Phase 2.8-2.10: Add Troubleshooting sections to Parts 4, 5, 6

Kristopher Turner · Kristopher Turner · commit e21c8e4b503a · 2026-03-24T20:16:09.000Z
Part 4 Cluster Deployment (12 files):
- phase-03: task-12 combined script, task-13 verification
- phase-05: monitor-deployment, monitor-validation
- phase-06: all 8 post-deployment tasks (SDN, quorum, security groups, SSH, storage, images, logical networks, verification)

Part 5 Operational Foundations (4 files):
- phase-04-security: defender, azure policy, security baselines, security logging

Part 6 Testing &amp; Validation (5 files):
- infrastructure health, network RDMA, HA testing, security compliance, backup DR

All tables follow standard Issue | Cause | Resolution format with minimum 3 rows per task.
diff --git a/docs/implementation/04-cluster-deployment/phase-03-os-configuration/task-12-complete-combined-script-all-steps.mdx b/docs/implementation/04-cluster-deployment/phase-03-os-configuration/task-12-complete-combined-script-all-steps.mdx
@@ -209,6 +209,17 @@ foreach ($node in $nodes) {
 
 ---
 
+## Troubleshooting
+
+| Issue | Cause | Resolution |
+|-------|-------|------------|
+| Script fails on one node but succeeds on others | WinRM connectivity issue or credential mismatch | Verify `Enter-PSSession -ComputerName <node>` works; re-run `Enable-PSRemoting -Force` on the failing node |
+| Hostname not changed after reboot | `Rename-Computer` requires a restart to take effect | Confirm the script includes `-Restart` flag; manually reboot if needed: `Restart-Computer -Force` |
+| Static IP not applied | DHCP still enabled on the management adapter | Run `Set-NetIPInterface -InterfaceAlias "Management" -Dhcp Disabled` before assigning the static IP |
+| DNS resolution fails after configuration | DNS server addresses not set or wrong order | Verify with `Get-DnsClientServerAddress`; re-run the DNS configuration step with correct IPs from `variables.yml` |
+
+---
+
 ## Navigation
 
 [← Task 11: Clear Storage](./task-11-clear-previous-storage-configuration-conditional.mdx) · [↑ Phase 03](./index.mdx)
diff --git a/docs/implementation/04-cluster-deployment/phase-03-os-configuration/task-13-phase03-verification.mdx b/docs/implementation/04-cluster-deployment/phase-03-os-configuration/task-13-phase03-verification.mdx
@@ -227,6 +227,16 @@ scripts/deploy/04-cluster-deployment/phase-03-os-configuration/
 
 ---
 
+## Troubleshooting
+
+| Issue | Cause | Resolution |
+|-------|-------|------------|
+| Verification script reports group membership mismatch | GPO not yet applied or replication delay | Run `gpupdate /force` on the affected node, wait 60 seconds, then re-run verification |
+| PSRemoting test fails for one or more nodes | WinRM service not running or firewall blocking port 5985 | On the failing node: `Enable-PSRemoting -Force`; verify firewall rule: `Get-NetFirewallRule -Name WINRM-HTTP-In-TCP` |
+| Script cannot resolve node hostname | DNS record missing or stale | Verify DNS with `Resolve-DnsName <hostname>`; re-run DNS record creation from Phase 01 Task 03 |
+
+---
+
 ## Navigation
 
 [← Task 12: Combined Script](./task-12-complete-combined-script-all-steps.mdx) · [↑ Phase 03](./index.mdx) · [Phase 04: ARC Registration →](../phase-04-arc-registration/index.mdx)
diff --git a/docs/implementation/04-cluster-deployment/phase-05-cluster-deployment/deployment-monitoring/monitor-deployment.mdx b/docs/implementation/04-cluster-deployment/phase-05-cluster-deployment/deployment-monitoring/monitor-deployment.mdx
@@ -691,6 +691,16 @@ while ($true) {
 
