Determining if performance is acceptable can be highly subjective. It varies depending on the system, role, and environment.There are several general counters and specific thresholds for these counters that you can use to monitor performance.You should examine these counters as ratios over a period of regular intervals, rather than as the average of specific instances.This will provide a more realistic picture of the actual activity occurring on your system. In addition, watch for consistent occurrences of the threshold values being exceeded. It is not uncommon for momentary activity in a system to cause one or more counters to exceed threshold values, which may or may not be acceptable in your environment. You can use System Monitor and Performance Logs and Alerts to monitor the local system or another computer on the network, as shown in Figure 7.13. It can be useful to compare the perfor- mance of the same resource on multiple systems. Be cautious when you do this, though. Ensure that you are comparing appropriately similar objects. Watch out for the “apples and oranges” mismatch. Also, consider that a server being monitored locally may have less monitoring overhead than one that is monitored remotely.This is particularly true regarding the network- and server-related coun- ters, which can be skewed by the transmission of the performance data to your monitoring system. Be sure to account for this difference when developing your statistics. If the Explain button in the Add Counters dialog box is not grayed out, a supporting expla- nation of the counter is available.The explanation for the Memory:Pages/sec counter is shown in Figure 7.14. 256 Chapter 7 • Planning, Implementing, and Maintaining a High-Availability Strategy Figure 7.13 Selecting Counters from Another Computer Figure 7.14 Viewing a Counter Explanation 301_BD_w2k3_07.qxd 5/11/04 5:01 PM Page 256 Once you have become comfortable and proficient with reading counters, developing baselines, unobtrusively monitoring system activity, and comparing performance, you are ready for the final performance task: determining when your system will no longer be capable of performing the tasks that you want it to perform. Eventually, every computer will be outdated or outgrown. If you have developed the skills for monitoring your system, you should be able to determine in advance when your system will be outgrown.This will allow you to plan for the eventual expansion, enhancement, or replacement of the system. By taking this proactive approach, you can further reduce unplanned downtime by being prepared. Use the following steps to create a system monitor console. Refer to Table 7.1, earlier in the chapter, for information about common counters. Creating a System Monitor Console 1. Select Start | All Programs | Administrative Tools | Performance. Click System Monitor. If any counters are already present, click the Delete (X) button on the toolbar, circled in Figure 7.16, until the System Monitor window is empty. 2. Click the Add (+) button on the toolbar.The Add Counters dialog box appears, as shown in Figure 7.16. Planning, Implementing, and Maintaining a High-Availability Strategy • Chapter 7 257 Figure 7.15 Empty System Monitor Figure 7.16 Add Counters 301_BD_w2k3_07.qxd 5/11/04 5:01 PM Page 257 3. In the Performance object drop-down list, select the Logical Disk object. 4. In the Select counters from list box, select the %Free Space counter. 5. In the Select instances from list box, select _Total, and then click Add. 6. Repeat steps 3, 4 and 5, but select the following performance objects and counters (listed in the form performance object:counter): ■ Physical Disk:%Disk Time ■ Logical Disk:%Disk Time ■ Paging File:%Usage ■ Processor:%Processor Time 7. Click Close. 8. You should now see a System Monitor window similar to Figure 7.17. Observe the graph as it progresses. Compare the scale of the counters to each other. 9. Click the Add (+) button. 10. In the Performance object drop-down list, select Physical Disk:Disk Reads/sec. 11. In the Select instances from list box, select _Total, and then click Add. 12. Repeat steps 9, 10, and 11 to add the following counters: ■ Physical Disk:Disk Writes/sec ■ Physical Disk:Avg. Disk Queue Length ■ Memory:Available Bytes ■ Memory:Pages/sec ■ Processor:Interrupts/sec ■ Server Work Queues:Queue Length ■ System:Processor Queue Length 258 Chapter 7 • Planning, Implementing, and Maintaining a High-Availability Strategy Figure 7.17 Percentage-based Counters in System Monitor 301_BD_w2k3_07.qxd 5/11/04 5:01 PM Page 258 13. Click Close. 14. Your System Monitor window should look similar to Figure 7.18. Notice how busy the chart is beginning to look. Again, compare the scale of the counters to each other. Notice how several counters seem to stay at the bottom of the chart even though they are active. This illustrates that you should consider scale and try not to mix percentage-based coun- ters with nonpercentage-based counters on the same graph. 