Monitoring a Server | MCSA[s]MCSE

By keeping close watch over your organization and its components , you can spot potential problems before they occur and quickly respond to the problems that do occur. Monitoring also allows you to identify trends in network use that signal opportunities for optimization and future planning. This section covers many of the Windows Server 2003 and Exchange Server 2003 tools that you will use to monitor your servers.

Windows Server 2003 Tools

Exchange Server 2003 is tightly integrated into Windows Server 2003 and leverages the management tools built into the operating system. In this section, we discuss these tools:

Control Panel > Administrative Tools > Services
Event Viewer
System Monitor
Registry Editor
Computer Management
Task Manager

Monitoring Services

Selecting Control Panel > Administrative Tools > Services (shown in Figure 10.5) can be used to check the status of the Exchange Server services. You can start, stop, and pause a service by selecting it and using the appropriate buttons on the toolbar. You can also configure the startup parameters of a service by double-clicking it to open the service ‚ s property pages.

Figure 10.5: Monitoring services in Windows Server 2003

There are a number of Exchange- related services that you should be aware of, including the following:

The Microsoft Exchange Information Store service manages the store databases.
The Microsoft Exchange Routing Engine service processes the routing information for a server.
The Microsoft Exchange System Attendant provides system-related services such as server maintenance.

There will be a number of other services listed depending on the components you have installed on the server.

Using Event Viewer

All Exchange services write event information to the Windows Event Log . Administrators should regularly (daily is recommended) view the Event Log for management and troubleshooting purposes using the Event Viewer application. Exchange services can be configured to log different amounts and types of events for diagnostics logging. Windows Server 2003 maintains three distinct logs:

The Application log is a record of events generated by applications. All Exchange Server 2003 services write their status information to this log. If you enable diagnostics logging for any Exchange Server 2003 component, that information is also recorded in the Application log. This log is the most valuable log for monitoring the general health of an Exchange server.
The Security log is a record of events based on the auditing settings specified in the Active Directory Users and Computers utility.
The System log is a record of events that concern components of the system itself, including such events as device driver and network failures.

The vast majority of Exchange information is written to the Application log. The administrator may want to increase the maximum size of this log (the default is 512 KB) if logging levels are turned up for troubleshooting or just to maintain the events that have occurred over a longer period. Event Viewer can also be used to view the Event Logs of a remote server.

Using the Performance Snap-In

The Exchange Server setup program adds Exchange-related counters to Windows Server 2003 ‚ s Performance snap-in , also called System Monitor, making it possible to view the performance of various Exchange activities. System Monitor graphically charts the performance of hundreds of individual system parameters on a Microsoft Windows Server 2003 computer and can also be used to log those parameters over time. When Exchange Server 2003 is installed on a Windows Server 2003 computer, several Exchange-specific counters can be charted as well.

Note ‚

This book uses the terms System Monitor and Performance Monitor interchangeably.

Table 10.2 shows a few of the performance objects added by Exchange and the counters for those objects.

Table 10.2: Exchange-Related Performance Objects and Counters
Object	Counter	Description
MSExchangeIS	User Count	Displays the number of users who are currently using the Information Store.
MSExchangeIS Mailbox and MSExchangeIS Public	Send Queue Size	Displays the queue of messages outbound from the Information Store.
‚	Receive Queue Size	Displays the queue of messages inbound to the Information Store.
‚	Message Sent/min	Shows the rate (per minute) at which messages are sent to the routing engine.
‚	Messages Delivered/min	Shows the rate (per minute) at which messages are delivered to all recipients.
SMTP Server	Local Queue Length	Indicates the number of messages in the local queue. A normal reading is 0. If the reading exceeds 0, the server is receiving messages faster than it can process them.
‚	Categorizer Queue Length	Displays the number of messages waiting for advanced address resolution to occur.
‚	Inbound Connections Current	Measures the number of connections that are currently inbound.
‚	Message Bytes Received/sec	Measures the rate (per second) at which inbound messages are being received.
‚	Message Bytes Sent/sec	Measures the rate (per second) at which inbound messages are being sent.
MSExchangeMTA	Messages/sec	The number of messages the MTA sends and receives per second.
‚	Work Queue Length	The number of messages queued in the MTA.
MSExchangeMTA Connections	Queue Length	Displays MTA counters on a connection-by-connection basis.
MSExchangeSRS	Replication Updates/sec	Measures the rate (per second) at which replication updates are applied to local site replication services. This object is used to monitor integration of Exchange 5.5 with Exchange 2000 Server.
‚	Remaining Replication Updates	Measures how many messages in the current replication update message have yet to be processed .

Don ‚ t underestimate the benefit of using the Performance snap-in in your Exchange environment. The Performance snap-in can be used to collect and analyze data, perform a baseline of your Exchange servers, detect problems and provide the proper notification, as well as analyze the problems when they occur.

