Chapter 19: Using Windows 2003 Troubleshooting Utilities

Event Viewer Reveals

Event Viewer is an essential troubleshooting tool for Windows Server 2003. One of the most valuable characteristics of this tool is that you can always count on Event Viewer to give you the messy details about what's going on when drivers or services fail to load during system startup. Event Viewer is also your entry point into analyzing what's going on with your system, whether you're auditing specific events by design or trying to figure out where problems and errors may be coming from.

To launch Event Viewer, follow this menu sequence: Start Administrative Tools Event Viewer. This produces the Event Viewer window shown in Figure 19-1.

Figure 19-1: The System Log in Event Viewer.

The small icons in the right column of the Event Viewer's various logs represent the following:

• Red circle with an X: Known as the error icon, it identifies an error report that may be worth investigating.

• Blue quote bubble with a lowercase i : Called the information icon, it indicates an event that describes the successful operation of a major server service.

• Yellow triangle with an exclamation point: Known as the warning icon, it indicates that an event occurred that wasn't necessarily serious but might indicate that potential problems lie ahead. This may be worth investigating, too.

To investigate any log entry, double-click the line where it appears. When we double-clicked one of the red circles in Figure 19-1, it produced the Event Detail report shown in Figure 19-2.

Figure 19-2: An event detail.

The System Log appears in Event Viewer by default. The utility also includes three other main log files (in addition to the System Log) and may include service- or application-specific logs, depending on what applications and services you have installed. Here's a rundown of what appears on our test system:

• Application Log: Records events logged by some applications or services. When developers build applications, they can instruct those applications to send event information to the Event Viewer as part of their installation. The icons that appear in the Application Log are the same as those for the System Log.

• Directory Service: Records events related to the Directory Service.

• DNS Server: Records events related to the Domain Name Service (DNS) server.

• File Replication Service: Records events related to the File Replication Service.

• Security Log: Records security-related events, such as changes to a machine's security policy and failed attempts to log on or access files or directories. This is where security audit information is recorded. The Security Log uses two special icons: A yellow key indicates an audited security event completed successfully, and a gray lock indicates that an audited security event failed.

• System Log: Records all events logged by Windows 2003 system components . By default, the System Log records all system-related hardware and operating system errors, warnings, and information messages.

Working with Event Viewer should become part of your regular system maintenance routine. Check the System and Application Logs at least once a week to see whether anything untoward has happened . If you audit security events, check the Security Log as often as makes sense.

Sick applications? Call Dr. Watson!

Throughout this book, you encounter loads of tools and utilities for troubleshooting Windows Server 2003 hardware, networks, and the operating system itself. But what do you do when the applications go awry?

The answer to this question is Nothing! Not because you can't do anything about application problems, but because such problems in the Windows 2003 environment automatically provoke error reports from the Dr. Watson utility. In fact, Dr. Watson's job is to report application difficulties whenever they occur.

Although you probably won't know what to make of Dr. Watson's content unless you have extensive Windows programming experience and are familiar with debuggers rest assured that this is old hat for plenty of people out there. Your entire involvement with Dr. Watson will be to check where the crash dump resides, make a copy of that dump, and e-mail it to someone who can make heads or tails of this stuff! You can find the crash dump in the "Crash Dump" text box at top of the Dr. Watson application window, which is displayed by entering drwtsn32 in the text entry box of the Run command.

When applications get weird, Dr. Watson can be good for the tech support folks who will try to cure what ails your system.

Whenever you troubleshoot, the Event Viewer should be an early stop along your path . In addition to keeping you informed about most system problems, this tool can be counted on to keep you informed about any application or service problems that know how to use this facility to report warnings and errors. Unfortunately, this does not include all applications, but does include most server services and important applications, such as database managers and e-mail packages.