
Exploring Windows Server 2008 - p 44 pptx


Avoid using too many counters. Some counters are costly in terms of taxing a server for system resources and can increase system overhead. Monitoring several activities at one time also becomes difficult.

Use logs instead of displaying graphs. The logs can then be imported into a database or report. Logs can be saved on hard disks not being monitored or analyzed.

Important Objects to Monitor

The numbers of system and application components, services, and threads to measure in Windows 2008 are so extensive that it is impossible to monitor thousands of processor, print queue, network, or storage usage statistics. Defining the roles a server plays in a network environment helps to narrow down what needs to be measured. Servers could be defined and categorized based on the function of the server, such as application server, file and print server, or services server such as DNS, domain controller, and so on.

Because servers perform different roles, and hence have different functions, it makes sense to monitor the essential performance objects. This helps prevent the server from being overwhelmed from the monitoring of unnecessary objects for measurement or analysis. Overall, four major areas demand the most concern: memory, processor, disk subsystem, and network subsystem. They all tie into any role the server plays.

The following list describes objects to monitor based on the roles played by the server:

Domain controller—Because the DC provides authentication, stores the Active Directory database, holds schema objects, and so on, it receives many requests. To be able to process all these requests, it uses up a lot of CPU resources, disks, memory, and network bandwidth. Consider monitoring memory, CPU, system, network segment, network interface, and protocol objects such as TCP, UDP, NBT, NetBIOS, and NetBEUI. Also worth monitoring are the Active Directory NTDS service and site server LDAP service objects. DNS and WINS also have applicable objects to be measured.

File and print server—The print servers that process intensive graphics jobs can utilize extensive resources of system CPU cycles very quickly. The file server takes up a lot of storage space. Monitor the PrintQueue object to track print spooling data. Also monitor CPU, memory, network segment, and logical and physical disks for both file and print data collection.

Message collaboration server—A messaging server such as an Exchange Server 2007 uses a lot of CPU, disk, and memory resources. Monitor memory collection, cache, processor, system, and logical and physical disks. Exchange objects are added to the list of objects after Exchange is installed, such as message queue length or name-resolution response time.

Web server—A web server is usually much less disk intensive and more dependent on processing performance or memory space to cache web pages and page requests. Consider monitoring the cache, network interface, processor, and memory usage.

Database server—Database servers such as Microsoft SQL Server 2008 can use a lot of CPU and disk resources. Database servers such as Microsoft SQL Server use an extensive amount of memory to cache tables and data, so RAM usage and query response times should be monitored. Monitoring objects such as system, processor, logical disk, and physical disk is helpful for overall system performance operations.

Using the Debugging Tools Available in Windows Server 2008

Several useful tools are available in Windows 2008 for troubleshooting and diagnosing various problems ranging from TCP/IP connection issues to verification and maintenance issues. These tools also make it much easier for IT professionals and administrators, allowing IT personnel to focus on business improvement tasks and functions, not on simply running specific tools in the networking environment.

TCP/IP Tools

TCP/IP forms the backbone of communication and transportation in Windows 2008. Before you can communicate between machines, TCP/IP must be configured.

In Windows 2008, TCP/IP is installed by default during the OS installation and is impossible to add or remove through the GUI.

If a TCP/IP connection fails, you need to determine the cause or point of failure. Windows 2008 includes some dependable and useful tools to troubleshoot connections and verify connectivity. The tools described in the following eight sections are useful for debugging TCP/IP connectivity problems. Most of these tools have been updated to include switches for IPv4 and IPv6.

Ping

Ping stands for Packet Internet Groper. It is used to send an Internet Control Message Protocol (ICMP) echo request and echo reply to verify the availability of a local or remote machine. You can think of ping as a utility that sends a message to another machine asking “Are you still there?” By default in Windows 2008, ping sends out four ICMP packages and waits for responses back in one second. However, the number of packages sent or time to wait for responses can be changed through the options available for ping.

Besides verifying the availability of a remote machine, ping can help determine a name-resolution problem.

To use ping, go to a command prompt and enter Ping Targetname. Different parameters can be used with ping. To display them, enter Ping /? or Ping (without parameters).

The parameters for the Ping command are as follows:

-4—Specifies that IPv4 is used to ping. This parameter is not required to identify the target host with an IPv4 address. It is required only to identify the target host by name.

-6—Specifies that IPv6 is used to ping. Just like -4, this parameter is not required to identify the target host with an IPv6 address. It is required only to identify the target host by name.

-a—Resolves the IP address to the hostname. The hostname of the target machine is displayed if this command is successful.

-f—Requests that echo back messages are sent with the Don’t Fragment flag in packets. This parameter is available only in IPv4.

-i ttl—Increases the timeout on slow connections. The parameter also sets the value of the Time To Live (TTL). The maximum value is 255.

-j HostList—Routes packets using the host list, which is a series of IP addresses separated by spaces. The host can be separated by intermediate gateways (loose source route).

-k HostList—Similar to -j but hosts cannot be separated by intermediate gateways (strict source route).

-l size—Specifies the length of packets in bytes. The default is 32. The maximum size is 65,527.

-n count—Specifies the number of packets sent. The default is 4.

-r count—Specifies the route of outgoing and incoming packets. It is possible to specify a count that is equal to or greater than the number of hops between the source and destination. The count can be between 1 and 9 only.

-R—Specifies that the round-trip path is traced (available on IPv6 only).

-S count—Sets the time stamp for the number of hops specified by count. The count must be between 1 and 4.

-S SrcAddr—Specifies the source address to use (available on IPv6 only).

-t—Specifies that Ping should continue sending packets to the destination until interrupted. To stop and display statistics, press Ctrl+Break. To stop and quit ping, press Ctrl+C.

-v TOS—Specifies the value of the type of service in the packet sent. The default is 0. TOS is specified as a decimal value between 0 and 255.

-w timeout—Specifies the time in milliseconds for packet timeout. If a reply is not received within the timeout, the Request Timed Out error message is displayed. The default timeout is 4 seconds.

TargetName—Specifies the hostname or IP address of the destination to ping.

NOTE

Some remote hosts can be configured to ignore ping traffic as a method of preventing acknowledgment (and thus as a security measure). Therefore, your inability to ping a server might not necessarily mean that the server is not operational, just that the server is not responding for some reason.
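The triage below is an added example, not part of the original text. It sorts IPv4 ping.exe output into the cases this section distinguishes (name-resolution failure, a genuine echo reply, no ICMP reply) and also handles router-generated "Destination host unreachable" replies, which ping.exe counts as received in its statistics. The sample outputs are constructed, and the name triage_ping is hypothetical.

```python
import re

# Constructed samples in the text layout printed by Windows ping.exe (IPv4).
SAMPLE_OK = """\
Pinging srv01.example.test [10.0.0.5] with 32 bytes of data:
Reply from 10.0.0.5: bytes=32 time<1ms TTL=128
Reply from 10.0.0.5: bytes=32 time=1ms TTL=128

Ping statistics for 10.0.0.5:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
"""
SAMPLE_NO_DNS = ("Ping request could not find host nosuch.example.test. "
                 "Please check the name and try again.\n")
SAMPLE_TIMEOUT = """\
Pinging 10.0.0.7 with 32 bytes of data:
Request timed out.
Request timed out.

Ping statistics for 10.0.0.7:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
"""
SAMPLE_UNREACHABLE = """\
Pinging 10.0.0.9 with 32 bytes of data:
Reply from 10.0.0.1: Destination host unreachable.
Reply from 10.0.0.1: Destination host unreachable.

Ping statistics for 10.0.0.9:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
"""

HEADER = re.compile(r"^Pinging (\S+)(?: \[([^\]]+)\])? with \d+ bytes of data:", re.M)
ECHO = re.compile(r"^Reply from (\S+): bytes=\d+ time[<=]\d+ms TTL=\d+", re.M)
RECEIVED = re.compile(r"Received = (\d+)")


def triage_ping(output):
    """Classify ping.exe output without trusting the 'Received' counter."""
    result = {"verdict": "unparsed", "echo_replies": 0, "stats_received": None}
    if "could not find host" in output:
        # The name never resolved, so no packet was sent: a DNS problem.
        result["verdict"] = "name-resolution-failure"
        return result
    header = HEADER.search(output)
    if header is None:
        return result
    # When pinging by name the resolved address is shown in brackets.
    target = header.group(2) or header.group(1)
    # Count only echo replies that came from the target itself.
    result["echo_replies"] = sum(1 for src in ECHO.findall(output) if src == target)
    stats = RECEIVED.search(output)
    if stats:
        result["stats_received"] = int(stats.group(1))
    if result["echo_replies"]:
        result["verdict"] = "reachable"
    elif "unreachable" in output:
        # An intermediate device answered; the target did not.
        result["verdict"] = "unreachable"
    elif "Request timed out." in output:
        # Host is down OR is configured to ignore ICMP: not proof of an outage.
        result["verdict"] = "no-icmp-reply"
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_NO_DNS, SAMPLE_TIMEOUT, SAMPLE_UNREACHABLE):
        print(triage_ping(sample))
```

A "no-icmp-reply" verdict should be followed by a check of the service the server actually provides before the host is declared down.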


Tracert

Tracert is generally used to determine the route or path taken to a destination by sending ICMP packets with varying TTL values. Each router the packet meets on the way decreases the value of the TTL by at least one; invariably, the TTL is a hop count. The path is determined by checking the ICMP Time Exceeded messages returned by intermediate routers. Some routers do not return Time Exceeded messages for expired TTL values and are not captured by Tracert. In such cases, asterisks are displayed for that hop.

To display the different parameters that can be used with Tracert, open a command prompt and enter tracert (without parameters) to display help or type tracert /?. The parameters associated with Tracert are as follows:

-4—Specifies that tracert.exe can use only IPv4 for the trace.

-6—Specifies that tracert.exe can use only IPv6 for the trace.

-d—Prevents resolution of IP addresses of routers to their hostname. This is particularly useful for speeding up results of Tracert.

-h maximumHops—Specifies the maximum number of hops to take before reaching the destination. The default is 30 hops.

-j HostList—Specifies that packets use the loose source route option. Loose source routing allows successive intermediate destinations to be separated by one or multiple routers. The maximum number of addresses in the host list is nine. This parameter is useful only when tracing IPv4 addresses.

-R—Sends packets to a destination in IPv6, using the destination as an intermediate destination and testing reverse route.

-S—Specifies the source address to use. This parameter is useful only when tracing IPv6 addresses.

NOTE

Tracert is a good utility to determine the number of hops and the latency of communications between two points. Even if an organization has an extremely high-speed connection to the Internet, if the Internet is congested or if the route a packet must follow requires forwarding the information between several routers along the way, the performance and, ultimately, the latency (or delay in response between servers) will cause noticeable communications delays.

Pathping

Pathping is a route-tracing tool that combines features of both Ping and Tracert commands, but with more information than either of those two commands provides. Pathping is most ideal for a network with routers or multiple routes between the source and destination hosts. The Pathping command sends packets to each router on its way to a destination, and then gets results from each packet returned from the router. Because Pathping computes the loss of packets from each hop, you can easily determine which router is causing a problem in the network.

To display the parameters in Pathping, open a command prompt and enter Pathping /?. The parameters for the Pathping command are as follows:

-4—Specifies that Pathping.exe can use only IPv4 for the trace.

-6—Specifies that Pathping.exe can use only IPv6 for the trace.

-g Host-list—Allows hosts to be separated by intermediate gateways.

-h maximumHops—Specifies the maximum number of hops before reaching the target. The default is 30 hops.

-n—Specifies that it is not necessary to resolve the address to the hostname.

-p period—Specifies the number of seconds to wait between pings. The default is a quarter of a second.

-q num_queries—Specifies the number of queries to each host along the route. The default is three seconds.

-w timeout—Specifies the timeout for each reply in milliseconds.

Ipconfig

Ipconfig displays all TCP/IP configuration values. It is of particular use on machines running Dynamic Host Control Protocol (DHCP). It is used to refresh DHCP settings and to determine which TCP/IP configuration values have been assigned by DHCP. If Ipconfig is used without parameters, it displays IP addresses, subnet masks, and gateways for each of the adapters on a machine. The adapters can be physical network adapters or logical adapters such as dial-up connections.

Some of the parameters for Ipconfig are as follows:

/all—Displays all TCP/IP configuration values.

/displaydns—Displays the contents of the DNS client resolver cache.

/flushdns—Resets and flushes the contents of the DNS client resolver cache. This includes entries made dynamically.

/registerdns—Sets manual dynamic registration for DNS names and IP addresses configured on a computer. This is particularly useful in troubleshooting DNS name registration or dynamic update problems between a DNS server and client.

/release [Adapter]—Sends a DHCP release message to the DHCP server to discard DHCP-configured settings for adapters. This parameter is available only for DHCP-enabled clients. If no adapter is specified, IP address configuration is released for all adapters.

/renew [Adapter]—Renews DHCP configuration for all adapters (if an adapter is not specified) and for a specific adapter if the Adapter parameter is included. This parameter is available only for DHCP-enabled clients.

/setclassid Adapter [classID]—Configures the DHCP class ID for a specific adapter. You can configure the DHCP class ID for all adapters by using the wildcard (*) character in place of Adapter.

/showclassid Adapter—Displays the DHCP class ID for a specific adapter.

/allcompartments—Displays information about all compartments.

/allcompartments /all—Displays detailed information about all compartments.

NOTE

Ipconfig determines the assigned configuration for a system such as the default gateway, DNS servers, local IP address, subnet mask, and so on. When you’re debugging network problems, you can use Ipconfig to validate that the proper TCP/IP settings have been set up for a system so that a server properly communicates on the network.

ARP

ARP stands for Address Resolution Protocol. ARP enables the display and modification of the ARP table on a local machine, which matches physical MAC addresses of machines to their corresponding IP addresses. ARP increases the speed of connection by eliminating the need to match MAC addresses with IP addresses for subsequent connections.

Some of the parameters for ARP are as follows:

-a [InetAddr] [-N IfaceAddr]—Displays the ARP table for all adapters on a machine. Use Arp -a with the InetAddr (IP address) parameter to display the ARP cache entry for a specific IP address.

-d InetAddr [IfaceAddr]—Deletes an entry with a specific IP address (InetAddr). Use the IfaceAddr parameter (IP address assigned to the interface) to delete an entry in a table for a specific interface. Use the wildcard character in place of InetAddr to delete all entries.

-g [InetAddr] [-N IfaceAddr]—Similar to the -a parameter.

-s InetAddr EtherAddr [IfaceAddr]—Adds a static entry to the ARP cache that resolves the IP address (InetAddr) to a physical address (EtherAddr). To add a static ARP cache entry to the table for a specific interface, use the IP address assigned to the interface (IfaceAddr).

Netstat

As its name implies, Netstat (or network statistics) is used to display protocol statistics for any active connections, monitor connections to a remote host, and monitor IP addresses or domain names of hosts with established connections.

The parameters for Netstat are as follows:

-a—Displays all connections and listening ports by hostname.

-an—Similar to the -a parameter, but displays connections and listening ports by IP addresses.

-e—Displays Ethernet packets and bytes to and from the host.

-n—Displays address and port numbers without resolving the address to the hostname.

-o—Displays TCP connections and includes the corresponding process ID (PID). Used in combination with -a, -n, and -p. Not available in earlier Windows versions.

-P protocol—Displays statistics based on the protocol specified. Protocols that can be specified are TCP, UDP, TCPv6, or UDPv6. It can be used with -s to display TCP, UDP, ICMP, IP, TCPv6, UDPv6, ICMPv6, or IPv6.

-s—Displays statistics on a protocol-by-protocol basis. Can be used with the -p parameter to specify a set of protocols.

-r—Displays the route table. Information displayed includes network destination, netmask, gateway, interface, and metric (number of hops).

[Parameter] Interval—Displays the information at every interval specified. Interval is a numeral in seconds. Press Ctrl+C to stop the intervals.
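As an added example (not part of the original text), the script below parses output in the layout produced by combining -a, -n, and -o and reports network-reachable listeners whose port is not on an expected list, together with the owning PID. The sample output, the allowlist, and the function names are constructed for illustration.

```python
from collections import namedtuple

Socket = namedtuple("Socket", "proto addr port state pid")

# Constructed sample in the column layout printed by `netstat -ano` on Windows.
SAMPLE = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       788
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       3012
  TCP    127.0.0.1:5939         0.0.0.0:0              LISTENING       2200
  TCP    10.0.0.5:3389          10.0.0.20:51522        ESTABLISHED     1120
  TCP    [::]:135               [::]:0                 LISTENING       788
  UDP    0.0.0.0:123            *:*                                    1044
"""

# Assumed baseline for this server role: (protocol, port) pairs that may listen.
ALLOWED = {("TCP", 135), ("TCP", 445), ("UDP", 123)}


def parse_netstat(text):
    """Turn `netstat -ano` text into Socket tuples, skipping headers."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local = fields[0], fields[1]
        if proto == "TCP" and len(fields) == 5:
            state, pid = fields[3], fields[4]
        elif proto == "UDP" and len(fields) == 4:
            # UDP rows have no State column: Proto, Local, Foreign, PID.
            state, pid = "", fields[3]
        else:
            continue
        # Split on the last colon so bracketed IPv6 addresses stay intact.
        addr, _, port = local.rpartition(":")
        rows.append(Socket(proto, addr.strip("[]"), int(port), state, int(pid)))
    return rows


def unexpected_listeners(rows, allowed):
    """Listeners bound to a non-loopback address on a port outside `allowed`."""
    hits = {}
    for s in rows:
        listening = s.state == "LISTENING" or s.proto == "UDP"
        local_only = s.addr.startswith("127.") or s.addr == "::1"
        if listening and not local_only and (s.proto, s.port) not in allowed:
            # IPv4 and IPv6 rows for one service collapse into a single finding.
            hits.setdefault((s.proto, s.port, s.pid), s)
    return list(hits.values())


if __name__ == "__main__":
    for s in unexpected_listeners(parse_netstat(SAMPLE), ALLOWED):
        print(f"{s.proto} port {s.port} on {s.addr} owned by PID {s.pid}")
```

The reported PID can then be matched to a process name, for example with tasklist /FI "PID eq 3012".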

Route

Route is particularly useful for troubleshooting incorrect static routes or for adding a route to a route table to temporarily bypass a problem gateway. Static routes can be used in place of implicit routes specified by a default gateway. Use Route to add static routes to forward packets going to a gateway specified by default to avoid loops, improve traffic time, and so on.

The parameters for Route are as follows:

-add—Adds a route to a table. Use -p to make the route persistent for subsequent sessions.

-Delete—Deletes a route from the table.

-Print—Prints a route.

-change—Modifies an existing route.

-destination—Specifies the host address.

-gateway—Specifies the address of gateway for Route.

IF interface—Specifies the interface for the routing table to modify.

-mask Netmask—Uses the subnet mask specified by Netmask. If mask is not used, it defaults to 255.255.255.255.

-METRIC Metric—Specifies the metric, or cost, for the route using the value Metric.

-f—Clears the routing table of all gateway entries.

-p—Used with -add to create a persistent route.

Nslookup

Nslookup is used to query DNS. You can think of Nslookup as a simple diagnostic client for DNS servers. It can operate in two modes: Interactive and Noninteractive. Use Noninteractive mode to look up a single piece of data. To look up more than one piece of data, use Interactive mode. To stop Interactive mode at any time, press Ctrl+B. To exit from the command, enter exit. If Nslookup is used without any parameters, it uses the default DNS name server for lookup.

The parameters for Nslookup are as follows:

-ComputerToFind—Looks up information for the specified ComputerToFind. By default, it uses the current default DNS name server.

-Server—Specifies the server as the DNS name server.

-SubCommand—Specifies one or more Nslookup subcommands as a command-line option. Enter a question mark (?) to display a list of subcommands available.

NetDiag

The Network Connectivity Tester (NetDiag) tool is a command-line diagnostic tool to test network connectivity, configuration, and security. It’s included with the Support Tools on the Windows 2008 media. The tool gathers information on and tests network configuration, network drivers, protocols, connectivity, and well-known target accessibility. This is a good tool to use right off the bat if you think there are problems with the network connectivity of a system.

One nice feature of the NetDiag.exe tool is that it does not require parameters, which makes it easy to use. Simple instructions can be given to the administrators who need to execute it, and the bulk of the time can be spent analyzing the results.

Although it doesn’t require any parameters, several are available:

/q—Displays quiet output (errors only).

/v—Displays verbose output.

/l—Logs to the NetDiag.log.

/debug—Displays even more verbose output.

/d: DomainName—Finds a domain controller in the domain.

/fix—Fixes minor problems.

/DCAccountEnum—Enumerates domain controller computer accounts.

/test: TestName—Runs the specified tests only.

/skip: TestName—Skips the specified tests.

When specifying tests to run or to skip, nonskippable tests will still be run.

DCDiag

The Domain Controller Diagnostic (DCDiag) tool analyzes the state of domain controllers and services in an Active Directory forest. It is installed when the Active Directory Domain Services (AD DS) role is added to a Windows 2008 installation. This is a great general-purpose test tool for checking the health of an Active Directory infrastructure.

Tests include domain controller connectivity, replication errors, permissions, proper roles, and connectivity, and other general Active Directory health checks. It can even run non-domain-controller-specific tests, such as whether a server can be promoted to a domain controller (the dcpromo test), or register its records properly in DNS (RegisterInDNS test). DCDiag is run on domain controllers exclusively, with the exception of the dcpromo and RegisterInDNS tests.

When run without any parameters, the tests will be run against the current domain controller. This runs all the key tests and is usually sufficient for most purposes.

The parameters for DCDiag are as follows:

/s:DomainController—Uses the domain controller as the home server.

/n:NamingContext—Uses the specified naming context (NetBIOS, FQDN, or distinguished name) to test.

/u:Domain\UserName /p:{*|Password|””}—Uses the supplied credentials to run the tool.

/a—Tests all domain controllers in the site.

/e—Tests all domain controllers in the enterprise.

/q—Displays quiet output (errors only).

/v—Displays verbose output.

/I—Ignores minor error messages.

/fix—Fixes minor problems.

/f:LogFile—Logs to the specified log file.

/ferr:ErrorLogFile—Logs errors to the specified log file.

/c—Comprehensively runs all tests.

/test:TestName—Runs the specified tests only.

/skip:TestName—Skips the specified tests.

When specifying tests to run or to skip, nonskippable tests will still be run.

NOTE

DCDiag is automatically included on a Windows 2008 system when the AD DS role is added. Otherwise, on non–domain controllers, the utility can be added by adding the Remote Server Administration Tools feature in Server Manager.

System Startup and Recovery

The System Startup and Recovery utility stores system startup, system failure, and debugging information. It also controls the behavior (what to do) when a system failure occurs.

To open System Startup and Recovery, launch Control Panel, select System, Advanced System Settings, and click the Advanced tab in the Systems Settings dialog box, and then click Settings under Startup and Recovery to display a property page similar to the one shown in Figure 13.11.

The Default Operating System field contains information that is displayed at startup. This information is typically the name of the operating system such as Windows Server 2008 Enterprise Edition. You can edit this information using bcdedit from a command prompt. If the machine is dual booted, there will be an entry for each operating system. The Time to Display List of Operating Systems option specifies the time the system takes to display the name of the operating system at startup. The default time is 30 seconds. This can be increased or reduced to a different time. The Time to Display Recovery Options When Needed is unchecked by default but can be selected and an interval in seconds entered.

You can set the action to be taken when system failure occurs in the System Failure section. There are two options. The first option is Write an Event to the System Log. This action is not editable in Windows 2008 because this action occurs by default every time a stop error occurs. The next option, Automatically Restart, reboots the system in the event of a system failure.

The Write Debugging Information section tells the system where to write debugging information when a system failure occurs. The options available include where the debugging information can be written to: Small Memory Dump (128KB), Kernel Memory Dump, Complete Memory Dump, or (None). The Write Debugging Information To option requires a paging file on the boot volume, which should be the size of the physical RAM plus at least 1MB.

Date posted: 06/07/2014, 18:21