Chapter 15
Performing System Recovery Functions

MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER

Recover systems and user data.
- Recover systems and user data by using Windows Backup.
- Troubleshoot system restoration by using Safe Mode.
- Recover systems and user data by using the Recovery Console.

Copyright © 2000 SYBEX Inc., Alameda, CA. www.sybex.com

System recovery is the process of making your computer work again in the event of failure. In this chapter, you will learn how to safeguard your computer and how to recover from a disaster. The benefit of having a disaster recovery plan is that when you expect the worst to happen and are prepared for it, you can easily recover from most system failures.

One utility that you can use to diagnose system problems is Event Viewer. Through the Event Viewer utility, you can see logs that list events related to your operating system and applications.

If your computer will not boot, an understanding of the Windows 2000 boot process will help you identify the area of failure and correct the problem. You should know the steps in each stage of the boot process, the function of each boot file, and how to edit the BOOT.INI file.

When you have problems starting Windows 2000, you can press F8 when prompted during the boot sequence. This calls up the Windows 2000 Advanced Options menu, which is new to Windows 2000. This menu includes several special boot options, such as Safe Mode and Last Known Good Configuration, which are useful for getting your system started so you can track down and correct problems.

Startup and Recovery options are used to specify how the operating system will react in the event of system failure. For example, you can specify whether or not the system should automatically reboot and whether or not administrative alerts should be sent.

You can use the Dr. Watson utility, which ships with Windows 2000 Professional, to diagnose application errors. When an application error occurs, Dr. Watson starts automatically, displaying information about the error.

If you cannot boot the operating system and your CD-ROM is not accessible, you can recover by using the Windows 2000 Professional Setup Boot Disks. After you've created these setup disks, you can use them to reinstall Windows 2000, start the Recovery Console, or access your Emergency Repair Disk.

Backups are the best protection you can have against system failure. You can create backups through the Windows Backup utility. The Windows Backup utility offers options to run the Backup Wizard, run the Restore Wizard, and create an Emergency Repair Disk.

Another option that experienced administrators can use to recover from a system failure is the Recovery Console. The Recovery Console boots your computer so that you have limited access to FAT16, FAT32, and NTFS volumes.

In this chapter, you will learn how to use the Windows 2000 Professional system recovery functions. We'll begin with an overview of the techniques you can use to protect your computer and recover from disasters.

Safeguarding Your Computer and Recovering from Disaster

One of the worst events you will experience is a computer that won't boot. An even worse experience is discovering that there is no recent backup for that computer.

The first step in preparing for disaster recovery is to expect that a disaster will occur at some point and take proactive steps before the failure to plan your recovery. The following are some of the preparations you can make:

- Perform regular system backups.
- Use virus-scanning software.
- Perform regular administrative functions, such as monitoring the logs in the Event Viewer utility.

Microsoft Exam Objective
Recover systems and user data.
- Recover systems and user data by using Windows Backup.
- Troubleshoot system restoration by using Safe Mode.
- Recover systems and user data by using the Recovery Console.

In the event that the dreaded day arrives and your system fails, there are several processes you can analyze and Windows 2000 utilities that you can use to help you get up and running. These options are summarized in Table 15.1.

TABLE 15.1 Windows 2000 Professional Recovery Techniques

| Recovery Technique | When to Use |
|---|---|
| Event Viewer | If the Windows 2000 operating system can be loaded through normal or Safe Mode, one of the first places to look for hints about the problem is Event Viewer. Event Viewer displays System, Security, and Application logs. |
| Safe Mode | This is generally your starting point for system recovery. Safe Mode loads the absolute minimum of services and drivers that are needed to boot Windows 2000. If you can load Safe Mode, you may be able to troubleshoot devices or services that keep Windows 2000 from loading normally. |
| Last Known Good Configuration | You can use this option if you made changes to your computer and are now having problems. Last Known Good Configuration is an Advanced Options menu item that you can select during startup. It loads the configuration that was used the last time the computer booted successfully. This option will not help if you have hardware errors. |
| Windows 2000 Professional Setup Boot Disks | You can use this option if you suspect that Windows 2000 is not loading due to missing or corrupt boot files. This option allows you to load all the Windows 2000 boot files. If you can boot from a boot disk, you can restore the necessary files from the Emergency Repair Disk. |
| Emergency Repair Disk (ERD) | You can use this option if you need to correct configuration errors or to repair system files. The ERD can be used to repair problems that prevent your computer from starting. The ERD stores portions of the Registry, the system files, a copy of your partition boot sector, and information that relates to the startup environment. |
| Dr. Watson | You can use this utility if you are experiencing problems with an application. Dr. Watson is used to diagnose and troubleshoot application errors. |
| Windows Backup | You should use this utility to safeguard your computer. Through the Backup utility, you can create an ERD, back up the system or parts of the system, and restore data from backups that you have made. |
| Recovery Console | You can use this option if none of the other options or utilities works. The Recovery Console starts Windows 2000 without the graphical interface and allows the administrator limited capabilities, such as adding or replacing files and enabling and disabling services. |

All of these Windows 2000 Professional recovery techniques are covered in detail in this chapter.

Using Event Viewer

You can use the Event Viewer utility to track information about your computer's hardware and software, as well as to monitor security events. All of the information that is tracked is stored in three types of log files:

- The System log tracks events that relate to the Windows 2000 operating system.
- The Security log tracks events that are related to Windows 2000 auditing.
- Application logs track events that are related to applications that are running on your computer.

You can access Event Viewer by selecting Start > Settings > Control Panel > Administrative Tools > Event Viewer. Alternatively, right-click My Computer, select Manage from the pop-up menu, and access Event Viewer under System Tools.
From Event Viewer, select the log you want to view. Figure 15.1 shows Event Viewer with the System log displayed.

FIGURE 15.1 A System log in Event Viewer

You can also add Event Viewer as a Microsoft Management Console (MMC) snap-in. Adding MMC snap-ins is covered in Chapter 4, "Configuring the Windows 2000 Environment."

In the log file, you will see all of the events that have been recorded. By default, you see the oldest events at the bottom of the screen and the newest events at the top of the screen. This can be misleading in troubleshooting, since one error can precipitate other errors. You should always resolve the oldest errors first. To change the default listing order, click one of the three logs and select View > Oldest First.

The following sections describe how to view events and manage logs.

Reviewing Event Types

The Event Viewer logs display five event types, denoted by their icons. Table 15.2 describes each event type.

TABLE 15.2 Event Viewer Log Events

| Event Type | Icon | Description |
|---|---|---|
| Information | White dialog bubble with blue I | Informs you of the occurrence of a specific action, such as a system shutting down or starting. Information events are logged for informative purposes. |
| Warning | Yellow triangle with black exclamation point | Indicates that you should be concerned with the event. Warning events may not be critical in nature but may be indicative of future errors. |
| Error | Red circle with white X | Indicates the occurrence of an error, such as a driver failing to load. You should be very concerned with Error events. |
| Success Audit | Yellow key | Indicates the occurrence of an event that has been audited for success. For example, a Success Audit event is a successful logon when system logons are being audited. |
| Failure Audit | Yellow lock | Indicates the occurrence of an event that has been audited for failure. For example, a Failure Audit event is a failed logon due to an invalid username and/or password when system logons are being audited. |

Getting Event Details

Clicking an event in an Event Viewer log file brings up the Event Properties dialog box, which shows details about the event. An example of the Event Properties dialog box for an Information event is shown in Figure 15.2. Table 15.3 describes the information that appears in this dialog box.

FIGURE 15.2 The Event Properties dialog box

TABLE 15.3 Event Properties Dialog Box Items

| Item | Description |
|---|---|
| Date | The date that the event was generated |
| Time | The time that the event was generated |
| Type | The type of event that was generated: Information, Warning, Error, Success Audit, or Failure Audit |
| User | The name of the user that the event is attributed to, if applicable (not all events are attributed to a user) |
| Computer | The name of the computer on which the event occurred |
| Source | The software that generated the event (e.g., operating system components or drivers) |
| Category | The source that logged the event (this field will say None until this feature has been fully implemented in Windows 2000) |
| Event ID | The event number specific to the type of event that was generated (e.g., a print error event has the event ID 45) |
| Description | A detailed description of the event |
| Data | The binary data generated by the event (if any; some events do not generate binary data) in hexadecimal bytes or DWORD format (programmers can use this information to interpret the event) |

Managing Log Files

Over time, your log files will grow, and you will need to decide how to manage them. You can clear a log file for a fresh start. You may want to save the existing log file before you clear it, to keep that log file available for reference or future analysis.

To clear all log file events, right-click the log you wish to clear and choose Clear All Events from the pop-up menu. Then specify whether or not you want to save the log before it is cleared.

If you just want to save an existing log file, right-click that log and choose Save Log File As. Then specify the location and name of the file.

To open an existing log file, right-click the log you wish to open and choose Open Log File. Then specify the name and location of the log file and click the Open button.

Setting Log File Properties

Each Event Viewer log has two sets of properties associated with it:

- General properties control items such as the log filename, its maximum size, and the action to take when the log file reaches its maximum size.
- Filter properties specify which events are displayed.

To access the log Properties dialog box, right-click the log you want to manage and select Properties from the pop-up menu. The following sections describe the properties available on the General and Filter tabs of this dialog box.

General Properties

The General tab of the log Properties dialog box, shown in Figure 15.3, displays information about the log file and includes options to control its size. Table 15.4 describes the properties on the General tab.

[...]

... Configuration option

Using Startup and Recovery Options

The Startup and Recovery options are used to specify the default operating system that is loaded and specify which action should be taken in the event of system failure. You can access the Startup and Recovery options from your Desktop by...
... sections describe the steps in each boot process stage, the files used, and the errors that might occur.

Finding the Boot Process Files

Most of the boot process files reside in the root of the system partition. In the Windows 2000 Professional documentation, you will see the terms system partition and boot partition. The system partition is the...

... Startup and Recovery button. Alternatively, select Start > Settings > Control Panel > System > Advanced > Startup and Recovery. You will see the dialog box shown in Figure 15.10.

FIGURE 15.10 The Startup and Recovery dialog box

The options that can be specified through the Startup and Recovery dialog box are described in Table 15.8.

TABLE 15.8 Startup and Recovery Options

| Option | Description |
|---|---|
| Default Operating System | Specifies... |

Using Advanced Startup Options

The Windows 2000 advanced startup options can be used to troubleshoot errors that keep Windows 2000 Professional from successfully booting.

Microsoft Exam Objective
Recover systems and user data.
- Troubleshoot system restoration by using Safe Mode.

To access the Windows 2000...

... attached to the controller and will always be a 0 or a 1. On a SCSI system, this is the ordinal number of the SCSI drive.

partition (z): Specifies the partition number that contains the operating system files. The first partition is always 1.

As an example, the BOOT.INI file shown in Figure 15.5 contains...

... for Known File Types and Hide Protected Operating System Files (Recommended) check boxes, as shown in Figure 15.6.

FIGURE 15.6 The View tab of the Folder Options dialog box

5. You see a dialog box with a warning about displaying protected operating system files. Click the Yes button to display these...

... computer's active partition where the files needed to boot the operating system are stored. This is typically the C: drive. The boot partition refers to the partition where the system files are stored. You can place the system files anywhere. The default folder for the system files is \WINNT and is referred to as the variable Windir. The system partition and boot partition can be on the same partition or on...

... Viruses that are specifically designed to infect the MBR can corrupt it. You can protect your system from this type of error by using virus-scanning software. Also, most virus-scanning programs can correct an infected MBR.

No partition is marked as active. This can happen if you used the FDISK utility...

... of the files that reside at the root of C: and their current file attributes.

3. Type ATTRIB BOOT.INI -S -H and press Enter to remove the System and Hidden file attributes.

4. Type EDIT BOOT.INI and press Enter to execute the EDIT program and open the BOOT.INI file for editing.

5. When you're finished...

... partition. This file is located in the root of the system partition. It has the file attributes of System and Hidden.

BOOTSECT.DOS is an optional file that is loaded if you choose to load an operating system other than Windows 2000. It is only used in dual-boot or multi-boot computers. This file is located in the root of the system partition. It has the file attributes of System and Hidden.
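
The Event Viewer section's advice to resolve the oldest errors first, worked through as an added example that is not part of the original chapter: it reads a log saved as comma-delimited text, orders it oldest first, and returns the first Error together with the Error and Warning events that follow it closely, plus any Failure Audit events. The column order, the five-minute window, the function names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Assumed column order for a log saved from Event Viewer as comma-delimited
# text; it mirrors the Event Properties fields and is not taken from the chapter.
COLUMNS = ["Date", "Time", "Source", "Type", "Category",
           "Event ID", "User", "Computer", "Description"]

# Constructed sample rows, newest first, as Event Viewer lists them by default.
SAMPLE_LOG = """\
4/12/2000,9:03:30 AM,Print,Warning,None,45,N/A,WKSTN1,Constructed print warning
4/12/2000,9:03:11 AM,Service Control Manager,Error,None,7001,N/A,WKSTN1,Constructed dependent-service failure
4/12/2000,9:02:58 AM,Service Control Manager,Error,None,7000,N/A,WKSTN1,Constructed driver load failure
4/12/2000,9:02:40 AM,EventLog,Information,None,6005,N/A,WKSTN1,Constructed startup notice
4/11/2000,5:40:02 PM,Security,Failure Audit,None,529,N/A,WKSTN1,Constructed failed logon
"""

def load_events(text):
    """Parse the saved log and return the events oldest first."""
    events = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=COLUMNS):
        if not row["Date"] or not row["Time"]:
            continue  # skip truncated lines
        row["When"] = datetime.strptime(row["Date"] + " " + row["Time"],
                                        "%m/%d/%Y %I:%M:%S %p")
        events.append(row)
    return sorted(events, key=lambda e: e["When"])

def triage(events, window=timedelta(minutes=5)):
    """Return (root, followers): the oldest Error, and the later Error and
    Warning events inside `window` that it may have precipitated."""
    errors = [e for e in events if e["Type"] == "Error"]
    if not errors:
        return None, []
    root = errors[0]
    followers = [e for e in events
                 if e["Type"] in ("Error", "Warning")
                 and root["When"] < e["When"] <= root["When"] + window]
    return root, followers

def failed_audits(events):
    """Failure Audit events (for example failed logons), oldest first."""
    return [e for e in events if e["Type"] == "Failure Audit"]

if __name__ == "__main__":
    log = load_events(SAMPLE_LOG)
    root, followers = triage(log)
    print("Fix first:", root["When"], root["Source"], root["Event ID"])
    for e in followers:
        print("  then:", e["When"], e["Type"], e["Source"], e["Event ID"])
    for e in failed_audits(log):
        print("Audit failure:", e["When"], e["Event ID"])
```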