Abstract
This chapter presents a wide range of tips, tricks, and troubleshooting techniques that will help you get the most out of your Windows NT network.
Have you ever tried to perform magic tricks such as pulling an endless string of scarves from your sleeve or extracting a quarter out of your niece's ear? You know that what looks like magic to some is really just a secret technique that's typically quite simple. If you know the trick and give it lots of practice, you can make amazing, seemingly magical things happen.
So it is with NT network administration. If you know what nooks and crannies to visit, and you know the mechanics of what to do when you get there, you can perform amazing feats. In this chapter, you'll pick up a wide range of tips, tricks, and troubleshooting techniques that will help you get the most out of your NT Server network and occasionally raise you to heroic status in the eyes of your users. I'll introduce you to the available troubleshooting tools and provide specific guidance on how to tweak your servers to match your specific environment. By the end of this chapter, you'll have a bag of tricks at your side that will serve you well in your network administration adventures.
Caution: Many of the techniques presented in this chapter involve editing the NT registry. Before proceeding with any registry changes, be sure to read Chapter 11, which strongly emphasizes the risks involved. Editing the registry can be hazardous to the health of your NT computer!
WINDOWS NT TROUBLESHOOTING TOOLS
Windows NT Server provides several troubleshooting tools that help you gather information to diagnose and resolve problems. In the following sections, I introduce you to these tools.
Using Windows NT Diagnostics
NT includes a handy tool called Windows NT Diagnostics, with which you can examine detailed configuration information stored in the registry. It's better suited for viewing this information than the Registry Editor since it presents the information in a meaningful way and doesn't give you the chance to change it. Although much of this information is available through other applications (in Control Panel, for example), Windows NT Diagnostics provides a convenient way to examine several aspects of the system in one package.
To start NT Diagnostics, click Start > Programs > Administrative Tools > Windows NT Diagnostics. You're presented with nine tabs, which give you access to the following data:
Version displays operating system version information.
System shows you the status of the computer's bus, BIOS, and CPUs. It also indicates which HAL is being used.
Display provides detailed data on the video adapter and its driver.
Drives presents a list of local and network-connected drives. Double-click an icon to expand the list of drives and to see additional detail. You can display drives by letter or by drive type.
Memory provides information on memory usage, including the details shown by Task Manager on the Performance tab. It also gives you details about usage of each paging file on your computer.
Services lets you view the state of all installed services and drivers on the computer. This is essentially the same information that you see in the Devices and Services applications in Control Panel, discussed in Chapter 8.
Resources contains detailed information on which drivers are using which IRQs, I/O port address ranges, DMA channels, and memory mapped address ranges. This is probably the most valuable part of the utility. See Figures 12-1, 12-2, and 12-3 for three of the five available resource views.
Environment lets you view the list of all system and user environment variables. This is the same information that you can find in Control Panel's System application on the Environment tab.
Network provides details on current network settings and status, including several network performance counters. This is a handy way to see the general status of your network components at a glance.
Tip: Windows NT Diagnostics is the first place to look if you've made hardware configuration changes and you want to verify that you don't have conflicts and that NT sees the configuration that you expect it to see. The registry contains the same information, but it's very difficult to pull it all together in one place, the way that Windows NT Diagnostics has managed to do.
Note: Windows NT Diagnostics has no Help file, so you'll have to use your judgment in interpreting the displayed network statistics. It's not always clear how they map to the counters available in Performance Monitor, described in Chapter 10.
Introducing Event Viewer
Windows NT Server keeps a record of significant events in its event log. You saw a glimpse of this in Chapter 9, where I discussed auditing security events and viewing the results. You use the Event Viewer utility to examine and manage the NT event log. Start it by clicking Start > Programs > Administrative Tools > Event Viewer.
As with other NT administrative tools, you can use Event Viewer to reach into another computer's event log. Just click Log > Select Computer, type or select the computer whose log you want to view, and click OK. This enables you to administer the logs of several computers from a central location. You can even clear logs remotely.
Event Viewer only displays the events that were logged before you started the utility. It doesn't automatically update the display when new events are logged. To update the display manually at any time, click Refresh on the View menu.
Rolling off Three Logs
NT actually maintains three different event log flavors: the System Log, the Security Log, and the Application Log. The System Log records events that are of significance to components of the system itself. For example, events are added to the System Log when a device driver fails to load, a mirror set completes synchronization, or a hardware device conflict is detected. To view the System Log, click System on the Log menu. Figure 12-4 shows an example of a System Log.
The Security Log houses security auditing events based on the auditing settings that you specify in User Manager for Domains, as discussed in Chapter 9. Only administrators have access to the Security Log. To view it, click Security on the Log menu.
Cross-Reference: Figure 9-61 in Chapter 9 provides an example of a Security Log.
The Application Log keeps track of events logged by applications. For example, NT Backup (discussed in Chapter 9) adds events to the Application Log when it begins and ends various phases of the backup process. Performance Monitor (covered in Chapter 9) puts events in the Application Log when an alert condition that you specified is triggered. If NT has to repair inconsistencies on disk during the boot process, the AUTOCHK program logs events to record what it fixed. To view the Application Log, click Application on the Log menu. Figure 12-5 shows an example of an Application Log from a computer that's mainly used to run backups.
Controlling Event Logs
By default, each log has a maximum size of 512KB, and events older than seven days are overwritten. You can control the size and behavior of each event log by clicking Log Settings on the Log menu. Figure 12-6 shows the resulting Event Log Settings dialog box.
To change settings, click the log that you want to change in the Change Settings for list. Type the new maximum log size in the Maximum Log Size field and click the desired retention behavior under Event Log Wrapping. Then click OK.
Caution: If you select the Do Not Overwrite Events (Clear Log Manually) option, keep two things in mind. First, you'll need to schedule a periodic visit to the Event Viewer to clear the log by hand (by clicking Log > Clear All Events). Second, when the event log fills up, no more events are logged until the log is cleared. You'll get a pop-up message indicating that the log is full, but if you're not there to see it, all new events will be lost until the log is cleared. (It seems as if NT should log an event indicating that the event log is full, but that becomes sort of a Catch-22. In some cases, though, NT actually does log an event that the log is full. Go figure.)
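An added example, not from the book: a small Python model of the three Event Log Wrapping choices, counting how many events a full log overwrites or loses under each one. The policy names, the 200-byte record size, and the 500-events-per-day workload are constructed, and the model assumes the days-based option also refuses new events when nothing in the log is old enough to overwrite.

```python
from collections import deque

DEFAULT_MAX_BYTES = 512 * 1024   # default maximum log size given in the chapter
DEFAULT_RETENTION_DAYS = 7       # default age before events may be overwritten


def constructed_workload(days=10, per_day=500, record_bytes=200):
    """Constructed sample input: (day, size) pairs in chronological order."""
    return [(day, record_bytes) for day in range(days) for _ in range(per_day)]


def simulate(events, policy, max_bytes=DEFAULT_MAX_BYTES,
             retention_days=DEFAULT_RETENTION_DAYS):
    """Model one event log under a wrapping policy.

    policy (hypothetical names for the three dialog options):
      "as_needed"  - overwrite the oldest event whenever space is needed
      "older_than" - overwrite only events older than retention_days
      "never"      - do not overwrite; the log must be cleared manually
    Returns (kept, overwritten, dropped) event counts.
    """
    log, used = deque(), 0
    overwritten = dropped = 0
    for day, size in events:
        # Try to free space by discarding the oldest records the policy allows.
        while used + size > max_bytes and log:
            oldest_day, oldest_size = log[0]
            may_overwrite = policy == "as_needed" or (
                policy == "older_than" and day - oldest_day > retention_days)
            if not may_overwrite:
                break
            log.popleft()
            used -= oldest_size
            overwritten += 1
        if used + size > max_bytes:
            dropped += 1          # log is full: this event is never recorded
            continue
        log.append((day, size))
        used += size
    return len(log), overwritten, dropped


if __name__ == "__main__":
    for policy in ("as_needed", "older_than", "never"):
        kept, overwritten, lost = simulate(constructed_workload(), policy)
        print(f"{policy:11} kept={kept} overwritten={overwritten} dropped={lost}")
```

In this model, a log that fills faster than the retention period loses new events under both the days-based and the manual-clear settings, which matters most for the Security Log, where a dropped event is a gap in the audit trail.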
Understanding Event Log Entries
The one-line event descriptions displayed by default provide basic information about each event. The icon at the far left gives you a clue about the severity of the situation. An "i" tells you that it's simply informational, an exclamation point indicates a warning of potential problems downstream, and a stop sign signals an error condition that has caused something to break. In the Security Log, a key icon indicates the auditing of a successful access, whereas a lock icon points to an audit of a failed access.
The log entry also includes a time stamp, the software component that logged the event, an identification number unique to each type of event, and the name of the computer where the event took place. I've skipped the Category column, since most NT software components these days don't specify one. I've also skipped the User column, since most logged events aren't associated with a specific user account. The exception to this is the Security Log, where user accounts are logged and are indeed important.
Viewing Event Details
You can get more detailed information on any event by double-clicking it. Figure 12-7 shows an example of an Event Detail dialog box reporting detection of an IRQ conflict between a serial port and a network adapter. Click Previous or Next if you want to see details of adjacent events in the log. (By default, events are listed from newest to oldest, so clicking Next has the nonintuitive behavior of moving to the next oldest event.)
The additional detail on each event consists of a text message under Description and some associated raw binary data under Data. The text often refers to specific locations in the data block, as in the example in Figure 12-7. The byte at address 0x2C within the data block indicates that IRQ 3 is the offending interrupt.
Finding and Filtering Events
You can search for a specific event based on any of the fields displayed in the one-line event description. Just click Find on the View menu. Figure 12-8 shows the resulting Find dialog box. Enter your search criteria and click Find Next to begin the search.
In addition to finding specific events, you can narrow the list of events by applying a filter. This feature can be particularly useful when you need to study what happened during a particular portion of the afternoon when the network slowed down to a crawl. Being able to narrow your focus using a filter can help you pinpoint causes of server and network behavior, without having to wade through reams of superfluous logged events. On the View menu, click Filter Events, specify your filter criteria, and click OK. When you want to go back to viewing all events, click View > All Events. Figure 12-9 illustrates this.
Note: You can use Event Viewer to look at an event log on a LAN Manager 2.x server as well as on an NT server. You can even filter it, as described in this section. However, since the information contained in a LAN Manager 2.x event log is different from that on NT, you can only filter the information based on the time stamp in the event log entry. View From and View Through are the only filters that you can use for these servers; the rest are ignored.