15. Click Logical Disk:%Free Space. 16. Click the Delete (X) button. 17. Repeat steps 9, 10, and 11 to add the following counters: ■ Physical Disk:%Disk Time ■ Logical Disk:%Disk Time ■ Paging File:%Usage ■ Processor:%Processor Time 18. You have removed all of the percentage-based counters from the graph.Your System Monitor window should appear similar to Figure 7.19. Compare the scale of the nonper- centage counters. Planning, Implementing, and Maintaining a High-Availability Strategy • Chapter 7 259 Figure 7.18 All Common Counters in System Monitor 301_BD_w2k3_07.qxd 5/11/04 5:01 PM Page 259 19. Close the Performance console. Using Event Viewer to Monitor Servers Windows Server 2003 includes several log files that collect information on events that occur in the system. Using these log files, you can view your system’s history of events.A standard Windows Server 2003 system has three event logs that record specific categories of events: ■ Application Contains events generated by server-based applications, such as Microsoft Exchange and WINS.The specific events logged by each application are determined by the application itself and may be configurable by an administrator within the application. ■ Security Contains events relating to system security, including successful and failed logon attempts, file creation or deletion, and user and group account activity.The contents of this file will vary depending on the auditing settings selected by the system administrator. ■ System Contains events relating to the activity of the operating system. Startups and shutdowns, device driver events, and system service events are recorded in the System log. The configuration and installed options of the operating system determine the events recorded in this log. Because of the nature of its entries, this log is the most important for maintaining system health. In addition to these three basic logs, a Windows Server 2003 system configured as a domain controller will also have the following two logs: ■ Directory Service Contains events related to the operation of Active Directory (AD).AD database health, replication events, and Global Catalog activities are recorded in this log. ■ File Replication Service Contains events related the File Replication Service (FRS), which is responsible for the replication of the file system-based portion of Group Policy Objects (GPOs) between domain controllers. 260 Chapter 7 • Planning, Implementing, and Maintaining a High-Availability Strategy Figure 7.19 Common Nonpercentage Counters 301_BD_w2k3_07.qxd 5/11/04 5:01 PM Page 260 Finally, a server configured to run the DNS Server service will have the DNS Server log, which contains events related to the operations of that service. Client DNS messages are recorded in the System log. Events entered into these log files occur as one of five different event types.The type of an event defines it level of severity.The five types of events are as follows: ■ Error Indicates the most severe or dangerous type of event.The failure of a device driver or service to start or a failed procedure call to a dynamic link library (DLL) can generate this type of event.These events indicate problems that could lead to downtime and need to be resolved.The icon of an error event appears as a red circle with a white X in the middle. ■ Warning Indicates a problem that is not necessarily an immediate issue but has the potential to become one. Low disk space is an example of a Warning event.This event type icon is a yellow triangle with a white exclamation point (!) in it. ■ Information Usually indicates success. Proper loading of a driver or startup of a service will generate an Information event.This icon is a white message balloon with a blue, low- ercase letter i in it. ■ Success Audit In the Security log, indicates the successful completion of an event con- figured for security auditing.A successful logon will generate this event.This icon is a gold key. ■ Failure Audit In the Security log, indicates the unsuccessful completion of an event con- figured for security auditing.An attempted logon with an incorrect password or an attempt to access a file without sufficient permissions will generate this type of event.The event’s icon is a locked padlock. The event logs are very helpful for collecting data, but we need a tool to present, filter, search, and help us interpret the data.That tool is Event Viewer, shown in Figure 7.20, which can be accessed by selecting Start | All Programs | Administrative Tools | Event Viewer. Event Viewer can also be accessed as a component of the System Tools snap-in within the Computer Management utility, as shown in Figure 7.21. When viewing an event log, the events appear in the order they occurred. Double-clicking an event will bring up the properties of that event, as shown in Figure 7.22. Click the arrows to navi- gate to either the next or previous event. Planning, Implementing, and Maintaining a High-Availability Strategy • Chapter 7 261 301_BD_w2k3_07.qxd 5/11/04 5:01 PM Page 261 262 Chapter 7 • Planning, Implementing, and Maintaining a High-Availability Strategy Figure 7.20 The Event Viewer Window Figure 7.21 Event Viewer, as Viewed from Computer Management Figure 7.22 Viewing Event Properties 301_BD_w2k3_07.qxd 5/11/04 5:01 PM Page 262 Each event captured follows the same format and contains the same set of data points.Those data points form the event header and are as follows: ■ Date The date the event occurred. ■ Time The time the event occurred. ■ Type The applicable type of event (Error, Warning, and so on). ■ User The user or account context that generated the event. ■ Computer The name of the computer where the event occurred. ■ Source The application or system component that generated the event. ■ Category The classification of the event from the event source’s perspective. ■ Event ID A number identifying the specific event from the source’s perspective. ■ Description A textual description of the event.This may be in any readable structure. ■ Data A hexadecimal representation of any data recorded for the event by the source. An event log can contain thousands or even millions of events. Because the event header follows the same structure regardless of the event source, you can use the filter function to focus in on spe- cific patterns of events.The filter function is available from the log’s Properties dialog box. Right- click a log in the left tree view and select Properties from the context menu, as shown in Figure 7.23, to view its properties. Click the Filter tab to display the filter options, as shown in Figure 7.24. (You can also access the filter function by clicking View | Filter.) By changing the selections on the Filter tab, you can exclude from view those events that do not fit the filter selections. Put another way, events that do not match the filter selections are filtered out.The events are still in the log; they are just not displayed as long as the filter is active. In addition to using the filter function, you can search event logs for specific events. From the Event Viewer main window, select View | Find…, as shown in Figure 7.25. Planning, Implementing, and Maintaining a High-Availability Strategy • Chapter 7 263 Figure 7.23 Accessing the Properties of an Event Log 301_BD_w2k3_07.qxd 5/11/04 5:01 PM Page 263 In the Find dialog box, enter your criteria for the search and click the Find Next button.The next event that matches your criteria will be highlighted in the Event Viewer main window, as shown in the example in Figure 7.26. The event log files themselves are stored in a compact binary format in the %systemroot%\System32\Config directory.You can configure the maximum size of these files and what action is taken when this size is reached on the General tab of the log Properties dialog box, as shown in Figure 7.27. 264 Chapter 7 • Planning, Implementing, and Maintaining a High-Availability Strategy Figure 7.24 Filtering Event Log Data Figure 7.25 Using Find in an Event Log 301_BD_w2k3_07.qxd 5/11/04 5:01 PM Page 264 Accessing the Properties dialog box of an event log gives you access to information about the log itself and allows you to change certain characteristics of the log. Referring to Figure 7.27, you can see the log’s name, location, and size.The Maximum log size option allows you to limit the amount of space the log consumes.The three radio buttons below this option allow you to specify what will happen when this maximum size is reached. Event logs can be archived on the computer on which they occur for long-term storage and analysis.This can be accomplished in two ways.The first is through the use of the Clear Log button on the event log Properties dialog box.You can click this button to delete all entries from a log file, but this process will also prompt you to save the events prior to deletion.The second method is through the use of the Save Log File As… option on the context menu for a log file, as shown in Figure 7.28. Planning, Implementing, and Maintaining a High-Availability Strategy • Chapter 7 265 Figure 7.26 Finding Event Log Data Figure 7.27 Event Log General Properties 301_BD_w2k3_07.qxd 5/11/04 5:01 PM Page 265 . Notice how busy the chart is beginning to look. Again, compare the scale of the counters to each other. Notice how several counters seem to stay at the bottom of the chart even though they are active. This. 259 19. Close the Performance console. Using Event Viewer to Monitor Servers Windows Server 2003 includes several log files that collect information on events that occur in the system. Using these log. 260 Finally, a server configured to run the DNS Server service will have the DNS Server log, which contains events related to the operations of that service. Client DNS messages are recorded in the System