I’ve had some authentication problems of late on one of my Windows 2000/2003 networks, so I decided to enable Net Logon debugging to help trace the source of the problem. KB 109626 details how to enable debug logging for Windows NT 3.51+, but if you’re running Windows 2000 or higher just exit to a command prompt and run the following command:
nltest /dbflag:2080FFFF
This will log Net Logon events to %windir%\debug\netlogon.log.
Next, use Brad Rutkowski’s method of parsing the netlogon.log file for critical events using the tail.exe utility from the Windows 2003 Resource Kit.
tail.exe -f \\server\admin$\Debug\Netlogon.log |findstr /i Critical >critical.log
This will parse the netlogon.log file for all instances of “critical” and dump it to the critical.log file.
Here’s an example of actual errors shown in my log:
09/18 12:51:50 [CRITICAL] DOM: NlGetIncomingPassword: Can’t NlSamOpenNamedUser for ELEMLAB03$ 0xc0000064.
9/18 12:51:50 [CRITICAL] DOM: NetrServerAuthenticate: Can’t NlGetIncomingPassword for ELEMLAB03$ 0xc0000064.
Finally I used err.exe to look up the 0xc0000064 errors shown above:
C:\Program Files\Windows Resource Kits\Tools\Err>err 0xc0000064 # for hex 0xc0000064 / decimal -1073741724 : STATUS_NO_SUCH_USER ntstatus.h # The specified user does not exist. # 1 matches found for "0xc0000064"
Err.exe reports that the cause of the 0xc0000064 error is the user does not exist. Actually, a better description may be “object does not exist” since ELEMLAB03 is a computer, not user. I fired up Active Directory Users and Computers and searched for ELEMLAB03, and the object does not exist, which probably explains the reason users are experiencing authentication issues when trying to access the domain from that particular machine!
Once you’re finished debugging, run the following command to disable debug logging:
nltest /dbflag:0x0