 ---
 
+## Troubleshooting
+
+| Issue | Cause | Resolution |
+|-------|-------|------------|
+| Monitoring script shows no deployment activity | Deployment not yet started or action plan ID is wrong | Verify deployment was triggered in Azure portal; check `Get-ActionPlanInstances` for the correct action plan ID |
+| Script cannot connect to cluster nodes | WinRM not enabled or firewall blocking port 5985 | Verify connectivity: `Test-WSMan -ComputerName <node>`; enable WinRM: `Enable-PSRemoting -Force` on each node |
+| Deployment stuck at a specific step for extended time | Resource provisioning delay or prerequisite failure | Check the specific step's log file on the seed node: `C:\CloudDeployment\Logs\`; review the action plan instance details for error messages |
+
+---
+
 **Version Control**
 - Created: 2026-03-09 by Azure Local Cloudnology Team
 - Last Updated: 2026-03-09 by Azure Local Cloudnology Team
diff --git a/docs/implementation/04-cluster-deployment/phase-05-cluster-deployment/deployment-monitoring/monitor-validation.mdx b/docs/implementation/04-cluster-deployment/phase-05-cluster-deployment/deployment-monitoring/monitor-validation.mdx
@@ -683,6 +683,16 @@ while ($true) {
 
 ---
 
+## Troubleshooting
+
+| Issue | Cause | Resolution |
+|-------|-------|------------|
+| Validation script reports `FAIL` on environment checks | Prerequisites not met before deployment started | Review the specific check that failed; address the prerequisite (e.g., DNS, NTP, AD connectivity) and re-run validation |
+| Script timeout waiting for validation completion | Deployment validation takes longer than expected | Increase `$RefreshInterval`; check Azure portal deployment status for progress; review `C:\CloudDeployment\Logs\` for errors |
+| All validation checks show `Unknown` status | Cluster nodes unreachable or validation service not running | Verify node connectivity: `Test-Connection <node-ip>`; check ECE agent status: `Get-Service LifeCycleManagementAgent` |
+
+---
+
 **Version Control**
 - Created: 2026-03-09 by Azure Local Cloudnology Team
 - Last Updated: 2026-03-09 by Azure Local Cloudnology Team
diff --git a/docs/implementation/04-cluster-deployment/phase-06-post-deployment/task-01-deploy-sdn.mdx b/docs/implementation/04-cluster-deployment/phase-06-post-deployment/task-01-deploy-sdn.mdx
@@ -1492,6 +1492,17 @@ All values are defined in the `#region CONFIGURATION` block at the top. No `vari
 
 ---
 
+## Troubleshooting
+
+| Issue | Cause | Resolution |
+|-------|-------|------------|
+| `Add-EceFeature` fails with action plan error | OS build mismatch or missing prerequisites | Verify OS build is `10.0.26100` with `systeminfo`; ensure all nodes are Arc-registered and cluster is healthy |
+| Network Controller cluster group shows `Offline` | NC VMs failed to start or quorum lost | Check NC VM status: `Get-ClusterGroup \| Where-Object Name -match "Network Controller"`; restart the group: `Start-ClusterGroup <NCGroupName>` |
+| DNS resolution fails for NC FQDN | DNS record not created or propagated | Create the DNS record manually: `Add-DnsServerResourceRecordA -Name "<SDNPrefix>-NC" -ZoneName "<domain>" -IPv4Address "<NC-IP>"` |
+| SDN feature not visible in Azure portal | Arc resource bridge not synced | Wait 10-15 minutes for sync; verify bridge health: `az arcappliance show --resource-group <rg> --name <appliance>` |
+
+---
+
 ## Navigation
 
 | Previous | Up | Next |
diff --git a/docs/implementation/04-cluster-deployment/phase-06-post-deployment/task-02-cluster-quorum-configuration.mdx b/docs/implementation/04-cluster-deployment/phase-06-post-deployment/task-02-cluster-quorum-configuration.mdx
@@ -566,6 +566,16 @@ All values are defined in the `#region CONFIGURATION` block at the top. Edit tho
 
 ---
 
+## Troubleshooting
+
+| Issue | Cause | Resolution |
+|-------|-------|------------|
+| `Set-ClusterQuorum` fails with access denied | Insufficient permissions on cluster or storage account | Run as cluster administrator; verify SPN has `Storage Account Key Operator Service Role` on the witness storage account |
+| Quorum state shows `NotConfigured` | Cloud witness storage account key is incorrect or rotated | Re-configure with fresh key: `Set-ClusterQuorum -CloudWitness -AccountName <name> -AccessKey <newkey>` |
+| Witness resource shows `Failed` | Storage account firewall blocking cluster node IPs | Add cluster node public IPs to the storage account firewall allow list or enable `Allow trusted Microsoft services` |
+
+---
+
 ## Navigation
 
 | Previous | Up | Next |
diff --git a/docs/implementation/04-cluster-deployment/phase-06-post-deployment/task-03-security-groups-applied-to-nodes.mdx b/docs/implementation/04-cluster-deployment/phase-06-post-deployment/task-03-security-groups-applied-to-nodes.mdx
@@ -525,6 +525,16 @@ All values are defined in the `#region CONFIGURATION` block at the top. Edit `$O
 
