Getting More Out of Monitoring and Alerts


Now that the reports and alerts have been configured you have at your disposal the most relevant information related to the health of your server. The next logical step is to familiarize yourself with each report and alert so that you can quickly determine what is happening with your system and take corrective action if necessary. The next couple of sections show you what to expect in each report or alert and how to customize them so that they become even more useful to you.

What's Included in Each Report

No matter whether you read the reports using your email client or via the company's intranet the HTML format will be the same. Each report contains several sections and subsections that cover different aspects of your server, from service pack level to the status of the last backup. Although most sections on each report are self-explanatory, it's a good idea to print out an actual report and carefully look at every item and consider its significance.

To help you understand each section, from the Configure Monitoring Wizard help files, Tables 19.1 and 19.2 show what to expect on a performance or usage report, respectively.

Table 19.1. Server Performance Report Sections

Report Section

Description

Summary information for ServerName

The length of time the server has been running since it was last restarted.

Links to additional details in the body of the report.

Status of Small Business Server 2003 backup.

The number of services configured to start automatically that are not running.

The number of critical alerts that occurred in the last 24 hours.

The number of critical event log errors in the last 24 hours.

Server Specifications

Specifies the operating system and service pack version, processor type and speed, and the amount of RAM installed on the server.

Performance Summary

Lists current values for today and last month and the growth rate percentage for the following performance counters:

Memory in use.

Free disk space (for each logical disk on the server).

Busy disk time (for each physical disk on the server).

CPU use.

Top 5 Processes by Memory Usage

Lists the names of the five processes that currently consume the largest percentage of server memory. As a reference, this section also includes the percentage of memory consumed by other processes in the past 24 hours and the total amount of memory installed on the server.

Top 5 Processes by CPU Time

Lists the names of the five processes that currently consume the largest percentage of CPU time.

Backup

Indicates the results from the latest run of Small Business Server 2003 Backup.

Auto-started Services Not Running

Lists services that have been configured to start automatically, but were not running at the time the report was run.

Critical Alerts

Provides detailed information that describes each critical alert that occurred in the last 24 hours.

Critical Errors in Event Logs

Lists critical errors that have occurred in the event logs in the last 24 hours. Details include information about the source of the error, the event ID, the time of the last occurrence, the total number of occurrences, and the associated error message, if any.


Table 19.2. Usage Report Sections

Report Section

Description

Internet Activity

Web Activity by ComputerThe total and average daily hours a client computer was connected to the Internet during the reporting period. Web Traffic by HourThe total and average daily number of connections made by all client computers, by hour, during the reporting period. Note: This section is only included if the basic firewall (RRAS) in SBS is enabled. If you have only one network card or are using ISA server, the section will not appear.

E-mail Activity

E-mail SentThe total number and size of email messages that each user sent to internal and external email addresses.

E-mail ReceivedThe total number and size of email messages that each user received from internal and external email addresses.

Mailbox SizeThe size of each user's mailbox at the beginning and end of the reporting period, and the percentage change in mailbox size.

Outlook Web Access

Outlook Web Access Activity by UserThe total and average daily number of visits each user made to an Outlook Web Access site.

Outlook Web Access Usage by HourThe total and average daily number of visits made to an Outlook Web Access site by all users, by hour, during the reporting period.

Remote Connections

Remote Connection Activity by UserThe total and average daily number of times each user made a remote connection to the network and the average connection duration in minutes.

Remote Connection Activity by HourThe total and average daily number of remote connections to the network by all users, by hour, during the reporting period.

Fax Activity

Faxes SentThe total and average daily number of faxes sent to a specific fax number and the average duration and size (in pages) of all faxes sent to that number during the reporting period.

Faxes ReceivedThe total and average daily number of faxes received from a specific fax number and the average duration and size (in pages) of all faxes received from that number during the reporting period.

Faxes Sent by UserThe total and average daily number of faxes sent by each user and the average duration and size (in pages) of all faxes sent by that user during the reporting period.

Fax Traffic by HourThe total and average daily number of faxes sent by all users, by hour, during the reporting period.


When Should You Expect an Alert?

When a certain event triggers an alert, you will receive an email almost immediately stating the cause of the alert and the time it occurred. By default, many events can trigger an alert, but they all can be grouped in three main categories:

  • Start/stop/restart of a critical service.

  • The threshold in a performance counter has been exceeded.

  • A critical error occurs that is recorded on the logs.

Normally, alerts in the first and last group require immediate attention. On the other hand, performance alerts might only require attention if they are recurrent.

The truth is that some alerts can be annoying and sometimes even useless, for example, receiving an alert each time a fax fails to send or a printer has an error. Receiving only alerts that are truly critical is a key factor in any monitoring solution, especially if you are managing more than one server.

