SNMP4tPC - Implementing SNMP on Windows NT

WTCS.ORG

SNMP4NT(c)
(Implementing SNMP and Performance DLLs on Windows NT 3.51/4.0)

Last updated on: 26Aug2000
PERFMIB.MIB date: 16Aug2000 MIB.BIN date: 26Aug2000

Theory of Operation
Installing SNMP on Windows NT 3.51    Installing SNMP on Windows NT 4
Creating an SNMP Service Account    Main SNMP Components
Installing Base SNMP4NT(c)    Accessable Statistics
Generating your own PERFMIB.MIB

Do you think SNMP4NT(c) is worthy?

Theory Of Operation

The SNMP service running under Windows NT 3.51 and 4.0 supports SNMP version 1, and provides an SNMP agent that allows remote, centralized SNMP management of one or more of the following:

Windows NT Server and Workstation Computers
Windows NT-based WINS Servers
Windows NT-based DHCP Servers
Windows NT-based Internet Information Servers (IIS)
Other Microsoft (and other third party vendor) applications

Some of the information above can be made available by extracting performance counters (as can be seen in the Performance Monitor application) from the Windows NT system, and some information (i.e WINS, DHCP and IIS) must be made available by incorporating MIBS from those services into the SNMP service running on the Windows NT system.

In all cases, the MIBS for performance counters and/or others must be compiled into a binary file (called MIB.BIN) so that when an SNMP GET request is made (either locally or remotely), an intermediate system file (called PERFMIB.DLL) makes a call to MIB.BIN and the appropriate information is returned to the system that made the SNMP request.

Confused? It's really not all that complicated once you have been doing it for 3 years or so (a little humour to break up this boring, monotonous, teckno-geek stuff!).

Here is an hyperlink to an article that (I think) is one of the best descriptions of SNMP under Windows NT. Check it out at http://www.microsoft.com/technet/network/networkm.asp. In particular, there is an excellent section on configuring your system for SNMP Traps!

Before you can do anything, you MUST install the SNMP service! Reapply the service pack when finished!

Install SNMP before any applications!! If you don't, applications may not install SNMP support!

Installing the SNMP service on Windows NT 3.51

Installing:

Go into Control Panel
Select the Network icon
Choose Add Software
Select TCP/IP and Related Services
Choose SNMP

Since you will need to get the SNMP service software off your original NT installation CD, you will have to reboot your system, then re-apply Service Pack 5 (or later) before continuing. BE SURE TO DO THIS!

Configuring:

Go into Control Panel
Select the Network icon
In the Installed Software list, choose SNMP
Select the (to be added)
Add the community in the (to be added)
Select the Advanced button (to be added)

That's it! After a reboot, you have the SNMP service successfully installed for Windows NT 3.51! Now, see the "Creating an SNMP service account" section. Once you have completed that, you are now ready to install SNMP4NT(c) and are one step away from being able to access these counters using SNMP!

Installing the SNMP service on Windows NT 4

Installing:

Go into Control Panel.
Select the Network icon.
Choose the Services Tab.
Select the Add button.
Choose SNMP Service.

Configuring:

Under the Agent Tab fill in the appropriate Contact and Location information, and select ALL the Service Types (physical, applications, datalink/subnetwork, internet and end to end).
Under the Traps tab, add an SNMP community name or names (suggestion: do not use public, remove it). Trap destinations can be left blank. Add the IP address of your NMS if you have one.
Under the Security Tab, be sure the Send Authentication Trap is selected, and under Accepted Community Names, add the community name or names again (same as above).

You can also do this (later) by:

Go into Control Panel.

Select the Network icon.

Choose the Services Tab.

Highlight and double click on the SNMP Service.

Since you will need to get the SNMP service software off your original NT installation CD, you will have to reboot your system, then re-apply Service Pack 6a (or later) before continuing. BE SURE TO DO THIS!

That's it! After a reboot, you have the SNMP service successfully installed for Windows NT 4.0! Now, see the "Creating an SNMP service account" section. Once you have completed that, you are now ready to install SNMP4NT(c) and are one step away from being able to access these counters using SNMP!

Creating an SNMP service account

Once the SNMP Performance DLL (PERFMIB.DLL) is registerd as an SNMP extension agent, it will "PROBE" all the performance counters, even if you are not asking to GET information from them. If (for example) you have SQL Server installed on a system that has SNMP "hooked" to the performance counters, SNMP will try to log into SQL Server to gather SQL stats. It will try to login continuously (like every 2 seconds), and has the potential to crash SQL. Look in the Security Event Log if you suspect this to be happening. In order to resolve this, the SNMP service must be started with an account that has the permission to access application (i.e. SQL server).

