NT Server 4.0 Notes Intro Installing Environment System Policies File Systems Partitions Fault Tolerance Applications Networking Protocols Services RAS Internet NetWare Clients Replication Boot Process Troubleshooting

Module 19: Troubleshooting Resources

Category	Description	Action
Boot	Computer will not correctly start selected OS.	Boot from Windows NT boot disk or use Emergency Repair.
Devices	Interrupt conflicts and SCSI problems report errors to Event log.	- Error suspected, use Last Known Good before user logs on. - Use WinMSD to check IRQ and device status.
Logon	Inability to log on to system.	- Log on using different account. - if no accounts work, use Emergency Repair to restore accounts database.
Resource access	Inability to access resources.	- Log on using different account or server. - Check spelling server and share name
File systems	FAT, NTFS problems	Run CHKDSK or reformat
Printing	Problems with network printer.	- Try different remote printer or user account. - Remove and recreate printer.
Network	Cable, adapter, IRQ conflict, protocol or external network problems.	Use network cable analyzer, network protocol analyzer, or run diagnostics on adapter card.
Services	Services don’t start.	Check Event Viewer System log.

• Critical events are noted in on-screen messages as well as in Event Log
• Non-critical events are merely logged
• Event logging starts each time Windows NT is started
• Type of events

Icon	Event type	Description
Stop sign	Error	Significant problem (service is not loaded).
!	Warning	Not necessarily significant but indicate possible future problems. ( example: low disk space)
i	Information	Infrequent but significant events; describe successful operations of drivers and services.
Key	Success Audit	Audited security access attempts that are successful.
lock	Failure Audit	Audited security access attempts that fail.

System and Application logs can be viewed by all users, Security by Administrators only. Select Computer on Log menu in Event Viewer can be used to view log files from other Windows NT computers.

Log file	Description
System LOG	(Systemroot\System32\Config\Sysevent.evt) Contains events logged by Windows NT system components, device drivers (determined by Windows NT and driver vendor)
Security LOG	(Systemroot\System32\Config\Secevent.evt) Can contain valid and invalid logon attempts, as well as events related to resource use, such as creating, opening, or deleting files or other objects. Auditing MUST be enabled for this log to work Only the Administrator can view the log
Application LOG	(Systemroot\System32\Config\Appevent.evt) Contains events logged by applications. Application vendors decide which events to monitor.

• By default, security logging is turned off.
• To enable security logging, open User Manager for Domains, and then on Policies menu, click Audit. Click Audit These Events and determine which events to audit.
• A registry setting can be used to cause the system to halt when the Security log is full. Do this by:

HKEY_LOCAL_MACHINE\CurrentControlSet\Control\Lsa\CrashOnAuditFail:

This entry directs OS to shut down abnormally, and then a blue screen when Audit log is full. Assures that no audited activities occur while system is unable to log them.

Type is REG_DWORD; two values:

• Interpreting an Event

Click Detail in View menu of Event Viewer, events are logged with greater detail. Event Detail dialog box shows following information;

1. Date and time of event
2. Event identification
3. Text description of selected event

The usual extension of the Event Viewer files is .evt

Filtering

When Event Viewer starts, all recorded events in selected log are displayed automatically. To view events with specific characterization, click Filter Events on View menu. Affects only what is displayed.
 

Property	Filters
View From/View Through	Specified date and time or during period of time
Types	Error, Warning, Information, Success Audit, Failure Audit
Source	Software that logged event
Classification	Defined by source (Security logon)
User	Specific text that exactly matches text in User name field
Computer	Exact name for computer on which logged event occurred
Event ID	Number to identify specific event

Arranging

Events are arranged from most recent to the oldest. Use View menu to change it.

Searching

View menu click Find. Possible to search on:

-Type             -Source

-Category      -Event ID

-User             -Computer

Settings are in effect in current session. To save the settings, on Options menu, click Save Setting On Exit.

Archiving Log Files

• Three file formats:

• Log file format; enables viewing in Event Viewer
• Text file format; enables viewing in text oriented application
• Comma-delimited text file format; enables viewing in spreadsheet and database

• Hexadecimal detail is lost when files are saved in any format other than .evt

This shows computer hardware and OS data stored in Windows NT registry.

WinMSD.exe is in systemroot\System32. Following tabs

Tab	Description
Services	Lists services and devices in CurrentControlSet along with status: running or stopped
Resources	Displays system resources in use: IRQ, I/O port, DMA channels, memory allocation
Environment	Displays environment variables
Network	Lists network-related configuration information including network statistics
Version	Contains OS information with version numbers
System	Displays BIOS, HAL, and CPU information
Display	Contains information about video adapter, driver and display settings
Drivers	Lists all available drivers and their types (FDD,HDD, CD-ROM)
Memory	Contains information about physical and virtual memory (paging file location, total and available memory)

• have a close look at what each of these tabs show you

1. Monitor real-time and historical system performance
2. Identify trends over time
3. Identify bottlenecks
4. Monitor effects of system configuration changes
5. Determine system capacity.

