Windows Server 2008 and Windows Vista : Using Event Logging for Troubleshooting (part 3) - Divide the Custom View of the Log into Three Phases

Divide the Custom View of the Log into Three Phases: Preprocessing

This phase begins the Group Policy processing and gathers information that is required to process Group Policy. The information gathered in this phase is used to cycle through each Group Policy extension. During this phase, the Group Policy service collects information that will be used to process each CSE. This information can be divided into small subsets, which include the following:

• Start policy processing

• Retrieve account information

• Domain controller discovery

• Computer role discovery

• Security principal discovery

• Loopback processing mode discovery

• GPO discovery

• Slow link detection

• Nonsystem GP extension discovery

For each subset in the preprocessing phase, specific event IDs are generated. The ability to track an event ID to a specific portion of the preprocessing phase can help significantly in identifying the root problem with Group Policy. Each subset is defined in the following sections.

Start Policy Processing

When the computer starts, a user logs on, a refresh occurs, or there is a change to a network interface, an instance of Group Policy is recorded in Event Viewer. This instance is tracked via the ActivityID, and one of the start events is recorded with it. The start events range from 4000 to 4007 and are described in Table 1.

Table 1. Group Policy Start Events

Event ID	Start Event Type
4000	Computer start-up
4001	User logon
4002	Computer network change
4003	User network change
4004	Computer manual refresh
4005	User manual refresh
4006	Computer periodic refresh
4007	User periodic refresh

Retrieve Account Information

For processing to occur, the Group Policy service must acquire the location of the user and computer object in Active Directory. This determines the SOM for the objects. Two sets of event IDs are recorded for this portion of the preprocessing phase. They include the following:

Informational/success interaction event

• This event records information about interaction with dependent components with one of three event IDs:

  • 5320 - Success interaction event: The interaction described in the event completed successfully.

  • 6320 - Warning interaction event: The interaction described in the event completed with one or more errors.

  • 7320 - Error interaction event: The interaction described in the event failed to complete.

Trace component event

• During the information gathering phase, the Group Policy service calls other functions in Windows, referred to as system calls. These events are recorded in Event Viewer and report one or more event IDs:

  • 4017 - Start-trace event: The beginning of a system call described in the event.

  • 5017 - Success end-trace event: The system call described in the event completed successfully.

  • 6017 - Warning end-trace event: The system call described in the event completed with one or more errors.

  • 7017 - Error end-trace event: The system call described in the event failed to complete.

Tip

All end-trace events contain the elapsed time used by the system call. A call that takes too much time could indicate that there is a problem. The Details tab (explained earlier) indicates the status of the end-trace event and the elapsed time.

Domain Controller Discovery

For Group Policy to process successfully, a domain controller must be discovered. During the discovery procedure, the system binds to Active Directory, discovers a domain controller to connect to, and makes a connection to the domain controller. The event IDs associated with each step in the process include the following:

Domain controller discovery start event

• This event occurs when the computer starts to find the domain controller.

• The following event IDs are associated with this event:

  • 5017 - Success end-trace event: The system call described in the event completed successfully.

  • 6017 - Warning end-trace event: The system call described in the event completed with one or more errors.

  • 7017 - Error end-trace event: The system call described in the event failed to complete.

DC discovery interaction event

• This event occurs when the computer begins to communicate with the domain controller.

• The following event IDs are associated with this event:

  • 5308 - Success DC interaction event: The interaction described in the paragraph before this table completed successfully.

  • 6308 - Warning DC interaction event: The interaction described in the paragraph before this table completed with one or more errors.

  • 7308 - Error DC interaction event: The interaction described in the paragraph before this table did not complete.

Domain controller discovery end event

• This event occurs when the computer ends communications with the domain controller.

• The following event IDs are associated with this event:

  • 5326 - Success DC discovery end event: The process of discovering a domain controller completed successfully.

  • 6326 - Warning DC discovery end event: The process of discovering a domain controller completed with one or more errors.

  • 7326 - Error DC discovery end event: The process of discovering a domain controller did not complete.

Computer Role Discovery

Group Policy is applied based on the computer role and membership in a domain. Group Policy applies differently based on the computer role. The roles that a computer can have include those listed in Table 2.