Follow these simple steps and you will see this problem disappear:

Start the User Manager or User Manger for Domains applet, and create an account. This account will be a service-only account, and will allow the SNMP service to log into the system with administrative privileges. I use snmp_service for both the account name and password.

Add this account to the local Administrators group.

Then select the Policies Menu choice, choose User Rights (show advanced user rights), select the "Log on as a Service" right, and add the snmp_service user you just created.

You must now go into the Control Panel applet, and choose Services. Select the SNMP service, and change it (in the Logon As: section) from a System Account to This Account, and browse to the snmp_service user you just created. Be sure to type in (and confirm) the snmp_service password!

Main Windows NT SNMP Components

PERFMIB.MIB - is a Windows NT Specific Management Information Base). It is a specially formatted text file that contains numeric representations (called OIDs, or Object Identifier Descriptors) of the specific performance counters you have extracted from the Performance Counter application using the utility called perf2mib.exe. Once created, it is copied to the %systemroot%\system32 directory.

PERFMIB.INI - is the corresponding INI file for PERFMIB.MIB. It is also created by perf2mib.exe when Performance Counters are extracted. Once created, it is also copied to the %systemroot%\system32 directory.

SNMP4NT(c) contains pre-extracted PERFMIB.MIB and PERFMIB.INI files. They are generated on the WTCS Corporate Server (built in Edmonton, Alberta, Canada). PERFMIB.MIB contains many base Windows NT Performance Counters (including system and network protocols), as well as extracted Performance Counters from MS Exchange 5.5 and MS Proxy Server 2.0. See the page here for details.

MIB.BIN - is a binary file that gets created once the PERFMIB.MIB and other MIBS for applications or services that may be installed on the Windows NT system are compiled. Once created, it is copied to the %systemroot%\system32 directory along with PERFMIB.MIB and PERFMIB.INI.

SNMP4NT(c) contains a pre-compiled MIB.BIN which includes the Performance Counters extracted into PERFMIB.MIB (above), as well as several others (including WINS, DCHP, IIS, HHTP, FTP, LANMAN and MS SQL Server).

PERFMIB.DLL - is a file provided by Microsoft which gets registered (or "hooked") into SNMP as an extension agent. Its' job (my defintion, I could not find an official one) is to intercept SNMP requests, and make a call to MIB.BIN, whose job it is to look up and provide the information requested. It is copied to the %systemroot%\system32 directory along with MIB.BIN, PERFMIB.MIB and PERFMIB.INI.

Installing Base SNMP4NT(c)

Since all the hard work has been done (and SNMP is correctly installed), all you need to do is download the latest SNMP4NT(c) Standard Edition (free!), extract it into a directory (or onto a floppy if you want) and run the batch file called MIBINST.BAT (located in the \MIBINST directory) to install it on the Windows NT system you want to monitor.

You can access the SNMP4NT(c) Download page here.

What MIBINST.BAT does:

Stops the SNMP service

Copy the files (PERFMIB.MIB/PERFMIB.INI/MIB.BIN and PERFMIB.DLL) into the %systemroot%\system32 directory.

Creates two registry keys (HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/SNMP/Parameters/ExtensionAgents/SNMP4NT and HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/PerformanceAgent.

Populates the SNMP4NT registry key with a value that points to the PerformanceAgent registry key.

Populates the PerformanceAgent registry key with a value that points to %systemroot%\system32\PERFMIB.DLL

Restarts the SNMP service

Once that has been done, you are ready to roll. If you have a Network Management Station (NMS) you will need to copy the MIBS in the \MIBINST\MIBS directory to the appropriate directory in your NMS. Otherwise, if you know the OIDs to query, you can use SNMPUTIL.EXE and access them from a command prompt. I would suggest that you go to the Testing your implementation Page, and download getif. If you are using getif, follow these instructions:

1) Stop getif if you are using it.
2) Copy ALL the MIBS in the \MIBINST\MIBS subdirectory to the MIBS directory below the getif installation directory.
3) Delete the ".index" file in the MIBS directory
4) Restart getif

Remember that the SNMP MUST have SNMP sucessfully installed and configured (i.e. community name). It does not have to have SNMP4NT(c) installed on it in order to query another system that does have SNMP4NT installed.

If you have a need or desire to add additional counters, see the section called "Generating your own Performance Counter MIB (PERFMIB.MIB)".

Performance counters accessable after SNMP4NT Installation

This section lists some of the more "meaningful" statistics you will be able to monitor after installing SNMP on your Windows NT server. A short definition accompanies each.

A complete summary listing of Performance Counters currently available after installing SNMP4NT(c) is available here.

The complete list of available PERFMIB.MIB statistics is available here.

All SNMP4NT(c) OIDs including PERFMIB.MIB (above), as well as DHCP.MIB, WINS.MIB, INETSRV.MIB, HTTP.MIB, FTP.MIB LMMIB2.MIB, LMALRT2.MIB and MSSQL.MIB is available here.

