Professor Windows - July 2005

Proactive Monitoring

Written By:
Shira Kimchi
Technology Specialist, Microsoft Israel

Reviewed By:
Baelson Duque, Program Manager, Microsoft Corporation
Bill Weis, Lead Architect, Microsoft Consulting Services
Graeme Bennett, Editor, Microsoft Corporation


Proactive monitoring is a term you get to hear more and more from system administrators. These days it's not enough to know how to troubleshoot problems when they occur. System administrators who know how to closely monitor servers and services when they are working fine are those who are able to prevent problems before they happen.

This article provides an overview of the Microsoft products and technologies you can use to help proactively monitor your IT environment.

What Should We Monitor?

In most IT environments, there are both servers and desktops. For the most part, servers are monitored more closely than desktops due to the services they offer and the number of clients that they serve. The business impact of a server outage is greater than a client outage.

The server components we are concerned with comprise three layers: Applications, Operating System (OS), and Hardware. All three layers work together to provide various services, and each should be closely monitored.

Since the operating system acts as the mediator between the software and hardware layers, monitoring the operating system gives us information about the operating system itself, the hardware attached to it (physically or logically), and the applications installed on it.

So how do we know what is normal behavior and what deviates from normal behavior? It's imperative for us to define a baseline. A baseline defines normal and abnormal behavior of our servers. It can be established by performing a simple monitoring of our servers over a period of time. In the next section of this article, we take a look at a number of monitoring technologies that we can use.

Perfmon Revisited

So you think you know System Monitor (or Perfmon), huh?

Included in the Administrative Tools group of Windows Servers and Desktops since the Windows NT days, Perfmon is one of those "quick and dirty" hands-on monitoring tools you tend to pass by when you work with Windows. However, Perfmon can help us with our proactive monitoring.

Perfmon monitors system counters of all types and can be used to identify bottlenecks and to get statistics about both our OS and hardware.

For example, a user in the organization complains to the IT team that his computer is working slower than usual. The system admin checks his computer, sees that the disk is working very hard, opens Perfmon and adds the physical disk counters and the paging file counters. The paging file counter shows excessive paging, which is what led to the performance problem. Changing the paging file settings could help, as could other solutions.

Beyond providing us with useful information that can be viewed in graphs, reports and histograms, we can configure Perfmon to act when the counters hit thresholds that we define, such as sending alerts over the network, running scripts and more. A useful explanation button helps us understand each counter and what it monitors.


Figure 1: System Monitor (Perfmon)

Using Perfmon is quite straightforward. You simply choose the object you want to monitor such as processor, RAM, or hard disk, then choose the counter you want to monitor, such as average queue length when monitoring the physical disk object. We can also choose the instance we want to monitor, such as a specific processor, when dealing with a multi-CPU server.
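The baseline idea from the earlier section and the Perfmon counters described here come together when you log counters to a file and compare later samples against what "normal" looked like. The following is an added example, not code from the article: it parses a constructed Perfmon-style CSV counter log (the PDH-CSV layout Perfmon and logman write, with the server name FS01 and the sample values made up for illustration), derives a mean and standard deviation per counter over a quiet baseline window, and then flags a counter only when it stays above mean plus three standard deviations for two consecutive samples, so that a single spike is not reported. It also tolerates the blank cells Perfmon writes when a counter could not be read.

```python
import csv
import io
import statistics

# Counter paths as Perfmon writes them into a CSV log (server name FS01 is a constructed placeholder).
DISK_QUEUE = r"\\FS01\PhysicalDisk(_Total)\Avg. Disk Queue Length"
PAGES_PER_SEC = r"\\FS01\Memory\Pages/sec"

# Constructed PDH-CSV 4.0 style log covering a quiet baseline period (not data from the article).
# One disk sample is blank: Perfmon leaves a field empty when a counter could not be read.
BASELINE_LOG = f'''"(PDH-CSV 4.0) (GMT Standard Time)(0)","{DISK_QUEUE}","{PAGES_PER_SEC}"
"07/04/2005 09:00:00.000","0.8","12.5"
"07/04/2005 09:05:00.000","1.1","15.0"
"07/04/2005 09:10:00.000","0.9","11.0"
"07/04/2005 09:15:00.000","1.3","18.2"
"07/04/2005 09:20:00.000","","14.1"
"07/04/2005 09:25:00.000","1.0","13.3"
'''

# Constructed samples from later in the day: the disk queue stays high, paging spikes only once.
NEW_LOG = f'''"(PDH-CSV 4.0) (GMT Standard Time)(0)","{DISK_QUEUE}","{PAGES_PER_SEC}"
"07/04/2005 14:00:00.000","4.5","120.0"
"07/04/2005 14:05:00.000","5.2","16.0"
"07/04/2005 14:10:00.000","0.9","18.0"
'''


def parse_log(text):
    """Parse a Perfmon CSV log into {counter_path: [values]}, skipping blank samples."""
    reader = csv.reader(io.StringIO(text))
    counters = next(reader)[1:]          # column 0 is the timestamp
    series = {counter: [] for counter in counters}
    for row in reader:
        for counter, cell in zip(counters, row[1:]):
            if cell.strip():
                series[counter].append(float(cell))
    return series


def build_baseline(series, sigmas=3.0):
    """Per-counter mean and sample standard deviation; threshold = mean + sigmas * stdev."""
    baseline = {}
    for counter, values in series.items():
        mean = statistics.mean(values)
        stdev = statistics.stdev(values) if len(values) > 1 else 0.0
        baseline[counter] = {"mean": mean, "stdev": stdev, "threshold": mean + sigmas * stdev}
    return baseline


def find_breaches(baseline, series, min_consecutive=2):
    """Counters that exceed their baseline threshold for min_consecutive samples in a row.

    A single spike is ordinary noise; sustained deviation is what the baseline is meant to expose.
    Returns a list of (counter, value_at_breach, threshold).
    """
    breaches = []
    for counter, values in series.items():
        if counter not in baseline:
            continue                     # no baseline for this counter, nothing to compare against
        threshold = baseline[counter]["threshold"]
        run = 0
        for value in values:
            run = run + 1 if value > threshold else 0
            if run == min_consecutive:
                breaches.append((counter, value, threshold))
                break
    return breaches


def analyse():
    """Build the baseline from BASELINE_LOG and check NEW_LOG against it."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return baseline, find_breaches(baseline, parse_log(NEW_LOG))


if __name__ == "__main__":
    baseline, breaches = analyse()
    for counter, stats in baseline.items():
        print(f"{counter}: mean={stats['mean']:.2f} threshold={stats['threshold']:.2f}")
    for counter, value, threshold in breaches:
        print(f"BREACH {counter}: {value} > {threshold:.2f}")
```

With these constructed logs only the disk queue counter is reported: its afternoon values of 4.5 and 5.2 sit far above a baseline of roughly 1.0, while the single 120 Pages/sec sample is dropped by the two-in-a-row rule. The three-sigma width and the consecutive-sample count are the knobs you would tune per counter once you have a few weeks of real baseline data.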

TIP: Perfmon also works as an ActiveX control, so you can use it from within a browser. Instead of launching the MMC every time you need to look at Perfmon, simply load Perfmon and configure the desired counters, right-click on the graph and choose to 'Save As' a Web page, and you're done. You can send this Web page to users in your organization - this is especially useful for supporting remote users.

Network Monitor

Cannot connect to a network? Another handy tool that is available in the operating system is Network Monitor (or Netmon). It is used to monitor network traffic; it enables an administrator to record and analyze the data packets that travel across your network. You'll find it essential for troubleshooting communications problems with network adapters or switches, or for monitoring various activities on the network.

Although it is more complex to use than Perfmon, Netmon can be very useful in certain scenarios. For example:

  • Users report that it takes forever to open a mapped network drive.
  • Users report that saving files to a file server is taking longer than normal.
  • The IT team restarts the network switch but the problem remains.

Netmon is not installed by default on the server. Installation is done by selecting it from the Add/Remove Windows Components options in the Add or Remove Programs Control Panel. Administrative privileges are needed in order to use the tool.

Opening Netmon on one of the client computers can show that the computer is sending network broadcasts. From there, the administrator can diagnose that the DHCP relay agent on the segment is down, leaving client machines without an IP address. In this case, they are probably transmitting broadcasts, looking for DHCP servers, but there is no relay agent present on that network segment to pick up these broadcasts and forward them to the DHCP server.

Using Network Monitor, you can view network packets going to and from your host machine in real-time and save the data in several formats for future reference.
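The DHCP diagnosis above rests on one observation: clients keep broadcasting DHCPDISCOVER messages and no DHCPOFFER ever comes back. The following is an added example, not code from the article or from Netmon: it parses the BOOTP/DHCP payload format (the fixed 236-byte header, the magic cookie, and the option 53 message type) and correlates DISCOVERs with OFFERs by transaction ID, which is the same check you would perform by eye in a Netmon capture. The frames are constructed inline; the client MACs and the relay address 10.0.5.1 are placeholders.

```python
import struct
from collections import defaultdict

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
# BOOTP fixed header: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
# chaddr(16), sname(64), file(128) = 236 bytes, followed by the DHCP magic cookie and options.
BOOTP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"


def build_dhcp(op, xid, mac, msg_type, secs=0, yiaddr=b"\0\0\0\0", giaddr=b"\0\0\0\0"):
    """Build a minimal DHCP payload (constructed test data, not a real capture)."""
    header = struct.pack(BOOTP_HEADER,
                         op, 1, 6, 0, xid, secs, 0x8000,        # flags: broadcast bit set
                         b"\0\0\0\0", yiaddr, b"\0\0\0\0", giaddr,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, msg_type, 255])                    # option 53 = DHCP message type, 255 = end
    return header + MAGIC_COOKIE + options


def parse_dhcp(payload):
    """Return (op, xid, client_mac, giaddr, msg_type), or None if the payload is not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    (op, _htype, hlen, _hops, xid, _secs, _flags,
     _ciaddr, _yiaddr, _siaddr, giaddr, chaddr, _sname, _file) = struct.unpack(BOOTP_HEADER, payload[:236])
    mac = ":".join(f"{b:02x}" for b in chaddr[:hlen])
    msg_type = None
    i = 240
    while i < len(payload):                                    # walk the TLV option list
        code = payload[i]
        if code == 255:
            break
        if code == 0:                                          # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        if code == 53 and length == 1:
            msg_type = payload[i + 2]
        i += 2 + length
    return op, xid, mac, ".".join(str(b) for b in giaddr), msg_type


def summarize_dhcp(packets):
    """Per-client counts of DISCOVERs sent and OFFERs received, matched on transaction ID."""
    discovers = {}                                             # xid -> client mac that sent it
    stats = defaultdict(lambda: {"discovers": 0, "offers": 0})
    for payload in packets:
        parsed = parse_dhcp(payload)
        if parsed is None:
            continue
        op, xid, mac, _giaddr, msg_type = parsed
        if op == BOOTREQUEST and msg_type == DHCPDISCOVER:
            discovers[xid] = mac
            stats[mac]["discovers"] += 1
        elif op == BOOTREPLY and msg_type == DHCPOFFER and xid in discovers:
            stats[discovers[xid]]["offers"] += 1
    return dict(stats)


def unanswered_clients(stats):
    """Clients that broadcast DISCOVERs but never saw an OFFER: the symptom of a missing relay agent."""
    return sorted(mac for mac, s in stats.items() if s["discovers"] > 0 and s["offers"] == 0)


MAC_A = bytes.fromhex("0003ff112233")
MAC_B = bytes.fromhex("0003ff445566")
MAC_C = bytes.fromhex("0003ff667788")

# Constructed capture: A retries repeatedly, B tries once, C is the healthy case (OFFER relayed via 10.0.5.1).
CAPTURE = [
    build_dhcp(BOOTREQUEST, 0x1001, MAC_A, DHCPDISCOVER, secs=0),
    build_dhcp(BOOTREQUEST, 0x1001, MAC_A, DHCPDISCOVER, secs=4),      # retransmit, same xid
    build_dhcp(BOOTREQUEST, 0x1002, MAC_A, DHCPDISCOVER, secs=12),
    build_dhcp(BOOTREQUEST, 0x2001, MAC_B, DHCPDISCOVER),
    build_dhcp(BOOTREQUEST, 0x3001, MAC_C, DHCPDISCOVER),
    build_dhcp(BOOTREPLY, 0x3001, MAC_C, DHCPOFFER, yiaddr=bytes([10, 0, 5, 20]), giaddr=bytes([10, 0, 5, 1])),
    b"not a dhcp payload",                                             # non-DHCP traffic is ignored
]

if __name__ == "__main__":
    stats = summarize_dhcp(CAPTURE)
    for mac, s in sorted(stats.items()):
        print(f"{mac}: {s['discovers']} DISCOVER, {s['offers']} OFFER")
    print("clients without an OFFER:", unanswered_clients(CAPTURE and stats))
```

On a healthy segment every client ends up with at least as many OFFERs as distinct transaction IDs; a segment where several clients accumulate DISCOVERs and zero OFFERs is the pattern the article attributes to a relay agent that is down. Matching on xid rather than on MAC alone also catches the case where OFFERs are arriving but for the wrong transaction (for instance stale replies from a slow server).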


Figure 2: Network Monitor

Where "Heavier" Tools Are Needed

Sometimes it can be tricky to pinpoint an issue in a more complex scenario. For example, one of my customers, a big insurance company, had problems with Terminal Services. They ran Terminal Services connections over the WAN to a number of sites. At a couple of the sites, a strange problem occurred: users were getting disconnected in the middle of their work. The IT team began troubleshooting the problem. They looked at the Terminal Services server and the client computers at the sites but did not find anything unusual. They turned to the company supporting their communication lines to the site, but again came up with nothing. Our solution was to put a Microsoft Operations Manager (MOM) 2005 server at the main office, monitoring the Terminal Services server's applications, operating system, and hardware.

After a couple of hours of monitoring using the Windows Terminal Server Management Pack for MOM 2005, MOM alerted us that the network interface card was showing errors. The IT team turned to the server's hardware company, which replaced the network interface card and the problem was solved.

MOM relies on Agents running on target servers to monitor whatever we choose. MOM's topology is outlined in Figure 3.


Figure 3: Microsoft Operations Manager Topology

With MOM, we do not need to define what we want to monitor. Instead, we can use the Management Packs designed to match common systems, applications and hardware deployment scenarios. As of this writing, MOM offers almost two hundred Management Packs, supporting applications and technologies such as Exchange Server, Active Directory, SQL Server, and BizTalk Server. There are also specific hardware Management Packs for many servers, such as Dell, HP, IBM, and more.

A Management Pack includes the following:

  • Rules - monitor a wide array of server health indicators
  • Alerts - call attention to critical, actionable events
  • Knowledge - provides best-practice guidance
  • State monitoring - tracks the health of servers and applications
  • Tasks - investigate and repair issues from the console
  • Reports - measure operations performance and capacity

In order to set up a MOM environment the following is required:

  • A MOM server that is used for MOM administrative tasks, such as installing agents and importing relevant Management Packs.
  • A SQL Server to store the monitoring data, so that trends and reports can be viewed over time.
  • MOM agents that are installed on the servers we want to monitor. They perform the monitoring locally on the servers and forward the information to the MOM server.
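To make the Management Pack pieces and the agent-to-server flow concrete, here is an added toy model, not MOM's own code or rule format: agents forward counter samples to a central monitor, each rule names a counter, a threshold and how many consecutive samples must breach it before an alert is raised, every alert carries the rule's knowledge text, and a server's state is the worst severity among its rules currently in breach. The rules, the servers TS01 and FS01, and the sample values are constructed for illustration; the NIC rule mirrors the Terminal Services case above, where sustained adapter errors were the root cause.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One management-pack rule: which counter to watch and when a breach becomes an alert."""
    name: str
    counter: str
    threshold: float
    consecutive: int      # samples in a row above threshold before alerting
    severity: str         # "Warning" or "Critical"
    knowledge: str        # guidance shipped with the rule and attached to its alerts


@dataclass(frozen=True)
class Alert:
    server: str
    rule: str
    severity: str
    value: float
    knowledge: str


SEVERITY_RANK = {"Healthy": 0, "Warning": 1, "Critical": 2}

# Constructed rules in the spirit of an OS/hardware management pack; thresholds are illustrative.
RULES = [
    Rule("NIC receive errors", r"\Network Interface(*)\Packets Received Errors", 0, 3, "Critical",
         "Sustained receive errors usually point to cabling, a duplex mismatch or a failing adapter."),
    Rule("Excessive paging", r"\Memory\Pages/sec", 100, 2, "Warning",
         "Identify the processes consuming memory before resizing the paging file."),
]


class Monitor:
    """Toy MOM-style server: receives samples forwarded by agents, evaluates rules, tracks state."""

    def __init__(self, rules):
        self.rules = rules
        self.runs = defaultdict(int)      # (server, rule name) -> consecutive breaching samples
        self.alerts = []

    def ingest(self, server, sample):
        """sample is {counter_path: value}, as an agent on that server would forward it."""
        for rule in self.rules:
            if rule.counter not in sample:
                continue
            key = (server, rule.name)
            value = sample[rule.counter]
            if value > rule.threshold:
                self.runs[key] += 1
                if self.runs[key] == rule.consecutive:      # alert once, when the run first completes
                    self.alerts.append(Alert(server, rule.name, rule.severity, value, rule.knowledge))
            else:
                self.runs[key] = 0                          # a good sample clears the run

    def server_state(self, server):
        """Worst severity among the rules currently in breach for this server."""
        state = "Healthy"
        for rule in self.rules:
            in_breach = self.runs[(server, rule.name)] >= rule.consecutive
            if in_breach and SEVERITY_RANK[rule.severity] > SEVERITY_RANK[state]:
                state = rule.severity
        return state


def run_demo():
    """Constructed agent samples: TS01's adapter errors keep climbing, FS01 pages only intermittently."""
    monitor = Monitor(RULES)
    for errors in (0, 2, 5, 7):
        monitor.ingest("TS01", {r"\Network Interface(*)\Packets Received Errors": errors})
    for pages in (30, 150, 40, 160):
        monitor.ingest("FS01", {r"\Memory\Pages/sec": pages})
    return monitor


if __name__ == "__main__":
    monitor = run_demo()
    for alert in monitor.alerts:
        print(f"[{alert.severity}] {alert.server}: {alert.rule} = {alert.value}\n    {alert.knowledge}")
    for server in ("TS01", "FS01"):
        print(f"{server}: {monitor.server_state(server)}")
```

TS01 produces one Critical alert when its third consecutive non-zero error sample arrives and its state turns Critical; FS01 never breaches twice in a row, so it stays Healthy with no alert. The consecutive-sample requirement is what keeps a console from flooding with alerts on momentary spikes, and the knowledge text is what turns an alert into an actionable task for whoever is on call.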

For More Information

For more information about Microsoft products and technologies discussed in this article, see the following:


For any feedback regarding the content of this column, please write to Microsoft TechNet. Please be aware that this is not a technical support alias and a response is not guaranteed.