In the next few of sections you learn how to tweak the alerts so that you only get what you want, but first you should learn what the defaults are. From the Configure Monitoring Wizard help files, Tables 19.3, 19.4, and 19.5 show the preconfigured events that would trigger an alert and what the repercussions might be.

Table 19.3. Default Alert NotificationsServices

Service

Description

DHCP Server

Performs TCP/IP configuration for DHCP client computers, including dynamic assignments of IP addresses, specification of the WINS and DNS servers, and connection-specific DNS names. If this service is stopped, the DHCP server will not perform TCP/IP configuration for client computers.

DNS Server

Activates Domain Name System (DNS) client computers to resolve DNS names by answering DNS queries and DNS dynamic update requests. If this service is stopped, DNS name resolution will fail, and DNS updates will not occur. This can prevent users from accessing the server and the Internet.

Error Reporting Service

Collects, stores, and reports unexpected application crashes to Microsoft. If this service is stopped, Error Reporting will occur only for kernel faults and some types of user mode faults.

Event Log

Activates event log messages issued by Windows-based programs and components to be viewed in Event Viewer.

Fax

Allows users to send and receive faxes, utilizing fax resources available on the computer running Small Business Server 2003.

By default, service and performance alerts for Fax are not enabled. If you install and configure a fax modem, you can enable the Fax alerts by using the Alert Notifications configuration tool.

IPSEC Services

Provides end-to-end security between client computers and servers on TCP/IP networks. If this service is stopped, TCP/IP security between client computers and servers on the network will be impaired.

Kerberos Key Distribution Center

Allows users to log on to the network using the Kerberos authentication protocol. If this service is stopped, users will be unable to log on to the network.

Microsoft Exchange Information Store

Manages the Exchange mailbox and public folder stores. If this service is stopped, mailbox stores and public folder stores on the computer running Small Business Server 2003 will be unavailable.

Microsoft Exchange Management

Manages Exchange management information that uses Windows Management Instrumentation (WMI). If this service is stopped, Exchange management information using WMI will be unavailable.

Microsoft Exchange POP3

Provides Post Office Protocol version 3 (POP3) services to client users. If this service is stopped, client computers will be unable to connect to the computer running Small Business Server 2003 by using the POP3 protocol. This alert is disabled by default.

Microsoft Exchange Routing Engine

Provides Exchange routing services using link state information. If this service is stopped, messages will not be routed by the computer running Small Business Server 2003.

Microsoft Exchange System Attendant

Provides monitoring, maintenance, and Active Directory lookup services, such as monitoring of services and connectors, defragmenting the Exchange store, and forwarding Active Directory queries to a Global Catalog server. Most Exchange services depend on the Microsoft Exchange System Attendant service and will stop if this service is stopped. Additionally, if this service is stopped, monitoring, maintenance, and query services will be unavailable.

MSSQL$ SBSMonitoring

This service is required to manage information displayed in server performance reports and usage reports. If this service is stopped, users will be unable to view server performance or usage reports.

MSSQL$ SharePoint

Allows users access to your Windows SharePoint-based intranet site. This service is required for access to your Windows SharePoint-based intranet.

Print Spooler

Manages all local and network print queues and controls all printing jobs. If this service is stopped, printing on the computer running Small Business Server 2003 will be unavailable.

Routing and Remote Access

Activates virtual private network (VPN) and network address translation (NAT) routing services. If this service is stopped, these services will be unavailable. This service is enabled if you configure router, firewall, or VPN services.

SBCore Service

Provides core server services.

Security Accounts Manager

Signals other services that the Security Accounts Manager (SAM) is ready to accept requests.

Server

Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable.

Simple Mail Transfer Protocol (SMTP)

Transports email across the network. If this service is stopped, alert notifications will not be delivered to the recipients.

Terminal Services

Allows multiple users to be connected interactively to the computer running Small Business Server 2003.

Windows Internet Name Service (WINS)

Resolves NetBIOS names for TCP/IP clients by locating network services that use NetBIOS names. If this service is stopped, network NetBIOS services will not function properly.

World Wide Web Publishing

Provides web connectivity and administration through the Internet Information Services snap-in.