List of standard object types that Performance Monitor tracks:
 

Object	Function
Cache	File system cache used to buffer physical device data
LogicalDisk	Used to monitor a partition on a drive
Memory	Used to monitor real and virtual memory of the system
Objects	Certain system software objects
Paging File	File used by system to back up certain virtual memory allocations
PhysicalDisk	Hardware disk unit (spindle or RAID)
Process	Software object that represents a running program
Processor	Hardware unit that executes program instructions
Redirector	File system that diverts file requests to network servers
Server	Used to monitor the server processes that are used to communicate between local services and network services
System	Used to monitor those counters that apply to all microprocessors
Thread	Software objects inside a process that uses the processor

Important Counters:

• Processor: %Processor Time
• shows processor activity (after application start 0-80% OK)
• Processor: Interrupts/Sec
• measure rate of service requests from I/O devices (dramatic increase without corresponding increase in system activity, shows a hardware problem)
• System: Processor Queue Length
• number of threads by Processor Queue Length is indicator of system performance because each thread requires a certain number of processor cycles.
• a consistent perocessor queue lenght greater than tow may mean the processor is causing a problem.

Finding Memory Bottlenecks

1. Virtual Memory System


Virtual memory = Physical memory + file system cache + disk space

• Paged RAM
• memory area from which data and code can be written to and retrieved from virtual memory and in which applications function as though they have a full range of memory addresses
• Non-paged RAM
• must remain in main memory and can not be written to, or retrieved from the virtual memory paging file.
2. Hard Page Faults
• occur when data that a program needs is not found in the physical memory, and must be retrieved from disk (>5 per second memory problem).

Counters for Memory

Counter	Function
Pages/sec	Number of requested pages that were not immediately available in RAM
Available bytes	Amount of available physical memory
Committed bytes	Amount of virtual memory that has been committed to either physical RAM storage, or to pagefile space
Pool Nonpaged bytes	Amount of RAM in non-paged pool system memory, where space is acquired by OS components as required

Performance Monitor Exercise

• To create a log. View-->log-->Edit-->Add To Log (to add any object such as processor. When you select an object for a log, all counters for that object will be recorded in the log automatically)-->Options-->Log (when log dialog box appears, set up variables, such as log file name, update time)-->Start Log-->(to stop)-->Options-->Log-->Stop Log.
• To view log data in a chart. View-->Chart-->File-->New Chart-->Options-->Data From (Browse the log file you created and open it)-->Edit-->Add To Chart (to add the counter you want to display). Data will be displayed on the chart as well as the status bar which give the concrete number. The last, average, minimum, and maximum values are displayed.
• To View isolated segment of log data in a Chart. You may want to know the statistics of different time frame. The default chart shows the chart of the whole log period. To view isolated segment of log data:
• Record the data of the whole period from the status bar window.
• Click Edit-->Time Windows, the Input Log File Timeframe dialog box appears. Slide the slide bar to adjust the portion of the chart shown in the PM windows.
• Record the data of that period.

Create a report showing the % Processor Time for the entire graph period. Click View-->Report-->Edit-->Add To Report to select the object you want to be included in the report-->Done. You will see a report.

• For security reasons, NT Network Monitor captures only those frames, including broadcast frames and multicast frames that are sent to or from the local computer.
• The Capture windows in Network Monitor displays captured data.
• Graph. The current activity as bar charts, showing the following: the percentage of network utilization, frames per second, bytes per second, broadcasts per second, and multicasts per second.
• Session Statistics. A summary of the conversations between two hosts, and which host is initiating broadcasts and multicasts.
• Total Statistics. Statistics for the traffic detected on the network as a whole, statistics for the frames captured, per second utilization statistics, and network adapter card statistics.
• Station Statistics. A summary of the total number of frames initiated by a host, the number of frames and bytes sent and received, and the number of broadcast and multicast frames initiated.

• Example.
• To set a trigger. Capture-->Trigger-->Trigger On-->Buffer Space-->50%-->Trigger Action-->Stop Capture-->OK.
• To capture network data and generate network traffic. Capture-->Start
• To view captured network data. Capture-->Stop-->Capture-->Display Captured Data.

If there is a severe error, it is possible to configure the system response using Recovery options on the Startup/Shutdown of the System program in the Control Panel.

Options:

• Write an event to system log
• Send administrative alert to clients specified in Alerts dialog box.
• Write debug file containing a dump of system memory to a specified file name.
• Restart system automatically. Allows server to return to operation after a system crash.

Recovery Operation

• Write Debugging Information To option is important for troubleshooting. If Stop error occurs while option is selected, a program called Savedump.exe writes entire contents of memory to pagefile.
• For this reason Pagefile must
• reside on partition that contains systemroot folder.
• be at least as large as the amount of physical memory installed in the system

• Savedump marks the part of the pagefile that contains the memory dump. When system restarts, Windows NT automatically copies this part of pagefile to the  filename specified in this text box. (default = Memory.dmp).

• To preserve log files, they should be copied to a new file name after the computer is restarted.
• A support engineer can then use the Dumpexam.exe program in Support\Debug\platform folder on Microsoft NT Server CD to debug the system.

Top of page

Comments and suggestions? E-mail me at grantwilson21@yahoo.com I'm sorry, but I can't answer specific network-related, or exam-related questions.
Last Updated: August 6, 2001	Grant Wilson, Edmonton, AB Canada