 ---
 
+## Troubleshooting
+
+| Issue | Cause | Resolution |
+|-------|-------|------------|
+| Security group not listed in local group membership | GPO not applied or AD replication delay | Run `gpupdate /force` on the node; verify AD group exists: `Get-ADGroup -Identity <groupname>` |
+| PSRemoting test fails with access denied | User not in `Remote Management Users` group | Add the user's group to Remote Management Users: `Add-LocalGroupMember -Group "Remote Management Users" -Member "<domain>\<group>"` |
+| Group membership shows SID instead of name | Domain controller unreachable for name resolution | Verify DC connectivity: `Test-ComputerSecureChannel`; check DNS resolution to domain controllers |
+
+---
+
 ## Navigation
 
 | Previous | Up | Next |
diff --git a/docs/implementation/04-cluster-deployment/phase-06-post-deployment/task-04-ssh-connectivity-to-nodes.mdx b/docs/implementation/04-cluster-deployment/phase-06-post-deployment/task-04-ssh-connectivity-to-nodes.mdx
@@ -767,6 +767,16 @@ HybridConnectivity tunnel — not who can authenticate to sshd itself.
 
 ---
 
+## Troubleshooting
+
+| Issue | Cause | Resolution |
+|-------|-------|------------|
+| SSH connection refused on port 22 | `sshd` service not running or Windows Firewall blocking | Start service: `Start-Service sshd; Set-Service sshd -StartupType Automatic`; verify firewall: `Get-NetFirewallRule -Name *ssh*` |
+| Arc SSH tunnel fails with RBAC error | User lacks `Virtual Machine Local User Login` role | Assign the role: `az role assignment create --role "Virtual Machine Local User Login" --assignee <objectId> --scope <resourceScope>` |
+| Authentication fails with valid credentials | `sshd_config` not configured for password or key auth | Edit `C:\ProgramData\ssh\sshd_config` to enable `PasswordAuthentication yes` or configure authorized keys; restart: `Restart-Service sshd` |
+
+---
+
 ## Navigation
 
 | Previous | Up | Next |
diff --git a/docs/implementation/04-cluster-deployment/phase-06-post-deployment/task-05-storage-configuration.mdx b/docs/implementation/04-cluster-deployment/phase-06-post-deployment/task-05-storage-configuration.mdx
@@ -935,6 +935,16 @@ az stack-hci-vm storagepath list `
 
 ---
 
+## Troubleshooting
+
+| Issue | Cause | Resolution |
+|-------|-------|------------|
+| Storage pool `HealthStatus` shows `Degraded` | One or more physical disks are unhealthy or missing | Check disk health: `Get-PhysicalDisk \| Where-Object HealthStatus -ne Healthy`; replace failed disks and initiate repair: `Repair-VirtualDisk` |
+| CSV volume shows `Offline` or `Redirected` | Node owning the volume is offline or network partition | Verify cluster node status: `Get-ClusterNode`; move CSV ownership: `Move-ClusterSharedVolume -Name <csv> -Node <healthy-node>` |
+| Storage path registration fails in Azure | Arc resource bridge unhealthy or missing permissions | Verify bridge: `az arcappliance show`; ensure the SPN has Contributor on the resource group |
+
+---
+
 ## Navigation
 
 | Previous | Up | Next |
diff --git a/docs/implementation/04-cluster-deployment/phase-06-post-deployment/task-06-image-downloads.mdx b/docs/implementation/04-cluster-deployment/phase-06-post-deployment/task-06-image-downloads.mdx
@@ -447,6 +447,16 @@ If an image stays in `Downloading` for more than 60 minutes or enters `Failed` s
 
