Wednesday, June 22, 2011

CHAPTER 8 (III)

If you receive the message “WS-Management could not connect to the specified destination,” verify that the Windows Remote Management service is started on the forwarding computer and that no firewall is blocking connections between the two computers.
7. Verify that the user account you configured the subscription to use has privileges on the forwarding computer. If necessary, enable failure security auditing on the remote computer as described in Chapter 4, wait for events to be forwarded, and then examine the Security event log for logon failures. In addition, you can configure the subscription temporarily to use a Domain Admin account—if the subscription works with the Domain Admin account, the source of your problem is definitely related to authentication. Troubleshoot the authentication problem and reconfigure the subscription to use the original user account.
8. If the subscription is configured to use Machine Account authentication, verify that the collecting computer’s account is a member of the forwarding computer’s Event Log Readers local group. If the subscription is configured to use a different user account, that account must be in the forwarding computer’s Event Log Readers local group.
9. Verify that the following services are started on the forwarding computer:
Windows Remote Management (WS-Management)
Windows Event Collector
10. Verify that the Windows Event Collector service is started on the collecting computer.
11. Verify Windows Firewall settings on the forwarding computer as follows:
Verify that the Windows Remote Management (HTTP-In) firewall exception is enabled.
If you are using HTTPS instead of HTTP, verify that you have created and enabled a custom firewall exception for TCP port 443.
Verify that the forwarding computer and the collecting computer are both connected to Private or Domain networks, rather than to Public networks. To verify the network profile, right-click the network icon in the system tray and then click Open Network And Sharing Center. In the Network And Sharing Center, the profile type appears after the network name. If it shows Public Network, click Customize and change the profile type to Work Network, which uses the private network profile.
12. In addition to the forwarding computer, verify that the Windows Remote Management (HTTP-In) firewall exception is enabled on the collecting computer.
13. Verify that a network firewall is not blocking traffic by testing connectivity. Because the forwarding computer must have HTTP (and possibly HTTPS) available, you can attempt to connect to it from the collecting computer by using Windows Internet Explorer—simply type http://computername (or https://computername if you are using HTTPS) in the Address bar. If the firewall on the forwarding computer is configured correctly, you receive an HTTP 404 error and Internet Explorer displays the message, “The webpage cannot be found.” If Internet Explorer displays the message, “Internet Explorer cannot display the webpage,” the firewall exception on the forwarding computer has not been enabled.
14. Verify that the event query is valid by performing these steps:
a. View the subscription properties, and click Select Events.
b. Select the XML tab, select the contents of the query, and press Ctrl+C to copy it to the Clipboard.
c. Open a second instance of Event Viewer. Right-click Event Viewer, and then click Connect To Another Computer. Select the forwarding computer, and then click OK.
d. Right-click Custom Views, and then click Create Custom View.
e. In the Create Custom View dialog box, select the XML tab. Select the Edit Query Manually check box, and click Yes when prompted.
f. Click the query box and press Ctrl+V to paste the query. Then click OK.
g. The new custom view appears and shows the matching events. If any events have appeared since you created the event forwarder, they should have been forwarded.
If there are no new events, the problem is with your forwarding criteria. Try creating a custom view that matches the events that you want to forward and then importing that into a new subscription.
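The checks in the list above can be run from the collecting computer without clicking through each console. The following PowerShell script is an added example, not part of the book; it assumes the forwarding computer is named FORWARDER01 and the subscription is named as in the practice below (both placeholders), and that you run it from an elevated prompt on the collecting computer.

```powershell
# Added example (not from the book): collector-side checks mirroring the
# troubleshooting list. Run in an elevated PowerShell prompt on the collector.
param(
    [string]$Forwarder    = 'FORWARDER01',                         # assumed placeholder name
    [string]$Subscription = 'Windows Defender Warnings And Errors'  # subscription from the practice
)

# Steps 9 and 10: required services on each side. Get-Service -ComputerName uses
# RPC, so a failure here can itself point at a firewall or name-resolution problem.
Get-Service -Name wecsvc | Select-Object Name, Status
Get-Service -ComputerName $Forwarder -Name WinRM | Select-Object MachineName, Name, Status

# Steps 11 to 13: can the collector reach the forwarder's WinRM listener over HTTP?
# This fails when the listener is missing or the Windows Remote Management
# (HTTP-In) exception is not enabled on the forwarding computer.
try {
    Test-WSMan -ComputerName $Forwarder -ErrorAction Stop | Out-Null
    Write-Host "WinRM listener on $Forwarder is reachable"
} catch {
    Write-Warning "Cannot reach WinRM on ${Forwarder}: $($_.Exception.Message)"
}

# Step 8: is the collector's machine account in the forwarder's Event Log Readers
# group? The WinNT ADSI provider works against a remote Windows 7 computer with
# administrative rights and does not require PowerShell remoting. Assumption:
# the provider lists a computer account as NAME$ (trailing dollar sign).
$group   = [ADSI]"WinNT://$Forwarder/Event Log Readers,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
$collectorAccount = $env:COMPUTERNAME + '$'
if ($members -contains $collectorAccount) {
    Write-Host "$collectorAccount is a member of Event Log Readers on $Forwarder"
} else {
    Write-Warning "$collectorAccount is NOT in Event Log Readers on $Forwarder (members: $($members -join ', '))"
}

# Subscription definition and per-source runtime status (last error, last heartbeat).
wecutil gs "$Subscription"
wecutil gr "$Subscription"

# Step 14: have any matching events actually arrived in the ForwardedEvents log yet?
$recent = Get-WinEvent -FilterHashtable @{
    LogName = 'ForwardedEvents'; ProviderName = 'Microsoft-Windows-Windows Defender'
} -MaxEvents 5 -ErrorAction SilentlyContinue
if ($recent) {
    $recent | Select-Object TimeCreated, MachineName, Id, LevelDisplayName | Format-Table -AutoSize
} else {
    Write-Warning "No Windows Defender events in ForwardedEvents yet; wait up to 15 minutes and re-run"
}
```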
PRACTICE Forward Events Between Computers
In this practice, you configure event forwarding between two computers using the default settings.
EXERCISE 1
Configuring a Computer to Collect Events
In this exercise, you configure a computer to collect events.
1. Log on to the computer running Windows 7 that you want to use to collect events using a domain account with administrative privileges.
2. Open an elevated command prompt by clicking Start, typing cmd, and pressing Ctrl+Shift+Enter.
3. At the command prompt, run the following command to configure the Windows Event Collector service:
wecutil qc
4. When prompted to change the service startup mode to Delay-Start, type Y, and then press Enter.
EXERCISE 2
Configuring a Computer to Forward Events
In this exercise, you configure a computer running Windows 7 to forward events to the collecting computer. To complete this exercise, you must have completed Exercise 1.
1. Log on to the computer running Windows 7 that you want to use to forward events using a domain account with administrative privileges.
2. Open an elevated command prompt by clicking Start, typing cmd, and pressing Ctrl+Shift+Enter.
3. At the command prompt, run the following command to configure the Windows Remote Management service:
winrm quickconfig
4. When prompted to change the service startup mode, type Y, and then press Enter.
5. When prompted to create the WinRM listener and enable the firewall exception, type Y and then press Enter.
6. Verify that you have updated the Windows Firewall configuration by following these steps:
a. Click Start and then click Control Panel.
b. Click the System And Security link.
c. Click the Windows Firewall link.
d. Click the Advanced Settings link.
e. Select the Inbound Rules node.
f. In the Details pane, verify that the Windows Remote Management (HTTP-In) exception is enabled for the Domain and Private profiles.
7. Verify that the Windows Remote Management service is configured to start automatically by following these steps:
a. Click Start, type services.msc, and then press Enter.
b. In the Services console, select the Windows Remote Management (WS-Management) service. Verify that it is started and that the Startup Type is set to Automatic (Delayed Start).
8. Now you need to grant the collecting computer permission to read this computer’s event log. If you skipped this step, you would need to configure the subscription to use an administrative user account. To grant access to the collecting computer account, perform these steps:
a. Click Start, right-click Computer, and then click Manage.
b. Under System Tools, expand Local Users And Groups. Then, select Groups.
c. Double-click Event Log Readers.
d. In the Event Log Readers Properties dialog box, click Add.
e. In the Select Users, Computers, Service Accounts, Or Groups dialog box, click Object Types. By default, it searches only Users and Groups. However, we need to add the collecting computer account. Select the Computers check box and clear the Groups, Users, and Service Accounts check boxes. Click OK.
f. In the Select Users, Computers, Or Groups dialog box, type the name of the collecting computer. Then, click OK.
g. Click OK again to close the Event Log Readers Properties dialog box.
EXERCISE 3
Configuring an Event Subscription
In this exercise, you create an event subscription to gather events from the forwarding computer. To complete this exercise, you must have completed Exercises 1 and 2.
1. Log on to the computer running Windows 7 that you want to use to collect events using a domain account with administrative privileges.
2. Click Start, right-click Computer, and then click Manage.
3. In the Computer Management console, expand System Tools, expand Event Viewer, right-click Subscriptions, and then click Create Subscription.
4. In the Event Viewer dialog box, click Yes to configure the Windows Event Collector service (if prompted).
The Subscription Properties dialog box appears.
5. In the Subscription Name box, type Windows Defender Warnings And Errors.
6. Click Select Computers. In the Computers dialog box, click Add Domain Computers. Type the name of the computer that will be forwarding events, and then click OK. In the Computers dialog box, click Test to verify that you can connect to the forwarding computer. Click OK twice.
7. Click Select Events. In the Query Filter dialog box, select the Error, Critical, Warning, and Information check boxes. Click By Source. Then, click the Event Sources list and select Windows Defender (as shown in Figure 8-4). Click OK.

FIGURE 8-4 Configuring the Query Filter to forward important Windows Defender events
8. Click Advanced to open the Advanced Subscription Settings dialog box. Note that it is configured to use the Machine Account by default. This works because we have added this computer’s domain account to the forwarding computer’s Event Log Readers local group. Also, note that the subscription is configured by default to use Normal Event Delivery Optimization using the HTTP protocol. Click OK.
9. In the Subscription Properties dialog box, click OK.
10. Next, generate a Windows Defender event on the forwarding computer by following these steps:
a. Log on to the forwarding computer.
b. Click Start and type Defender. On the Start menu, click Scan For Spyware And Other Potentially Unwanted Software. Windows Defender scans the computer and adds an event to the event log.
11. While still using the forwarding computer, open Event Viewer and check the Applications And Services Logs\Microsoft\Windows\Windows Defender\Operational log. You should see several Informational events with a source of Windows Defender.
12. Using the collecting computer, select the Forwarded Events event log. If you don’t see the Windows Defender event immediately, wait a few minutes—it might take up to 15 minutes for the event to appear.
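The subscription built through the dialogs in Exercise 3 can also be created from a subscription file with wecutil, which makes it repeatable across collectors. The script below is an added example, not the book's own; it assumes the forwarding computer's FQDN is FORWARDER01.contoso.com (a placeholder) and that Exercises 1 and 2 are complete.

```powershell
# Added example (not from the book): Exercise 3's subscription as a wecutil
# subscription file. Run in an elevated prompt on the collecting computer.
$forwarder = 'FORWARDER01.contoso.com'   # assumed placeholder: the forwarding computer's FQDN

# Element choices that mirror the dialog settings in the exercise:
#   ConfigurationMode Normal = "Normal Event Delivery Optimization"
#   TransportName HTTP       = the default transport (HTTPS needs a listener with a certificate)
#   CredentialsType Default  = Machine Account, which is why the collector's computer
#                              account had to join the forwarder's Event Log Readers group
# The query matches Critical(1), Error(2), Warning(3) and Information(4) events from
# the Windows Defender provider; Level=0 also catches events logged without a level.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Windows Defender Warnings And Errors</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Windows Defender warnings and errors from $forwarder</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
        <Select Path="Microsoft-Windows-Windows Defender/Operational">
          *[System[Provider[@Name='Microsoft-Windows-Windows Defender'] and
            (Level=0 or Level=1 or Level=2 or Level=3 or Level=4)]]
        </Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>$forwarder</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@

$path = Join-Path $env:TEMP 'defender-subscription.xml'
Set-Content -Path $path -Value $subscriptionXml -Encoding UTF8

wecutil cs $path                                    # create the subscription from the file
wecutil gr "Windows Defender Warnings And Errors"   # per-source status: Active, or the last error
```

If the runtime status shows an error for the source, the checks in the troubleshooting list apply unchanged; after fixing the cause, wecutil rs "Windows Defender Warnings And Errors" retries the subscription without waiting for the next interval.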
Lesson Summary
Event forwarding uses HTTP by default, allowing it to pass easily through most firewalls. You can also configure event forwarding to use HTTPS. However, communications are encrypted even with standard HTTP.
To configure event forwarding in a domain, run the winrm quickconfig command at the forwarding computer and run the wecutil qc command on the collecting computer.
Then, add the collecting computer’s account to the forwarding computer’s Event Log Readers group.
To configure event forwarding in a workgroup, follow the same steps that you would in a domain. In addition, you need to add a Windows Firewall exception for the Remote Event Log Management service on each forwarding computer, add a user account with administrator privileges to the forwarding computer’s Event Log Readers group, and run the winrm set command to configure the collecting computer to trust the forwarding computers.
To troubleshoot event forwarding, verify that you have waited long enough and that subscriptions are active, check the Windows Remote Management configuration on both the forwarding and collecting computers, and verify that the user account you specified for the subscription is a member of the forwarding computer’s Event Log Readers group.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 1, “Forwarding Events.” The questions are also available on the companion CD if you prefer to review them in electronic form.
NOTE: ANSWERS
Answers to these questions and explanations of why each answer choice is correct or incorrect are located in the “Answers” section at the end of the book.
1. When starting with the default configuration of a computer, which of the following steps are required to enable event forwarding? (Choose all that apply.)
A. Start the Windows Remote Management service on the forwarding computer.
B. Start the Windows Remote Management service on the collecting computer.
C. Configure Microsoft Internet Information Services (IIS) on the forwarding computer.
D. Enable a Windows Firewall exception on the forwarding computer.
E. Nothing is required; event forwarding is enabled by default.
2. Which tool would you use to configure a subscription to use a 10-minute interval?
A. Event Viewer
B. Winrm
C. Wecutil
D. Wevutil
3. What is the standard interval for a subscription with a bandwidth optimization setting of Minimize Latency?
A. 30 seconds
B. 15 minutes
C. 30 minutes
D. 6 hours
4. Which of the following tasks do you need to perform in an AD DS domain environment to enable a computer to collect events from another computer?
A. Run the following command on the collecting computer: winrm set winrm/config/client @{TrustedHosts="<forwarding_computers>"}.
B. Run the following command on the forwarding computer: winrm set winrm/config/client @{TrustedHosts="<collecting_computers>"}.
C. Add the forwarding computer’s machine account to the Event Log Readers local group.
D. Add the collecting computer’s machine account to the Event Log Readers local group.
Lesson 2: Troubleshooting Performance Problems
When a user experiences a performance problem, you need to know how to identify the source of the problem quickly and, if necessary, resolve it. Fortunately, Windows 7 provides Task Manager to give you an overview of system performance. Task Manager also allows you to change the priority and affinity of a process to limit the processing resources it can consume. With Performance Monitor, you can examine thousands of details about system and application performance in real time, or log the data for later analysis.
Data collector sets create a snapshot of a system’s state, storing detailed information about a computer’s configuration for later analysis. If you identify disk input/output time as the source of a performance problem, you might be able to resolve it by freeing up disk space and defragmenting the disk. For mobile computers, you must consider settings that compromise system performance in favor of extended battery life. If a problem seems to be related to a startup service or application, you can use the System Configuration tool to selectively disable startup processes until you identify the process causing the problem.
After this lesson, you will be able to:
Use Task Manager to examine system performance and control individual processes.
Use Performance Monitor to examine real-time statistics and compare logged data to a performance baseline.
Use data collector sets to generate reports that provide detailed information about a computer’s configuration and the problems it’s experiencing.
Troubleshoot disk performance problems by freeing wasted disk space.
Adjust how mobile computers optimize performance and battery life to meet users’ needs.
Use the System Configuration tool to disable startup services and applications selectively.
Estimated lesson time: 45 minutes
Task Manager
Task Manager is the quickest way to identify common performance problems. Windows 7 makes it easy to open Task Manager even if the user interface isn’t responding correctly.
You can open Task Manager in the following ways:
Right-click the taskbar or the system clock and then click Start Task Manager.
Press Ctrl+Alt+Del, and then click Start Task Manager. You can do this even if the user interface is completely non-responsive.
Task Manager has six tabs:
Applications A list of applications open by the current user. You can close an application by clicking it and then clicking End Task. If the Start menu is not working, you can start a new application by clicking New Task. If the Windows Explorer interface is not open, you can click New Task and then run Windows Explorer to open it.
Processes A list of processes open by the current user. You can view processes open by all users by clicking Show Processes From All Users. You can quickly identify the process that is using the most processor time by clicking the CPU column header to sort the processes by processor utilization. To end a process, select the process and then click End Process. Ending a process is particularly useful when a non-responsive application is consuming all the processor time and slowing the computer down.
Services Lists all the services on the computer, running or stopped. You can start and stop services by right-clicking the service. This tab provides similar functionality to the Services console, but with the convenience of Task Manager.
Performance Shows current processor and memory utilization. If a computer seems slow, open the Performance tab to determine whether processor or memory utilization is causing the problem. If processor utilization is causing the problem, one or more of the processors in the CPU Usage History chart will be at 100%, as the first processor is in Figure 8-5. If memory utilization is causing the problem, the value shown in the Memory chart will be close to the Total value shown in the Physical Memory group.

FIGURE 8-5 Task Manager shows processor and memory utilization.
Networking Charts the network utilization of each network interface. Use this tab to determine whether a slow network might be caused by an application using all the available bandwidth. Wired network connections typically do not support more than 70% utilization; therefore, a wired network at 65% utilization can be considered completely saturated. Available bandwidth for wireless network connections varies, but is typically around 35% as shown by the charts on the Networking tab.
Users Lists the users currently logged on to the computer. The sections that follow discuss how to perform different tasks with Task Manager.
How Windows Shares Processor Time Between Applications
To understand how to troubleshoot performance, you must know how applications, processes, and threads relate. An application or service typically has a single process associated with it, though some applications or services might start multiple processes. Threads run within processes. Every application has at least one thread, and it might start multiple threads. Some applications might use hundreds of threads.
A processor (or processor core) can only run one thread at a time. A computer with one processor can still run multiple applications, however, because Windows switches the processor between different processes and threads. Higher-priority threads receive more processor time than lower-priority threads.
Today, most new computers have processors with multiple cores. Each processor core functions like a separate processor. If you view the Performance tab of Task Manager, the CPU Usage graph shows the total utilization across all processors, and the CPU Usage History graph shows a separate graph for each processor core. If you see only one graph in the CPU Usage History box, click the View menu, click CPU History, and then click One Graph Per CPU.
One of the most important tasks Windows performs is distributing processor time. With multiple applications running, many having multiple threads, and multiple processor cores, the task of distributing processor time can be very complicated. Fortunately, as Figure 8-6 illustrates, Windows handles it automatically, and you rarely need to adjust the default settings.
FIGURE 8-6 Windows assigns threads processor time.
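The same process, thread, priority and affinity data that Task Manager displays can be read from PowerShell, which makes the relationships described above concrete. The script below is an added example, not from the book; it assumes nothing beyond a Windows 7 or later PowerShell prompt, and the function names are my own.

```powershell
# Added example (not from the book): processes, their threads, and the cores
# and priority Task Manager's Set Priority / Set Affinity commands control.
function Get-AffinityCores {
    # Decode a ProcessorAffinity bitmask into the core numbers the process may run on.
    param([IntPtr]$Mask, [int]$CoreCount)
    $bits = $Mask.ToInt64()
    0..($CoreCount - 1) | Where-Object { ($bits -band [int64][math]::Pow(2, $_)) -ne 0 }
}

function Get-ProcessSchedulingReport {
    param([int]$Top = 10)
    $ErrorActionPreference = 'SilentlyContinue'   # property reads return null on other users' processes
    $coreCount = [int]$env:NUMBER_OF_PROCESSORS   # one CPU Usage History graph per core
    Get-Process |
        Sort-Object CPU -Descending |             # same order as clicking Task Manager's CPU column
        Select-Object -First $Top |
        ForEach-Object {
            $mask = $_.ProcessorAffinity
            $coreList = if ($mask -ne $null) { (Get-AffinityCores $mask $coreCount) -join ',' } else { 'n/a' }
            New-Object PSObject -Property @{
                Name          = $_.ProcessName
                Id            = $_.Id
                CpuSeconds    = [math]::Round([double]$_.CPU, 1)
                Threads       = $_.Threads.Count   # every process owns at least one thread
                PriorityClass = $_.PriorityClass   # what Set Priority changes; null if access is denied
                Cores         = $coreList          # what Set Affinity changes; a core runs one thread at a time
            }
        } |
        Format-Table Name, Id, CpuSeconds, Threads, PriorityClass, Cores -AutoSize
}

Get-ProcessSchedulingReport -Top 10
```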