Table 19.4. Default Alert NotificationsPerformance Counters

Alert Name

Performance Counter

Default Threshold

Allocated Memory

Committed Bytes

> 2 gigabytes (GB)

Disk Activity

% Disk Idle Time

< 5%

inetinfo.exe private bytes

Process - Private Bytes

> 100 megabytes (MB)

Low Disk Space

Disk Free Megabytes

< 500 MB

Isass.exe private bytes

Process - Private Bytes

> 100 MB

Memory Available

Available Mbytes

< 4 MB

Printing Errors

Print Job Errors

> 1

Processor Activity

% Idle Time

< 5%

Received Fax Failures

Failed Receptions

> 1

Sent Fax Failures

Failed Outgoing Connections

> 1

SMTP Server Remote Queue Length

Remote Queue Length

> 30

store.exe private bytes

Process - Private Bytes

> 100 MB

System Up Time

System Up Time

< 600 seconds


Table 19.5. Default Alert NotificationsEvent Log Errors

Event Log Error

Event ID

Event Log File

Description

Account Lockout

539

Security

An account was locked out due to multiple failed logon attempts that occurred in a short period of time.

Windows Small Business

5634

Application

One or more components of Windows Small

Server Backup failed

  

Business Server Backup failed.


Modifying the Default Reports and Alerts

The default reports let you monitor any system with minimal effort and although they are a good start you might feel that you want to monitor other items as well. Fortunately, SBS allows you to customize certain details on the reports so that they become even more useful to you.

Best Practice: Customize Your Alerts

Adjust the alerts so that they are meaningful to you. Receiving 10 unwarranted alerts each day from a single server can render the whole system useless.


A particularly useful modification is attaching the backup logs to the daily performance report. By default, the Server Performance Report shows you the status of the last backup. However, if the backup has failed for any reason, it just shows an error and issues an alert forcing you to log on to the server and look at the logs directly to determine the cause of the error. Sending the backup logs along the report gives you all the information you need.

Best Practice: Add Important Logs to Performance Reports

One of the examples presented in the previous section dealt with adding the backup logs to the daily performance report, but you can add whatever you feel is important. For example, if you are using SQL Manager to back up a database to a flat file you might want to add those logs to the report as well.


Follow these steps to attach logs or files to the Server Performance Report:

1.

Open the Server Management Console. On the left pane expand Standard Management, click on Monitoring and Reporting to open the Monitoring MMC, and then select Change Server Status Reports Settings.

2.

When the Server Status Reports box appears select Server Performance Report and click on Edit. Click on the Content tab and select the logs you want to attach, as shown in Figure 19.8. Click OK to accept the changes and exit the screen.

Figure 19.8. Adding logs and files to a report.


3.

OPTIONALIf the log you want to attach is not on the list, click Add and select Browse. Then locate the file that you want to attach and give it a meaningful name. Click OK to accept the changes and exit the screen.

Similarly, you can change the frequency of the reports or the time when they are run by opening the Server Status Reports box and changing the settings on the Schedule tab. Remember not to set the daily report so early that the backup job has not finished running by that time.

In general, reports don't require much customization out of the box to be useful. Alerts on the other hand might need a few modifications to get the most out of them. In particular, performance counters usually need to be adjusted to adapt to your situation.

Follow these steps to modify alert notifications:

1.

Open the Server Management Console. On the left pane expand Standard Management, click on Monitoring and Reporting to open the Monitoring MMC, and then select Change Alert Notifications.

2.

When the Alert Notifications screen appears click on the Performance Counters tab and select the counter that you want to modify, as shown in Figure 19.9. For example, select Received or Sent Fax Failures and click on Edit. Now modify the threshold to something that is meaningful for you and click OK two times to accept the changes and exit the screen.

Figure 19.9. Perfomance counters in the Alert Notifications screen.


Deciding what values to use as thresholds can be challenging. Use your own judgment to decide what value makes sense to your particular situation. For example, one or two fax failures in 24 hours could just mean that the recipient's fax number was entered incorrectly. In a low fax volume situation four errors could be a symptom that the fax line has been disconnected, but if you are sending 100 faxes every day, four might be an insignificant number.

Remember that in some cases alerts can help you fix problems before they happen. One common scenario is that somebody brings a device (maybe a printer or a scanner) to the network without your knowledge. The device is configured to be a DHCP server, thus SBS senses it and disables its own DHCP service. If you leave it like that, it's possible that the users experience connectivity issues when their DHCP lease expires or their PC is restarted. Fortunately, SBS has sent you an alert telling you that the DHCP service has been stopped. You promptly proceed to check the logs and find out what happened even before the clients notice that the DHCP service is not running. You have saved the day and nobody will ever notice, welcome to world of unsung heroes!

Best Practice: Be Creative with Your Alerts and Reports

If you manage a significant number of servers, creating a rudimentary routing system for the alerts and reports can be useful. You can create special accounts or public folders to store the reports and/or create email rules to forward critical alerts to your phone. The possibilities are truly endless.





Microsoft Small Business Server 2003 Unleashed
Microsoft Small Business Server 2003 Unleashed
ISBN: 0672328054
EAN: 2147483647
Year: 2005
Pages: 253

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net