Chapter 12 Monitoring Microsoft Windows Server 2003 12 - 31 ■ Use Event Viewer and the Performance console to get an accurate picture of any immediate bottleneck problems due to device failure, service misconfiguration, or application incompatibilities. Replace hardware, properly configure services, and upgrade applications where necessary to improve the component parts of the run- ning environment. ■ Once the permissions are defined, put Failure Access Auditing in place to find anyone who is attempting to gain unauthorized resource access, and through what means. ■ Use Performance Logs And Alerts to baseline the servers once clearly defined bot- tlenecks have been removed. Continue to monitor for changes in server perfor- mance against the baseline. Troubleshooting Lab Users in the Help Desk group have been creating their own Web pages to publish tech- nical data for the rest of the group, and have many utilities that they use periodically in testing applications for functionality and stability. Recently, these users have been asking for some help in determining why their computers’ performance has recently declined significantly. Using the Performance console, take a baseline of the following counters: ■ Cache\Data Map Hits % ■ Cache\Fast Reads/sec ■ Cache\Lazy Write Pages/sec ■ Logical Disk\% Free Space ■ Memory\Available Bytes ■ Memory\ Pool Nonpaged Allocs ■ Memory\ Pool Nonpaged Bytes ■ Memory\ Pool Paged Allocs ■ Memory\ Pool Paged Bytes ■ Processor(_Total)\% Processor Time ■ System\Context Switches/sec ■ System\Processor Queue Length ■ Processor(_Total)\Interrupts/sec Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. 12-32 Chapter 12 Monitoring Microsoft Windows Server 2003 Monitor each of the suspect computers for one week of normal activity, recording the resulting output in a log file unique to each computer. Use a remote computer to col- lect the monitoring data so as not to skew the results of your baseline. Analyze the data to determine if there are any obvious bottlenecks. This list of counters is particularly baselining memory, disk I/O, and processor performance on each of the computers. Once the bottleneck has been defined, the applications (processes) should be examined to determine which of them are the heaviest contributors to the problem. The applications can then be upgraded, if that helps; removed, or resources can be added to the computers sufficient to perform the required tasks. Chapter Summary ■ Event Viewer presents data in the form of logs. The Application, System, and Secu- rity logs are on every Windows Server 2003 server. Domain controllers have two additional logs relating to Active Directory, and other application servers (such as DNS) have their own set of log files. ■ The Performance console (perfmon.msc) consists of two snap-ins: System Monitor and Performance Logs And Alerts. System Monitor shows real-time performance data based on Object counters, and can display the log data recorded by Perfor- mance Logs And Alerts either in the form of Counter (interval polling) logs, or Trace (event-driven) logs. ■ Task Manager is used to view real-time performance data surrounding processes and applications. Processes can be initiated and ended using Task Manager. Pro- cesses can also be adjusted up or down in CPU priority, and can be assigned affin- ity to a particular processor on a multiprocessor computer. ■ WMI is a management system that collects data from computer systems. The con- trol interface of WMI Control snap-in allows for adjustment of permissions beyond the default of the local administrator to manage computers across the network. While WMI is capable of configuring many different types of system behavior including users, groups, and services, the focus of this chapter is on the ability to extract data from the WMI Repository using the command line interface to WMI, WMIC. WMIC is capable of reporting running services, installed applications, and publishing Event Viewer data to CSV or HTML files for ease of distribution and analysis. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. Chapter 12 Monitoring Microsoft Windows Server 2003 12 - 33 Exam Highlights Before taking the exam, review the key points and terms that are presented below to help you identify topics you need to review. Return to the lessons for additional prac- tice and review the “Further Readings” sections in Part 2 for pointers to more informa- tion about topics covered by the exam objectives. Key Points ■ Event Viewer does not perform configuration, but collects data from different reporting providers. Data reported is organized into the appropriate log, and can be filtered, sorted, and exported for ease of analysis. ■ Task Manager is a tool used only on the local computer, and does not allow con- figuration of memory, processor, or other settings. Task Manager is exclusively used to start, stop, prioritize, and set processor affinity for applications. ■ The Performance Logs And Alerts snap-in can do no configuration, only reporting data through Counter Logs as reported by providers (object counters) on a config- ured interval, or through Trace Logs as reported by event-driven providers. ■ WMI requires administrative credentials for access to the remote computer for configuration of settings. ■ WMIC is not an Active Directory Schema Management Tool. WMI maintains its own schema. Key Terms Windows Management Instrumentation (WMI) The Microsoft implementation of Web-Based Enterprise Management Initiative to establish standards of data in Enterprise Management Windows Management Instrumentation Control (WMIC) A command line utility that interfaces with the WMI Repository (database) for configuration and monitor- ing management Task Manager An interface tool for the manipulation of processes System Monitor A component of the Performance console, as is the Performance Logs And Alerts snap-in, and should not be confused with System Properties Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. 12-34 Chapter 12 Monitoring Microsoft Windows Server 2003 Questions and Answers Lesson 1 Review Page 1. On a Domain Controller running DNS, what logs will Event Viewer display by 12-7 default? What are these logs, and what data do they collect? ■ Application Developers of an application can program their software to report configura­ tion changes, errors, or other events to this log. ■ System The Windows Server 2003 operating system will report events (service start or abnormal shutdown, device failures, and so on) to this log. The events reported to this log are preconfigured. ■ Security Logon and resource access events (audits) are reported to this log. Configura­ tion for most of these events is at the discrimination of the system administrator. ■ Directory Service This log contains events related to the Active Directory, such as irrec­ oncilable object replication or significant events within the directory. ■ File Replication Service This log contains errors or significant events reported by the File Replication Service related to the copying of information between domain controllers during a replication cycle. ■ DNS Server This log contains errors or significant events reported by the DNS server. 2. You have configured your Windows Server 2003 computer to audit all failed object access, and all files and folders have auditing configured for List Folder / Read Data Failure. All other Event Viewer and Security log settings are at their default configurations. What will happen when the number of entries in the Security log reaches 512 KB? The default configuration puts the maximum log file size at 512 KB, and allows for the file to overwrite, so once the file reaches 512 KB, the older data in the log will be overwritten. 3. You do not want data in the Security log to be overwritten, but also do not want your Windows Server 2003 computer to stop serving the network at any time. What settings will you configure on your server? In the properties for the Security log, configure the log to Do Not Overwrite Events (Clear Log Manually). You will not define the Group Policy that defines the Security Option: Audit: Shut Down System Immediately If Unable To Log Security Audits, as this will discontinue the server’s availability to the network if the Security log fills. You will need to schedule a regular period of Security log analysis as good administrative practice, but you will not need to do so at such a frequency as to keep the server from shutting down because you did not clear the log soon enough. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. Questions and Answers 12 - 35 Page 12-17 Page 12-23 Lesson 2 Review 1. Your goal is to monitor all your Windows Server 2003 servers so that they can be defragmented on a regular schedule, and as efficiently as possible. The disk defragmentation program that you use requires at least 20% free disk space on each volume in order to defragment properly. What should you do? Configure Performance Logs And Alerts on a workstation (or less-utilized server) to monitor all the remote servers’ LogicalDisk object, % Free Space counter for each instance on that com­ puter. In addition, configure each counter as an Alert with a threshold of Below 20% free space. Finally, configure each of the Alerts to send a message to the administrator (and any other user accounts that you want to receive the message). 2. You have been monitoring one of your Windows Server 2003 servers due to poor performance on the network. The following data is representative of your findings: ❑ Processor: % Processor Time: High ❑ Physical Disk: % Disk Time: Low ❑ Memory: Pages/sec: Low ❑ Processor: Interrupts/sec: High ❑ Process: % Processor Time (for non-service processes): Low ❑ Process: % Processor Time (for system services): Low What is the most likely explanation for the problem? It is likely that the Network Interface Card (or another device) is experiencing a problem at the device level. The high number of interrupts per second would cause the processor to be busy processing requests for service from the network interface. With all other counters being low, it is unlikely that an application or any System service is at fault. 3. The server that you are using to monitor the other servers on your network is overburdened with the task, so you must lighten its load of monitoring. To make the greatest impact for the monitoring computer’s performance while maintaining as much monitored data as possible, what should you do? Increase the polling interval for recording the data from the remote computers. By decreasing the frequency of the data poll, and perhaps staggering the logging times, the greatest amount of monitoring data can be maintained while reducing the load on the monitoring computer. Lesson 3 Review 1. What information can Task Manager provide about the performance of applications? Task Manager can provide processor, memory usage (including the page file), and basic Input/ Output on a process-by-process basis. 2. Your computer crashes with almost clocklike predictability approximately one hour after each system startup. You suspect an application with a memory leak Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. 12-36 Chapter 12 Monitoring Microsoft Windows Server 2003 that is causing the system to run out of memory. How can you use Task Manager to determine which application is causing the problem? Start all applications normally. In Task Manager, select the Memory Usage Delta column (View- Select Columns), and click on the column header. If you leave the system idle, then memory usage by any of the processes running on the computer should stabilize. If there is an applica­ tion with a memory leak, it should stay at or near the top of the list of processes running on the computer, and its value for Memory Usage Delta should continue to increase even with no activ­ ity on the system. 3. You are running a database application on your computer. Your computer has two processors. You want the database application to run on the second processor. How can you use Task Manager to do this? Right-click the database application in the Applications tab, and then choose Go To Process. Right-click the process, and set the processor affinity from the shortcut menu. Page Lesson 4 Review 12-29 1. You need to get patch and hotfix information from a number of servers on your network. You would like to do this remotely. How can you use WMI to accom- plish the task? Use the OS ASSOC alias with the /node: switch to run the WMIC command on any number of the computers remotely. Output to a CSV or HTML file for later use is possible as well using the /output alias and /format switch. For example, if Server01 and Server02 were the target com­ puters for WMIC, the command would be /NODE:"SERVER01","SERVER02" OS ASSOC. 2. You want to get a list of all installed applications on 17 computers in the develop- ment department. You would like to do this remotely. How can you use WMI to accomplish this? Type the computer names into a text file (computers.txt, for example). Use the WMIC PRODUCT alias with the node /node:@ switch to get the list of installed applications on each of the com­ puters in the list. Output to a CSV or HTML file for later use is possible as well using the /out- put alias and /format switch. For example, /NODE:@c:\computers.txt PRODUCT would produce the desired results. 3. You want to give a small group of engineers the ability to use WMI to get infor- mation from some of the development servers, but you do not want to give them administrator privileges on the servers. What can you do to give the engineers access? Give each engineer, or a group of all engineers, permission to the WMI namespace using WMI Control snap-in (Wmimgmt.msc), in the WMI MMC. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. 13 Recovering from System Failure Exam Objectives in this Chapter: ■ Perform Automated System Recovery (ASR) ■ Perform server system recovery Why This Chapter Matters Although Microsoft Windows Server 2003 offers superior levels of stability and reliability, power supplies, cooling fans, chip sets and yes, even code, can cause a computer to fail. And when a server fails in the forest, everyone hears it fall. Throughout this training kit, you have learned how to implement and support best practices that will minimize the risk of failure. You have also learned how to recover from the failure of specific services, drivers, and hardware configurations. In this chapter, you will learn the remaining skills that are required to recover a server when the operating system itself is corrupted or inaccessible due to cata- strophic failure. Lessons in this Chapter: ■ Lesson 1: Recovering from System Failure . . . . . . . . . . . . . . . . . . . . . . . . . .13-2 Before You Begin This chapter covers the concepts and skills related to recovering a failed server. To complete the exercises in this chapter, prepare the following: ■ A computer running Windows Server 2003. The examples use the computer name Server01. It can be a member server or a domain controller. Backups that are cre- ated during the exercises will complete more quickly if the computer is a member server. ■ A second physical disk is required to perform the exercise that demonstrates Auto- mated System Recovery. ■ If you complete the Automated System Recovery exercise, all data on the disk con- taining the system volume will be erased. Do not perform the Automated System Recovery if you want to maintain any data on that disk. 13-1 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. 13-2 Chapter 13 Recovering from System Failure Lesson 1: Recovering from System Failure In a worst-case scenario, server hardware fails and cannot be recovered. To return to operations, you must have a complete backup of the server that you can restore to a new piece of hardware. This complete backup will include data stored on the server, applications, and the operating system itself. In Chapter 7, you learned how to use the Backup Utility and the Ntbackup command-line tool to back up data. In this lesson, you will learn how to use the same utilities to back up the system so that you can return to operational status quickly in the event of such a worst-case scenario. You will also learn how to use the Recovery Console to perform surgical repairs of specific problems including service or driver failures. After this lesson, you will be able to ■ Back up the System State ■ Prepare an ASR backup set and repair a computer using Automated System Recovery ■ Install and use the Windows Server 2003 Recovery Console Estimated lesson time: 60 minutes A Review of Recovery Options Throughout this book, we have addressed methods used to repair and recover from specific types of failures: ■ Data loss or corruption: Chapter 7 discussed the backup and restore of data as well as the Volume Shadow Copy Service, the new feature in Windows Server 2003 that allows users to access or restore previous versions of files in shared fold- ers on servers. ■ Driver updates resulting in system instability: Chapter 10 introduced the new driver rollback capability of Windows Server 2003. If a driver has been updated and the system becomes unstable, that driver and any new settings that were con- figured can be rolled back to a previously installed version and state. Printer driv- ers cannot be rolled back. You also learned that it is easy, using Device Manager, to disable a device that causes instability. If an application or supporting software contributes to the instability, use Add Or Remove Programs to remove the offend- ing component. ■ Driver or service installation or update results in the inability to start the system: Chapter 10 covered the use of the Last Known Good Configuration, which rolls back the active ControlSet of the system’s registry to the ControlSet that was used Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. Lesson 1 Recovering from System Failure 13 - 3 the last time a user successfully logged on to the system. If you install or update a service or driver and the system crashes or cannot reboot to the logon screen, the Last Known Good Configuration effectively takes you back to the version of the registry that was active before the driver or service was installed. You also learned about the variety of Safe mode options, which enable the system to start with spe- cific drivers or services disabled. Safe mode can often allow you to start an other- wise unbootable computer and, using Device Manager, disable, uninstall, or roll back a troublesome driver or service. ■ Failure of the disk subsystem: Chapter 11 discussed the steps required to configure disk redundancy through mirrored (RAID-1) or RAID-5 volumes, and how to recover from the failure of a single disk within a fault-tolerant volume. Each of these recovery and repair processes makes the assumption that a system can be restarted to some extent. When a system cannot be restarted, the System State, Auto- mated System Recovery, and the Recovery Console can return the system to opera- tional status. System State Windows 2000 and Windows Server 2003 introduced the concept of System State to the backup process. System State data contains critical elements of a system’s configuration including: ■ The system’s registry ■ The COM+ Class Registration Database ■ The boot files, which include boot.ini, ntdetect.com, ntldr, bootsect.dos, and ntbootdd.sys ■ System files that are protected by the Windows File Protection service In addition, the following are included in the System State when the corresponding ser- vices have been installed on the system: ■ Certificate Services database on a certificate server ■ Active Directory and the Sysvol folder on a domain controller ■ Cluster service information on a cluster server ■ Internet Information Services (IIS) metabase on a server with IIS installed Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. 13-4 Chapter 13 Recovering from System Failure To back up the System State in the Backup Utility, include the System State node as part of the backup selection. The System State and its components are shown in Figure 13-1. Figure 13-1 The System State If you prefer to use the command line, use Ntbackup with the following syntax: Ntbackup backup systemstate /J "backup job name" . Followed by the /F switch to indicate backing up to a file, or appropriate /T, /G, /N, /P switches to back up to a tape. The switches for the Ntbackup command are described fully in Chapter 7. There are several important notes and considerations related to backing up the Sys- tem State: ■ You cannot back up individual components of the System State. For example, you cannot back up the COM+ Class Registration Database alone. Because of interde- pendencies among System State components, you can back up only the collection of System State components as a whole. ■ You cannot use Ntbackup or the Backup Utility to back up the System State from a remote machine. You must run Ntbackup or the Backup Utility on the system that is being backed up. You can, however, direct the backup to a file on a remote server, which can then transfer the file onto another backup media. Or you can purchase a third-party backup utility that can remotely back up the System State. ■ The System State contains most elements of a system’s configuration, but may not include every element required to return the system to full operational capacity. It is therefore recommended to back up all boot, system, data, and application vol- umes when you back up the system state. The System State is a critical piece of a complete backup, but is only one piece. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. [...]... Windows Server 2003 systems Microsoft Corporation Windows Server 2003 Help and Support Center Review “Change a Basic Disk to a Dynamic Disk.” Microsoft Corporation Windows Server 2003 Help and Support Center Review “Initialize And Convert Disk Wizard.” Microsoft Corporation Windows Server 2003 Help and Support Center Review “Disk Management.” Objective 1.2 Review Chapter 12, “Monitoring Microsoft Windows. .. Objective 1.2 Review Chapter 12, “Monitoring Microsoft Windows Server 2003.” This chapter reviews the different tools that can be used to monitor different aspects of the Windows Server 2003 operating system Microsoft Corporation Windows Server 2003 Help and Support Center Review “View Power Allocations for USB Hubs.” Microsoft Corporation Windows Server 2003 Help and Support Center Review “View Bandwidth... at a medium-sized organization that has a single Windows Server 2003 domain His team is responsible for installing and maintaining six Windows Server 2003 systems Each server has been configured as a stand-alone server and is not a member of the 2003 domain Twelve new disk drives have arrived and two each are to be installed in each of these member servers Rooslan delegates this task to an intern named... Center Review “View Bandwidth Allocations for USB Host Controller.” Microsoft Corporation Windows Server 2003 Help and Support Center Review “Print Information About a Specific Device.” Microsoft Corporation Windows Server 2003 Help and Support Center Review “How to View Hidden Devices.” Microsoft Corporation Windows Server 2003 Help and Support Center Review “Device Manager.” Please purchase PDF Split-Merge... Review Chapter 11, Lesson 4, “Implementing RAID.” This section details how various methods of software RAID can be implemented on Windows Server 2003 systems Microsoft Corporation Windows Server 2003 Help and Support Center Review “Disk Defragmenter.” Microsoft Corporation Windows Server 2003 Help and Support Center Review “Disk Management.” Objective 1.4 Review Chapter 10, Lessons 1 and 2: “Installing Hardware... and choose Automatic as the Startup Type 4 Restart the server 5 When the server presents the startup boot menu, select Microsoft Windows Recov­ ery Console 6 When prompted, type 1 to select the installation of Windows Server 2003 7 Type the password for the local Administrator account 8 When the Recovery Console prompt appears (by default, C: \Windows> ), type help to display a list of commands 9 Type... Administrators group on each of these Windows Server 2003 stand-alone servers? A Rooslan should add Alex’s account to the Backup Operators group on each server B Rooslan should add Alex’s account to the Backup Operators group in the domain C Rooslan should add Alex’s account to the Power Users group in the domain D Rooslan should modify the local GPO on each Windows Server 2003 to give Alex’s account... give Alex’s account the Perform Volume Maintenance Tasks user right E Rooslan should modify the local GPO on each Windows Server 2003 to give Alex’s account the Take Ownership Of Files And Other Objects user right 2 Rooslan is the systems administrator of a Windows Server 2003 file server The server currently has two disk drives The first disk, which is 30 gigabytes (GB) in size, hosts all the operating... Automated System Recovery and a minimal version of the operating system is loaded This step will take some time to complete 8 Eventually, a Windows Server 2003 Setup screen will appear 9 Windows Server 2003 Setup, partitions and formats the disk, copies files, initializes the Windows configuration and then prepares to restart 10 Remove the floppy disk from the disk drive and allow the computer to restart The... 14-11 Lee has two 100 GB SCSI hard disk drives connected to a Windows Server 2003 server that he is responsible for administering The server also has a single hardware RAID controller that supports RAID-0, RAID-1 and RAID-5 Currently 70 GB on the first drive is used and the second drive is empty Lee is concerned that the hard disk drive of the server might fail and he would lose all the information on . Eventually, a Windows Server 2003 Setup screen will appear. 9. Windows Server 2003 Setup, partitions and formats the disk, copies files, initializes the Windows. replication cycle. ■ DNS Server This log contains errors or significant events reported by the DNS server. 2. You have configured your Windows Server 2003 computer