 ---
 
+## Troubleshooting
+
+| Issue | Cause | Resolution |
+|-------|-------|------------|
+| Image stuck in `Downloading` for over 60 minutes | Insufficient CSV free space or blocked outbound connectivity | Check CSV free space: `Get-ClusterSharedVolume`; verify outbound to `*.blob.core.windows.net` on port 443 |
+| Image provisioning state is `Failed` | Invalid image source URL or Arc resource bridge issue | Delete and recreate: `az stack-hci-vm image delete --name <img> --resource-group <rg> --yes`; verify bridge health first |
+| Image not visible in Azure portal | Sync delay between cluster and Azure | Wait 10-15 minutes; if still missing, verify the custom location resource is healthy: `az customlocation show` |
+
+---
+
 ## Navigation
 
 | | |
diff --git a/docs/implementation/04-cluster-deployment/phase-06-post-deployment/task-07-logical-network-creation.mdx b/docs/implementation/04-cluster-deployment/phase-06-post-deployment/task-07-logical-network-creation.mdx
@@ -699,6 +699,16 @@ If a logical network enters `Failed` state or stays in `Updating` for more than
 
 ---
 
+## Troubleshooting
+
+| Issue | Cause | Resolution |
+|-------|-------|------------|
+| Logical network creation fails with `InvalidParameter` | vSwitch name mismatch (case-sensitive) or invalid VLAN ID | Verify vSwitch name exactly: `Get-VMSwitch` on a cluster node; ensure VLAN ID is within valid range (1-4094) |
+| Logical network stuck in `Updating` state | Arc resource bridge processing delay or unhealthy | Check bridge status: `az arcappliance show`; if unhealthy, restart the bridge appliance VM on the cluster |
+| VLAN traffic not flowing on the logical network | Physical switch trunk port missing the VLAN | Verify switch configuration allows the VLAN on all uplink ports; check `Get-VMSwitch` for correct teaming config |
+
+---
+
 ## Navigation
 
 | | |
diff --git a/docs/implementation/04-cluster-deployment/phase-06-post-deployment/task-08-post-deployment-verification.mdx b/docs/implementation/04-cluster-deployment/phase-06-post-deployment/task-08-post-deployment-verification.mdx
@@ -555,6 +555,16 @@ All of the following must be true before proceeding to Phase 17:
 
 ---
 
+## Troubleshooting
+
+| Issue | Cause | Resolution |
+|-------|-------|------------|
+| Verification script reports failures on storage paths | Storage path registration incomplete or ARB sync pending | Re-run storage path registration; wait 10 minutes for sync; verify: `az stack-hci-vm storagepath list` |
+| VLAN validation fails against network plan | Logical network VLAN IDs don't match site design | Compare `az stack-hci-vm network lnet list` output against site network plan; recreate mismatched logical networks |
+| Multiple verification items fail simultaneously | Cluster health issue affecting dependent services | Start with `Get-ClusterNode` and `Get-ClusterGroup` to assess overall cluster health before addressing individual failures |
+
+---
+
 ## Navigation
 
 | | |
diff --git a/docs/implementation/05-operational-foundations/phase-04-security-governance/task-01-enable-defender-for-cloud.mdx b/docs/implementation/05-operational-foundations/phase-04-security-governance/task-01-enable-defender-for-cloud.mdx
@@ -258,6 +258,16 @@ Workspace: /subscriptions/.../workspaces/law-azlmgmt-prod-eus2
 Costs vary based on usage. Use [Azure Pricing Calculator](https://azure.microsoft.com/pricing/calculator/) for accurate estimates.
 :::
 
+---
+
+## Troubleshooting
+
+| Issue | Cause | Resolution |
+|-------|-------|------------|
+| Defender plans not visible in portal | Subscription not registered for Microsoft.Security provider | Register provider: `Register-AzResourceProvider -ProviderNamespace Microsoft.Security`; wait 5 minutes |
+| Email notifications not received | Action Group email not configured or in spam | Verify Action Group configuration in Monitor > Alerts > Action Groups; check spam/junk folders |
+| Defender shows no recommendations | Initial scan not yet complete | Wait 24 hours after enabling plans for the first assessment cycle to complete |
+
 ## Next Steps
 
 Proceed to [Task 3: Apply Azure Policy Initiatives](./task-02-apply-azure-policy-initiatives.mdx) to enforce compliance policies.
diff --git a/docs/implementation/05-operational-foundations/phase-04-security-governance/task-02-apply-azure-policy-initiatives.mdx b/docs/implementation/05-operational-foundations/phase-04-security-governance/task-02-apply-azure-policy-initiatives.mdx
@@ -268,6 +268,16 @@ Unknown 2
 | Deploy Log Analytics agent | 053d3325-282c-4e5c-b944-24faffd30d77 | Monitoring agent deployment |
 | Require tag on resources | 871b6d14-10aa-478d-b590-94f262ecfa99 | Cost management tags |
 