In addition to the Exchange-specific counters represented in the preceding table, there are several critical areas in which you should use the Performance snap-in to monitor an Exchange server ‚ s performance. These areas include the following:

Central Processing Unit (CPU) The Processor object has several counters you can use to monitor the CPU for potential bottleneck issues.

Network The Network Segment, Redirector, Server, and Server Work Queue objects hold counters that can help identify network subsystem bottlenecks.

Disk Input/Output (I/O) You should monitor both the logical and physical disk counters to help identify disk subsystem bottlenecks.

Memory The Memory object has several counters useful in determining the scope of memory-related bottlenecks.

System Monitor can also be used to warn you of a situation and therefore help you prevent a particular problem. For example, if all available disk space is used, your IS will stop. You could configure System Monitor to send you an e-mail message when the available disk space reaches a specified low level. You could then take steps to prevent all disk space from being used and therefore prevent the IS from being stopped .

Using System Monitor to Check Exchange

Here is a case study of using the Performance snap-in to monitor Exchange Server. An administrator is receiving reports from users that the Exchange server response time is slow. A quick examination shows that the server ‚ s disk is almost constantly active. The administrator decides to take a deeper look and, using System Monitor, collects the following information about that particular Exchange server:

%Processor time = 70

%Disk free space = 60

Pages/sec = 40

Avg. Disk sec/Transfer = 0.02

The administrator then compares these statistics to the ‚“rule of thumb ‚½ thresholds that their organization has determined. The following are those thresholds, which when exceeded have been associated with performance problems:

%Processor time > 80%

%Disk free space < 10%

Pages/sec > 5

Avg. Disk sec/Transfer > .3

Comparing the current statistics with the thresholds, the administrator sees that the Pages/sec number is over the threshold. This suggests that there is not enough memory to cache information, therefore leading the system to page data to the disk. The administrator decides to add memory to this server and continue to monitor the situation.

Using Registry Editor

Like all Windows applications, Exchange Server stores some configuration information in the Registry. This information can be read and modified using the Registry Editor application (regedit.exe). All the Registry settings for Exchange Server are stored under the keys HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM. Normally, you will not need to edit the Registry directly (which can be dangerous, because there are no safeguards to prevent mistakes). Most configurations are made through the Exchange Administrator program and are written to the Registry automatically.

Computer Management

The Computer Management snap-in (available in Control Panel > Administrative Tools) holds a variety of management utilities, including the following:

Event Viewer
Disk Management Tools, which allows you to partition and format hard disks
Various pieces of information about services and applications running on the server

Using Task Manager

Task Manager displays the programs and processes running on a computer. It also displays various performance information, such as CPU and memory usage. An Exchange administrator can use this tool to view the overall health of a server. You access Task Manager by right-clicking the taskbar and choosing Task Manager from the drop-down menu.

Exchange Tools

In addition to the Windows Server 2003 tools used for monitoring and managing a server, Exchange Server 2003 provides a number of its own tools, as well.

Configuring Diagnostics Logging

All Exchange services log certain critical events to the Windows Application Log. For certain services, however, you can configure additional levels of logging. Diagnostics logging is one of the most useful tools for troubleshooting problems in Exchange Server 2003.

You can modify the levels of diagnostics logging for all services on a particular Exchange server by using the Diagnostics Logging property page for the server object in System Manager (see Figure 10.6).

Figure 10.6: Configuring diagnostics logging

Note ‚

Do not leave a production server configured for diagnostics logging. Once you have completed troubleshooting using diagnostics logging, remember to turn it off because it uses a large amount of resources.

On the left side of this page, you ‚ ll find a hierarchical view of all the major services on the server for which you can enable advanced diagnostics logging. These services include many items, such as the following:

MSExchangeIS (Microsoft Exchange Information Store Service) You do not actually enable logging for the Information Store service as a whole. The MSExchangeIS item expands, allowing you to enable diagnostics logging individually for the Public and Private Information Stores and for the various Internet protocols.

MSExchangeMTA (Microsoft Exchange Message Transfer Agent) Use diagnostics logging on this service to troubleshoot problems with message delivery and gateway connectivity.

On the right side of the Diagnostics Logging page, you ‚ ll find a list of categories that can be logged for the selected service. You can enable four distinct levels of logging by using the radio buttons on the bottom of the page. All events that occur in Exchange Server 2003 are given an event level of 0, 1, 3, or 5. The logging level you set will determine which levels of events are logged:

When the None option is selected, only events with a logging level of 0 are logged. These events include application and system failures.
When the Minimum option is selected, all events with a logging level of 1 or lower are logged.
When the Medium option is selected, all events with a logging level of 3 or lower are logged.
When the Maximum option is selected, all events with a logging level of 5 or lower are logged. All events concerning a particular service are logged. This level can fill an Event Log quickly and is used mainly when working on an issue with Microsoft Product Support.

