Windows NT Server 4.0 Notes


Module 19: Troubleshooting Resources

Troubleshooting Category

Boot
  Description: Computer will not correctly start the selected OS.
  Action: Boot from a Windows NT boot disk or use Emergency Repair.

Devices
  Description: Interrupt conflicts and SCSI problems report errors to the Event log.
  Action:
    - If an error is suspected, use Last Known Good before a user logs on.
    - Use WinMSD to check IRQ and device status.

Logon
  Description: Inability to log on to the system.
  Action:
    - Log on using a different account.
    - If no accounts work, use Emergency Repair to restore the accounts database.

Resource access
  Description: Inability to access resources.
  Action:
    - Log on using a different account or server.
    - Check the spelling of the server and share name.

File systems
  Description: FAT, NTFS problems.
  Action: Run CHKDSK or reformat.

Printing
  Description: Problems with a network printer.
  Action:
    - Try a different remote printer or user account.
    - Remove and recreate the printer.

Network
  Description: Cable, adapter, IRQ conflict, protocol or external network problems.
  Action: Use a network cable analyzer or network protocol analyzer, or run diagnostics on the adapter card.

Services
  Description: Services don't start.
  Action: Check the Event Viewer System log.
Event Viewer
  • Critical events are noted in on-screen messages as well as in the Event Log.
  • Non-critical events are merely logged.
  • Event logging starts each time Windows NT is started.
  • Types of events (icon, event type, description):

    Stop sign  Error          Significant problem (for example, a service is not loaded).
    !          Warning        Not necessarily significant, but indicates possible future problems (example: low disk space).
    i          Information    Infrequent but significant events; describes successful operations of drivers and services.
    Key        Success Audit  Audited security access attempts that are successful.
    Lock       Failure Audit  Audited security access attempts that fail.
Event Log Files

System and Application logs can be viewed by all users; the Security log by Administrators only. Select Computer on the Log menu in Event Viewer can be used to view log files from other Windows NT computers.

System LOG
  • (Systemroot\System32\Config\Sysevent.evt)
  • Contains events logged by Windows NT system components and device drivers (which events are logged is determined by Windows NT and the driver vendor)
Security LOG
  • (Systemroot\System32\Config\Secevent.evt)
  • Can contain valid and invalid logon attempts, as well as events related to resource use, such as creating, opening, or deleting files or other objects.
  • Auditing MUST be enabled for this log to work
  • Only an Administrator can view the log
Application LOG
  • (Systemroot\System32\Config\Appevent.evt)
  • Contains events logged by applications. Application vendors decide which events to monitor.
Enabling Security Logging
  • By default, security logging is turned off.
  • To enable security logging, open User Manager for Domains, and then on the Policies menu, click Audit. Click Audit These Events and choose which events to audit.
  • A registry setting can be used to cause the system to halt when the Security log is full:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail

    This entry directs the OS to shut down abnormally (a blue screen) when the Audit log is full. It assures that no audited activities occur while the system is unable to log them.

    Type is REG_DWORD; two values:

      Data value  Indicates
      1           Stop if the Audit log is full
      2           Set by the OS just before the system crashes because of a full Audit log
Interpreting an Event

Click Detail on the View menu of Event Viewer to see an event logged with greater detail. The Event Detail dialog box shows the following information:

  1. Date and time of the event
  2. Event identification
  3. Text description of the selected event

The usual extension of Event Viewer files is .evt

Filtering

    When Event Viewer starts, all recorded events in the selected log are displayed automatically. To view events with specific characteristics, click Filter Events on the View menu. Filtering affects only what is displayed.

    Property                Filters
    View From/View Through  Specified date and time, or a period of time
    Types                   Error, Warning, Information, Success Audit, Failure Audit
    Source                  Software that logged the event
    Classification          Defined by the source (Security -> logon)
    User                    Specific text that exactly matches the text in the User name field
    Computer                Exact name of the computer on which the logged event occurred
    Event ID                Number that identifies a specific event

Arranging

    Events are arranged from the most recent to the oldest. Use the View menu to change the order.

Searching

    On the View menu, click Find. It is possible to search on:

    - Type
    - Source
    - Category
    - Event ID
    - User
    - Computer

    Settings are in effect for the current session. To save the settings, on the Options menu, click Save Settings On Exit.

Archiving Log Files

  • Three file formats:
    • Log file format; enables viewing in Event Viewer
    • Text file format; enables viewing in a text-oriented application
    • Comma-delimited text file format; enables viewing in a spreadsheet or database
  • Hexadecimal detail is lost when files are saved in any format other than .evt
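As an added example (not part of the original notes), the Filtering properties above applied to a comma-delimited archive of the Security log, the kind of file the Archiving section describes. The sample lines, the column order, the host names and the failed-logon threshold are constructed assumptions for the example, not the documented NT 4.0 export layout.

```python
import csv
from datetime import datetime

# Constructed sample of a comma-delimited Event Viewer archive. The column order
# (date, time, source, type, category, event ID, user, computer) is an assumption
# for this example, not the documented NT 4.0 export layout.
SAMPLE_ARCHIVE = """\
3/10/1999,8:02:11 AM,Security,Success Audit,Logon/Logoff,528,grantw,NTSRV01
3/10/1999,8:05:40 AM,Security,Failure Audit,Logon/Logoff,529,guest,NTSRV01
3/10/1999,8:05:52 AM,Security,Failure Audit,Logon/Logoff,529,guest,NTSRV01
3/10/1999,8:06:03 AM,Security,Failure Audit,Logon/Logoff,529,guest,NTSRV01
3/10/1999,9:15:00 AM,Service Control Manager,Error,None,7000,N/A,NTSRV01
3/10/1999,9:20:30 AM,Security,Success Audit,Object Access,560,grantw,NTSRV02
"""
FIELDS = ["date", "time", "source", "type", "category", "event_id", "user", "computer"]

def parse_when(date, time):
    """Combine the archive's date and time columns into a datetime."""
    return datetime.strptime(date + " " + time, "%m/%d/%Y %I:%M:%S %p")

def parse_archive(text):
    """Parse archive lines into dicts; event_id becomes an int, 'when' a datetime."""
    rows = []
    for rec in csv.DictReader(text.splitlines(), fieldnames=FIELDS):
        rec["event_id"] = int(rec["event_id"])
        rec["when"] = parse_when(rec["date"], rec["time"])
        rows.append(rec)
    return rows

def filter_events(rows, view_from=None, view_through=None, **exact):
    """Mirror the Event Viewer filter: a View From/View Through window plus
    exact matches on type, source, category, user, computer or event_id."""
    out = []
    for r in rows:
        if view_from is not None and r["when"] < view_from:
            continue
        if view_through is not None and r["when"] > view_through:
            continue
        if all(r[key] == value for key, value in exact.items()):
            out.append(r)
    return out

def failed_logons_by_user(rows, threshold=3):
    """Count Failure Audit logon events per user and return the users at or
    over the threshold (the threshold value itself is an assumption)."""
    counts = {}
    for r in filter_events(rows, type="Failure Audit", category="Logon/Logoff"):
        counts[r["user"]] = counts.get(r["user"], 0) + 1
    return {user: n for user, n in counts.items() if n >= threshold}
```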
Windows NT Diagnostics

    This shows computer hardware and OS data stored in the Windows NT registry.

    WinMSD.exe is in systemroot\System32. It has the following tabs:

    Tab          Description
    Services     Lists services and devices in CurrentControlSet along with their status: running or stopped
    Resources    Displays system resources in use: IRQ, I/O port, DMA channels, memory allocation
    Environment  Displays environment variables
    Network      Lists network-related configuration information, including network statistics
    Version      Contains OS information with version numbers
    System       Displays BIOS, HAL, and CPU information
    Display      Contains information about the video adapter, driver and display settings
    Drivers      Lists all available drivers and their types (FDD, HDD, CD-ROM)
    Memory       Contains information about physical and virtual memory (paging file location, total and available memory)
  • Have a close look at what each of these tabs shows you.
Performance Monitor:
    1. Monitor real-time and historical system performance
    2. Identify trends over time
    3. Identify bottlenecks
    4. Monitor effects of system configuration changes
    5. Determine system capacity.

    List of standard object types that Performance Monitor tracks:

    Object        Function
    Cache         File system cache used to buffer physical device data
    LogicalDisk   Used to monitor a partition on a drive
    Memory        Used to monitor real and virtual memory of the system
    Objects       Certain system software objects
    Paging File   File used by the system to back up certain virtual memory allocations
    PhysicalDisk  Hardware disk unit (spindle or RAID)
    Process       Software object that represents a running program
    Processor     Hardware unit that executes program instructions
    Redirector    File system that diverts file requests to network servers
    Server        Used to monitor the server processes that communicate between local services and network services
    System        Used to monitor those counters that apply to all microprocessors
    Thread        Software object inside a process that uses the processor

Important Counters:

  • Processor: % Processor Time
    • shows processor activity (after application start, 0-80% is OK)
  • Processor: Interrupts/sec
    • measures the rate of service requests from I/O devices (a dramatic increase without a corresponding increase in system activity indicates a hardware problem)
  • System: Processor Queue Length
    • the number of threads in the processor queue is an indicator of system performance because each thread requires a certain number of processor cycles.
    • a consistent processor queue length greater than two may mean the processor is causing a problem.

Finding Memory Bottlenecks

    1. Virtual Memory System

    2. Virtual memory = Physical memory + file system cache + disk space

      • Paged RAM
        • memory area from which data and code can be written to and retrieved from the virtual memory paging file, and in which applications function as though they have a full range of memory addresses
      • Non-paged RAM
        • must remain in main memory and cannot be written to, or retrieved from, the virtual memory paging file.
    3. Hard Page Faults
      • occur when data that a program needs is not found in physical memory and must be retrieved from disk (more than 5 per second indicates a memory problem).

Counters for Memory

    Counter              Function
    Pages/sec            Number of requested pages that were not immediately available in RAM
    Available bytes      Amount of available physical memory
    Committed bytes      Amount of virtual memory that has been committed to either physical RAM storage or to pagefile space
    Pool Nonpaged bytes  Amount of RAM in the non-paged pool system memory, where space is acquired by OS components as required

    Counter              Acceptable average range     Desirable value  Action
    Pages/sec            0-20                         Low              Find the causing process and add RAM
    Available bytes      > 4 MB                       High             Find the process using RAM and add RAM
    Committed bytes      Less than physical RAM       Low              Find the process using RAM and add RAM
    Pool Nonpaged Bytes  Remains steady, no increase  N/A              Check for a memory leak in an application
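As an added example (not part of the original notes), the thresholds from the Important Counters list and the memory counter table above applied to a set of logged samples. The sample values, the 64 MB of physical RAM and the "doubled" rule used for the Interrupts/sec check are constructed assumptions; the notes give no number for what counts as a dramatic interrupt increase.

```python
# Constructed Performance Monitor samples, one value per update interval,
# for the counters the notes single out. Byte counters are in bytes.
SAMPLES = {
    "Processor: % Processor Time": [35, 42, 90, 38, 40],
    "Processor: Interrupts/sec": [110, 115, 120, 118, 112],
    "System: Processor Queue Length": [1, 3, 4, 3, 4],
    "Memory: Pages/sec": [4, 6, 9, 5, 7],
    "Memory: Available Bytes": [12 * 1024 * 1024] * 5,
    "Memory: Committed Bytes": [48 * 1024 * 1024] * 5,
    "Memory: Pool Nonpaged Bytes": [2_000_000, 2_100_000, 2_250_000, 2_400_000, 2_600_000],
}
PHYSICAL_RAM = 64 * 1024 * 1024   # constructed: a 64 MB NT 4.0 server
INTERRUPT_SPIKE_FACTOR = 2        # assumed: "dramatic increase" = doubled over the log

def average(values):
    return sum(values) / len(values)

def check_counters(samples, physical_ram):
    """Apply the thresholds from the notes to a set of logged samples and
    return {counter: recommended action} for every counter out of range."""
    findings = {}
    cpu = samples["Processor: % Processor Time"]
    ints = samples["Processor: Interrupts/sec"]
    if average(cpu) > 80:
        findings["Processor: % Processor Time"] = "sustained above 80%: processor bottleneck"
    # Interrupts climbing while processor activity does not suggests hardware trouble
    if ints[-1] >= INTERRUPT_SPIKE_FACTOR * ints[0] and cpu[-1] <= cpu[0]:
        findings["Processor: Interrupts/sec"] = "rising without matching activity: check hardware"
    if average(samples["System: Processor Queue Length"]) > 2:
        findings["System: Processor Queue Length"] = "queue consistently above 2: processor is the problem"
    if average(samples["Memory: Pages/sec"]) > 20:
        findings["Memory: Pages/sec"] = "find causing process and add RAM"
    if average(samples["Memory: Available Bytes"]) < 4 * 1024 * 1024:
        findings["Memory: Available Bytes"] = "find process using RAM and add RAM"
    if average(samples["Memory: Committed Bytes"]) >= physical_ram:
        findings["Memory: Committed Bytes"] = "find process using RAM and add RAM"
    pool = samples["Memory: Pool Nonpaged Bytes"]
    # A pool that grows on every sample and never settles is the leak signature
    if all(later > earlier for earlier, later in zip(pool, pool[1:])):
        findings["Memory: Pool Nonpaged Bytes"] = "steady increase: check for memory leak in application"
    return findings
```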

Performance Monitor Exercise

  • To create a log: View-->Log-->Edit-->Add To Log (to add any object, such as Processor; when you select an object for a log, all counters for that object are recorded in the log automatically)-->Options-->Log (when the Log dialog box appears, set up variables such as the log file name and update time)-->Start Log. To stop: Options-->Log-->Stop Log.
  • To view log data in a chart: View-->Chart-->File-->New Chart-->Options-->Data From (browse to the log file you created and open it)-->Edit-->Add To Chart (to add the counter you want to display). Data is displayed on the chart as well as in the status bar, which gives the concrete numbers: the last, average, minimum, and maximum values.
  • To view an isolated segment of log data in a chart. You may want to know the statistics for a different time frame; the default chart covers the whole log period. To view an isolated segment of log data:
    • Record the data for the whole period from the status bar window.
    • Click Edit-->Time Window; the Input Log File Timeframe dialog box appears. Slide the slider bar to adjust the portion of the chart shown in the PM window.
    • Record the data for that period.

    Create a report showing % Processor Time for the entire graph period: click View-->Report-->Edit-->Add To Report to select the object you want included in the report-->Done. You will see a report.

Network Monitor
  • For security reasons, the NT Network Monitor captures only those frames (including broadcast and multicast frames) that are sent to or from the local computer.
  • The Capture window in Network Monitor displays captured data.
    • Graph. The current activity as bar charts, showing the percentage of network utilization, frames per second, bytes per second, broadcasts per second, and multicasts per second.
    • Session Statistics. A summary of the conversations between two hosts, and which host is initiating broadcasts and multicasts.
    • Total Statistics. Statistics for the traffic detected on the network as a whole, statistics for the frames captured, per-second utilization statistics, and network adapter card statistics.
    • Station Statistics. A summary of the total number of frames initiated by a host, the number of frames and bytes sent and received, and the number of broadcast and multicast frames initiated.
  • Example.
    • To set a trigger: Capture-->Trigger-->Trigger On-->Buffer Space-->50%-->Trigger Action-->Stop Capture-->OK.
    • To capture network data and generate network traffic: Capture-->Start.
    • To view captured network data: Capture-->Stop-->Capture-->Display Captured Data.
Configuring the System Recovery Utility

    If there is a severe error, it is possible to configure the system response using the Recovery options on the Startup/Shutdown tab of the System program in the Control Panel.

    Options:

    • Write an event to the system log
    • Send an administrative alert to the clients specified in the Alerts dialog box.
    • Write a debug file containing a dump of system memory to a specified file name.
    • Restart the system automatically. Allows the server to return to operation after a system crash.

    Recovery Operation

  • The Write Debugging Information To option is important for troubleshooting. If a Stop error occurs while this option is selected, a program called Savedump.exe writes the entire contents of memory to the pagefile.
  • For this reason the pagefile must
    • reside on the partition that contains the systemroot folder.
    • be at least as large as the amount of physical memory installed in the system
  • Savedump marks the part of the pagefile that contains the memory dump. When the system restarts, Windows NT automatically copies this part of the pagefile to the file name specified in this text box (default = Memory.dmp).
  • To preserve these files, copy them to a new file name after the computer is restarted (otherwise the next dump overwrites the same file name).
    • A support engineer can then use the Dumpexam.exe program in the Support\Debug\platform folder on the Microsoft NT Server CD to debug the system.


E-mail Me! Comments and suggestions? E-mail me at grantwil@sk.sympatico.ca
Last Updated: Wednesday, March 10, 1999 Grant Wilson, Tisdale, SK. Canada