1
00:00:01,040 --> 00:00:01,790
In this demonstration,

2
00:00:01,790 --> 00:00:04,870
we're going to do a tour of several of the built-in

3
00:00:04,870 --> 00:00:07,280
Windows Server troubleshooting tools.

4
00:00:07,280 --> 00:00:12,840
First, we can right-click the taskbar and invoke good old Task Manager,

5
00:00:12,840 --> 00:00:15,930
most everybody's first line of defense in terms of

6
00:00:15,930 --> 00:00:17,760
troubleshooting system performance.

7
00:00:17,760 --> 00:00:19,370
We've got our Process list.

8
00:00:19,370 --> 00:00:21,720
We can end those tasks.

9
00:00:21,720 --> 00:00:25,650
We've got our Performance, which shares some similarities.

10
00:00:25,650 --> 00:00:27,800
See the link down here to Resource Monitor?

11
00:00:27,800 --> 00:00:29,640
Let's give that a click.

12
00:00:29,640 --> 00:00:34,550
Resource Monitor truly is an expanded version of Task Manager,

13
00:00:34,550 --> 00:00:36,410
gives you a very nice view.

14
00:00:36,410 --> 00:00:39,620
I find that when I present on this live,

15
00:00:39,620 --> 00:00:43,880
many students think, wow, I totally forgot that these tools existed,

16
00:00:43,880 --> 00:00:47,110
so I hope that you have an "aha" moment along those lines.

17
00:00:47,110 --> 00:00:49,540
It is easy to forget they exist.

18
00:00:49,540 --> 00:00:53,240
CPU, we can look at Services and their relative CPU.

19
00:00:53,240 --> 00:00:55,480
All these columns are sortable.

20
00:00:55,480 --> 00:00:59,120
Let's see, I'm looking for exports.

21
00:00:59,120 --> 00:01:02,880
I'm not seeing any export capability here unfortunately.

22
00:01:02,880 --> 00:01:08,040
Let me bring this over here, Large, no those are just the running graph views.

23
00:01:08,040 --> 00:01:09,450
Okay, so that's that.

24
00:01:09,450 --> 00:01:13,750
Let's see, Task Manager has our user and their Memory and CPU.

25
00:01:13,750 --> 00:01:17,610
Details gives you more process-related information.

26
00:01:17,610 --> 00:01:20,270
Then we have our Services list.

27
00:01:20,270 --> 00:01:22,730
By the way, I probably should have said this.

28
00:01:22,730 --> 00:01:27,210
I'm on one of my Windows Server 2022 domain member servers.

29
00:01:27,210 --> 00:01:29,690
Alright, so how about Reliability Monitor.

30
00:01:29,690 --> 00:01:31,210
That can be found in good,

31
00:01:31,210 --> 00:01:35,080
old-fashioned Control Panel under the Security and Maintenance umbrella.

32
00:01:35,080 --> 00:01:37,520
And I like it, as I had mentioned before,

33
00:01:37,520 --> 00:01:41,380
that you can see a longer picture of historical reliability,

34
00:01:41,380 --> 00:01:44,500
and we can look at it by days or by weeks.

35
00:01:44,500 --> 00:01:46,870
And we can see here in this case,

36
00:01:46,870 --> 00:01:50,220
I actually created this machine not too long ago,

37
00:01:50,220 --> 00:01:56,120
so all of this graph data you see to the left it doesn't even start until

38
00:01:56,120 --> 00:02:00,010
this date because the VM never existed before that point,

39
00:02:00,010 --> 00:02:00,930
you see.

40
00:02:00,930 --> 00:02:03,100
Let's go back to Days,

41
00:02:03,100 --> 00:02:07,190
and then we can drill in on particular days where we

42
00:02:07,190 --> 00:02:12,370
had things like application failures, DHCP Server stopped working.

43
00:02:12,370 --> 00:02:16,470
And you can double left-click these events and you can get some

44
00:02:16,470 --> 00:02:21,570
pretty detailed exception data that you may find helpful to work

45
00:02:21,570 --> 00:02:24,500
with a Microsoft support engineer, for example.

46
00:02:24,500 --> 00:02:27,220
What I like about this is that there's a Copy to

47
00:02:27,220 --> 00:02:30,570
clipboard so you can gather this out, put it in a document,

48
00:02:30,570 --> 00:02:33,640
share it with a support engineer, etc.

49
00:02:33,640 --> 00:02:36,340
Let's see, anything else that's interesting?

50
00:02:36,340 --> 00:02:40,140
Well, it looks like I need to look at my DHCP Server, number one.