Since SNMP4NT's PERFMIB.MIB is compiled with numerous other MIBs (including HTTP.MIB, FTP.MIB and INETSRV.MIB), the result is that MIB.BIN allows Internet Server (IIS), HTTP and FTP stats to be queried as well (but you must have installed IIS AFTER SNMP!

CPU % Usage - Processor Time is expressed as a percentage of the elapsed time that a processor is busy executing a non-Idle thread. It can be viewed as the fraction of the time spent doing useful work. Each processor is assigned an Idle thread in the Idle process which consumes those unproductive processor cycles not used by any other threads
Memory Available - Available Bytes displays the size of the virtual memory currently on the Zeroed, Free, and Standby lists. Zeroed and Free memory is ready for use, with Zeroed memory cleared to zeros. Standby memory is memory removed from a process's Working Set but still available.
Memory Pages per Second - Pages/sec is the number of pages read from the disk or written to the disk to resolve memory references to pages that were not in memory at the time of the reference. This is the sum of Pages Input/sec and Pages Output/sec. This counter includes paging traffic on behalf of the system Cache to access file data for applications. This value also includes the pages to/from non-cached mapped memory files. This is the primary counter to observe if you are concerned about excessive memory pressure (that is, thrashing), and the excessive paging that may result.
Memory Page Reads per Second - Page Reads/sec is the number of times the disk was read to retrieve pages of virtual memory necessary to resolve page faults. Multiple pages can be read during a disk read operation. Known as "hard faults", sustained rates of 5 or more page reads per second indicate a serious memory shortage.
Memory Page Faults per Second - Page Faults/sec is a count of the Page Faults in the processor. A page fault occurs when a process refers to a virtual memory page that is not in its Working Set in main memory. A Page Fault will not cause the page to be fetched from disk if that page is on the standby list, and hence already in main memory, or if it is in use by another process with whom the page is shared.
Network Statistics - Bytes Total/sec is the rate that bytes are sent and received on the interface, including framing characters. On a 10Mbps syste, this rate is 1,250,000 Bytes Per Second, and on a 100Mbps system this is 12,500,000 Bytes per Second. If you are using full duplex 100Mbps NICs and switches, this value could be as high as 25,000,000 Bytes per Second.
Disk Free (remaining) - Shows how many megabytes (MB) of disk space remain on the servers hard disk(s).
HTTP Statistics - Information on the HTTP server if it is running (i.e. how many anonymous users, etc.).
FTP Statistics - Information on the FTP server if it is running (i.e. how many anonymous users/transfer rate, etc.).
Current Sessions (logins) - Shows how many client sessions are currently active on the server.
NT Redirector - Shows how the redirector is managing data.
NT System - Shows how the Windows NT system (i.e. kernel) is performing.
IP Protocol - Shows Datagram and Fragmentation statistics for the IP protocol (if installed). A datagram is an independent, self-contained message sent over the network whose arrival, arrival time, and content are not guaranteed.
NetBT (NetBIOS over TCP/IP) Protocol - Shows performance statistics on this protocol (if IP installed)
NWLink IPX (NetWare compatible) Protocol - Shows performance statistics on this protocol (if installed)
NWLink SPX (NetWare compatible) Protocol - Shows performance statistics on this protocol (if installed)
NetBEUI Protocol - Shows performance statistics on this protocol (if installed)
Remote Access Service - Shows performance statistics on this protocol (if RAS Service is installed)
Microsoft Exchange 5.5 (MTA/IS/DS) - Shows performance statistics on this protocol (if Exchange Server is installed)
Microsoft Proxy Server 2.0 - Shows users/traffic/etc. for this product (if Proxy Server is installed)
IIS Web Service - Shows users/traffic/etc. for virtual servers on IIS 4.0m (must be installed)
MS SQL Server 6.5/7 - A wide variety of performance stats are opened up!

Generating your own Performance Counter MIB (PERFMIB.MIB)

In order for SNMP to access performance counter and application informaion from your Windows NT server or workstation, the following steps must be performed.

Install and configure the SNMP service (and make sure the latest service pack is reapplied).
Extract Windows NT Performance Counter information and create a Performance MIB (PERFMIB.MIB).
Compile this PERFMIB.MIB (and others) into a MIB.BIN file.
Copy this MIB.BIN file (which contains support for all the MIBS compiled in step 3) and a support DLL (PERFMIB.DLL) into the %SYSTEMROOT%\SYSTEM32 directory
Register the Performance Counter "Extension Agent" or "hook" the Performance Counter MIB into the SNMP service.

If for some reason, you did not want to extract performance counter information, you could eliminate step 2, and (in step 3) only compile the MIBS you wanted (i.e. WINS/DHCP/SQL) into MIB.BIN. Then carry on on with steps 4 and 5.