+---
+
+## Troubleshooting
+
+| Issue | Cause | Resolution |
+|-------|-------|------------|
+| Policy assignment fails with permission error | Account lacks Policy Contributor role at target scope | Assign `Resource Policy Contributor` role at the subscription or management group level |
+| Resources remain non-compliant after remediation | Remediation task not triggered or still in progress | Check remediation task status in Policy > Remediation; create a new remediation task if needed |
+| Policy effects not enforced on new resources | Assignment uses `Audit` instead of `Deny` effect | Update the assignment parameters to use `Deny` for enforcement; existing resources need remediation separately |
+
 ## Next Steps
 
 Proceed to [Task 4: Configure Security Baselines](./task-03-configure-security-baselines.mdx) to review and remediate Defender recommendations.
diff --git a/docs/implementation/05-operational-foundations/phase-04-security-governance/task-03-configure-security-baselines.mdx b/docs/implementation/05-operational-foundations/phase-04-security-governance/task-03-configure-security-baselines.mdx
@@ -289,6 +289,16 @@ Recommendation Status:
 Secure score may take up to 24 hours to reflect changes after remediation.
 :::
 
+---
+
+## Troubleshooting
+
+| Issue | Cause | Resolution |
+|-------|-------|------------|
+| Secure score not updating after remediation | Assessment cycle not yet completed | Wait up to 24 hours; force refresh by navigating to Defender for Cloud > Secure score and clicking refresh |
+| Remediation script fails with authentication errors | Azure context expired or wrong subscription | Re-authenticate: `Connect-AzAccount`; verify context: `Get-AzContext`; set correct subscription |
+| Recommendations show resources not in scope | Policy evaluation includes resources outside intended scope | Review assignment scope; add exclusions for out-of-scope resource groups or subscriptions |
+
 ## Next Steps
 
