.

5.  To see from a workstation which DC processed its logon, run the following from the command line:
echo %logonserver%
6.  To disable DCAgent logging, modify the 'enable_log' parameter back to 0.

Note that there is no need to reboot the Domain Controller after the registry has been modified; the changes are applied on the fly.

The DCAgent log shows:
1. Type of event (Logon)
2. Domain and username (Vlad-AD\Administrator)
3. Station name (Vlad-VS)
4. Resolved station IP address (workstation IP: 192.168.1.121)

Configuration
dcagentlog.txt sample:

02/17/2010 18:13:41.158: processing Logon (level=1) VLAD-AD\Administrator (Administrator) from VLAD-VS
Domain:VLAD-AD DNS suffix added:vlad-ad.local.
workstation IP:192.168.1.121
02/17/2010 18:13:41.158: finish processing.
02/17/2010 18:13:42.377: processing Logon (level=2) VLAD-AD\Administrator (Administrator) from VSBS2003
Domain:VLAD-AD DNS suffix added:vlad-ad.local.
workstation IP:192.168.1.240
02/17/2010 18:13:42.377: finish processing.
02/17/2010 18:13:42.377: processing Logon (level=2) VLAD-AD\Administrator (Administrator) from VSBS2003
Domain:VLAD-AD DNS suffix added:vlad-ad.local.
workstation IP:192.168.1.240
02/17/2010 18:13:42.377: finish processing.
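As an added example (not part of the original article or of the FSAE product), the following PowerShell script performs steps 1 to 3 and 6 through the registry and parses dcagentlog.txt into objects, so an administrator can list which user logons a given DC processed. The registry key and the 'enable_log' and 'log_file' value names are the ones given above; the function names, the $LogPath default and the use of $env:COMPUTERNAME as the DC name are assumptions. Run it in an elevated PowerShell on the Domain Controller.

```powershell
# Added example, not Fortinet code. Assumes the DCAgent key and value names from the article.
$Key     = 'HKLM:\SOFTWARE\Fortinet\FSAE\dcagent'
$LogPath = 'C:\dcagentlog.txt'   # default location and name per the article (assumed path)

function Enable-DCAgentLogging {
    param([string]$Path = $LogPath)
    if (-not (Test-Path $Key)) { throw "DCAgent registry key not found: $Key" }
    # Existing values keep their registry type; no reboot is required after the change.
    Set-ItemProperty -Path $Key -Name 'log_file'   -Value $Path
    Set-ItemProperty -Path $Key -Name 'enable_log' -Value 1
    Get-ItemProperty -Path $Key | Select-Object enable_log, log_file
}

function Disable-DCAgentLogging {
    Set-ItemProperty -Path $Key -Name 'enable_log' -Value 0
}

# Parse dcagentlog.txt: each 'processing Logon' line is followed by a 'Domain:' line,
# a 'workstation IP:' line and a 'finish processing.' line (format as in the sample above).
function Read-DCAgentLog {
    param([string]$Path = $LogPath)
    $current = $null
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^(?<ts>\S+ \S+): processing (?<type>\w+) \(level=(?<level>\d+)\) (?<domain>[^\\]+)\\(?<user>\S+) .* from (?<station>\S+)\s*$') {
            $current = [pscustomobject]@{
                Timestamp = [datetime]::ParseExact($Matches.ts, 'MM/dd/yyyy HH:mm:ss.fff', $null)
                DC        = $env:COMPUTERNAME        # assumption: the DC whose log file this is
                Type      = $Matches.type
                Level     = [int]$Matches.level
                Account   = "$($Matches.domain)\$($Matches.user)"
                Station   = $Matches.station
                IP        = $null
            }
        }
        elseif ($current -and $line -match '^workstation IP:\s*(?<ip>[\d.]+)') {
            $current.IP = $Matches.ip
        }
        elseif ($current -and $line -match 'finish processing') {
            $current          # emit the completed event
            $current = $null
        }
    }
}

# Usage: Enable-DCAgentLogging; then, after some logons on this DC:
# Read-DCAgentLog | Where-Object Account -eq 'VLAD-AD\Administrator' | Format-Table
```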