This section provides procedures for monitoring ILS. Monitoring involves using a set of tools to view the inner workings of the service. Use these procedures to spot irregularities and correct them before they interrupt service.
Monitoring the health of the ILS service is critical to maintaining performance. Monitoring informs you which services are running at a given time and whether the service has frozen or failed.
A number of tools will help you monitor the health of ILS. You can use ISM or the Services applet on the Control Panel to determine whether ILS is running. The Windows NT event logs and ILS logs can be used to monitor significant conditions or to review the operational history of ILS. The event logs primarily give information about error conditions, and the ILS logs can give a historical picture of the client connections made to the server. ILS also implements Performance Monitor counters, which means the Windows NT Performance Monitor can be used for a real-time picture of the health of the system.
Monitoring service health involves the following tasks:
The following are procedures for each of these tasks.
Ping is a network command used to determine whether there are problems between system components. If a ping operation to a hostname succeeds, then you have verified basic network functionality between the two computers. If the ping operation to a hostname fails, try to ping the computer's IP address.
Ping returns the IP address of the host, number of bytes read, time to read packet, and time to live (TTL). A failure to connect to the server causes ping to return an error. This usually indicates a network or DNS problem between computers.
Successful ping operations that take more than 10 milliseconds to complete usually indicate that the network is becoming overused.
Note For information about arguments to the ping command, see the Windows NT documentation. For details on how to solve problems indicated by a failure with the ping command, see "Troubleshooting ILS" later in this chapter.
Windows NT Event Viewer is used to monitor service events, including informational, warning, and error events. You can view the events on each ILS server, not just on the local computer. In particular, you can look for warning or error events generated by the ILS service as indicators of problems or partial system failures.
Note For descriptions of each event, see Chapter 2 in the Internet Locator Server Operations Reference.
You can use LDAP perfmon counters to track typical user behavior and to spot any anomalous trends in user behavior. Excessive logon activity (that is, numbers higher than what you normally experience) can be an indication of unauthorized logon attempts. You can also track the number of directory searches per second, or the number of user information refreshes. The rates for these counters tend to stay low (less than one per second per user), although this varies according to the popularity and content of a given site.
The following paragraphs describe some of the primary indicators to look at when you are monitoring ILS:
For definitions of each performance counter, see Chapter 2 in the Internet Locator Server Operations Reference.
Performance varies widely depending on the installation, typical user activity on a given site, the machines used, and how those machines are configured. After your initial installation, sample the activity on your site to determine the per-user CPU activity. Percentage of processor utilization contains a certain fixed overhead because of the operating system and from running the ILS system. To factor out that amount and to determine the per-user CPU rate, you can use the following formula:
# ILS USERS / ((current avg. % CPU) - (avg % CPU with zero ILS users on system))
To use this formula, subtract the average CPU percentage with no users logged on from the average CPU percentage you get with an average number of users logged on, and divide the result into the number of ILS users. This will give you a rough estimate. Using this number, you can predict when the CPU utilization will reach its maximum capacity. The system percentage should stay at or below 70 percent, and performance is likely to degrade when CPU utilization reaches 80 to 90 percent.
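The formula above, carried through to a capacity projection, as an added example that is not part of the original documentation. It assumes CPU load grows linearly with the number of users; the function name, sample readings and result keys are constructed for illustration.

```python
from statistics import mean

CPU_CEILING = 70.0  # the page's guidance: keep the system at or below 70 percent

def capacity_estimate(loaded, idle_cpu, ceiling=CPU_CEILING):
    """loaded: (ILS users, % CPU) samples; idle_cpu: % CPU samples with zero ILS users."""
    avg_users = mean(users for users, _ in loaded)
    avg_cpu = mean(cpu for _, cpu in loaded)
    baseline = mean(idle_cpu)              # fixed overhead: OS plus idle ILS
    ils_cpu = avg_cpu - baseline           # CPU attributable to ILS users
    if avg_users <= 0 or ils_cpu <= 0:
        # Nothing to divide by: the loaded samples are no busier than idle.
        raise ValueError("no measurable per-user load; resample under real use")
    users_per_point = avg_users / ils_cpu  # the formula from the text
    # Assumption: load scales linearly, so the same ratio holds up to the ceiling.
    users_at_ceiling = int((ceiling - baseline) * users_per_point)
    return {
        "users_per_cpu_point": users_per_point,
        "cpu_points_per_user": 1 / users_per_point,
        "users_at_ceiling": users_at_ceiling,
        "headroom_users": users_at_ceiling - int(avg_users),
    }

# Constructed readings, not measurements from a real ILS server.
LOADED = [(400, 24.0), (500, 30.0), (600, 36.0)]
IDLE = [4.0, 6.0]

if __name__ == "__main__":
    for name, value in capacity_estimate(LOADED, IDLE).items():
        print(f"{name}: {value}")
```

The formula's result is users per CPU percentage point; its reciprocal is the per-user CPU cost the text refers to.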
Security monitoring involves detecting whether the service is under attack or whether it is being compromised. Typically, attacks against ILS take the form of denial of service or bogus entry generation.
ILS offers the configurable levels of security listed in the following table.
| Authorization type | Description |
|---|---|
| Anonymous | Any anonymous client can connect to the server and access the directory. |
| Windows NT Challenge/Response | When enabled, a user can access the directory only after being authenticated. |

Occasionally, a user may try to either gain unauthorized access to ILS or to deny service to others by flooding ILS with directory requests. System attacks such as these can be monitored through Windows NT Event Viewer, Performance Monitor, and the ILS transaction logs.
You can monitor failed logon attempts using performance counters and the Windows NT event logs.
Monitoring security involves the following tasks:
The following are procedures for each of these tasks.
IIS transaction logs are used to monitor particular service actions. For example, IIS transaction logs can be used to review individual HTTP commands issued on behalf of a particular client against ILS. The logs can also be used to monitor possible attacks on a service. In particular, many logon failures by the same user indicate that the user at the logged IP address is trying to gain entry into the logged user's account. To identify flooding of ILS, check to see whether repeated entries are being generated from the same site. To determine the location of the transaction log file, see the ILS Logging page in ISM.
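One way to automate both checks described above, as an added example that is not part of the original documentation. It assumes the transaction log is written in W3C Extended Log File Format and that a denied logon is recorded as HTTP status 401; the sample entries, paths and thresholds are constructed.

```python
from collections import Counter

# Constructed sample. Assumptions: W3C Extended Log File Format, and a denied
# logon recorded as HTTP status 401. Paths and addresses are made up.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
1998-03-02 10:00:01 192.0.2.10 alice GET /ils/dir 200
1998-03-02 10:00:05 198.51.100.7 bob GET /ils/dir 401
1998-03-02 10:00:09 198.51.100.7 bob GET /ils/dir 401
1998-03-02 10:00:13 198.51.100.7 bob GET /ils/dir 401
1998-03-02 10:00:20 192.0.2.10 alice GET /ils/dir 401
1998-03-02 10:01:00 203.0.113.5 - POST /ils/add 200
1998-03-02 10:01:01 203.0.113.5 - POST /ils/add 200
1998-03-02 10:01:02 203.0.113.5 - POST /ils/add 200
1998-03-02 10:01:03 203.0.113.5 - POST /ils/add 200
1998-03-02 10:01:04 203.0.113.5 - POST /ils/add 200
1998-03-02 10:01:05 203.0.113.5 - POST
"""
MAX_LOGON_FAILURES = 3     # hypothetical threshold, tune to your site
MAX_REQUESTS_PER_MIN = 5   # hypothetical threshold, tune to your site

def parse_w3c(text):
    """Yield one dict per entry, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.strip() and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_suspects(text):
    """Return logon failures per (ip, user) and requests per (ip, minute) over threshold."""
    failures, requests = Counter(), Counter()
    for e in parse_w3c(text):
        requests[(e["c-ip"], e["date"] + " " + e["time"][:5])] += 1
        if e["sc-status"] == "401":
            failures[(e["c-ip"], e["cs-username"])] += 1
    guessing = {k: n for k, n in failures.items() if n >= MAX_LOGON_FAILURES}
    flooding = {k: n for k, n in requests.items() if n >= MAX_REQUESTS_PER_MIN}
    return guessing, flooding

if __name__ == "__main__":
    guessing, flooding = find_suspects(SAMPLE_LOG)
    print("repeated logon failures:", guessing)
    print("possible flooding:", flooding)
```

Reading the column layout from the `#Fields:` directive keeps the parser correct if the logged fields are reconfigured, as long as the fields used here are still enabled.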
Windows NT Event Viewer is used to monitor service events, including information, warning, and error events. You can view the events on each ILS server, not just on the local computer. In particular, you can look for warning or error events generated by the ILS service as indicators of problems or partial system failures.
Note For descriptions of each event, see Chapter 2 in the Internet Locator Server Operations Reference.
Using the LDAP server performance counters to monitor logon failures tracks typical logon activity. When measurements are out of range, it can indicate unauthorized logon attempts. Although readings vary depending on your site size and utilization, they should typically be less than 1 percent of utilization. When the reading exceeds 10 percent, you should look for possible security problems.
Note For descriptions of each counter, see Chapter 2 in the Internet Locator Server Operations Reference.
Monitoring configuration involves identifying the most critical settings and registry keys and monitoring their use. Monitoring tells you whether the service settings are new or have been modified. You can monitor any changes to the configuration of ILS through Windows NT Event Viewer.
Monitoring the performance of ILS involves measuring its responsiveness. This type of monitoring warns you about processing slowdowns and latencies that need attention.
You can use the Windows NT performance counters to monitor ILS performance. Performance counters can be used to monitor a number of rates that reflect the system status and activity. You can set up Performance Monitor to log events for later analysis and to view performance in real time.
The following procedure describes how to set up performance monitoring. You can monitor online or save to a log file.
To monitor performance in real time
When setting up Performance Monitor logging, you are asked for an interval in seconds. When choosing an interval, consider the size of the log, the overhead introduced by logging performance data and your needs. General guidelines suggest ten- to fifteen-minute intervals for trending and ten- to fifteen-second intervals for troubleshooting performance problems.
To set up Performance Monitor logging
In general, processor and memory utilization are the key hardware resources you need to monitor.
Monitoring ILS performance involves the following tasks:
Note For complete information about using Performance Monitor, see the Optimizing Windows NT section in the Windows NT Resource Kit documentation.
This task describes how to monitor for processor bottlenecks on all servers. You will need to capture the % Processor Time counter of the Processor object in Performance Monitor. This counter tells you whether the processors on a given computer are being overused. To set up Performance Monitor logging, follow the steps outlined in the procedure "Monitoring performance in real time" earlier in this chapter.
The normal reading of this counter should be less than 75 percent. If the reading is greater, it means the data is processor-bound. For additional configuration and troubleshooting suggestions regarding manipulating maximum connections, see "Solving Configuration Problems" in "Troubleshooting ILS" later in this chapter.
You should monitor memory utilization if you are running ILS. ILS is a memory-resident database. Its performance is directly related to available memory. To monitor memory, you will need to capture the Available Bytes counter of the Memory object in Performance Monitor. This counter tells you how much virtual memory is available.
The normal reading for this counter should be greater than 4 MB. If the reading is lower, it means the computer does not have enough memory. You should consider adding more memory.
To set up Performance Monitor logging, follow the steps outlined in the procedure "Monitoring performance in real time" earlier in this section.
This task describes how to monitor specific ILS service performance through the LDAP server object. All ILS-specific performance counters are exposed through the LDAP server object. Using the LDAP server object you can get totals and per-second counters for ILS queries, and for add, modify and delete operations. You can also determine how many users are currently connected to the server.
Note For descriptions of each counter, see Chapter 2 in the Internet Locator Server Operations Reference.
To set up Performance Monitor logging, follow the steps outlined in the procedure "Monitoring performance in real time" earlier in this section.
Monitoring capacity involves comparing actual usage to available resources. This type of monitoring provides advance warning of resource shortages.
To monitor capacity, you need to look at physical resource capacity, as well as ILS service capacity. A physical resource reaches capacity when it is busy 100 percent of the time. A service reaches capacity when requests for service start experiencing delays.
You can monitor physical resource capacity by using Performance Monitor to observe critical resource utilization such as average disk queue length, percent processor time, and available memory. You can monitor network capacity by observing the receipt rate. For the ILS service you need to monitor service requests like queries, adds, and deletes. You need to monitor physical resource capacity as well, especially if you have other services running on the servers that may push physical resource utilization to 100 percent.
Monitoring capacity involves the following tasks:
Note For more information about using Performance Monitor, see the section on optimizing Windows NT in the Windows NT Resource Kit documentation.
The procedures for monitoring capacity are similar to those for performance monitoring, except the meaning is different. Performance and capacity monitoring should be done simultaneously.
The following are procedures for each of these tasks.
To monitor for processor capacity on all servers, you will need to capture the % Processor Time counter of the Processor object in Performance Monitor. This counter measures whether processors on a given computer are being overused.
The normal reading for this counter should be less than 75 percent. If the reading is 90 percent or greater, it means the processor load is reaching capacity. You should consider adding another processor or scaling up your service by using two servers.
To set up Performance Monitor logging, follow the steps outlined in the procedure "Monitoring performance in real time" earlier in this section.
To monitor for memory capacity on all servers, you need to capture the Available Bytes counter of the System object in Performance Monitor. This counter measures the amount of virtual memory available. The normal reading of this counter should be greater than 4 MB. If the reading is less, it means the computer is short of memory. You should consider adding more memory.
For the procedure for setting up Performance Monitor, see "Monitoring Processor Performance" earlier in this chapter.
ILS maintains performance counters for a number of service parameters. In particular, you may want to request the queue length. You need to capture this counter to determine how the server is being loaded. The size of the value depends on the quality of service provided. Adding more servers can help reduce queue length.