Are there alternatives to Sysinternals ADInsight?

I had been using ADInsight from Sysinternals to trace Active Directory calls from my workstation, but the application has failed.

Where previously the Active Directory events were traced and logged, now the window remains blank, whether the application is in capture mode or not. I have run as Administrator, rebooted, downloaded a new version; none of those actions has returned the program to a functional state.

The Sysinternals forums don't offer much hope, since this tool is known to fail often.

Is there a tool that has similar functionality?

Questions

Does the tool fail when run from another workstation with your account? Yes

Does it fail from your (and/or) another workstation using someone else's account? Yes

Is there anything in the event log of your workstation? No


There are known issues with ADInsight and it is no longer supported or developed. It has issues loading its DLL in certain environments, specifically on VMs (see http://forum.sysinternals.com/adinsight-doesnt-work-hangs_topic18891.html and http://forum.sysinternals.com/adinsight-operation_topic18963.html) (archive links)

The best solution I have found is to turn on Active Directory Diagnostic Logging as described at http://www.activedir.org/Articles/tabid/54/articleType/ArticleView/articleId/41/Default.aspx (archive link). Basically, you want to set the following registry values:

Path: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\15 Field Engineering
Type: DWORD
Value: 5

Path: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Expensive Search Results Threshold
Type: DWORD
Value: 1

These changes do not require a reboot but are set per server, so implementing for an entire forest/domain would best be done via Group Policy Preferences. Once set you will find the resulting logs in the Directory Service event log on the DC. They are not exactly parse-friendly but can be wrangled with some regex. The best part is it requires no external utilities/code.

I would be remiss if I didn't mention that this level of logging may incur a performance penalty on a production DC. In my test environment, with only two DCs doing next to nothing, I see ~10-20 events/minute from just this setting.
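As an added example (not part of the answer above, and not a Microsoft script): a PowerShell session that sets the two registry values described, then pulls the resulting Directory Service events and reduces them to a per-client, per-filter count, using a regex to wrangle the free-text message as the answer suggests. Assumptions: it runs elevated on the DC, the expensive-search entries are logged under event ID 1644, and each message contains "Client:" and "Filter:" lines.

```powershell
# Added example, not code from the original answer. Assumes an elevated
# session on the DC and that the expensive-search events carry ID 1644
# with "Client:" and "Filter:" lines in their message text.

# 1. The registry values from the answer (no reboot; per server)
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$parm = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
Set-ItemProperty -Path $diag -Name '15 Field Engineering' -Value 5 -Type DWord
Set-ItemProperty -Path $parm -Name 'Expensive Search Results Threshold' -Value 1 -Type DWord

# 2. Collect what the DC has logged since the setting was turned on
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 1644                         # assumed expensive-search event ID
    StartTime = (Get-Date).AddMinutes(-30)
} -ErrorAction SilentlyContinue

# 3. Pull the fields we care about out of the message with a regex
$parsed = foreach ($e in $events) {
    $m = $e.Message
    $client = if ($m -match '(?m)^Client:\s*(.+?)\s*$') { $Matches[1] } else { '?' }
    $filter = if ($m -match '(?m)^Filter:\s*(.+?)\s*$') { $Matches[1] } else { '?' }
    [pscustomobject]@{ Time = $e.TimeCreated; Client = $client; Filter = $filter }
}

# 4. Which clients are issuing the most searches, and with which filters
$parsed | Group-Object Client, Filter | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 | Format-Table -AutoSize

# 5. Return the DC to its default logging level once the investigation is done
Set-ItemProperty -Path $diag -Name '15 Field Engineering' -Value 0 -Type DWord
```

The regex step is deliberately tolerant (falling back to '?') because the message layout differs between Windows Server versions; adjust the field names to match what your DC actually writes.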


I know this is an old question, but I've just found out that starting from Windows Vista/2008, the Windows LDAP client supports ETW.

The reference for the tracing flags is here.