Table 2. Computer Roles and Values

Value	Computer role
0	The current computer is a stand-alone workstation or server.
1	The current computer is a member of a domain that does not support directory services.
2	The current computer is a member of a domain that supports directory services.
3	The current computer is a domain controller.

The events that will be written into the log, including these computer role values, will fall under the following category and event IDs:

Computer information event

• The following event IDs are associated with this event:

  • 5309 - Success computer information event: The discovery of computer information completed successfully.

  • 6309 - Warning computer information event: The discovery of computer information completed with one or more errors.

  • 7309 - Error computer information event: The discovery of computer information did not complete.

Security Principal Discovery

Because Group Policy applies only to computer and user objects, this portion of the process determines whether the current object focus is a user or computer so that the appropriate settings can be applied. This is written to the log with the following category and event IDs:

Security principal information event

• The following event IDs are associated with this event:

  • 5310 - Success security principal information event: Discovering information about the current security principal completed successfully.

  • 6310 - Warning security principal information event: Discovering information about the current security principal completed with one or more errors.

  • 7310 - Error security principal information event: Discovering information about the current security principal did not complete.

Loopback Processing Mode Discovery

Because loopback processing alters the default Group Policy processing behavior, the Group Policy service must be aware of any loopback settings. The following category and event IDs are registered after the loopback processing information is gathered:

Loopback processing mode event

• The following event IDs are associated with this event:

  • 5311 - Success loopback processing mode event: Determining the loopback processing mode completed.

  • 6311 - Warning loopback processing mode event: Determining the loopback processing mode completed with one or more errors.

  • 7311 - Error loopback processing mode event: Determining the loopback processing mode did not complete.

  The event description will include one of three types of loopback processing that will occur:

  • No loopback mode: Loopback processing is not enabled.

  • Merge: Loopback processing is enabled. The Group Policy service merges user settings within the scope of the computer with user settings within the scope of the user.

  • Replace: Loopback processing is enabled. The Group Policy service replaces user settings within the scope of the user with user setting from the scope of the computer.

GPO Discovery

After all of the initial information is gathered to create a list of applicable GPOs, the Group Policy service discovers the final list of GPOs that will apply to the computer or user object. After obtaining the list, the Group Policy service checks the accessibility of each GPO by reading the gpt.ini file. It uses the gpt.ini file location on the domain controller discovered in the domain discovery step. The events that could be recorded include the following:

• 5017 - Success end-trace event: The system call described in the event completed successfully.

• 6017 - Warning end-trace event: The system call described in the event completed with one or more errors.

• 7017 - Error end-trace event: The system call described in the event failed to complete.

After the gpt.ini files are checked, the system performs an additional check and records the following Applied GPO list event and event IDs:

Applied GPO list event

• This is where the Group Policy CSEs are listed based on the applicable settings in the GPO. The recorded events will include one of the following:

  • 5312 - Success applied GPO list event: The discovery of applicable Group Policy objects completed successfully.

  • 6312 - Warning applied GPO list event: The discovery of applicable Group Policy objects completed with one or more errors.

  • 7312 - Error applied GPO list event: The discovery of applicable Group Policy objects did not complete.

Finally, the system ends this portion of the phase by listing the filtered GPOs. The system processes the following Filtered GPO list event and event IDs:

Filtered GPO list event

• The GPOs listed in these events will not be applied to the computer or user. The following event IDs are associated with this event:

  • 5313 - Success filtered GPO list event: The discovery of filtered Group Policy objects completed successfully.

  • 6313 - Warning filtered GPO list event: The discovery of filtered Group Policy objects completed with one or more errors.

  • 7313 - Error filtered GPO list event: The discovery of filtered Group Policy objects did not complete.

Slow Link Detection

Multiple components rely on the speed of the network for the application of policy settings. For the Group Policy service to determine this criteria, it must perform two steps. First, it must determine the speed of the network. Second, it must determine whether the configured slow link setting in Group Policy classifies the determined speed as slow or fast. The following two events record this behavior, along with the associated event IDs:

Estimated bandwidth event

• The results of the estimated bandwidth will be recorded in the event measured in kilobits per second (Kbps). The following event IDs are associated with this event:

  • 5327 - Success estimated bandwidth event: Estimating the bandwidth for a network interface completed successfully.

