Windows NT 4 Administrator's Handbook: Option Pack Edition

Last Updated 2/3/2009 3:42:59 PM


Abstract


This chapter discusses the Windows NT Server troubleshooting tools that can help you gather information to diagnose and resolve problems.

Windows NT Server provides several troubleshooting tools that help you gather information to diagnose and resolve problems. The following sections introduce you to these tools.


USING WINDOWS NT DIAGNOSTICS

Windows NT Diagnostics helps you examine detailed configuration information stored in the registry. It’s better suited for viewing this information than the Registry Editor because it presents the information in a meaningful way and doesn’t give you the chance to change it. Although much of this information is available through other applications (in Control Panel, for example), Windows NT Diagnostics provides a convenient way to examine several aspects of the system in one package.

To start NT Diagnostics, click Start, Programs, Administrative Tools, Windows NT Diagnostics. You’re presented with nine tabs that give you access to the following data:
  • Version displays operating system version information.
  • System shows you the status of the computer’s bus, BIOS, and CPUs. It also indicates which HAL is being used.
  • Display provides detailed data on the video adapter and its driver.
  • Drives presents a list of local and network-connected drives. Double-click an icon to expand the list of drives and to see additional detail. You can display drives by letter or by drive type.
  • Memory provides information on memory usage, including the details shown by Task Manager on the Performance tab. It also gives you details about usage of each paging file on your computer.
  • Services lets you view the state of all installed services and drivers on the computer.
  • Resources contains detailed information on which drivers are using which IRQs, I/O port address ranges, DMA channels, and memory-mapped address ranges. This is one of the most valuable parts of the utility.
  • Environment lets you view the list of all system and user environment variables. This is the same information that you can find in Control Panel’s System application on the Environment tab.
  • Network provides details on current network settings and status, including several network performance counters. This is a handy way to see the general status of your network components at a glance.
Tip: Windows NT Diagnostics is the first place to look if you make hardware configuration changes and want to verify that you don’t have conflicts and that NT sees the configuration that you expect it to see. The registry contains the same information, but it’s very difficult to pull it all together in one place (the way that Windows NT Diagnostics has managed to do).

INTRODUCING EVENT VIEWER

Windows NT Server keeps a record of significant events in its event log; the Event Viewer utility enables you to examine and manage the NT event log. Start it by clicking Start, Programs, Administrative Tools, Event Viewer.

As with other NT administrative tools, you can use Event Viewer to reach into another computer’s event log. Just click Log, Select Computer, type or select the computer whose log you want to view, and click OK. This enables you to administer the logs of several computers from a central location. You can even clear logs remotely; clearing the Security Log is itself recorded as an audit event, so a cleared log is never entirely silent.

Event Viewer only displays the events that were logged before you started the utility. It doesn’t automatically update the display when new events are logged. To update the display manually at any time, click Refresh on the View menu.

Rolling off Three Logs


NT actually maintains three different event logs: the System Log, the Security Log, and the Application Log.

The System Log records events that are of significance to components of the system. For example, events are added to the System Log when a device driver fails to load, a mirror set completes synchronization, or a hardware device conflict is detected. To view the System Log, click System on the Log menu.

The Security Log houses security-auditing events based on the auditing settings that you specify in User Manager for Domains (Policies, Audit). NT 4 audits nothing by default, so until you enable an audit policy this log stays empty. Only administrators have access to the Security Log, because by default only the Administrators group holds the Manage Auditing and Security Log user right. To view it, click Security on the Log menu.

The Application Log keeps track of events logged by applications. For example, NT Backup adds events to the Application Log when it begins and ends various phases of the backup process. Performance Monitor puts events in the Application Log when an alert condition that you specified is triggered. If NT has to repair inconsistencies on disk during the boot process, the AUTOCHK program logs events to record what it fixed. To view the Application Log, click Application on the Log menu.

Controlling Event Logs


By default, each log has a maximum size of 512KB, and events older than seven days are overwritten. You can control the size and behavior of each event log by clicking Log Settings on the Log menu.

To change settings, click the log that you want to change in the Change Settings for list. Type the new maximum log size in the Maximum Log Size field and click the desired retention behavior under Event Log Wrapping. Then click OK.

Warning: If you select the Do Not Overwrite Events (Clear Log Manually) option, keep two things in mind. First, you’ll need to schedule a periodic visit to the Event Viewer to clear the log by hand (by clicking Log, Clear All Events). Second, when the event log fills up, no more events are logged until the log is cleared. You’ll get a pop-up message indicating that the log is full, but if you’re not there to see it, all new events are lost until the log is cleared. For the Security Log this means that auditing silently stops, so pair this setting with a larger maximum size and a routine of saving the log to disk before you clear it.
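The Log Settings dialog stores its choices as two values under the EventLog key in the registry, which is how you review or push these settings across many servers without opening Event Viewer on each one. The following script is an added example, not code from the book: it decodes a REGEDIT4 export of that key (the MaxSize and Retention DWORD values that NT 4 uses for the Maximum Log Size field and the Event Log Wrapping options), flags logs that can lose events without anyone noticing, and emits a fragment you can import with regedit /s. The sample export, the 4 MB threshold for the Security Log, and the check logic are the example’s own assumptions; NT 4 ships no Python, so run it on a workstation against a file exported with regedit.

```python
r"""Decode NT 4 event-log settings from a REGEDIT4 export and flag risky ones.
Added example, not from the book.

Assumed layout (the values behind the Event Viewer Log Settings dialog):
  HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<Log>
    MaxSize   REG_DWORD  log size in bytes (default 0x80000 = 512 KB)
    Retention REG_DWORD  0          = Overwrite Events as Needed
                         0xFFFFFFFF = Do Not Overwrite Events (Clear Log Manually)
                         N          = Overwrite Events Older than N seconds
"""
import re

EVENTLOG_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog"
NEVER_OVERWRITE = 0xFFFFFFFF

# Constructed REGEDIT4 export (the format NT 4's regedit.exe writes): the
# 512 KB / 7-day defaults from the text, a Security log set to overwrite as
# needed, and a 4 MB System log set to never overwrite.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application]
"MaxSize"=dword:00080000
"Retention"=dword:00093a80

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security]
"MaxSize"=dword:00080000
"Retention"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System]
"MaxSize"=dword:00400000
"Retention"=dword:ffffffff
"""


def parse_reg_export(text):
    """Return {log_name: {value_name: int}} for DWORD values under EventLog."""
    logs, current = {}, None
    prefix = EVENTLOG_KEY + "\\"
    for line in text.splitlines():
        key = re.match(r"^\[(.+)\]$", line.strip())
        if key:
            path = key.group(1)
            current = path[len(prefix):] if path.upper().startswith(prefix.upper()) else None
            if current is not None:
                logs.setdefault(current, {})
            continue
        val = re.match(r'^"(\w+)"=dword:([0-9a-fA-F]{8})$', line.strip())
        if val and current is not None:
            logs[current][val.group(1)] = int(val.group(2), 16)
    return logs


def describe_wrapping(retention):
    """Map the Retention DWORD onto the three Event Log Wrapping radio buttons."""
    if retention == 0:
        return "Overwrite Events as Needed"
    if retention == NEVER_OVERWRITE:
        return "Do Not Overwrite Events (Clear Log Manually)"
    return "Overwrite Events Older than %d Days" % (retention // 86400)


def audit_eventlog_settings(logs, min_security_kb=4096):
    """Flag settings under which events can be lost without an administrator noticing.

    min_security_kb is this example's own threshold, not an NT recommendation."""
    findings = []
    for name, values in sorted(logs.items()):
        size_kb = values.get("MaxSize", 0x80000) // 1024
        retention = values.get("Retention", 7 * 86400)
        if name == "Security" and size_kb < min_security_kb:
            findings.append("%s: MaxSize %d KB is below %d KB; audit history will be short"
                            % (name, size_kb, min_security_kb))
        if retention == 0:
            findings.append("%s: Overwrite as Needed; a burst of events silently discards older ones" % name)
        elif retention == NEVER_OVERWRITE:
            findings.append("%s: Do Not Overwrite; logging stops when the log fills unless it is cleared on a schedule" % name)
    return findings


def reg_fragment(log_name, max_size_kb, retention):
    """Emit a REGEDIT4 fragment for one log (import with: regedit /s file.reg)."""
    return "\n".join([
        "[%s\\%s]" % (EVENTLOG_KEY, log_name),
        '"MaxSize"=dword:%08x' % (max_size_kb * 1024),
        '"Retention"=dword:%08x' % retention,
    ])


if __name__ == "__main__":
    settings = parse_reg_export(SAMPLE_EXPORT)
    for log, v in sorted(settings.items()):
        print(log, v["MaxSize"] // 1024, "KB,", describe_wrapping(v["Retention"]))
    for finding in audit_eventlog_settings(settings):
        print("WARNING:", finding)
    print(reg_fragment("Security", 8192, 30 * 86400))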

Understanding Event Log Entries


The one-line event descriptions displayed by default provide basic information about each event. The icon at the far left gives you a clue about the severity of the situation. An i icon tells you that it’s simply informational, an exclamation point indicates a warning of potential problems downstream, and a stop sign signals that an error condition has caused something to break. In the Security Log, a key icon indicates the audit of a successful access, whereas a lock icon points to the audit of a failed access.

The log entry also includes a time stamp, the software component (source) that logged the event, an event ID that together with the source identifies the type of event, and the name of the computer where the event took place. Most NT components don’t supply a Category value. The User column is seldom filled in because most logged events aren’t associated with a specific user account. The exception is the Security Log, where the user account is recorded for every audited event and is exactly what you need when you investigate one.

Viewing Event Details


You can get more detailed information on any event by double-clicking it. Figure 13-1 shows an example of an Event Detail dialog box reporting detection of an IRQ conflict between a serial port and a network adapter. Click Previous or Next if you want to see details of adjacent events in the log. (By default, events are listed from newest to oldest, so by clicking Next, you move to the next older event.)

The additional detail on each event consists of a text message under Description and some associated raw binary data under Data. The text often refers to specific locations in the data block, as in the example in Figure 13-1. The byte at address 0x2C within the data block indicates that IRQ 3 is the offending interrupt.

Finding and Filtering Events


You can search for a specific event based on any of the fields displayed in the one-line event description. Just click Find on the View menu. In the resulting Find dialog box, enter your search criteria and click Find Next to begin the search.

In addition to finding specific events, you can narrow the list of events by applying a filter. This feature can be particularly useful when you need to study what happened during a particular portion of the afternoon when the network slowed down to a crawl. By using a filter to narrow your focus, you can pinpoint causes of server and network behavior without having to wade through reams of superfluous logged events. On the View menu, click Filter Events, specify your filter criteria, and click OK. When you want to go back to viewing all events, click View All Events.

Tip: You can use Event Viewer to look at an event log on a LAN Manager 2.x server as well as on an NT server. You can even filter it, as described in this section. However, since the information contained in a LAN Manager 2.x event log is different from that on NT, you can only filter the information based on the time stamp in the event log entry. View From and View Through are the only filters that you can use for these servers; the rest are ignored.

Saving and Viewing Event Log Files


It is destructive to clear events from a log. Once you clear them, you can’t retrieve them. Likewise, when new events overwrite old events, the old events are lost forever. So, you may want to save event logs to disk. Here’s how:
  1. Select the log that you want to save by clicking System, Security, or Application on the Log menu.
  2. If you simply want to save the current event log without deleting existing events, click Save As on the Log menu and go to Step 5.
  3. On the Log menu, click Clear All Events.
  4. Click Yes to confirm that you want to save the log before clearing it.
  5. In the Save as type list, select Event Log Files (which can be viewed later with Event Viewer), Text Files, or Comma-Delim. Text. Type or select the filename that you want to use and click Save.

Note: The raw binary data shown under Data in the Event Detail dialog box is dropped from text and comma-delimited files. Only the event log format keeps it.

Tip: If you want a printed copy of a log file for future reference, save it as comma-delimited text and then print that file. If you plan to view a log later with Event Viewer, save it in event log format. You can always save it again as text if you want to print it.

To view a saved event log file, click Open on the Log menu, specify the file and click Open. In the Open File Type dialog box, click the type of log that the file represents: System, Security, or Application. The saved file doesn’t record the type of the original log, and Event Viewer uses the type you choose to look up each source’s message text in the registry. If you select the wrong type, the detailed descriptions of the events come out wrong or missing.
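A log saved as comma-delimited text is also the form you can work with offline, so the Finding and Filtering Events section and the Saving and Viewing Event Log Files section are both served by one script. The following is an added example, not code from the book: it parses a Comma-Delim. Text export, applies the same criteria the Filter Events dialog offers (View From, View Through, Types, Source, Category, User, Computer, Event ID), and then runs two checks a reviewer would want first: whether the audit log was cleared and whether any account has repeated failed logons. The column layout (the on-screen columns in order, followed by the description) and the sample lines are assumptions constructed for the example; the event IDs 528, 529 and 517 are the NT 4 Security Log IDs for successful logon, bad user name or password, and audit log cleared.

```python
"""Filter a saved Comma-Delim. Text export from NT 4 Event Viewer the way the
Filter Events dialog does, then run two quick security checks over it.
Added example, not from the book.

Assumption: the export carries the columns Event Viewer shows on screen, in
order, followed by the Description text (Date,Time,Source,Type,Category,
Event,User,Computer,Description), with m/d/yyyy dates and 12-hour times."""
import csv
import io
from datetime import datetime

COLUMNS = ["Date", "Time", "Source", "Type", "Category", "Event",
           "User", "Computer", "Description"]

# Constructed sample in that layout, newest first as Event Viewer lists them.
# 528, 529 and 517 are the NT 4 Security log IDs for successful logon,
# bad user name or password, and audit log cleared.
SAMPLE_LOG = """\
1/24/1998,9:00:00 AM,Security,Success Audit,Logon/Logoff,528,jsmith,SERVER1,Successful Logon
1/23/1998,3:05:41 PM,Security,Success Audit,System Event,517,Administrator,SERVER1,The audit log was cleared
1/23/1998,2:40:12 PM,Security,Failure Audit,Logon/Logoff,529,guest,SERVER1,"Logon Failure: Unknown user name or bad password"
1/23/1998,2:40:09 PM,Security,Failure Audit,Logon/Logoff,529,administrator,SERVER1,"Logon Failure: Unknown user name or bad password"
1/23/1998,2:40:05 PM,Security,Failure Audit,Logon/Logoff,529,guest,SERVER1,"Logon Failure: Unknown user name or bad password"
1/23/1998,2:40:02 PM,Security,Failure Audit,Logon/Logoff,529,guest,SERVER1,"Logon Failure: Unknown user name or bad password"
1/23/1998,2:31:15 PM,Security,Success Audit,Logon/Logoff,528,Administrator,SERVER1,Successful Logon
"""


def parse_when(date_str, time_str):
    """Combine the Date and Time columns into one datetime."""
    return datetime.strptime(date_str + " " + time_str, "%m/%d/%Y %I:%M:%S %p")


def parse_saved_log(text):
    """Parse the export into a list of dicts, oldest event first."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < len(COLUMNS) - 1:
            continue  # blank or truncated line
        row = row + [""] * (len(COLUMNS) - len(row))
        rec = dict(zip(COLUMNS, row))
        rec["When"] = parse_when(rec["Date"], rec["Time"])
        rec["Event"] = int(rec["Event"])
        events.append(rec)
    return sorted(events, key=lambda e: e["When"])


def filter_events(events, view_from=None, view_through=None, types=None,
                  source=None, category=None, user=None, computer=None, event_id=None):
    """Apply the criteria the Filter Events dialog offers; every one is optional."""
    def keep(e):
        if view_from is not None and e["When"] < view_from:
            return False
        if view_through is not None and e["When"] > view_through:
            return False
        if types is not None and e["Type"] not in types:
            return False
        for field, want in (("Source", source), ("Category", category),
                            ("User", user), ("Computer", computer)):
            if want is not None and e[field].lower() != want.lower():
                return False
        if event_id is not None and e["Event"] != event_id:
            return False
        return True
    return [e for e in events if keep(e)]


def security_checks(events, failure_threshold=3):
    """Flag an audit-log clearing and any account with repeated failed logons.

    failure_threshold is this example's own choice, not an NT setting."""
    alerts = []
    for e in events:
        if e["Source"] == "Security" and e["Event"] == 517:
            alerts.append("%s audit log cleared by %s on %s" % (e["When"], e["User"], e["Computer"]))
    failures = {}
    for e in filter_events(events, types={"Failure Audit"}, category="Logon/Logoff"):
        name = e["User"].lower()
        failures[name] = failures.get(name, 0) + 1
    for name, count in sorted(failures.items()):
        if count >= failure_threshold:
            alerts.append("%d failed logons for %s" % (count, name))
    return alerts


if __name__ == "__main__":
    log = parse_saved_log(SAMPLE_LOG)
    # Same as View From / View Through plus the Failure Audit checkbox.
    for e in filter_events(log, view_from=parse_when("1/23/1998", "2:35:00 PM"),
                           view_through=parse_when("1/23/1998", "3:00:00 PM"),
                           types={"Failure Audit"}):
        print(e["When"], e["Event"], e["User"], e["Description"])
    for alert in security_checks(log):
        print("ALERT:", alert)
```

Because the description column is free text that may contain commas, the parser relies on the csv module’s quoting rules rather than splitting on commas by hand; if your export puts the columns in a different order, change COLUMNS and nothing else.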