51
00:02:40,140 --> 00:02:43,860
And then we've got something with a Security Intelligence Update,

52
00:02:43,860 --> 00:02:46,290
just that it was successfully installed.

53
00:02:46,290 --> 00:02:48,940
Okay, so that's Reliability Monitor.

54
00:02:48,940 --> 00:02:51,290
Next let's take a look at Performance Monitor.

55
00:02:51,290 --> 00:02:55,040
I've got another instance of Resource Monitor, let me close that.

56
00:02:55,040 --> 00:02:56,940
Here's good old perfmon.

57
00:02:56,940 --> 00:03:00,760
Now what we've got here, let me collapse these sections, three main sections.

58
00:03:00,760 --> 00:03:03,790
We've got the Performance Monitor itself,

59
00:03:03,790 --> 00:03:10,410
which is our live view, and it loads in the % Processor Time counter,

60
00:03:10,410 --> 00:03:13,860
and you can change its behavior in the Properties sheet here,

61
00:03:13,860 --> 00:03:18,500
including its appearance, the graph, how it's charting on the graph,

62
00:03:18,500 --> 00:03:19,680
and so on, and so forth.

63
00:03:19,680 --> 00:03:23,440
But let me artificially create a spike in CPU.

64
00:03:23,440 --> 00:03:25,120
Yeah, so we can see this live.

65
00:03:25,120 --> 00:03:27,650
None of this is being logged or saved.

66
00:03:27,650 --> 00:03:29,150
It gives you a live picture.

67
00:03:29,150 --> 00:03:32,450
And we can control, we can add additional counters in.

68
00:03:32,450 --> 00:03:35,100
And I had mentioned that when you're monitoring,

69
00:03:35,100 --> 00:03:38,320
it's best to monitor remotely, so we could,

70
00:03:38,320 --> 00:03:41,380
for instance, instead of looking at the local computer,

71
00:03:41,380 --> 00:03:46,060
let's say we wanted to look at the CPU of our domain controller,

72
00:03:46,060 --> 00:03:46,660
dc1.

73
00:03:46,660 --> 00:03:51,800
I can click Browse to browse the network,

74
00:03:51,800 --> 00:03:55,590
or I may be able to use a universal naming convention path here.

75
00:03:55,590 --> 00:03:58,190
Let me see if I can resolve dc1, yeah.

76
00:03:58,190 --> 00:04:01,460
And we can look here, we've got our objects,

77
00:04:01,460 --> 00:04:04,730
remember the object is at the top of the hierarchy.

78
00:04:04,730 --> 00:04:07,710
So instead of Processor, let's look at PhysicalDisk.

79
00:04:07,710 --> 00:04:12,140
And we can look at input/output statistics here.

80
00:04:12,140 --> 00:04:12,660
Avg.

81
00:04:12,660 --> 00:04:15,340
Disk Queue Length is important.

82
00:04:15,340 --> 00:04:18,170
And so the object would be PhysicalDisk,

83
00:04:18,170 --> 00:04:21,740
LogicalDisk, whatever, there's objects for both.

84
00:04:21,740 --> 00:04:23,080
Then you've got your instances.

85
00:04:23,080 --> 00:04:26,210
In this case, we've got volumes, basically,

86
00:04:26,210 --> 00:04:32,640
so we could look at Read Queue Length just for our C drive by adding that in.

87
00:04:32,640 --> 00:04:35,880
And so now we're superimposing, if we look down below,

88
00:04:35,880 --> 00:04:38,930
we've got two counters loaded in, one on MEM1,

89
00:04:38,930 --> 00:04:40,330
the other on dc1,

90
00:04:40,330 --> 00:04:45,740
and this allows you to do some comparison and contrast on multiple machines.

91
00:04:45,740 --> 00:04:49,020
Now you may want to change the way that the graph appears.

92
00:04:49,020 --> 00:04:50,640
This is useful for me.

93
00:04:50,640 --> 00:04:52,390
As a color blind person,

94
00:04:52,390 --> 00:04:56,650
you can do a Histogram bar and you also can do a Report view,

95
00:04:56,650 --> 00:05:00,380
which just gives you every second when it creates a new reading,

96
00:05:00,380 --> 00:05:03,240
it gives you a new value there.

97
00:05:03,240 --> 00:05:05,540
Okay, so that's Performance Monitor.

98
00:05:05,540 --> 00:05:12,240
The data collector set allows you to actually record and save this kind of data,

99
00:05:12,240 --> 00:05:15,140
and we have some built-in System DCSs,

100
00:05:15,140 --> 00:05:20,970
and then you have the capacity to create your own user-defined DCSs.

101
00:05:20,970 --> 00:05:21,880
Let's take a look.

