Module 19: Troubleshooting Resources
Category | Description | Action
Boot | Computer will not correctly start selected OS. | Boot from Windows NT boot disk or use Emergency Repair.
Devices | Interrupt conflicts and SCSI problems report errors to Event log. | - If error suspected, use Last Known Good before user logs on. - Use WinMSD to check IRQ and device status.
Logon | Inability to log on to system. | - Log on using different account. - If no accounts work, use Emergency Repair to restore accounts database.
Resource access | Inability to access resources. | - Log on using different account or server. - Check spelling of server and share name.
File systems | FAT, NTFS problems | Run CHKDSK or reformat.
Printing | Problems with network printer. | - Try different remote printer or user account. - Remove and recreate printer.
Network | Cable, adapter, IRQ conflict, protocol or external network problems. | Use network cable analyzer, network protocol analyzer, or run diagnostics on adapter card.
Services | Services don't start. | Check Event Viewer System log.
- Critical events are noted in on-screen messages as well as in Event Log
- Non-critical events are merely logged
- Event logging starts each time Windows NT is started
- Types of events:

Icon | Event type | Description
Stop sign | Error | Significant problem (for example, a service is not loaded).
! | Warning | Not necessarily significant, but indicates possible future problems (example: low disk space).
i | Information | Infrequent but significant events; describe successful operations of drivers and services.
Key | Success Audit | Audited security access attempts that are successful.
Lock | Failure Audit | Audited security access attempts that fail.
System and Application logs can be viewed by all users; the Security log by Administrators only. Select Computer on the Log menu in Event Viewer can be used to view log files from other Windows NT computers.
Log file | Description
System LOG (Systemroot\System32\Config\Sysevent.evt) | Contains events logged by Windows NT system components and device drivers (which events are logged is determined by Windows NT and the driver vendor).
Security LOG (Systemroot\System32\Config\Secevent.evt) | Can contain valid and invalid logon attempts, as well as events related to resource use, such as creating, opening, or deleting files or other objects. Auditing MUST be enabled for this log to work. Only the Administrator can view the log.
Application LOG (Systemroot\System32\Config\Appevent.evt) | Contains events logged by applications. Application vendors decide which events to monitor.
Enabling Security Logging
- By default, security logging is turned off.
- To enable security logging, open User Manager for Domains, and then on the Policies menu, click Audit. Click Audit These Events and determine which events to audit.
- A registry setting can be used to cause the system to halt when the Security log is full. The entry is:
HKEY_LOCAL_MACHINE\CurrentControlSet\Control\Lsa\CrashOnAuditFail
This entry directs the OS to shut down abnormally (blue screen) when the Audit log is full. It assures that no audited activities occur while the system is unable to log them.
Type is REG_DWORD; two values:

Data value | Indicates
1 | Stop if Audit log is full
2 | Set by OS just before system crashes because of a full Audit log
Click Detail on the View menu of Event Viewer; events are logged with greater detail. The Event Detail dialog box shows the following information:
- Date and time of event
- Event identification
- Text description of selected event
The usual extension of the Event Viewer files is .evt
Filtering
When Event Viewer starts, all recorded events in the selected log are displayed automatically. To view events with specific characteristics, click Filter Events on the View menu. Filtering affects only what is displayed.

Property | Filters
View From / View Through | Specified date and time, or during a period of time
Types | Error, Warning, Information, Success Audit, Failure Audit
Source | Software that logged the event
Classification | Defined by source (for example, Security -> Logon)
User | Specific text that exactly matches text in the User name field
Computer | Exact name of the computer on which the logged event occurred
Event ID | Number to identify a specific event
Arranging
Searching
On the View menu, click Find. Possible to search on:
- Type
- Source
- Category
- Event ID
- User
- Computer
Settings are in effect in the current session. To save the settings, on the Options menu, click Save Settings On Exit.
Archiving Log Files
- Log file format; enables viewing in Event Viewer
- Text file format; enables viewing in text-oriented application
- Comma-delimited text file format; enables viewing in spreadsheet and database
- Hexadecimal detail is lost when files are saved in any format other than .evt
- Have a close look at what each of these tabs show you
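An added example (mine, not part of these notes and not Event Viewer code) showing what the Filter Events properties and the comma-delimited archive format look like when applied in code: it parses a constructed comma-delimited export, applies the same filter properties (type, source, category, event ID, exact User and Computer match, View From/View Through), totals events by type, and, as one defender's use of the Security log's invalid-logon records, flags bursts of Failure Audit events. The column order is an assumption about the export format; the hosts, users, event IDs and rows are constructed sample data.

```python
"""Added example: filter a comma-delimited Event Viewer export the way the
Filter Events dialog does. The column order below is an ASSUMPTION about the
export format; the rows, hosts and event IDs are constructed sample data."""
import csv
import io
from collections import Counter
from datetime import datetime

# Assumed column order of the comma-delimited archive:
# Date, Time, Source, Type, Category, Event ID, User, Computer, Description
FIELDS = ["date", "time", "source", "type", "category",
          "event_id", "user", "computer", "description"]

# Constructed sample export (not real captured data).
SAMPLE_EXPORT = """\
3/14/97,9:02:11 AM,Security,Failure Audit,Logon/Logoff,529,SYSTEM,NTSRV1,Logon Failure: Unknown user name or bad password
3/14/97,9:02:15 AM,Security,Failure Audit,Logon/Logoff,529,SYSTEM,NTSRV1,Logon Failure: Unknown user name or bad password
3/14/97,9:02:19 AM,Security,Failure Audit,Logon/Logoff,529,SYSTEM,NTSRV1,Logon Failure: Unknown user name or bad password
3/14/97,9:03:40 AM,Security,Success Audit,Logon/Logoff,528,jdoe,NTSRV1,Successful Logon
3/14/97,9:10:02 AM,Srv,Warning,None,2013,N/A,NTSRV1,The C: disk is at or near capacity
3/15/97,7:30:00 AM,EventLog,Information,None,6005,N/A,NTSRV1,The Event log service was started.
3/15/97,7:31:12 AM,Service Control Manager,Error,None,7000,N/A,NTSRV1,The Messenger service failed to start
"""


def parse_export(text):
    """Parse the export into dicts with a datetime; hexadecimal detail is
    not present in a comma-delimited archive, only in .evt files."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != len(FIELDS):
            continue  # blank or truncated line
        row = dict(zip(FIELDS, rec))
        row["when"] = datetime.strptime(row["date"] + " " + row["time"],
                                        "%m/%d/%y %I:%M:%S %p")
        row["event_id"] = int(row["event_id"])
        rows.append(row)
    return rows


def filter_events(rows, types=None, source=None, category=None, event_id=None,
                  user=None, computer=None, view_from=None, view_through=None):
    """Mirror the Filter Events properties; None means 'not restricted'.
    User and Computer are exact matches, as in Event Viewer."""
    out = []
    for r in rows:
        if types is not None and r["type"] not in types:
            continue
        if source is not None and r["source"] != source:
            continue
        if category is not None and r["category"] != category:
            continue
        if event_id is not None and r["event_id"] != event_id:
            continue
        if user is not None and r["user"] != user:
            continue
        if computer is not None and r["computer"] != computer:
            continue
        if view_from is not None and r["when"] < view_from:
            continue
        if view_through is not None and r["when"] > view_through:
            continue
        out.append(r)
    return out


def count_by_type(rows):
    """Per-type totals (Error, Warning, Information, Success/Failure Audit)."""
    return dict(Counter(r["type"] for r in rows))


def failed_logon_bursts(rows, threshold=3, window_seconds=60):
    """Return (computer, user) pairs with at least `threshold` Failure Audit
    events inside any `window_seconds` span: one defender's use of the
    Security log's invalid-logon records. The thresholds are arbitrary."""
    times_by_key = {}
    for r in sorted(rows, key=lambda r: r["when"]):
        if r["type"] == "Failure Audit":
            times_by_key.setdefault((r["computer"], r["user"]), []).append(r["when"])
    hits = []
    for key, times in times_by_key.items():
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits.append(key)
                break
    return sorted(hits)


if __name__ == "__main__":
    events = parse_export(SAMPLE_EXPORT)
    print(count_by_type(events))
    for e in filter_events(events, types={"Error", "Warning"}):
        print(e["when"], e["source"], e["event_id"], e["description"])
    print("bursts:", failed_logon_bursts(events))
```

Because the comma-delimited archive drops the hexadecimal detail, keep the .evt copy as well when an event may need a support engineer's attention; the CSV is for filtering and counting.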
Important Counters:
- Processor: % Processor Time
  - shows processor activity (after application start, 0-80% OK)
- Processor: Interrupts/sec
  - measures rate of service requests from I/O devices (a dramatic increase without a corresponding increase in system activity shows a hardware problem)
- System: Processor Queue Length
  - the number of threads in the processor queue is an indicator of system performance because each thread requires a certain number of processor cycles
  - a consistent processor queue length greater than two may mean the processor is causing a problem
Finding Memory Bottlenecks
- Virtual Memory System
  - Virtual memory = Physical memory + file system cache + disk space
- Paged RAM
  - memory area from which data and code can be written to and retrieved from virtual memory, and in which applications function as though they have a full range of memory addresses
- Non-paged RAM
  - must remain in main memory and cannot be written to, or retrieved from, the virtual memory paging file
- Hard Page Faults
  - occur when data that a program needs is not found in physical memory and must be retrieved from disk (more than 5 per second indicates a memory problem)
Counters for Memory

Counter | Function
Pages/sec | Number of requested pages that were not immediately available in RAM
Available bytes | Amount of available physical memory
Committed bytes | Amount of virtual memory that has been committed to either physical RAM storage or to pagefile space
Pool Nonpaged bytes | Amount of RAM in non-paged pool system memory, where space is acquired by OS components as required

Counter | Acceptable average range | Desirable value | Action
Pages/sec | 0-20 | Low | Find causing process and add RAM
Available bytes | > 4 MB | High | Find process using RAM and add RAM
Committed bytes | Less than physical RAM | Low | Find process using RAM and add RAM
Pool Nonpaged Bytes | Remain steady, no increase | N/A | Check for memory leak in application
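An added example (mine, not a Microsoft tool) that applies the thresholds from the two tables above and from Important Counters to constructed Performance Monitor samples and returns the action the notes prescribe for each counter that is out of range. The sample values and the 64 MB machine are constructed; "consistently" for queue length, "steady" for nonpaged pool and "dramatic increase" for interrupts are my operational readings of the notes and are marked as assumptions in the comments.

```python
"""Added example: evaluate Performance Monitor samples against the counter
thresholds in the notes. Not a Microsoft tool; the sample values are
constructed and the trend rules are assumptions noted inline."""
from statistics import mean

MB = 1024 * 1024

# Constructed samples, one dict per Performance Monitor update interval.
# Keys stand for Processor: % Processor Time, Processor: Interrupts/sec,
# System: Processor Queue Length, Memory: Pages/sec, Available Bytes,
# Committed Bytes and Pool Nonpaged Bytes.
HEALTHY = [
    {"proc_time": 30, "interrupts": 250, "queue": 1, "pages": 4,
     "avail": 20 * MB, "committed": 38 * MB, "nonpaged": 2_100_000},
    {"proc_time": 45, "interrupts": 310, "queue": 2, "pages": 9,
     "avail": 18 * MB, "committed": 40 * MB, "nonpaged": 2_100_000},
    {"proc_time": 60, "interrupts": 380, "queue": 3, "pages": 12,
     "avail": 16 * MB, "committed": 42 * MB, "nonpaged": 2_080_000},
    {"proc_time": 50, "interrupts": 330, "queue": 1, "pages": 6,
     "avail": 19 * MB, "committed": 39 * MB, "nonpaged": 2_100_000},
]
DEGRADED = [
    {"proc_time": 40, "interrupts": 300, "queue": 3, "pages": 15,
     "avail": 6 * MB, "committed": 60 * MB, "nonpaged": 2_000_000},
    {"proc_time": 42, "interrupts": 320, "queue": 4, "pages": 25,
     "avail": 4 * MB, "committed": 63 * MB, "nonpaged": 2_400_000},
    {"proc_time": 41, "interrupts": 900, "queue": 5, "pages": 30,
     "avail": 3 * MB, "committed": 66 * MB, "nonpaged": 2_900_000},
    {"proc_time": 43, "interrupts": 1100, "queue": 4, "pages": 28,
     "avail": 3 * MB, "committed": 68 * MB, "nonpaged": 3_500_000},
]


def assess(samples, physical_ram):
    """Return (counter, action) findings in the order the notes list them."""
    findings = []

    def col(key):
        return [s[key] for s in samples]

    half = len(samples) // 2

    # Processor: % Processor Time -- 0-80% is OK after application start.
    if mean(col("proc_time")) > 80:
        findings.append(("% Processor Time", "processor busy; find the process"))

    # Interrupts/sec: dramatic increase without corresponding system activity.
    # Assumption: 'dramatic' = second half averages more than 2x the first
    # half while % Processor Time moves less than 10 points.
    ints, busy = col("interrupts"), col("proc_time")
    if (mean(ints[half:]) > 2 * mean(ints[:half])
            and mean(busy[half:]) - mean(busy[:half]) < 10):
        findings.append(("Interrupts/sec", "suspect hardware problem"))

    # Processor Queue Length: consistently > 2 (assumption: in every sample).
    if all(q > 2 for q in col("queue")):
        findings.append(("Processor Queue Length", "processor may be the bottleneck"))

    # Pages/sec: acceptable average range 0-20.
    if mean(col("pages")) > 20:
        findings.append(("Pages/sec", "find causing process and add RAM"))

    # Available bytes: acceptable when > 4 MB.
    if mean(col("avail")) <= 4 * MB:
        findings.append(("Available bytes", "find process using RAM and add RAM"))

    # Committed bytes: should stay below physical RAM.
    if mean(col("committed")) >= physical_ram:
        findings.append(("Committed bytes", "find process using RAM and add RAM"))

    # Pool Nonpaged bytes: should remain steady. Assumption: a leak is a
    # never-decreasing series that ends more than 10% above where it began.
    np_ = col("nonpaged")
    if all(b >= a for a, b in zip(np_, np_[1:])) and np_[-1] > 1.10 * np_[0]:
        findings.append(("Pool Nonpaged bytes", "check for memory leak in application"))

    return findings


if __name__ == "__main__":
    for name, data in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print(name, assess(data, physical_ram=64 * MB))  # assumed 64 MB machine
```

Averaging over the whole log, as the "acceptable average range" column does, hides short spikes; the queue-length and nonpaged-pool rules look at every sample instead because the notes describe those as sustained conditions.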
Performance Monitor Exercise
- To create a log: View-->Log-->Edit-->Add To Log (to add any object such as Processor; when you select an object for a log, all counters for that object are recorded in the log automatically)-->Options-->Log (when the Log dialog box appears, set up variables such as log file name and update time)-->Start Log. To stop: Options-->Log-->Stop Log.
- To view log data in a chart: View-->Chart-->File-->New Chart-->Options-->Data From (browse to the log file you created and open it)-->Edit-->Add To Chart (to add the counter you want to display). Data is displayed on the chart as well as on the status bar, which gives the concrete numbers. The last, average, minimum, and maximum values are displayed.
- To view an isolated segment of log data in a chart: you may want to know the statistics of a different time frame. The default chart shows the whole log period. To view an isolated segment of log data:
  - Record the data of the whole period from the status bar window.
  - Click Edit-->Time Window; the Input Log File Timeframe dialog box appears. Slide the slide bar to adjust the portion of the chart shown in the PM window.
  - Record the data of that period.
- Create a report showing the % Processor Time for the entire graph period: click View-->Report-->Edit-->Add To Report to select the object you want included in the report-->Done. You will see a report.
- For security reasons, NT Network Monitor captures only those frames, including broadcast and multicast frames, that are sent to or from the local computer.
- The Capture window in Network Monitor displays captured data:
  - Graph. The current activity as bar charts, showing the percentage of network utilization, frames per second, bytes per second, broadcasts per second, and multicasts per second.
  - Session Statistics. A summary of the conversations between two hosts, and which host is initiating broadcasts and multicasts.
  - Total Statistics. Statistics for the traffic detected on the network as a whole, statistics for the frames captured, per-second utilization statistics, and network adapter card statistics.
  - Station Statistics. A summary of the total number of frames initiated by a host, the number of frames and bytes sent and received, and the number of broadcast and multicast frames initiated.
- Example:
  - To set a trigger: Capture-->Trigger-->Trigger On-->Buffer Space-->50%-->Trigger Action-->Stop Capture-->OK.
  - To capture network data and generate network traffic: Capture-->Start.
  - To view captured network data: Capture-->Stop-->Capture-->Display Captured Data.
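An added example (mine, not Network Monitor code) that makes the capture rule and the Capture window statistics concrete: it applies the local-computer rule (only frames to or from the local adapter, plus broadcast and multicast) to a constructed list of frames, stops the capture when the Buffer Space trigger from the exercise fires, and then computes the Total, Station and Session statistics described above. The MAC addresses, the 10 Mbps link speed and the 4 KB capture buffer are assumptions.

```python
"""Added example, not Network Monitor code: apply the local-computer capture
rule and the Buffer Space trigger to a constructed frame list, then compute
the Total, Station and Session statistics the Capture window shows. MAC
addresses, link speed and buffer size are assumptions."""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
MCAST = "01:00:5e:00:00:01"               # a multicast group address (assumed)
LOCAL = "00:aa:00:00:00:01"               # assumed local adapter address
PEER = "00:aa:00:00:00:02"
OTHER = "00:aa:00:00:00:03"
OTHER2 = "00:aa:00:00:00:04"

# Constructed frames on the wire: (seconds, source MAC, destination MAC, bytes)
WIRE = [
    (0.0, LOCAL, PEER, 100),
    (0.5, PEER, LOCAL, 1500),
    (1.0, OTHER, PEER, 60),       # not to/from LOCAL: never captured
    (1.5, LOCAL, BROADCAST, 64),
    (2.0, OTHER, BROADCAST, 64),  # broadcast: captured although remote
    (2.5, OTHER, MCAST, 200),     # multicast: captured although remote
    (3.0, PEER, LOCAL, 800),
    (3.5, LOCAL, PEER, 120),
    (4.0, OTHER, OTHER2, 1000),   # not to/from LOCAL: never captured
]


def is_broadcast(mac):
    return mac == BROADCAST


def is_multicast(mac):
    """Group bit (low-order bit of the first octet) set, excluding broadcast."""
    return mac != BROADCAST and int(mac.split(":")[0], 16) & 1 == 1


def capture(frames, local=LOCAL, buffer_bytes=None, trigger_pct=None):
    """Keep frames sent to or from the local computer plus broadcast and
    multicast frames; with Trigger On: Buffer Space / Trigger Action: Stop
    Capture configured, stop once that share of the buffer is used."""
    kept, used = [], 0
    for frame in frames:
        _, src, dst, length = frame
        if not (src == local or dst == local or is_broadcast(dst) or is_multicast(dst)):
            continue
        kept.append(frame)
        used += length
        if buffer_bytes and trigger_pct and used >= buffer_bytes * trigger_pct / 100:
            break
    return kept


def total_statistics(frames, bandwidth_bps=10_000_000):
    """Totals and per-second rates over the capture period (assumed 10 Mbps)."""
    duration = max(frames[-1][0] - frames[0][0], 1e-9) if frames else 1e-9
    nbytes = sum(f[3] for f in frames)
    return {
        "frames": len(frames),
        "bytes": nbytes,
        "frames_per_sec": len(frames) / duration,
        "bytes_per_sec": nbytes / duration,
        "broadcasts_per_sec": sum(is_broadcast(f[2]) for f in frames) / duration,
        "multicasts_per_sec": sum(is_multicast(f[2]) for f in frames) / duration,
        "utilization_pct": 100.0 * nbytes * 8 / (duration * bandwidth_bps),
    }


def station_statistics(frames):
    """Per host: frames/bytes sent and received, broadcasts/multicasts initiated."""
    st = defaultdict(lambda: {"frames_sent": 0, "bytes_sent": 0, "frames_received": 0,
                              "bytes_received": 0, "broadcasts": 0, "multicasts": 0})
    for _, src, dst, length in frames:
        st[src]["frames_sent"] += 1
        st[src]["bytes_sent"] += length
        if is_broadcast(dst):
            st[src]["broadcasts"] += 1
        elif is_multicast(dst):
            st[src]["multicasts"] += 1
        else:
            st[dst]["frames_received"] += 1
            st[dst]["bytes_received"] += length
    return dict(st)


def session_statistics(frames):
    """Per host pair (unicast only): frame counts in each direction."""
    sessions = defaultdict(lambda: {"forward": 0, "reverse": 0})
    for _, src, dst, _ in frames:
        if is_broadcast(dst) or is_multicast(dst):
            continue
        key = tuple(sorted((src, dst)))
        sessions[key]["forward" if src == key[0] else "reverse"] += 1
    return dict(sessions)


if __name__ == "__main__":
    cap = capture(WIRE, buffer_bytes=4096, trigger_pct=50)   # assumed 4 KB buffer
    print(total_statistics(cap))
    print(station_statistics(cap))
    print(session_statistics(cap))
```

The two frames between OTHER, PEER and OTHER2 never enter the capture, which is the point of the local-computer rule: a station running Network Monitor sees its own conversations and the broadcast/multicast background, not other hosts' unicast traffic.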
Configuring the System Recovery Utility
If there is a severe error, it is possible to configure the system response using the Recovery options on the Startup/Shutdown tab of the System program in the Control Panel.
Options:
- Write an event to system log
- Send administrative alert to clients specified in Alerts dialog box
- Write debug file containing a dump of system memory to a specified file name
- Restart system automatically. Allows server to return to operation after a system crash.
Recovery Operation
- The Write Debugging Information To option is important for troubleshooting. If a Stop error occurs while the option is selected, a program called Savedump.exe writes the entire contents of memory to the pagefile.
- For this reason the pagefile must
  - reside on the partition that contains the systemroot folder
  - be at least as large as the amount of physical memory installed in the system
- Savedump marks the part of the pagefile that contains the memory dump. When the system restarts, Windows NT automatically copies this part of the pagefile to the filename specified in this text box (default = Memory.dmp).
- To preserve log files, they should be copied to a new file name after the computer is restarted.
- A support engineer can then use the Dumpexam.exe program in the Support\Debug\platform folder on the Microsoft NT Server CD to debug the system.