MCTS 70 – 649 Monitoring and Managing a Network Infrastructure

Monitoring and Managing a Network Infrastructure

Configure Windows Software Update Services (WSUS) server settings

If the WSUS server is configured not to download updates then their clients will be required to download their updates directly from the Microsoft Updates Servers.

The default synchronisation schedule of WSUS is manual.

WSUS hierarchies

WSUS hierarchies have to operating mode; autonomous and replica. To configure which clients are displayed at a particular WSUS console use WSUS personalisation options; the two options are include clients from downstream servers or local to this server.

Autonomous is self governing; a top level WSUS server operates in this mode.

Replica inherits settings from its parent.; branch office WSUS servers for example would use this operating mode.

Automatic approvals can be enabled or disabled; when enables this option automatically approves new revisions of a previously approved update and WSUS related updates.

You can create automatic approval rules based on classification and target group.

To detect new classifications synchronise WSUS with Microsoft, modify the products and classifications, synchronise WSUS again.

WSUS can be configured to redirect clients to Microsoft update rather than downloading updates from the local WSUS server; this configuration is configured via updates files and languages > update files tab.

Windows Updates Group Policies

Configure automatic updates – determines whether the client is disabled or enabled with scheduled install day and time or download and notify or notify. To have updates  installed on the next detection use approval deadlines.

Specify Intranet update location  – a local http address and port. NOTE if the WSUS server listens on port 80 then http://address will suffice, if the WSUS server listens on port 443 then https://address will suffice.

Client side targeting – this determines which group the client is a member of within WSUS.

WSUS Disconnected mode

Allows you to update clients connected to a network with no internet access.


  • Express install and update languages must match on the disconnected and connected WSUS server instances.
  • updates must be copied between the servers; updates can be found in \WSUS\WSUSContent\
  • Export meta data from connected WSUS server
  • wsusutil.exe export server.log
  • Import the meta data  to the disconnected server
  • wsusutil.exe import server.log

Server commands

To reconcile server updates against the database metadata use:

wsusutil /reset

Export WSUS metadata to isolated servers

wsusutil /export server.log

Client commands

Connect to WSUS and check for updates

wuauclt /detectnow

Clear the WSUS client cookie

wuauclt /resetauthorization

WSUS clients can be configured to use BITS peercaching to save bandwidth; BITS peercaching will check for updates from local peers first i.e. peers within the same subnet.

Capture performance data

Performance Monitor

Performance monitor is now part of Windows Reliability and Performance monitor (WRPM).

Performance Monitor can be accessed as follows:

Server Manager > Diagnostics > Reliability and Performance > Monitoring Tools > Performance Monitor

or just type


Performance monitor can be configured to display the maximum, minimum, average or current (latest) value samples every x no. of seconds for x no. of seconds. The source can be real time sampling or performance logs collected from the local or a remote computer. The counters can be scaled as appropriate, the output style can be a line graph, histogram or report.

Reliability Monitor

The Reliability Monitor tracks system reboots and application failures; the reliability uses this information to build a system stability index; 10 being maximum stability and 0 being the minimum stability. This index and collected data can be used to assess system stability after an application install, software update, etc.

The system stability index is calculated over the past 28 days; if there are days when the system is powered off, asleep or hibernated then these days are not included. The reliability data is kept for one year, it is collected every hour by the scheduled task named RacTask; this can be found by navigating the scheduled task hierarchy \Microsoft\Windows\RAC\

Reliability Monitor can be accessed as follows:

Server Manager > Diagnostics > Reliability and Performance > Monitoring Tools > Reliability Monitor

Data Collector Sets

The built-in data collector sets in Windows Server 2008 are:

Server Manager > Diagnostics > Reliability and Performance > Data Collector Sets > System

Active Directory diagnostics are only present on Domain Controllers and logs kernel trace data, Active Directory trace data, performance counters and Active Directory registry configuration. This collector set will run for 5 minutes.

LAN / Wireless Diagnostics  are for troubleshooting complex network problems such as network timeouts, poor network performance and VPN connectivity over wired or wireless networks. These collector sets will run until stopped.

System Performance diagnostics are for troubleshooting slow computer or intermittent performance problems. This collector set will run for 1 minute.

System Diagnostics are for troubleshooting reliability problems such as problmatic hardware, driver failures and STOP errors. This collector set will run for 1 minute.

Administrators can create custom data collector sets based on the following templates:

  • Performance template – collects performance statistics for defined counters.
  • Event trace template – collects system event information.
  • Configuration data template – collects registry, WMI and registry information.
  • Performance alert template – generates an alert when a threshold of a particular counter is met.

These custom data collector sets can be defined via the GUI, Server Manager > Diagnostics > Reliability and Performance > Data Collector Sets > User Defined

or command line

logman create counter perf_log -c "\Processor(_Total)\% Processor Time"
logman create trace trace_log -nb 16 256 -bs 64 -o c:\logfile
logman create cfg cfg_log -reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVerion\\"
logman create alert new_alert -th "\Processor(_Total)\% Processor Time>50"

logman query "perf_log"
logman start "perf_log"
logman stop "perf_log"

Monitor event logs

Event forwarding

Event forwarding enables the administrator to forward specific events to a collector computer over http or https.

In order for event forwarding to work the event collector service and Windows Remote Management (WinRM) services need to be configured and started on the collector computer and WinRM needs to be configured on the source computer.

To start WinRM type winrm qc -q from an elevated command prompt.

To start Windows Event Collector type wecutil qc -q from an elevated command prompt.