 Proceed to [Task 5: Enable Security Logging](./task-04-enable-security-logging.mdx) to configure security event collection.
diff --git a/docs/implementation/05-operational-foundations/phase-04-security-governance/task-04-enable-security-logging.mdx b/docs/implementation/05-operational-foundations/phase-04-security-governance/task-04-enable-security-logging.mdx
@@ -401,6 +401,16 @@ New-AzDataCollectionRuleAssociation `
  -RuleId $dcrId
 ```
 
+---
+
+## Troubleshooting
+
+| Issue | Cause | Resolution |
+|-------|-------|------------|
+| DCR creation fails with `WorkspaceId invalid` | Log Analytics workspace not found or wrong region | Verify workspace exists with `Get-AzOperationalInsightsWorkspace`; ensure DCR and workspace are in the same region |
+| Security events not appearing in Log Analytics | AMA not installed or DCR association missing | Verify AMA extension: `az connectedmachine extension list`; check DCR association: `Get-AzDataCollectionRuleAssociation` |
+| Partial event collection (some event types missing) | DCR XPath queries don't cover required event channels | Update DCR data sources to include all required Windows event channels (Security, System, Application) |
+
 ## Next Steps
 
 Proceed to [Task 6: PIM & Conditional Access](./task-05-configure-azure-update-manager.mdx) to configure just-in-time access and identity protection.
diff --git a/docs/implementation/06-testing-validation/task-01-infrastructure-health-validation.mdx b/docs/implementation/06-testing-validation/task-01-infrastructure-health-validation.mdx
@@ -357,6 +357,16 @@ azcmagent connect --resource-group <RG> --tenant-id <TenantID> --subscription-id
 
 ---
 
+## Troubleshooting
+
+| Issue | Cause | Resolution |
+|-------|-------|------------|
+| Cluster validation reports node unreachable | WinRM disabled or network partition | Verify connectivity: `Test-Connection <node-ip>`; enable WinRM: `Enable-PSRemoting -Force` on the failing node |
+| Storage pool health shows `Degraded` | Physical disk failure or missing | Run `Get-PhysicalDisk \| Where-Object HealthStatus -ne Healthy` to identify failed disks; replace and repair |
+| Arc agent shows `Disconnected` status | Agent service stopped or token expired | Restart agent: `Restart-Service himds`; if persists, reconnect: `azcmagent connect` with fresh credentials |
+
+---
+
 ## Next Step
 
 Proceed to [Task 2: VMFleet Storage Testing](task-02-vmfleet-storage-testing.mdx) once infrastructure validation passes.
diff --git a/docs/implementation/06-testing-validation/task-03-network-rdma-validation.mdx b/docs/implementation/06-testing-validation/task-03-network-rdma-validation.mdx
@@ -465,6 +465,16 @@ w32tm /query /source
 
 ---
 
+## Troubleshooting
+
+| Issue | Cause | Resolution |
+|-------|-------|------------|
+| RDMA validation shows `Not Operational` | Network adapter driver missing RDMA support or disabled | Verify driver: `Get-NetAdapterRdma`; enable: `Enable-NetAdapterRdma -Name <adapter>`; update NIC firmware if needed |
+| DCB/PFC misconfiguration detected | QoS policies conflicting or missing | Reset DCB: `Get-NetQosPolicy \| Remove-NetQosPolicy -Confirm:$false`; recreate SMB Direct policy with correct priority class |
+| RDMA throughput below expected baseline | Incorrect MTU or flow control settings | Verify jumbo frames: `Get-NetAdapterAdvancedProperty -Name <adapter> -RegistryKeyword *JumboPacket`; set MTU to 9014 |
+
+---
+
 ## Next Step
 
 Proceed to [Task 4: High Availability Testing](task-04-high-availability-testing.mdx) once network validation is complete.
diff --git a/docs/implementation/06-testing-validation/task-04-high-availability-testing.mdx b/docs/implementation/06-testing-validation/task-04-high-availability-testing.mdx
@@ -583,6 +583,16 @@ Write-Host $Summary
 
 ---
 
+## Troubleshooting
+
+| Issue | Cause | Resolution |
+|-------|-------|------------|
+| Live migration fails or exceeds time threshold | Insufficient bandwidth or memory pressure on target node | Check network bandwidth on live migration network; verify target node has enough available memory |
+| Node drain times out | VM with local storage or anti-affinity rule blocking move | Identify stuck VMs: `Get-ClusterGroup \| Where-Object State -eq 'Pending'`; manually move or shut down blocking VMs |
+| Cluster quorum lost during failover test | Too many nodes taken offline simultaneously | Only drain/fail one node at a time; verify quorum configuration: `Get-ClusterQuorum` before testing |
+
+---
+
 ## Next Step
 
 Proceed to [Task 5: Security & Compliance Validation](task-05-security-compliance-validation.mdx) once HA testing is complete.
diff --git a/docs/implementation/06-testing-validation/task-05-security-compliance-validation.mdx b/docs/implementation/06-testing-validation/task-05-security-compliance-validation.mdx
@@ -496,6 +496,16 @@ Update-MpSignature -UpdateSource MicrosoftUpdateServer
 
 ---
 
+## Troubleshooting
+
+| Issue | Cause | Resolution |
+|-------|-------|------------|
+| Secure score shows 0% or no data | Defender for Cloud plans not enabled or initial scan pending | Enable all required Defender plans; wait 24 hours for first assessment cycle |
+| BitLocker encryption fails | TPM not available or not initialized | Verify TPM: `Get-Tpm`; initialize if needed: `Initialize-Tpm`; retry BitLocker enablement |
+| Policy compliance shows unknown state | Azure Monitor Agent not reporting or DCR misconfigured | Verify AMA health: `az connectedmachine extension list`; check DCR associations are correct |
+
+---
+
 ## Next Step
 
 Proceed to [Task 6: Backup & DR Validation](task-06-backup-dr-validation.mdx) once security validation is complete.
diff --git a/docs/implementation/06-testing-validation/task-06-backup-dr-validation.mdx b/docs/implementation/06-testing-validation/task-06-backup-dr-validation.mdx
@@ -643,6 +643,16 @@ Write-Host $Summary
 
 ---
 
+## Troubleshooting
+
+| Issue | Cause | Resolution |
+|-------|-------|------------|
+| Backup job fails with VSS writer error | VSS writer in failed state on the node | Reset VSS writers: `vssadmin list writers`; restart the failing writer's service; retry backup |
+| Restore test fails with timeout | Large backup or slow network to Recovery Services vault | Increase restore timeout; verify network bandwidth to Azure; consider restoring to a closer region |
+| ASR replication shows `Critical` health | Replication agent offline or process server overloaded | Check process server health in Site Recovery; restart mobility service on affected VMs: `Restart-Service InMage Scout VX Agent - Sentinel/Outpost` |
+
+---
+
 ## Next Steps
 
 After backup/DR validation is complete:
