Part IV Troubleshooting and Performance In this part: Chapter 15: Logging .535 Chapter 16: Tracing and Troubleshooting 563 Chapter 17: Performance and Tuning 605 Chapter 15 Logging In this chapter: What’s New? 535 Log File Formats That Have Not Changed 540 Centralized Logging 540 Remote Logging 541 Configuring IIS Logging 547 HTTP.sys Logging 556 Application Logging 557 Folder Compression Option 558 Logging Analysis Using Log Parser 559 Summary 561 Additional Resources 561 On the Disc Browse the CD for additional tools and resources Though not technology’s most fascinating topic, Web server log files are extraordinarily important They are a core resource used, for example, as the basis for billing, reliability, performance, compliance, and forensics This chapter discusses Internet Information Services logging and related features in Microsoft IIS 7.0 What’s New? In IIS 7.0, as in IIS 6.0, log files are handled by the HTTP.sys kernel mode device driver No user code runs in this service because HTTP.sys runs in kernel mode In general, not a lot has changed related to logging, but a few differences as well as new opportunities are notable You’ll find that many of the enhancements to logging introduced as late as Windows Server 2003 Service Pack (SP1) are included in IIS 7.0 For example, you can use World Wide Web Consortium (W3C) centralized logging and binary logging; you can use standard log formats such as W3C extended, National Center for Supercomputing Applications (NCSA), and IIS; and you can set the custom logging option One of the more interesting features in IIS 7.0 is its modular architecture and the Integrated Pipeline The Integrated Pipeline is covered in depth in Chapter 2, “Understanding IIS 7.0 535 536 Part IV: Troubleshooting and Performance Architecture.” Logging greatly benefits from the flexibility provided by the modularity in IIS 7.0 and the Integrated Pipeline because you can write your own logging module and inject it into the pipeline Your custom module can capture just the information needed for your application IIS 7.0 incorporates several changes pertinent to logging: ■ You use the IIS Manager to configure logging-related settings ■ The new configuration system is based on XML ■ There are a number of new logging configuration options and a new set of status codes ■ IIS 7.0 provides logging for a new service that enables remote administration of an IIS 7.0 server IIS Manager IIS 7.0 introduces a completely new user interface, the IIS Manager The IIS Manager makes it easier to browse and make changes to IIS settings, including log file settings For example, if you wanted to implement the centralized logging in IIS 6.0, you had to use ADSUtil.vbs Now, the Centralized Logging option is exposed in the IIS Manager, as shown in Figure 15-1 Figure 15-1 The Centralized Logging option in the IIS Manager Chapter 6, “Using IIS Manager,” provides an in-depth look at the IIS Manager The XML-Based Logging Schema IIS 7.0 uses a new configuration system that is XML-based and is very similar to the ASP.NET configuration system Each configuration section is defined in XML schema files located in Chapter 15: Logging 537 %SystemRoot%\system32\inetsrv\config\schema Details on the configuration sections are covered in Chapter 4, “Understanding the Configuration System.” Because information is defined in XML files, it is easy to determine what attributes, elements, and enums are used The schema for IIS 7.0 contains a list of all the configurable options, so looking in the schema file is a quick way to identify all the configurable settings for any feature, including logging The following listing is from the system.applicationHost/log section that is located in %SystemRoot%\system32\inetsrv\config\schema\IIS_Schema.xml (Some long lines have been split to fit on the printed page.) As you can see, the XML clearly defines the names and data types associated with each item Centralized Logging Configuration Options Following is the logging section defined in the ApplicationHost.config file that controls Centralized Logging options You can change this so that your files are stored on another drive or volume You can enable options you want and disable whatever options you not need SiteDefaults Configuration Options The SiteDefaults section in the ApplicationHost.config file, shown in the following code, controls the logging settings that are used when creating new sites You can configure two options: the format of the log file and the location in which Failed Request tracing files are stored Chapter 15: Logging 539 Disable HTTP Logging Configuration Options In some cases, an IIS administrator does not require log files If you would like to turn off httpLogging at the server level, you can disable logging in the IIS Manager You can also disable logging at the site level You might wonder why these options are available It’s so that you can disable logging on your test or development machines to reduce the disk space that unnecessary files use You should evaluate your options before disabling httpLogging Check with your business or legal department to be certain what your company’s logging requirements and policies are The default value for this setting, as shown here, is false Note For more information about the system.webServer/httpLogging option, see the section titled “Countermeasures” in Chapter 17, “Performance and Tuning.” Default Log File Location One of the most significant changes in IIS 7.0 is that the folder where IIS stores WWW logs has been changed to %SystemDrive%\inetpub\logs\LogFiles For example, the Default Web Site would log to C:\inetpub\logs\LogFiles\w3svc1 This means that by default in IIS 7.0, all log files are stored in a single folder Note, however, that log files for the legacy built-in File Transfer Protocol (FTP) and Simple Mail Transfer Protocol (SMTP) services are still located in %windir%\System32\Logfiles You can manage these files by using the IIS Manager 6.0, an MMC console that is installed when you install the legacy FTP service or the SMTP service Note The new FTP Publishing Service for IIS 7.0 stores its log files in %SystemDrive%\ inetpub\logs\LogFiles by default You need to download and install this add-on, because it does not ship with IIS 7.0 The x86 and x64 versions are available at http://www.iis.net Click Download and search for “Microsoft FTP Publishing Service for IIS 7.0.” Default UTF-8 Encoding By default, IIS 7.0 stores log files by using UTF-8 encoding This changes the default file naming convention so that the files start with u_ (for example, u_exYYMMDD.log) Here is the portion of the IIS_Schema.xml file that sets the UTF-8 encoding option The default setting is true UTF-8 encoding allows for single-byte and multi-byte characters in one string This encoding enables you to read text-based logs (for example, logs that use W3C Extended, IIS, and NCSA 540 Part IV: Troubleshooting and Performance Common formats) in a language other than English IIS does not support the UTF-8 format for the built-in FTP Publishing Service log files UTF-8 encoding is available in IIS 6.0, but it is not enabled by default If you not want to have your logs use UTF-8 encoding, you can use ANSI as the format New Status Codes In IIS 7.0, new status codes have been introduced for HTTP and FTP These additional error codes provide more details about events and better descriptions of how to fix errors, with suggestions about what to look for or what procedures to run Appendix A provides a complete list of all status codes Management Service IIS 7.0 introduces Management Service, which enables computer and domain administrators to remotely manage a machine by using the IIS Manager The Management Service also enables nonadministrators to control sites and various applications by using the IIS Manager from a workstation This service has its own logs that are used to track information related to the Management Service This service is not installed by default If you install and enable this service, the logs will be saved in %SystemDrive%\inetpub\logs\WMSvc From a logging perspective, you should make sure the Management Service logging is enabled The logs can help you audit and troubleshoot issues when clients are connecting to your server The Management Service is discussed in depth in Chapter 8, “Remote Administration.” Log File Formats That Have Not Changed IIS 7.0 supports all the common logging formats that are available in prior versions of IIS There have been no changes in IIS 7.0 to the following log file formats: ■ Microsoft IIS ■ NCSA ■ W3Svc extended Note For descriptions, further discussion, and examples of these log formats, go to http://msdn2.microsoft.com and search for “IIS logging formats.” Centralized Logging Centralized logging in IIS 7.0 operates the same way as it does in IIS 6.0 However, you can now configure this option in the IIS 7.0 Manager To access this feature, go to Administrative Tools > Internet Information Services (IIS) Manager Click the computer name and locate the Logging option listed in the IIS section Chapter 15: Logging 541 Using the Logging option can reduce administrative costs because only one IIS log file is being maintained If you use binary logging, the log can be stored in a much smaller file than the equivalent text log file W3C Centralized Logging Format W3C centralized logging was first introduced in Windows Server 2003 SP1 W3C centralized logging is a server-level setting When you enable this feature on a server, all Web sites on that server are configured to write log data to a central log file Data is stored in the log file using the W3C Extended log file format You can enable this setting through the IIS 7.0 Manager or by using Appcmd If you use W3C centralized logging, you can view the log file with a text editor such as Notepad Note W3C centralized logging uses the W3C Extended log format, which includes the following four fields: HostHeader, Cookie, UserAgent, and Referrer These fields are not available in centralized binary logging Centralized Binary Logging Format Centralized binary logging is essentially the same as W3C centralized logging, except that the log file uses a proprietary, binary format Because the resulting file is binary, it is smaller than an equivalent text file so that you can conserve disk space It cannot be read with a text editor and requires parsing to produce useful information However, this is easier than you might think when you use the Log Parser tool, which reads the centralized binary file format natively The Log Parser tool is discussed later in this chapter Important The built-in FTP and SMTP services not support W3C centralized logging Remote Logging IIS 7.0 supports writing log files to a network share This option enables you to have your log files stored in real time to a remote computer For example, suppose that you have a Web farm configured for logging to a central location The remote file server could be a server running DFS (distributed file system) DFS can provide multiple benefits including a central location to collect your log files and automatic replication of your logs to multiple locations Having such a primary collection point can make handling your reporting processes much easier Important When you set up your remote logging environment, make sure the host (A) and pointer (PTR) DNS records are set up so that authentication and resolution happens correctly This can help avoid problems such as Kerberos authentication errors when HTTP.sys is trying to write log files Chapter 17 Performance and Tuning In this chapter: Striking a Balance Between Security and Performance 606 The Impact of Constrained Resources 612 Processor 612 Memory 617 Hard Disks 621 Network 623 64-Bit Mode vs 32-Bit Mode 631 Configuring for Performance 632 Performance Monitoring 647 Scalability 649 Summary 652 Additional Resources 653 On the Disc Browse the CD for additional tools and resources This chapter will discuss performance and tuning of your Microsoft Windows Server 2008 Web servers Windows Server 2008 and Internet Information Services (IIS) 7.0 provide many options for tuning your system to balance the best possible performance with servicing the requirements of your applications You should be able use the new features in IIS 7.0 to design a system that will maximize your resource investment to meet your business requirements Tuning your servers for performance is an art and a science at the same time An example would be the tradeoff between application pool isolation and performance Particularly in some hosting scenarios, isolating application pools can be a big problem Though using application pools to isolate Web sites can make for a more secure server, it also requires more server resources (in particular, increased amounts of memory) URL filtering can also impact performance Each option you decide to implement can impact both performance and security 605 606 Part IV: Troubleshooting and Performance Striking a Balance Between Security and Performance As physics teaches us, for each action, there is an equal and opposite reaction And this is the balance between performance and security Many factors can impact your server’s performance Probably the biggest resource to help your server perform is how random access memory (RAM) usage is monitored With 64-bit operating systems being able to handle many gigabytes (GB) of RAM, you would think that keeping track of available RAM would be a thing of the past However, it is not that simple One of the main features of IIS 7.0 is the ability to load just the modules you need to support a particular application This can help keep the core server footprint to a minimum How to Measure Overhead Why you measure overhead on your server? Let’s compare it with measuring overhead in any business Each business has monthly rent, utilities, and labor costs These types of fixed costs are overhead This analogy helps illustrate the fact that every server has some base resources that are overhead to the system Security can add overhead to any application and server Depending on your requirements, it could add a delay and affect overall application performance Security also costs some performance gains For example, depending on your architecture, you can expect Secure Sockets Layer (SSL) processing to affect overall performance, both at the server and application level Following is an example of how you can establish the baseline for your server and worker process size (w3wp.exe) before you put any applications, modules, and load on the system The example uses a server with Windows Server 2008 Enterprise edition with the Default IIS 7.0 install workload: Install the Default IIS workload, which serves static content with anonymous access Note See Chapter 5, “Installing IIS 7.0,” for more information about how to set up an IIS 7.0 server with the Default IIS 7.0 workload This installation simply uses the default options selected when installing IIS 7.0 Open Internet Explorer and type http://localhost After you browse http://localhost, a w3wp.exe process should show up in Windows Task Manager Click the Processes tab and locate the memory footprint (for this example, it’s about 3.1 megabytes [MB]) If you want to see which dynamic-link libraries (DLLs) are loaded into the w3wp.exe worker process, open a command prompt and type tasklist /M /FI “Imagename eq w3wp.exe” Here is an example of the output you will see Chapter 17: Performance and Tuning 607 Image Name PID Modules ===================== ======== ============================================ w3wp.exe 3572 ntdll.dll, kernel32.dll, ADVAPI32.dll, RPCRT4.dll, msvcrt.dll, USER32.dll, GDI32.dll, ole32.dll, IISUTIL.dll, CRYPT32.dll, MSASN1.dll, USERENV.dll, Secur32.dll, WS2_32.dll, NSI.dll, IMM32.DLL, MSCTF.dll, LPK.DLL,USP10.dll, NTMARTA.DLL, WLDAP32.dll, PSAPI.DLL, SAMLIB.dll, w3wphost.dll, OLEAUT32.dll, nativerd.dll, XmlLite.dll, IISRES.DLL, rsaenh.dll, mscoree.dll, SHLWAPI.dll, comctl32.dll, mscorwks.dll, MSVCR80.dll, CLBCatQ.DLL, mlang.dll, iiscore.dll, W3TP.dll, w3dt.dll, HTTPAPI.dll,slc.dll, faultrep.dll, VERSION.dll, NLAapi.dll, IPHLPAPI.DLL, dhcpcsvc.DLL, DNSAPI.dll, WINNSI.DLL, dhcpcsvc6.DLL, mswsock.dll, winrnr.dll, napinsp.dll, wshtcpip.dll, wship6.dll, rasadhlp.dll, cachuri.dll, cachfile.dll, cachtokn.dll,cachhttp.dll, compstat.dll, defdoc.dll, dirlist.dll, protsup.dll, static.dll, authanon.dll, modrqflt.dll, custerr.dll, loghttp.dll, iisreqs.dll, WSOCK32.dll, authbas.dll, authsspi.dll, NETAPI32.dll Note Although this list of DLLs appears to include a lot of entries, most of the DLLs are required by the core IIS engine Some modules such as Default Documents (defdoc.dll) are optional and could be removed This example uses the Default install of IIS If necessary, you could reduce the number of optional role services, which would reduce the number of DLLs loaded The only way to really know whether or not you can reduce the number of optional role services is to bring up a server in an isolated environment and test your configuration Here is an example from a server running Windows Server 2008 Server Core The w3wp.exe process is approximately 2.5 MB in this example Image Name PID Modules ===================== ======== ============================================ w3wp.exe 804 ntdll.dll, kernel32.dll, ADVAPI32.dll, RPCRT4.dll, msvcrt.dll, USER32.dll, GDI32.dll, ole32.dll, IISUTIL.dll, CRYPT32.dll, MSASN1.dll, USERENV.dll, Secur32.dll, WS2_32.dll, NSI.dll, IMM32.DLL, MSCTF.dll, LPK.DLL,USP10.dll, NTMARTA.DLL, WLDAP32.dll, PSAPI.DLL, SAMLIB.dll, w3wphost.dll, OLEAUT32.dll, nativerd.dll, XmlLite.dll, IISRES.DLL, rsaenh.dll, CLBCatQ.DLL, mlang.dll, comctl32.dll, SHLWAPI.dll, iiscore.dll, W3TP.dll, w3dt.dll, HTTPAPI.dll,slc.dll, faultrep.dll, VERSION.dll, mswsock.dll, DNSAPI.dll, NLAapi.dll, IPHLPAPI.DLL, 608 Part IV: Troubleshooting and Performance dhcpcsvc.DLL, WINNSI.DLL, dhcpcsvc6.DLL, wshtcpip.dll, wship6.dll, cachuri.dll, cachfile.dll, cachtokn.dll,cachhttp.dll, compstat.dll, defdoc.dll, dirlist.dll, protsup.dll, static.dll, authanon.dll, modrqflt.dll, custerr.dll, loghttp.dll, iisreqs.dll, WSOCK32.dll, gzip.dll This worker process baseline exercise shows you how to determine how big your w3wp process will be and which DLLs are loaded If you add modules, you can run through the exercise again and see how your memory footprint has changed Table 17-1 lists the new WAS_W3WP Reliability And Performance Counter (perfmon) counters in IIS 7.0 Table 17-1 WAS_W3WP Counters Counter Name Description Total Health pings Total number of health pings received by the process Total Runtime Status Queries Total number of Runtime Status queries received by the process Health Ping Reply Latency Time, in 100-nanosecond intervals, taken by worker process to reply to last health ping Active listener channels Number of currently active listener channels in the worker process Active protocol handlers Number of currently active protocol handlers in the worker process Total WAS Messages Received Total number of messages received by the worker process from Web Admin Service Messages Sent to WAS Total count of messages sent to WAS Total Requests Served Total number of requests served by the worker process; this counter is meaningful only when request-based recycling is enabled for the application pool Total Messages Sent to WAS Total number of messages sent to Web Admin Service by the worker process The new W3SVC_W3WP Reliability and Performance Counter (perfmon) counters in IIS 7.0 are listed in Table 17-2 Table 17-2 W3SVC_W3WP Counters in IIS 7.0 Counter Name Description Total HTTP Requests Served Total number of HTTP requests served by the worker process Requests / Sec HTTP requests/sec being processed by the worker process Active Requests Current number of requests being processed by the worker process Chapter 17: Performance and Tuning 609 Table 17-2 W3SVC_W3WP Counters in IIS 7.0 Counter Name Description Total Threads Total number of threads available to process requests in the worker process Active Threads Count Number of threads actively processing requests in the worker process Maximum Threads Count Maximum number of threads to which the thread pool can grow as needed Current File Cache Memory Usage Current number of bytes used by user-mode file cache Maximum File Cache Memory Usage Maximum number of bytes used by user-mode file cache Output Cache Current Memory Usage Current number of bytes used by output cache Current Files Cached Current number of files whose contents are present in user-mode cache Total Files Cached Total number of files whose contents were ever added to the user-mode cache (since service startup) File Cache Hits Total number of successful lookups in the user-mode file cache (since service startup) File Cache Misses Total number of unsuccessful lookups in the user-mode file cache (since service startup) File Cache Flushes Total number of files removed from the user-mode cache (since service startup) Active Flushed Entries Number of file handles cached in user-mode that will be closed when all current transfers complete Total Flushed Files Total number of file handles that have been removed from the user-mode cache (since service startup) Current URIs Cached URI information blocks currently in the user-mode cache Total URIs Cached Total number of URI information blocks added to the user-mode cache (since service startup) URI Cache Hits Total number of successful lookups in the user-mode URI cache (since service startup) URI Cache Misses Total number of unsuccessful lookups in the user-mode URI cache (since service startup) URI Cache Flushes Total number of URI cache flushes (since service startup) Total Flushed URIs The number of URI information blocks that have been removed from the user-mode cache (since service startup) Current Metadata Cached The number of metadata information blocks currently present in user-mode cache Total Metadata Cached Total number of metadata information blocks added to the user-mode cache (since service startup) Metadata Cache Hits Total number of successful lookups in the user-mode metadata cache (since service startup) 610 Part IV: Troubleshooting and Performance Table 17-2 W3SVC_W3WP Counters in IIS 7.0 Counter Name Description Metadata Cache Misses Total number of unsuccessful lookups in the user-mode metadata cache (since service startup) Metadata Cache Flushes Total number of user-mode metadata cache flushes (since service startup) Total Flushed Metadata Total number of metadata information blocks removed from the user-mode cache (since service startup) Output Cache Current Items Number of items current present in output cache Output Cache Total Hits Total number of successful lookups in output cache (since service startup) Output Cache Total Misses Total number of unsuccessful lookups in output cache (since service startup) Output Cache Total Flushes Total number of flushes of output cache (since service startup) Output Cache Total Flushed Items Total number of items flushed from output cache (since service startup) File Cache Hits / sec Rate of successful lookups in file cache during last sample interval Metadata Cache Hits / sec Rate of successful lookups in metadata cache during last sample interval Uri Cache Hits / sec Rate of successful lookups in URI cache during last sample interval File Cache Misses / sec Rate of unsuccessful lookups in file cache during last sample interval Metadata Cache Misses / sec Rate of unsuccessful lookups in metadata cache during last sample interval Output Cache Misses / sec Rate of unsuccessful lookups in output cache during last sample interval Uri Cache Misses / sec Rate of unsuccessful lookups in URI cache during last sample interval Total HTTP Requests Served Total number of HTTP requests served by the worker process Requests / Sec HTTP requests/sec being processed by the worker process Authentication IIS 7.0 Manager lists seven different authentication modules The Anonymous module is installed by default; the others can be installed individually: ■ Active Directory Client Certificate Mapping Authentication ■ Anonymous Authentication ■ ASP.NET Impersonation Chapter 17: ■ Digest Authentication ■ Forms Authentication ■ 611 Basic Authentication ■ Performance and Tuning Window Authentication To help make your server more secure and perform better, install only the modules you need For more information on setup, see Chapter SSL The SSL implementation has changed in IIS 7.0 Windows Server 2003 stores all SSL configurations in the IIS metabase, and encryption and decryption happen in user mode This requires a lot of back-and-forth communication between kernel and user mode In Windows Server 2008, HTTP.sys handles SSL encryption and decryption in kernel mode Secure connections should have up to 20 percent better performance than IIS 6.0 The performance gains for decrypting data are evident because the need to bounce back and forth from kernel mode to user mode has been greatly reduced To move SSL into kernel mode, IIS 7.0 requires SSL binding information to be stored in two locations The binding information is stored in %windir%\system32\inetsrv\ applicationHost.config for each site When the site starts, IIS sends the binding to HTTP.sys, and HTTP.sys starts listening for requests on the specified IP:port The second part of SSL configuration is stored in HTTP.sys configuration You can use Netsh to view SSL binding configuration stored in HTTP.sys Note Netsh is a command line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running Netsh also provides a scripting feature that allows you to run a group of commands in batch mode against a specified computer Netsh can also save a configuration script in a text file for archival purposes or to help you configure other servers For more information about Netsh, go to http://technet.microsoft.com and search for Netsh overview Here is an example showing a sample binding to 192.168.0.10 The IP address is the same that would be listed in the Web site bindings netsh http show sslcert SSL Certificate bindings: IP:port Certificate Hash Application ID Certificate Store Name : : : : 192.168.0.10:443 63ca21f32543806959aed570a081fb3f311f958a {4dc3e181-e14b-4a21-b022-59fc669b0914} MY 612 Part IV: Troubleshooting and Performance Verify Client Certificate Revocation : Enabled Verify Revocation Using Cached Client Certificate Only Usage Check : Enabled Revocation Freshness Time : URL Retrieval Timeout : Ctl Identifier : (null) Ctl Store Name : (null) DS Mapper Usage : Disabled Negotiate Client Certificate : Disabled : Disabled When a client starts an SSL negotiation, HTTP.sys looks in its SSL configuration for the IP and port pair that the client connected to For the SSL-based request to succeed, the HTTP.sys SSL configuration must include a certificate hash and name of the certificate’s store SSL accelerators come in two forms: an external device and internal card An external device is useful when you want to add capacity on demand or make sure there is room to grow As your requirements for SSL increase, you can add devices to handle the load An internal card, usually a PCI card, will take the load off the Web server by handling the encryption and decryption As computers continue to get faster and add more CPU cores, there may no longer be any need for the external device Whatever solution you decide regarding SSL will depend on your application needs IIS 7.0 has improved the performance of how it handles SSL, compared to IIS 6.0 After you have load-tested your application, only then will you determine if you need an external device No matter which way you proceed, following best practices, you should put your application in a controlled environment and load-test it If you determine under load that your servers can handle all the operations, then this can help determine what your production environment will look like Testing will help you clarify your decision about SSL performance The Impact of Constrained Resources Every administrator has to deal with a server with constrained resources Windows Server 2008 and IIS 7.0 offer the Reliability and Performance Monitor This is a new and expanded performance tool in Windows Server 2008 Using it can help determine what is causing a resource issue Processor The first resource performance issue usually noticed by administrators is high CPU (Central Processing Unit) usage When users report slow performance, the first thing most administrators is open Windows Task Manager and look at processor usage This problem is usually a symptom of something else going on with the machine or application It doesn’t take much for an immediate CPU spike—it could be as simple as an infinite loop in code Chapter 17: Performance and Tuning 613 What Causes CPU Pressure? If there was an easy answer to the question of what causes CPU pressure, an administrator’s job would be a lot easier Let’s look at a list of common items that cause pressure: ■ Poorly written applications ■ Memory-intensive services ■ Servers not sized to support the applications ■ Too many processes on the server ■ Servers not having enough RAM As you can see by the preceding list, a variety of issues can cause CPU pressure Throttling Throttling an application or process is one way of keeping server resources available and not allowing the server to become unresponsive The term throttling means limiting the amount of server resources a particular process or resource can use For example, IIS 7.0 offers various ways to throttle resources—from bandwidth to connection time-outs and limits If your server hosts multiple Web sites, you can throttle the number of connections one Web site receives This would help keep it from using too many connections or server resources and also prevent other Web sites hosted on the server from being affected Figure 17-1 shows the available options in IIS 7.0 that you can throttle This can be done a per–Web site basis Figure 17-1 Per–Web site limits available in IIS 7.0 IIS 7.0 offers several ways using application pool limits to throttle resources You can set limits on worker process CPU settings, Rapid Fail Protection, Recycling, and several settings in the Process model section located in application pool settings You can learn more about general application pool settings in Chapter 10, “Managing Applications and Application Pools.” 614 Part IV: Troubleshooting and Performance Caching provides one of the better ways to enhance your application’s performance There are also ways to throttle how much of the server resources are used Locking down how much RAM caching is allowed to use can impact the performance gains your application experiences You can use application pool options to help lower CPU usage so that your higher impact sites have resources available This is one example of how you could control resources on your server and maximize application performance CPU Counters to Monitor See Table 17-3 for a list of common counters that help identify which processes and how much of the server resources are being used when your IIS 7.0 server is experiencing high CPU conditions Table 17-3 CPU Counters to Measure Counter Name Description Processor(_Total)\% Interrupt Time The time the processor spends receiving and servicing hardware interrupts during sample intervals This value is an indirect indicator of the activity of devices that generate interrupts, such as the system clock, the mouse, disk drivers, data communication lines, network interface cards, and other peripheral devices These devices normally interrupt the processor when they have completed a task or require attention Normal thread execution is suspended during interrupts Most system clocks interrupt the processor every 10 milliseconds, creating a background of interrupt activity This counter displays the average busy time as a percentage of the sample time Processor(_Total)\% Privileged Time The time the processor spends receiving and servicing hardware interrupts during sample intervals This value is an indirect indicator of the activity of devices that generate interrupts, such as the system clock, the mouse, disk drivers, data communication lines, network interface cards, and other peripheral devices These devices normally interrupt the processor when they have completed a task or require attention Normal thread execution is suspended during interrupts Most system clocks interrupt the processor every 10 milliseconds, creating a background of interrupt activity This counter displays the average busy time as a percentage of the sample time Chapter 17: Performance and Tuning 615 Table 17-3 CPU Counters to Measure Counter Name Description Processor(_Total)\% Processor Time The percentage of elapsed time that the processor spends to execute a non-idle thread It is calculated by measuring the percentage of time that the processor spends executing the idle thread and then subtracting that value from 100% (Each processor has an idle thread that consumes cycles when no other threads are ready to run.) This counter is the primary indicator of processor activity and displays the average percentage of busy time observed during the sample interval It should be noted that the accounting calculation of whether or not the processor is idle is performed at an internal sampling interval of the system clock (10 ms) On today’s fast processors, % Processor Time can therefore underestimate the processor utilization, as the processor may be spending a lot of time servicing threads between the system clock sampling intervals Workload-based timer applications are one example of applications that are more likely to be measured inaccurately, as timers are signaled just after the sample is taken Processor(_Total)\% User Time The percentage of elapsed time the processor spends in user mode User mode is a restricted processing mode designed for applications, environment subsystems, and integral subsystems The alternative, privileged (kernel) mode, is designed for operating system components, and it allows direct access to hardware and all memory The operating system switches application threads to privileged mode to access operating system services This counter displays the average busy time as a percentage of the sample time System\Context Switches/sec The combined rate at which all processors on the computer are switched from one thread to another Context switches occur when a running thread voluntarily relinquishes the processor, is preempted by a higher priority ready thread, or switches between user-mode and privileged (kernel) mode to use an Executive or subsystem service It is the sum of Thread\\Context Switches/sec for all threads running on all processors in the computer and is measured in numbers of switches There are context switch counters on the System and Thread objects This counter displays the difference between the values observed in the last two samples, divided by the duration of the sample interval System\System Calls/sec The combined rate of calls to operating system service routines by all processes running on the computer These routines perform all of the basic scheduling and synchronization of activities on the computer and provide access to nongraphic devices, memory management, and namespace management This counter displays the difference between the values observed in the last two samples, divided by the duration of the sample interval 616 Part IV: Troubleshooting and Performance Reliability and Performance Monitor counters can help you establish a baseline for your server and can help you understand the number of resources used during normal and peak times When an issue arises, you can use the server’s baseline information and then compare the statistics collected to help identify the issue Using Reliability and Performance Monitor counters provides a lot of information When used effectively, using these counters will help isolate and resolve a performance problem Impact of Constraints Constraining the CPU resources on a server can impact how your application performs This applies only when you are putting constraints on your application When you so, it impacts performance—one application frees up resources for another application Countermeasures One example of how IIS 7.0 can help counter high CPU usage is by implementing Web gardens Web gardens are an available feature on worker processes that help spread the workload across multiple processes See Figure 17-2 Figure 17-2 Maximum worker processes setting in IIS 7.0 Chapter 17: Performance and Tuning 617 One thing to keep in mind is that Web gardens not work on applications requiring stateful sessions What does that mean? If you have a caching application, the variables will be cached in each application pool process and will not be shared among other processes The reason for this is that each process has its own copy of the application state, so values are independent of other worker processes and would not match across other processes in the Web garden Consider this example of when to use Web gardens Steve at Contoso Ltd has an application that is hitting the GB x86 process limit and is crashing The application does not use session state, so it is a candidate for enabling Web gardens After enabling Web gardens, Steve is able to spread the application load across multiple worker processes, preventing the application from crashing Let’s take a look at another example from Steve at Contoso Ltd He also has a database process that experiences latency From time to time, this causes the application pool to crash To help with performance and tuning of the application, Steve adds processes to give the application multiple processes accessing the resource (in this case, it’s a database) Memory Memory—or the lack of it—is probably the most common bottleneck in any system, causing a slowdown that is evident to users It’s the first issue you should look at when server issues appear With the introduction of 64-bit computing, you have the luxury of servers supporting literally terabytes of RAM If your application requires that much RAM that users must access, you can probably find room for performance enhancements However, 64-bit computing can help applications that have high memory requirements scale better than running the applications on a 32-bit platform What Causes Memory Pressure? Normally, Web applications that consume memory by design or due to poor code implementation lead to bottlenecks You can identify many memory bottlenecks during testing or during a pilot of your application Following proper development processes and stress testing at the early stages can help minimize the pressure With the ever-growing list of features and situations an application must handle, you should— first and foremost—not push more data or information to the client In a distributed environment, typical Web applications can try to select and cache 10,000 records Imagine hundreds of people hitting your Web site at the same time If your information has been cached on the server, the lack of available memory available on the server can affect your application performance 618 Part IV: Troubleshooting and Performance Memory Counters to Monitor Table 17-4 lists common memory counters that help identify which processes and how many of the server resources are being used when your IIS 7.0 server is experiencing high memory conditions Table 17-4 Memory Counters to Measure Counter Name Description Memory\Available Mbytes The amount of physical memory, in megabytes, immediately available for allocation to a process or for system use It is equal to the sum of memory assigned to the standby (cached), free, and zero page lists For a full explanation of the memory manager, refer to MSDN and/or the System Performance and Troubleshooting Guide chapter in the Microsoft Windows Server 2003 Resource Kit (Microsoft Press, 2005) Memory\Cache Faults/sec The rate at which faults occur when a page sought in the file system cache is not found and must be retrieved from elsewhere in memory (a soft fault) or from disk (a hard fault) The file system cache is an area of physical memory that stores recently used pages of data for applications Cache activity is a reliable indicator of most application I/O operations This counter shows the number of faults, without regard for the number of pages faulted in each operation Memory\Demand Zero Faults/sec The rate at which a zeroed page is required to satisfy the fault Zeroed pages, pages emptied of previously stored data and filled with zeros, are a security feature of Windows that prevent processes from seeing data stored by earlier processes that used the memory space Windows maintains a list of zeroed pages to accelerate this process This counter shows the number of faults, without regard to the number of pages retrieved to satisfy the fault This counter displays the difference between the values observed in the last two samples, divided by the duration of the sample interval Chapter 17: Performance and Tuning 619 Table 17-4 Memory Counters to Measure Counter Name Description Memory\Pages/sec The rate at which pages are read from or written to disk to resolve hard page faults This counter is a primary indicator of the kinds of faults that cause system-wide delays It is the sum of Memory\\Pages Input/sec and Memory\\Pages Output/sec It is counted in numbers of pages, so it can be compared to other counts of pages, such as Memory\\Page Faults/sec, without conversion It includes pages retrieved to satisfy faults in the file system cache (usually requested by applications) and non-cached mapped memory files Memory\Transition Faults/sec The rate at which page faults are resolved by recovering pages that were being used by another process sharing the page, or were on the modified page list or the standby list, or were being written to disk at the time of the page fault The pages were recovered without additional disk activity Transition faults are counted in numbers of faults; because only one page is faulted in each operation, it is also equal to the number of pages faulted Process(inetinfo)\% Processor Time The percentage of elapsed time that all process threads used the processor to execution instructions An instruction is the basic unit of execution in a computer, a thread is the object that executes instructions, and a process is the object created when a program is run Code executed to handle some hardware interrupts and trap conditions are included in this count Process(w3wp)\% Processor Time Process(w3wp)\Handle Count The total number of handles currently open by this process This number is equal to the sum of the handles currently open by each thread in this process Process(w3wp)\ID Process The unique identifier of this process ID Process numbers are reused, so they only identify a process for the lifetime of that process Process(w3wp)\Private Bytes The current size, in bytes, of memory that this process has allocated that cannot be shared with other processes Process(w3wp)\Thread Count The number of threads currently active in this process An instruction is the basic unit of execution in a processor, and a thread is the object that executes instructions Every running process has at least one thread ... with IIS 7.0 The x86 and x64 versions are available at http://www .iis. net Click Download and search for ? ?Microsoft FTP Publishing Service for IIS 7.0.” Default UTF -8 Encoding By default, IIS 7.0... codes ■ IIS 7.0 provides logging for a new service that enables remote administration of an IIS 7.0 server IIS Manager IIS 7.0 introduces a completely new user interface, the IIS Manager The IIS. .. http://support .microsoft. com/kb/91 181 6 IIS Events Other processes related to IIS also log to the Windows Event log This includes the HTTP, IISAdmin, FTP Publishing Service, and W3SVC services For