102
00:05:21,880 --> 00:05:25,870
I've been running the System Performance one quite a bit.

103
00:05:25,870 --> 00:05:28,650
If I right-click and go to its properties,

104
00:05:28,650 --> 00:05:31,730
this just gives you the ability to control the

105
00:05:31,730 --> 00:05:36,040
behavior in terms of scheduling Start, scheduling Stop,

106
00:05:36,040 --> 00:05:37,950
when the Stop Condition is,

107
00:05:37,950 --> 00:05:42,170
and if you want to do automation when the data collector set stops,

108
00:05:42,170 --> 00:05:45,920
maybe export the data to a network share location,

109
00:05:45,920 --> 00:05:46,540
whatever.

110
00:05:46,540 --> 00:05:49,600
If we take a look at the components of the DCS,

111
00:05:49,600 --> 00:05:52,860
you can see in this case we've got a Performance Counter

112
00:05:52,860 --> 00:05:55,770
category that brings in a whole lot of objects.

113
00:05:55,770 --> 00:05:57,640
Look at all those stars.

114
00:05:57,640 --> 00:06:00,510
The star is a wildcard, you probably know this,

115
00:06:00,510 --> 00:06:04,280
that denotes all of the child objects underneath that level.

116
00:06:04,280 --> 00:06:09,230
So this is actually gathering a whole lot of Performance Counter data across,

117
00:06:09,230 --> 00:06:14,090
it looks like CPU, memory, disk, and network.

118
00:06:14,090 --> 00:06:18,270
And then we have a trace for looking at Windows kernel events.

119
00:06:18,270 --> 00:06:20,350
So the way this looks is if you're going to do a

120
00:06:20,350 --> 00:06:23,150
user-defined data collector set,

121
00:06:23,150 --> 00:06:26,700
you either start with a template or you could start Advanced.

122
00:06:26,700 --> 00:06:31,340
I'll call this az801, click Next.

123
00:06:31,340 --> 00:06:33,300
What is the template you want to start with?

124
00:06:33,300 --> 00:06:35,600
I'll just do Basic, click Next.

125
00:06:35,600 --> 00:06:40,560
Choose where you want the data saved, under what credential you want to use,

126
00:06:40,560 --> 00:06:44,140
and then now that you've got an empty one that's got just buckets for,

127
00:06:44,140 --> 00:06:46,680
in this case it looks like there's a Trace,

128
00:06:46,680 --> 00:06:49,440
Configuration, and Performance Counter.

129
00:06:49,440 --> 00:06:51,610
The Configuration, like I said before,

130
00:06:51,610 --> 00:06:55,110
is where you can follow registry keys; the Kernel,

131
00:06:55,110 --> 00:06:55,490
again,

132
00:06:55,490 --> 00:06:59,480
is going to be particular event providers; and Performance

133
00:06:59,480 --> 00:07:02,860
Counter allows you to get back to this dialog to look at

134
00:07:02,860 --> 00:07:05,430
local or remote performance counters.

135
00:07:05,430 --> 00:07:09,240
And then, again, you can manually start and stop these by right-clicking.

136
00:07:09,240 --> 00:07:11,750
Otherwise, you can run them on a schedule.

137
00:07:11,750 --> 00:07:16,240
You can templatize these and export them and import them.

138
00:07:16,240 --> 00:07:19,870
Notice that there's a Latest Report option. So I can right-click

139
00:07:19,870 --> 00:07:22,560
System Performance and go to Latest Report,

140
00:07:22,560 --> 00:07:25,980
and it will come down into the third section of Performance

141
00:07:25,980 --> 00:07:29,300
Monitor and it will show one of the report files.

142
00:07:29,300 --> 00:07:33,270
And it's a static picture that includes important summary

143
00:07:33,270 --> 00:07:37,740
data up on top in terms of average utilization over the

144
00:07:37,740 --> 00:07:40,110
sample time that that report ran.

145
00:07:40,110 --> 00:07:46,890
These are just very short 60-second, 77-second snapshots here in this list,

146
00:07:46,890 --> 00:07:50,450
but these reports can be awfully useful in terms of

147
00:07:50,450 --> 00:07:52,170
getting a more holistic picture.

148
00:07:52,170 --> 00:07:55,430
You want to capture what's called a baseline of your

149
00:07:55,430 --> 00:07:57,380
Windows Server system performance.

150
00:07:57,380 --> 00:07:58,640
That make sense?

151
00:07:58,640 --> 00:07:59,760
Alright, good.

152
00:07:59,760 --> 00:08:03,740
Lastly, let's go to Event Viewer and let's take a look at this.

153
00:08:03,740 --> 00:08:06,900
I wanted to show you how to set up event subscriptions

154
00:08:06,900 --> 00:08:09,340
in case that shows up on your exam.