Monitoring Messages

Ensuring the efficient delivery of messages is paramount to an administrator ‚ s job. To accomplish this task, you need to first understand how messaging works within the Exchange system. Messaging architecture is covered in detail in Chapter 2, ‚“Microsoft Exchange Architecture. ‚½ Chapter 8, ‚“Building Administrative and Routing Groups, ‚½ also shows you how to construct and link routing groups and the role they play in the flow of messages in an Exchange organization. In this section, you will learn about managing message queues and tracking messages in the organization.

Managing Message Queues

Should you suspect a problem with a particular queue (such as in the case of messages not being delivered in a timely fashion), System Manager provides a tool called the Queue Viewer that can help you troubleshoot it. In the Queues container of each server in System Manager, you will find a list of queues on the server, as seen in Figure 10.7.

Figure 10.7: Viewing the Queues container

Selecting any particular queue within the Queues container allows you to search for messages in that queue. You can also freeze messages so that the Message Tracking Agent (MTA) does not attempt to send them while you troubleshoot the queue and then unfreeze them to let the MTA go ahead with the send. You can also delete messages from the queue altogether.

Tracking Messages

Message tracking is enabled at the server level using the General property page for the server object, as seen in Figure 10.8. You can also enable it using system policies, which are covered later in the chapter. Once message tracking is enabled, Exchange Server keeps a log of all messages transferred to and from the server. Log files are maintained by the System Attendant service on each server.

Figure 10.8: Enabling message tracking

When message tracking has been enabled, you can track individual messages by using the Message Tracking Center (MTC), a component of System Manager. You can use the MTC to trace the route of test messages you send through the system or to help diagnose the cause of undelivered messages for which users have received non-delivery reports.

To use the MTC, open it by first navigating to and selecting the Message Tracking Center container in System Manager, as shown in Figure 10.9.

Figure 10.9: Using the Message Tracking Center

Click the buttons next to the Sender or Recipients boxes to open a standard address book, from which you can choose the originator or recipient of the message that you want to track in the MTC. You can also browse for the server(s) on which you would like to search for the messages. After you enter your criteria, click Find Now to perform the search.

When the messages that meet your criteria are displayed in the bottom of the MTC window, you can open the property sheet of any message by selecting it and then clicking the Details button. Use this method to find the actual message that you want to track. When you find that message, select it and then click the Message History button to start the MTC tracking the history of the message. The results are displayed in the Message History window, shown in Figure 10.10. As you can see, the Message History window displays basic information about the message and a history of the message that shows each service the message has been through.

Figure 10.10: Viewing the tracking history for a message

Using Exchange Monitors

By default, Exchange Server 2003 monitors the status of all connectors and a group of default services on every Exchange server. You can change the default services monitored , configure Exchange to monitor other services, and set up notification events to occur when problems arise. You do all of this using the Monitoring and Status tool (shown in Figure 10.11), which is actually a container in System Manager.

Figure 10.11: Accessing the Monitoring and Status tool

Monitoring Status

Status monitoring is configured using the Status container. Selecting the Status container in the System Manager snap-in, as shown in Figure 10.12, displays the basic status of all connectors and servers in the right-hand pane. This display gives you a quick overview of the names of the connectors and servers, the administrative group they belong to, and whether they are available or not.

Figure 10.12: Using the Status container

Right-clicking the Status container provides access to two commands. The first is a filtering command that lets you filter the view of connectors and servers in the status window ‚ useful for large organizations. The second command lets you connect to a specific Exchange server in the organization.

There are two types of objects that appear in the Status container: connectors and servers. For the connector objects, you really can ‚ t do much more than see whether the connector is available or not. Connector objects don ‚ t have property pages, so they are not configurable at this location. Server objects, on the other hand, are quite configurable. Right-click any server and choose Properties to open the property page shown in Figure 10.13.

Figure 10.13: Configuring properties for a server monitor

By default, Exchange Server 2003 monitors the following services on every Exchange server and logs a critical or warning state whenever any of the services stops:

Microsoft Exchange Information Store service
Microsoft Exchange MTA Stacks
Microsoft Exchange Routing Engine
Microsoft Exchange System Attendant
Simple Mail Transfer Protocol (SMTP)
World Wide Web Publishing service

You can add a new default service to be monitored by selecting the Default Microsoft Exchange Services entry and clicking the Detail button. This brings up a dialog box that lists the services currently being monitored. Use the controls on this dialog to add and remove services from the list. Note that you are not restricted to monitoring only Exchange-related services. You can add any service on the computer to be one of the default monitored services.

