We encourage you to enhance this guide by identifying missing areas (scenarios, features, lifecycle...), providing links to and writing descriptions of existing content, and providing new content where there are gaps. Join the community!
Scenario 1: Slow Internet Access through Forefront TMG
Potential Issue 1
What to look for at this stage
Get a dump of the wspsrv.exe process while the issue is happening
Use the approach from this post
Load the wspsrv.exe dump and quickly review all the threads within this process
On WinDBG type:
Check for critical sections
Dump the information related to the critical section that is locked
!cs -o <owning thread>
Potential Issue 2
If the critical section check doesn’t show any result but there are still suspicious patterns in the user mode dump, start reviewing Perfmon data.
Use TMG PAL while reviewing Perfmon Data.
Don’t focus only on TMG counters; also review the Windows core counters:
Memory/*, Processor/*, Network Interface/*, Process/*, Physical Disk/*, Threads/*
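One way to capture the Windows core counters listed above into a .blg file for review with TMG PAL (an added example, not part of the original cheat sheet). The output folder, sampling interval and duration are assumptions, and the script assumes a Windows PowerShell version that includes Get-Counter and Export-Counter.

```powershell
# Added example: log the Windows core counters (plus any registered TMG
# counter sets) to a binary Perfmon log while the slowness is occurring.

$outDir   = 'C:\PerfLogs\TMG'   # hypothetical output folder
$interval = 15                  # seconds between samples (assumed)
$samples  = 240                 # 240 x 15 s = 1 hour of data (assumed)

# Counter paths for the objects named in the list above. Perfmon registers
# the disk and thread objects as "PhysicalDisk" and "Thread".
# Note: \Thread(*)\* is large on a busy server; shorten the run if needed.
$counters = @(
    '\Memory\*',
    '\Processor(*)\*',
    '\Network Interface(*)\*',
    '\Process(*)\*',
    '\PhysicalDisk(*)\*',
    '\Thread(*)\*'
)

# Add every counter set whose name contains "TMG", if any are registered
# on this server, so TMG and OS data land in the same log.
$tmgSets = Get-Counter -ListSet '*TMG*' -ErrorAction SilentlyContinue
foreach ($set in $tmgSets) {
    $counters += $set.Paths
}

# Create the output folder and a time-stamped log file name.
if (-not (Test-Path $outDir)) {
    New-Item -ItemType Directory -Path $outDir | Out-Null
}
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$blg   = Join-Path $outDir "tmg-perf-$stamp.blg"

# Sample the counters and write them in BLG format. Counters that fail to
# resolve on this server are skipped instead of aborting the collection.
Get-Counter -Counter $counters -SampleInterval $interval `
            -MaxSamples $samples -ErrorAction SilentlyContinue |
    Export-Counter -Path $blg -FileFormat BLG -Force

Write-Output "Counter log written to $blg"
```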
Enable netlogon logging to review potential authentication issues:
Scenario 2: Firewall Service Crash
Make sure to attach a debugger to the wspsrv.exe process in order to collect the dump when the service crashes
Use Adplus or DebugDiag
Load the crash dump on WinDBG
If the faulting module is not a TMG component, check who owns it
lmvm <faulting module>
Scenario 3: TMG Stops Responding
First determine whether it is TMG that stops responding or the Windows OS that stops responding
Get answers to the following questions:
1) What do you do in order to put the server in production again?
2) Does the server get back in production if you restart Firewall Service?
3) How frequently does this issue happen?
If the whole server stops answering, get a complete (or kernel) memory dump
Use the approach from this article to configure the server.
Load the kernel dump on WinDBG
Once you find a thread that might be waiting for a resource, dump the thread
!thread <thread number>
If the thread has IRPs, dump the IRP
!irp <irp number>
Download the PDF version of this Cheat Sheet from here.
This article was originally written by:
Yuri Diogenes, Senior Technical Writer
Windows Server iX | IT Pro Security
Yuri’s Blog: http://blogs.technet.com/yuridiogenes
Team’s Blog: http://blogs.technet.com/b/securitycontent
Excellent Yuri, really helpful document
Awesome stuff Bud.. Keep the good work going :).. Missing you at CSS :(
Amazing work Yuri..to be honest I used one of them today i.e. Scenario 2: Firewall Service Crash
and the link mentioned for this scenario..Keep on adding to this sheet...