155
00:08:09,340 --> 00:08:13,030
Now first of all, like I said, you've got your traditional Windows Logs,

156
00:08:13,030 --> 00:08:16,060
Application, Security, Setup, System,

157
00:08:16,060 --> 00:08:19,050
and then depending upon all the roles and features and

158
00:08:19,050 --> 00:08:22,210
third-party software you have installed on that server,

159
00:08:22,210 --> 00:08:25,220
you will have a number of additional logs.

160
00:08:25,220 --> 00:08:28,640
Again, all of them have the same user interface,

161
00:08:28,640 --> 00:08:32,620
so you can use your search, and create custom views,

162
00:08:32,620 --> 00:08:33,850
and so on within here.

163
00:08:33,850 --> 00:08:36,340
You can connect to remote machines.

164
00:08:36,340 --> 00:08:39,020
I'm just looking at the local machine here,

165
00:08:39,020 --> 00:08:42,110
but I can definitely make a connection across my local area

166
00:08:42,110 --> 00:08:44,840
network to another machine if I want to.

167
00:08:44,840 --> 00:08:48,160
As far as configuring subscriptions, so if I wanted to,

168
00:08:48,160 --> 00:08:52,950
for example, gather event log data from my domain controller,

169
00:08:52,950 --> 00:08:57,740
dc1, I like to use PowerShell for this, so let me show you my PowerShell.

170
00:08:57,740 --> 00:09:00,330
Let me zoom in here in VS Code.

171
00:09:00,330 --> 00:09:05,790
Here is a link to a nice tutorial that I found that gave me this code.

172
00:09:05,790 --> 00:09:11,560
Here we're using a combination of PowerShell and just old-fashioned executables.

173
00:09:11,560 --> 00:09:15,150
So the collector machine is the machine that you're going

174
00:09:15,150 --> 00:09:18,160
to use to view the collected files,

175
00:09:18,160 --> 00:09:21,660
and that would be in my case this machine that I'm on right now,

176
00:09:21,660 --> 00:09:22,510
mem1.

177
00:09:22,510 --> 00:09:24,280
I think that's what its title is.

178
00:09:24,280 --> 00:09:32,240
And wecutil qc configures ports and protocols to support that collection.

179
00:09:32,240 --> 00:09:35,570
And then on the target monitored system,

180
00:09:35,570 --> 00:09:40,350
you can verify whether Server Manager remoting is enabled with line 9,

181
00:09:40,350 --> 00:09:44,870
and you can enable it by running Configure-SMRemoting.exe -Enable,

182
00:09:44,870 --> 00:09:49,040
so that's what's called Server Manager remoting.

183
00:09:49,040 --> 00:09:51,990
And then lastly, we've got adding the client to the

184
00:09:51,990 --> 00:09:54,940
server's Event Log Readers group.

185
00:09:54,940 --> 00:09:56,300
Do you have to use PowerShell?

186
00:09:56,300 --> 00:09:58,440
No, but it's convenient.

187
00:09:58,440 --> 00:10:02,450
And so what line 13 is doing is ensuring that my mem1 computer,

188
00:10:02,450 --> 00:10:04,500
my collector, the one I'm on right now,

189
00:10:04,500 --> 00:10:08,270
is a member of the local Event Log Readers group on my

190
00:10:08,270 --> 00:10:10,000
target machine that I'm monitoring,

191
00:10:10,000 --> 00:10:13,230
dc1. And I ran that in the context of

192
00:10:13,230 --> 00:10:15,880
Invoke-Command. I did an Invoke-Command dc1,

193
00:10:15,880 --> 00:10:19,790
and then for my script block I sent it over line 13,

194
00:10:19,790 --> 00:10:20,640
okay?

195
00:10:20,640 --> 00:10:21,830
That's the setup.

196
00:10:21,830 --> 00:10:23,670
Then you create your subscription.

197
00:10:23,670 --> 00:10:27,670
So we can go to Subscriptions here in Event Viewer, create a subscription.

198
00:10:27,670 --> 00:10:31,220
Give it a name, I'll call this dc1-system-log.

199
00:10:31,220 --> 00:10:36,000
The destination log by default is Forwarded Events.

200
00:10:36,000 --> 00:10:40,640
That's one of the basic prebuilt Windows logs, but you can change that.

201
00:10:40,640 --> 00:10:44,150
This is going to be a Collector initiated, when this

202
00:10:44,150 --> 00:10:46,810
machine will query the machine and say, hey,

203
00:10:46,810 --> 00:10:53,000
you got any events for me? So I'll Select and Add Domain Computers.