Source-initiated subscriptions allow you to define a subscription on an event collector computer without defining the event source computers, and then multiple remote event source computers can be set up (using a group policy setting) to forward events to the event collector computer. This differs from a collector initiated subscription because in the collector initiated subscription model, the event collector must define all the event sources in the event subscription.

Event subscriptions with user access denied errors e.g. 0x5 is caused by the user account not having administrative access.

Source initiated subscription

The following policy objects must be configured on the source computer (either Group policy or Local policy)

  • Computer Configuration\Administrative Templates\Windows Components\Event Forwarding\Configure the server address, refresh interval, and issuer certificate authority of a target Subscription Manager = server=fqdn
  • Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service\Allow automatic configuration of listeners = *

Create a subscription of the collector computer specifying source initiated and which events are which to collect.

Collector initiated subscription

The collector computers computer account must be added to the Event Log Readers local group on the source computer or Administrators group if you want to read the security log.

Configure the following group policy object on the collector computer: Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service\Allow automatic configuration of listeners = *

Create a subscription of the collector computer specifying collector initiated and which events are which to collect.

Custom configuration

To collect existing event log entries type wecutil ss “Subscription Name” /ree:true from an elevated command prompt.

To collect events from non-domain computers you will need computer certificates which are trusted the collector and source computers.

To attach a task to a log or an event.

The security event log can only be delegated out to non-administrative users by configured a SDDL value within the registry.

Custom Views

Custom views are permanent filters applied to one or more event logs; some server roles create their own custom views, such as Active Directory Domain Services, DHCP, DNS etc.

To create a custom view right click custom views > new custom view > build the filter > name the view

To export a custom view, right click > export custom view… > name it and save

To import a custom view, custom views > right click > import custom view… > select xml file > OK

You can also create custom views by saving a event filter.

Other ways of finding events


Get-EventLog Application | ? {$_.EventId -eq 1}


wevtutil qe Application /rd:true /q:"*[System[(EventID=1)]]"

Using Applications and Services Logs

Application and Service logs are new in Windows server 2008. These logs store events from applications and components. There are four sub-types:

  • Admin – indicates problems with a well-defined solution.
  • Operational – displays events to help analyse and diagnose problems
  • Analytic – low level logging of program or application operation
  • Debug – used by developers to troubleshoot

Analytic and Debug logs are hidden and do not log by default. To view these logs select view in event viewer then show analytic and debug logs. Logging can be enabled within the properties of the log or by typing wevtutil “log name” /e:true.

Using the DNS Event Viewer

All DNS related events are now accessible from the DNS console.

DNS debug logging can be enabled per server by enabling ‘log packets for debugging’ within the debug logging tab.

Gather network data

Network data can be collected using the following tools:

  • Microsoft Baseline Security Analyser (MBSA)
  • Simple Network Management Protocol (SNMP)
  • Microsoft Network Monitor


MBSA is used to scan for vulnerabilities within Windows, IIS and SQL. It also scans for missing updates.

The scanning account must be an administrators on the target servers.

MBSA requirements:

  • Scanner
    • Workstation service enabled
    • client for Microsoft Networks enabled
    • Windows Update Agent 3.0
    • IIS Common files (for IIS vulnerability scanning)
  • Targets
    • Remote Registry service enabled
    • Server service
    • file and print services enabled
    • DCOM
    • Windows Update Agent 3.0
  • Ports
    • TCP 135, 139, 445
    • UDP 137, 138


The Windows Server 2008 SNMP service provides agent features only i.e. you can capture the traps from a management application. SNMP will use DNS, WINS or the local hosts file for name resolution.

You can use the registry or group policies to configure the following settings:

  • SNMP Community – used to group managers and client together.
    • HKLM\System\CurrentControlSet\Services\SNMP\ValidCommunities registry key
    • Computer configuration\Policies\Administrative Templates\Network\SNMP\Communities
  • Permitted Manager – SNMP management hosts which this client will respond to.
    • HKLM\System\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers
    • Computer configuration\Policies\Administrative Templates\Network\SNMP\Permitted Managers
  • Trap Configuration – where will SNMP traps be sent.
    • HKLM\System\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration
    • Computer configuration\Policies\Administrative Templates\Network\SNMP\Traps

To enable SNMP to send traps run dism /online /enable-feature /feature name: snmp-sc.

To modify SNMP settings go to SNMP service > agent settings.

Network Monitor

Network monitor is a downloadable packet sniffer from Microsoft.

To run the packet sniffer you need to be member of the Network Configuration Operators group or if using Vista the Netmon Users group.

To sniff packets crossing a switch you’d need to plug the network monitor computer into the switches monitor port.

nmcap.exe is the command line tool of network monitor for usage run nmcap.exe /usage


  • nmcap.exe /network [network card name] or * /capture [filtering] /file captureoutput.cap
  • nmcap.exe /network [network card name] or * /capture “DNS” /file captureoutput.cap

The default capture file limit is 20MB; you can specify any size up to 500MB.

You can filter a capture file further using:

nmcap.exe /inputcapture filename.cap /capture [protocol| IP] /file newfilename.cap


  1. Pingback: MCTS 70-646 Plan server management strategies | Notes from stuff I'm working on
  2. Pingback: MCTS 70-646 Implement patch management strategy | Notes from stuff I'm working on
  3. Pingback: Windows Server 2012 – Monitor and maintain servers | Notes from stuff I'm working on
  4. Pingback: MCTS 70-646 Monitor servers for performance evaluation and optimisation | Notes from stuff I'm working on

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.