As an IT administrator, one of the most frequent tasks you handle is unlocking user accounts and investigating failed logon attempts. When a user account gets locked out, you typically check Event ID 4740 in Event Viewer. While this event confirms the lockout, it does not always provide enough detail to identify the real source of repeated bad password attempts.

This is where Netlogon logging becomes essential.


What Is Netlogon?

Netlogon is a Local Security Authority (LSA) service that runs in the background on domain controllers and domain-joined systems. It is responsible for authenticating users to the domain and for maintaining the secure channel between clients and domain controllers in an Active Directory environment.

When authentication issues occur, enabling Netlogon logging helps you gather detailed troubleshooting information directly from the Netlogon log file.

How to enable Netlogon logging using the Command Prompt

To enable Netlogon logging, follow these steps:

  1. Open the Command Prompt as an Administrator.
  2. Run the following command:
     nltest /dbflag:0x2080ffff
  3. Restart the Netlogon service (optional but recommended):
     net stop netlogon
     net start netlogon

Enable Netlogon logging using Registry Editor (alternative method)

This method is useful if you prefer configuring settings through the registry or need to enable logging via Group Policy preferences or scripts.

Steps:

  1. Press Win + R, type regedit, and press Enter.
  2. Navigate to:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  3. Locate (or create) a DWORD (32-bit) Value named:
     DBFlag
  4. Set its value to:
     0x2080FFFF
     (You can enter this in hexadecimal format.)
  5. Restart the Netlogon service via the Command Prompt.

Increase the Netlogon log file size

By default, the Netlogon log file size is limited to 20 MB. When this maximum size is reached, the existing Netlogon.log file is automatically renamed to Netlogon.bak, and a new Netlogon.log file is created to continue recording events.

Important consideration

The disk space allocated for Netlogon logs should be double the configured log file size.

This is because:

  • One file stores the active log (Netlogon.log).
  • One file stores the backup log (Netlogon.bak).

Where to find the Netlogon log file

After enabling logging, you can find the log file on domain controllers and domain-joined machines at the default Netlogon log path:

C:\Windows\debug\netlogon.log

The log file records:

  • Authentication requests
  • Secure channel activity
  • Bad password attempts
  • Domain controller communication
  • Trust relationship issues

By reviewing the entries, you can identify the exact machine or IP address that is sending incorrect credentials and causing account lockouts.

The challenge, however, is that the Netlogon log is a continuous debug file filled with verbose system entries, hexadecimal status codes, timestamps, and repetitive authentication traces.


In large environments, it can grow rapidly and become difficult to interpret. Manually scanning through the file to isolate a single bad password source can be time consuming and, at times, confusing.
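To make that verbose file usable, here is an added Python example (not part of the original page and not ADAudit Plus code) that parses the SamLogon "Returns" lines, decodes their status codes using the FAQ table further down this page, and counts incorrect-password entries per user and source machine so the lockout source stands out. The sample lines are constructed, and the regular expression assumes the commonly documented "SamLogon: ... logon of DOMAIN\user from CLIENT (via DC) Returns 0x..." layout; adjust it if your log differs.

```python
import re
from collections import Counter

# Status codes as listed in this page's FAQ table (descriptions shortened).
STATUS = {
    "0x0": "Successful login", "0xC000006A": "Incorrect password",
    "0xC000006D": "Bad username", "0xC0000064": "User does not exist",
    "0xC0000072": "Disabled account", "0xC0000193": "Account expired",
    "0xC000006F": "Time restrictions", "0xC000006E": "Account restrictions",
    "0xC0000071": "Password expired", "0xC000006C": "Password policy violated",
    "0xC0000224": "Must change password", "0xC0000234": "Account locked out",
}

# SamLogon "Returns" lines; the "(via DC)" part is absent on non-transitive logons.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] \[\d+\] \S+: SamLogon: (?P<kind>.+?) logon of "
    r"(?P<user>\S+) from (?P<src>\S+?)(?: \(via (?P<dc>\S+)\))? Returns (?P<code>0x[0-9A-Fa-f]+)$"
)

def parse_line(line):
    # Returns a dict for a "Returns" line, None for "Entered" lines and other noise.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["code"] = rec["code"].upper().replace("0X", "0x")  # the log mixes hex case
    rec["desc"] = STATUS.get(rec["code"], "Unknown status")
    return rec

def bad_password_sources(lines, user=None):
    # Count 0xC000006A entries per (user, source); the top entry is the lockout source.
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["code"] != "0xC000006A":
            continue
        if user is None or rec["user"].lower() == user.lower():
            counts[(rec["user"], rec["src"])] += 1
    return counts.most_common()

# Constructed sample lines (not a real capture) in the documented SamLogon layout.
SAMPLE_LOG = r"""
05/14 09:01:12 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS-OLD01 (via DC01) Entered
05/14 09:01:12 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS-OLD01 (via DC01) Returns 0xC000006A
05/14 09:01:15 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS-OLD01 (via DC01) Returns 0xC000006A
05/14 09:01:40 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from LAPTOP-07 Returns 0x0
05/14 09:02:03 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS-OLD01 (via DC01) Returns 0xC0000234
05/14 09:05:00 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\asmith from PRINT-SRV Returns 0xc000006a
"""
```

On a real system, read C:\Windows\debug\netlogon.log (and netlogon.bak) into `lines` and pass the locked-out account as `user` to narrow the output to that account's sources.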

Active Directory auditing just got easier!

With ManageEngine ADAudit Plus, you can instantly identify the root cause of account lockouts using the built-in Account Lockout Analyzer.

ADAudit Plus comes bundled with over 300 predefined reports that simplify Active Directory auditing and provide complete visibility into user activity, logon failures, privilege changes, and security events. Real-time alerts notify you immediately when critical events occur, helping you respond faster and strengthen your overall security posture.

Find locked-out users instantly with ManageEngine ADAudit Plus

  1. Download and install ADAudit Plus.
  2. Find the steps to configure auditing on your domain controller here.
  3. Navigate to Active Directory > User Management > Account Lockout Analyzer.

Instead of scanning Event ID 4740 entries or reviewing verbose Netlogon logs, the Lockout Analyzer provides a centralized, easy-to-read view of:

  • The exact source workstation triggering the lockout.
  • The domain controller that processed the request.
  • The caller computer name.
  • Timestamps and frequency of failed attempts.

A one-stop solution for all your IT auditing, compliance, and security needs

ADAudit Plus provides capabilities like change auditing, logon monitoring, file tracking, compliance reporting, attack surface analysis, response automation, and backup and recovery for diverse IT systems.

  • Active Directory
  • Microsoft Entra ID
  • Windows file server
  • NAS file servers
  • Windows Server
  • Workstation
  • And more

FAQ

Here are some frequently seen logon status codes to help you understand authentication activity in the Netlogon log file:

Log code     Description
0x0          Successful login
0xC000006D   Unsuccessful attempt to log in due to bad username
0xC0000072   Disabled user account
0xC000006F   Unsuccessful login attempt due to time restrictions
0xC0000071   An account's password has expired
0xC000006A   Incorrect password entered
0xC000006C   Password policy has not been followed
0xC0000224   Password must be changed before the first login attempt
0xC000006E   Login has failed due to user account restrictions
0xC0000193   User account has expired
0xC0000234   User account has been automatically locked
0xC0000064   User does not exist

Can Netlogon be disabled?

No. Netlogon should not be disabled on domain controllers or domain-joined machines. It is a critical service required for user authentication, secure channel communication, and domain operations. Disabling it can prevent users from logging in and disrupt Active Directory functionality.

What should I do if the Netlogon service fails to start?

  • Check the event logs

    Scan the System log for event IDs 7000/7001/7003, and review %SystemRoot%\debug\Netlogon.log.

  • Verify dependencies

    In Services.msc, set the Netlogon startup type to Automatic, and make sure the LanmanWorkstation, Server, and Browser services are started.

  • Fix registry/files

    Under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon, set Start to 2 (Automatic), then run sfc /scannow.


With ADAudit Plus, you can:

  • Track logon failures by users
  • Monitor day-based logon errors
  • Detect attacks like Kerberoasting
  • Monitor employee attendance
  • And much more