In addition to monitoring services, a server monitor can be configured to monitor other resources, as well. By clicking the Add button on the Monitoring tab, you can add any of the following resources to the list to be monitored:

Available virtual memory
CPU utilization
Free disk space SMTP queue growth Any Windows service
X.400 queue growth

EXERCISE 10.2: Setting Up a Monitor

Click Start > Programs > Microsoft Exchange > System Manager.
Expand the Tools container and the Monitoring and Status container inside it, and then select the Status container.
Right-click the server you want to monitor, and select Properties from the shortcut menu.
Click Add.
In the dialog box that opens, select the Free Disk Space entry, and then click OK.
In the Disk Space Thresholds dialog, select the Critical State (MB) option and type 250 .
Click OK twice to return to System Manager.

For each of these resources, you will need to configure what threshold must be crossed to send the monitor into a warning state or a critical state. For example, you might want the monitor to enter a warning state when the amount of free disk space on a server reaches 500 MB and to enter a critical state when it reaches 100 MB.

Exercise 10.2 outlines the process for configuring a server to monitor the free disk space and enter a critical state when space falls below 250 MB.

SETTING UP NOTIFICATIONS

As the previous section just described, the Status container is used to configure whether stopped services or certain resource thresholds trigger a warning state or a critical state. A notification defines what happens when those states are entered. By default, the Notifications container is empty. This means that the only way you really have of noticing that a server or connector has entered a warning or critical state is by checking out the Status container yourself. The Notifications container lets you set up a notification that can either send you an e-mail or run an executable script when something goes amiss.

Figure 10.14 shows the property page for an e-mail notification. A script notification is quite similar but has parameters for running a script instead of sending an e-mail.

Figure 10.14: Setting up an e-mail notification

For each notification, you must set up the following in its property page: Select an individual server, all servers or connectors, a routing group, or a customized list of servers and connectors to which the notification will apply.

Choose whether the notification should occur when the monitored resource enters a warning or critical state. For example, you could set an e-mail notification to inform you when a warning state is entered and a script notification to run a script that pages you when a critical state is entered.

For e-mail notifications, you must configure the e-mail address and server to which the notification is to be sent.

For script notifications, you must enter the path to the executable file and any command-line parameters.

Exercise 10.3 outlines the steps for setting up an e-mail notification to warn you when a server enters a critical state.

The monitoring server is the server that actually performs the monitoring and triggers the notification.

Note ‚

It is often good to put one server in charge of monitoring another, because a server sometimes can ‚ t send out a notification when one of its own services goes down.

Using SNMP and the MADMAN MIB

Simple Network Management Protocol (SNMP) is used to collect information from devices on a TCP/IP network. SNMP was developed in the Internet community to monitor activity on network devices such as routers and bridges. Since then, SNMP acceptance and support have grown. Many devices, including computers running Windows Server 2003, can now be monitored with SNMP.

SNMP has a small command set and maintains a centralized database of management information. An SNMP system has three parts :

The SNMP Agent is the device on a network that is being monitored. This device is typically a computer that has the SNMP Agent software installed. Windows Server 2003 includes SNMP Agent software in the form of the Microsoft SNMP Service, which you install by using the Windows Component Wizard in the Add or Remove Programs applet of the Control Panel.
The SNMP Management System is the component that does the actual monitoring in an SNMP environment. Windows Server 2003 does not provide an SNMP Management System; third-party SNMP Management Systems include Hewlett-Packard ‚ s OpenView and IBM ‚ s NetView.
The Management Information Base (MIB) is a centralized database of all the values that can be monitored for all the devices in an SNMP system. Different MIBs are provided for monitoring various types of devices and systems. Windows Server 2003 comes with four MIBs: Internet MIB II, LAN Manager MIB II, DHCP MIB, and WINS MIB. These four MIBs allow the remote monitoring and management of most components of Windows Server 2003.

EXERCISE 10.3: Setting Up an E-mail Notification

Click Start > Programs > Microsoft Exchange > System Manager.
Expand the Tools container and the Monitoring and Status container inside it.
Right-click the Notifications container and select New E-Mail Notification from the shortcut menu.
Click the Select button.
In the Select Exchange Server dialog box, select the Exchange server that you want to perform the monitoring and to send the notification, and click OK.
Click the To button.
In the Select Recipient dialog box, select the user to whom the notification should be sent, and click OK.
Click OK to create the notification and return to System Manager.

Exchange Server 2003 includes a special MIB that you can use to enable an SNMP Management System that manages many Exchange 2000 Server functions. This MIB is based on a standardized MIB named the Mail and Directory Management (MADMAN) MIB , which is detailed in Internet Request for Comments (RFC) 1566.