  • 6327 - Warning estimated bandwidth event: Estimating the bandwidth for a network interface completed with one or more errors.

  • 7327 - Error estimated bandwidth event: Estimating the bandwidth for a network interface did not complete.

Network information event

• After the estimated bandwidth speed is determined, the Group Policy service determines whether the speed is slow or fast. This event will classify the speed in one of the following three categories within the event recorded:

  • The connection is a fast or slow link.

  • The estimated bandwidth value, measured in Kbps.

  • The slow link bandwidth threshold, also measured in Kbps.

This event will have the following event IDs associated with it:

• 5314 - Success network information event: The Group Policy service successfully determined a slow or fast link.

• 6314 - Warning network information event: The Group Policy service encountered one or more errors when determining a slow or fast link.

• 7314 - Error network information event: The Group Policy service encountered an error when attempting to determine a slow or fast link.

Nonsystem GP Extension Discovery

Any third-party Group Policy extensions that need to process are also tracked. The Group Policy service runs in a separate service host process from nonsystem extensions (third-party extensions) for stability reasons. This information is reported under the following event and event IDs:

Operational information event

• The following event IDs are associated with this event:

  • 5320 - Success operational information event: The event description provides information or describes a successful event.

  • 6320 - Warning operational information event: The event description provides information about a recent warning event.

  • 7320 - Error operational informational event: The event description provides information about a recent error event.

Divide the Custom View of the Log into Three Phases: Processing

This phase uses the information gathered in the preprocessing phase to cycle through each Group Policy extension. It is the extension that applies policy settings to the user or computer. The Group Policy service passes all of the information gathered in the preprocessing phase to each of the system and nonsystem CSEs. You can clearly see the beginning of this phase in the Event Viewer by noting that the Group Policy service records the CSE processing start event of 4016, including a list of all GPOs that have settings for the associated CSE. Afterward, with the successful completion of the CSE processing event, the service records a final event ID of 5016. Each CSE that is processed has a beginning event and an ending event.

Divide the Custom View of the Log into Three Phases: Postprocessing

The postprocessing phase reports the end of the policy processing instance and records whether the instance ended successfully, was processed with warnings, or failed. Table 3 describes the event IDs associated with the events and the levels of success or failure of the event recorded.

Table 3. Postprocessing Event IDs

Warning or Error Event ID	Failure Event ID	Successful Event ID	End Policy Processing Event
6000	7000	8000	Computer end event
6001	7001	8001	User end event
6002	7002	8002	Computer network change event
6003	7003	8003	User network change event
6004	7004	8004	Computer manual refresh event
6005	7005	8005	User manual refresh event
6006	7006	8006	Computer periodic refresh event
6007	7007	8007	User periodic refresh event

Associate All Starting Events with the Correct Ending Event

Each phase and each subset of the phases has a starting and ending event pair. This is extremely useful in troubleshooting, because it allows you to more narrowly identify where problems are occurring. If a pair of events or subevents has only success events, it is unlikely that the event pair is causing any problems with Group Policy processing.

Investigate All Errors, Warnings, and Failures

You should focus carefully on the errors, warnings, and failures that are logged in the events. These are the events most likely to cause the most problems with the application of Group Policy.

Isolate the Event Causing the Problem

After you determine the initial problem from the preceding steps, you should address it without concern for other errors that might be occurring. Group Policy application can often have a “trickling” affect on other areas of the processing. If too many problems are handled at one time, more problems can arise. Also, you should avoid spending time trying to fix a problem that may be a by-product of the original problem.

Run GPUpdate on the Computer with the Group Policy Problem

To determine whether Group Policy processing is fully functional after an error has been fixed, you can run GPUpdate to learn whether a new instance of the Group Policy processing causes any issues. If only successful events are logged and the behavior of the computer is as desired, the problem is fixed. If problems still exist, repeat the steps in this section until all errors and problems are resolved.