DESKTOP

Windows Server 2008 and Windows Vista : Using Event Logging for Troubleshooting (part 2)

6/27/2014 9:46:41 PM

2. Event Viewer Troubleshooting Procedure

To take full advantage of the new Event Viewer features and capabilities, it is a best practice to follow a set procedure to ensure that you are viewing the most relevant information for the problem that you are having. To do this, you should follow these steps:

  1. Evaluate the System event log for Group Policy events.

  2. Evaluate the Group Policy operational log:

    1. Determine the ActivityID of Group Policy processing.

    2. Create a custom view of a Group Policy instance.

  3. Divide the custom view of the log into three phases:

    1. Preprocessing

    2. Processing

    3. Postprocessing

  4. Associate all Starting events with the correct Ending event.

  5. Investigate all Errors, Warnings, and Failures.

  6. Isolate the event that is causing the problem, and address the problem.

  7. Run GPUpdate on the computer with the Group Policy problem to determine whether the problem persists. If so, repeat these steps to find other issues.

Evaluate the System Event Log

The Group Policy service writes events to the System event log indicating an administrative alert, representing the latest status of the Group Policy service. Here you can quickly determine whether the Group Policy service is the source of the problem. You might see any of the following three events in the System event log for Group Policy:

  • Informational event . Indicates that the Group Policy service is functioning properly.

  • Warning event . Indicates that the Group Policy service is functioning properly, but other dependencies may have failed.

  • Error event . Indicates that the Group Policy service has failed.

Evaluate the Group Policy Operational Log: Determine the ActivityID of Group Policy Processing

Every time Group Policy background or foreground processing occurs, an ActivityID is generated that groups all of the specific actions that occurred during that Group Policy processing. It is important that you determine the ActivityID of the process so that you can isolate all events related to that process. To determine the ActivityID for an event, follow these steps:

  1. Start Event Viewer.

  2. Under Event Viewer, click to expand Applications And Services Logs, and then expand Microsoft, expand Windows, expand GroupPolicy, and click Operational.

  3. In the details pane, click the GroupPolicy warning or error event that you want to troubleshoot.

  4. In the details pane, click the Details tab the lower pane for the event, and then click Friendly view.

  5. On the event’s Details tab, click System to expand the System node.

  6. Scroll until you find the ActivityID in the System node details. This value (without the opening and closing braces) is the ActivityID.

Evaluate the Group Policy Operational Log: Create a Custom View of a Group Policy Instance

After the ActivityID is determined, all events related to that ID must be isolated for easier and more efficient evaluation. To isolate all of the events that are associated with the ActivityID that you found, follow these steps:

  1. Start Event Viewer.

  2. Right-click Custom Views, and then click Create Custom View. The Create Custom View dialog box appears.

  3. Click the XML tab, and then select the Edit Query Manually check box. Event Viewer displays a dialog box, which explains that editing a query manually prevents you from modifying the query using the Filter tab. Click Yes.

  4. Copy the Event Viewer query (provided at the end of this step) to the clipboard. Paste the query into the Query box. Your query should look something like the following:

    <QueryList><Query Id="0” Path="Application"><Select Path="Microsoft-Windows-GroupPolicy/Operational">*[System/Correlation/@ActivityID=‘{INSERT ACTIVITY ID HERE}’]</Select> </Query></QueryList>

  5. Enter the ActivityID that you determined in the preceding procedure in place of the “INSERT ACTIVITY ID HERE” text from step 4. Click OK.

    Note

    The leading and trailing {} characters are essential for the query to work.

  6. In the Save Filter to Custom View dialog box, type a name and description meaningful to the view you created, and then click OK.

  7. The name of the saved view appears under Custom Views in the console tree. Click the name of the saved view to display its events in Event Viewer, as shown in Figure 3.

The custom view in Event Viewer isolates all of the events related to a single ActivityID.
Figure 3. The custom view in Event Viewer isolates all of the events related to a single ActivityID.
Other  
  •  Windows 8 : Managing Windows Update (part 4) - Viewing update history, Rolling back updates
    •
  •  Windows 8 : Managing Windows Update (part 3) - Managing Windows Update in Windows 8 native interface
    •
  •  Windows 8 : Managing Windows Update (part 2) - Configuring update settings
  •  Windows 8 : Managing Windows Update (part 1) - Accessing Windows Update settings by using Control Panel
  •  Windows 8 : Working with location-based settings and connection methods
    •
  •  Windows Server 2008 R2 : Active Directory lightweight directory services
    •
  •  Windows Server 2008 R2 : Active Directory federation services (part 4) - Complete ADFS server configuration
    •
  •  Windows Server 2008 R2 : Active Directory federation services (part 3) - Install Web agent for claims aware Web application, Configure ADFS certificates
    •
  •  Windows Server 2008 R2 : Active Directory federation services (part 2) - Set up the ADFS role for the internal and external Active Directory forests
    •
  •  Windows Server 2008 R2 : Active Directory federation services (part 1) - Planning for Active Directory Federation Services
    •
     
    Top 10
    Extending LINQ to Objects : Writing a Single Element Operator (part 2) - Building the RandomElement Operator
    Extending LINQ to Objects : Writing a Single Element Operator (part 1) - Building Our Own Last Operator
    3 Tips for Maintaining Your Cell Phone Battery (part 2) - Discharge Smart, Use Smart
    3 Tips for Maintaining Your Cell Phone Battery (part 1) - Charge Smart
    OPEL MERIVA : Making a grand entrance
    FORD MONDEO 2.0 ECOBOOST : Modern Mondeo
    BMW 650i COUPE : Sexy retooling of BMW's 6-series
    BMW 120d; M135i - Finely tuned
    PHP Tutorials : Storing Images in MySQL with PHP (part 2) - Creating the HTML, Inserting the Image into MySQL
    PHP Tutorials : Storing Images in MySQL with PHP (part 1) - Why store binary files in MySQL using PHP?
    REVIEW
    - First look: Apple Watch

    - 3 Tips for Maintaining Your Cell Phone Battery (part 1)

    - 3 Tips for Maintaining Your Cell Phone Battery (part 2)
    VIDEO TUTORIAL
    - How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 1)

    - How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 2)

    - How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 3)
    Popular Tags
    Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8 BlackBerry Android Ipad Iphone iOS