Friday, June 16, 2006 5:45 PM
mika
My TechEd top 4 & Network Monitor 3
I'm sitting on the last stint on the TLC at TechEd 2006. There have been quite a number of people who found this area and us technical experts here.
Thanks everyone for coming!
Over these five days, the most common questions and some additional info for myself were:
1) Group Policy processing problems
You can find a basic flowchart for troubleshooting in Figure 1 of the white paper entitled "Troubleshooting Group Policy in Microsoft Windows Server". You can also test your understanding of Group Policy processing by checking the little flowchart displayed in this figure to see whether you know what all the different reasons for problems mean. Derek Melber just presented session MGT425 here on this topic. You can also find additional information on our book 
The first option I tend to use most often for GP troubleshooting is to open rsop.msc. The right (or secondary) mouse button is useful in this tool. A more advanced way of troubleshooting Group Policy is to use the different log options available. I detail here the steps to enable the UserEnv log and a (free!) tool to interpret it. I can say that I learned my group policy skills with this log file.
I wish Policy Reporter would have been available in 1999 or that I would have found it then.
1. Either use http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833 to set the UserEnvDebugLevel registry setting OR perform steps 2-7
2. Download GPO Logging ADM Template from http://www.gpoguy.com/Tools.htm#EventLogADM.
3. Extract gpolog.adm from the zip file.
4. Open gpedit.msc (GPOE) on the machine you want to start monitoring.
5. Add the template into GPOE (right-click Administrative Templates > Add/Remove Templates… > Add… > pick the gpolog.adm)
6. In the View menu, select Filtering… uncheck setting “Only show policies that can be fully managed”
7. Open Local Computer Policy\Administrative Templates\System\Group Policy\Logging
   Enable UserEnv.Log logging of policy (and profiles) with Verbose logging.
8. Restart the computer.
9. Log file userenv.log is created in %Windir%\Debug\UserMode.
10. In order to interpret this file, download Policy Reporter from http://www.sysprosoft.com/policyreporter.shtml.
11. Install Policy Reporter and start it.
The new version of Policy Reporter even displays the processing delays. Obviously, you have to run these steps as an administrator. I use runas most of the time.
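The processing delays mentioned above can also be pulled out of userenv.log directly. The Python below is an added example, not part of the original post and not Policy Reporter's code: it assumes the line layout `USERENV(pid.tid) HH:MM:SS:mmm Function: message`, and the sample lines, function names and the 2-second threshold are constructed for illustration.

```python
import re

# Assumed userenv.log layout: USERENV(pid.tid) HH:MM:SS:mmm Function: message
LINE_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-fA-F]+)\.(?P<tid>[0-9a-fA-F]+)\)\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}):(?P<ms>\d{3})\s+"
    r"(?P<func>\w+):\s*(?P<msg>.*)$"
)
DAY_MS = 24 * 60 * 60 * 1000

def parse_line(line):
    """Return a dict for one log entry, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    secs = (int(m["h"]) * 60 + int(m["m"])) * 60 + int(m["s"])
    return {"thread": (m["pid"], m["tid"]), "ms": secs * 1000 + int(m["ms"]),
            "func": m["func"], "msg": m["msg"]}

def find_delays(lines, threshold_ms=2000):
    """Gaps between consecutive entries of the same thread, largest first.

    Entries are compared per thread because threads interleave in the file.
    The log carries no date, so a gap is taken modulo 24 h to survive a
    midnight rollover.
    """
    last, delays = {}, []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # blank, truncated or foreign line
        prev = last.get(entry["thread"])
        if prev is not None:
            gap = (entry["ms"] - prev["ms"]) % DAY_MS
            if gap >= threshold_ms:
                delays.append((gap, prev, entry))
        last[entry["thread"]] = entry
    return sorted(delays, key=lambda d: d[0], reverse=True)

# Constructed sample, not taken from a real machine.
SAMPLE = """\
USERENV(2c8.2cc) 10:24:31:078 ProcessGPOs: Starting computer Group Policy processing...
USERENV(2c8.2cc) 10:24:31:093 EnterCriticalPolicySectionEx: Entering with timeout 600000
USERENV(2c8.5f0) 10:24:33:500 LoadUserProfile: Entering
USERENV(2c8.5f0) 10:24:33:890 LoadUserProfile: Leaving with a value of 1.
USERENV(2c8.2cc) 10:24:52:640 MyGetUserName: GetUserNameEx failed
USERENV(2c8.2cc) 10:24:52:703 ProcessGPOs: Computer Group Policy has been applied.
""".splitlines()

if __name__ == "__main__":
    for gap, before, after in find_delays(SAMPLE):
        print(f"{gap / 1000:.3f}s between {before['func']} and {after['func']}")
```

The entries on either side of a long gap show which step of policy processing stalled, which is where to look next (for example at name resolution).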
Other well-hidden gems worth mentioning are the 32 GPMC scripts (found in %ProgramFiles%\GPMC\Scripts after installing GPMC) that many haven't found yet. They are great for backing up GPOs and documenting them.
2) Active Directory DCs on 64-bit architecture
You can find a recent white paper entitled "Active Directory Performance for 64-bit Versions of Windows Server 2003" on this topic. Microsoft's recommendation is to start considering converting existing environments to 64-bit architecture when the size of your AD database exceeds 2.75 GB.
3) Problems with a large number of group memberships
Another question that we discussed with several attendees had to do with the maximum Kerberos token size, which may become an issue (e.g. KB 327825) in larger environments. Good information is available at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx. You can download a command-line tool called TokenSz to see the current token and to diagnose it further.
4) DNS problems
DNS, being the cornerstone of an Active Directory network, is very often the culprit for various problems (authentication, replication, GP processing etc.). There is plenty of information available on many sites. The best troubleshooting tip is to get it right the first time, i.e. knowing what you are doing when configuring the DNS service. In case you are having problems, you might want to start with the TechNet Support WebCast: Troubleshooting DNS @ http://support.microsoft.com/?kbid=905900 and the DCDIAG tool to pinpoint your problems.
Network Monitor III
The most exciting tool I've seen this week was Microsoft Network Monitor III. For many problems and troubleshooting them, I often use Network Monitor 2.0 (either the one included in Windows Server operating systems or the full version from SMS 2003). The new version 3.0 will become available in a limited beta at the end of the summer. Some of the features that we saw today were:
- Capturing multiple interfaces simultaneously
- Dynamic display filters
- Configurable parsers
- Only network monitor tool to work on Windows Vista
I'm looking forward to the beta programme and the launch of the tool - when it's going to be ready.
That's all for now. Regards to everyone and thanks! This was my second TechEd and the first in the U.S. It was also the best TechEd so far.