So... How is this done?

If you have added a program to your WIndows NT system, and would like to add it's performance counters to PERFMIB.MIB, then you will need to run PERFM.BAT. Specifically, you will need to modify the part of perfm.bat that takes performance counters and adds them to the MIB file (PERFMIB.MIB). This is done by editting the PERF2MIB.EXE line in PERFM.BAT.

PERFM.BAT is a batch file that will create a MIB file (PERFMIB.MIB) from the performance counters, compile it into a binary file (MIB.BIN), stop the SNMP service, copy some files (PERFMIB.MIB, PERFMIB.DLL, PERFMIB.INI and MIB.BIN) to your Windows NT system directory, and restart SNMP.

Here's how it works ...

We will use 2 theoretical counters for examples. Lets say you start Performance Monitor, and you can see 2 counters (in the object field) that you would like to add to PERFMIB.MIB. One is called ProgStat and the other is called Program Statistics (note the space between the words).

In PERFM.BAT (as part of SNMP4NT.EXE - 16Aug2000), the perf2mib.exe line currently looks like this (note that it is a single line!)...

perf2mib PERFMIB.MIB PERFMIB.INI memory 1 memory processor 2 CPU "Network Interface" 3 net PhysicalDisk 4 pdisk LogicalDisk 5 ldisk "Paging File" 6 pagefile Process 7 process Redirector 8 redirector TCP 9 tcp IP 10 ip UDP 11 udp NetBEUI 12 netbeui "NBT Connection" 13 nbtconn "NWLink IPX" 14 nwlinkipx "NWLink SPX" 15 nwlinkspx "RAS Total" 16 rastotal Server 17 server "Server Work Queues" 18 srvrqueues Cache 19 cache MSExchangeMTA 20 ExchMTA "MSExchangeMTA Connections" 21 ExchMTAConn MSExchangeIMC 22 ExchIMC MSExchangeIS 23 ExchIS "MSExchangeIS Public" 24 ExchISPub "MSExchangeIS Private" 25 ExchISPriv MSExchangeDS 26 ExchDS "Web Proxy Server Service" 27 WebProxySrvr "WinSock Proxy Server" 28 WinSockProxySrvr "Web Proxy Server Cache" 29 WebProxySrvrCache Telephony 30 Telephony "RAS Port" 31 RASPort "NWLink NetBIOS" 32 NWNetBIOS System 33 NTSystem "Packet Filtering" 34 PacketFilter "Web Service" 35 WebService

If you want to add the ProgStat counter to PERFMIB.MIB, you would add another counter to the perf2mib line (remember, the last statistic on the perf2mib line is 35!) like so...

ProgStat 36 ProgStat

Note that you have incremented the number from 35 to 36!

If you want to add the Program Statistics counter to PERFMIB.MIB, you would (again) add another counter to the perf2mib line (the last statistic on the perf2mib line is now 36!) like so...

"Program Statistics" 37 ProgramStat

Note that when a counter has 2 or more words, you must surround them with " " characters. The name you insert AFTER the number is up to you. Keep it short and unique.

By the Way, the number you use DIRECTLY INFLUENCES THE OID. For example, since the last counter is now 35 (the "Program Statistics" counter you just added), the corresponding OID is:

1.3.6.1.4.1.311.1.1.3.1.1.37

You can test this OID by running the following command:
snmputil walk 127.0.0.1 community .1.3.6.1.4.1.311.1.1.3.1.1.37.

Pretty Simple, huh?

You can use this tehnique to add counters from (almost) any program that installs them into Performance Monitor.

Then, this MIB must be compiled. A program called MIBCC.EXE joins PERFMIB.MIB and more MIBS (some NT system specific, some may be from other applications) into a binary file called MIB.BIN

This binary file, another one (this one called PERFMIB.DLL) and a file called PERFMIB.INI (a text file listing the OIDs of the Windows NT performance counters are copied to the %SYSTEMROOT%\System32 directory, usually (\WINNT\SYSTEM32).

Finally, the SNMP Performance DLL must be registered. Windows must be "told" that when the SNMP service is queried, it should run the PERFMIB.DLL program (which will execute the MIB.BIN code, and (provided a valid OID is passed to it) access the applicable performance counter to retrieve and return that data to the querying program.

Once perfm.bat has completed, you should be ready to use SNMP from your NMS to access the system performance counters listed above!

See the Testing your implementation page to see if you got it working!

warning.gif (19508 bytes) READ BEFORE RUNNING PERFM.BAT!!

NOTE 1:	The programs required to make this work come as part of the Windows NT Resource Kit. Buy it if you do not already own it!
NOTE 2:	Back up your SNMP registry key first! - Run regedt32, and navigate to HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services. - Scroll down, and highlight the SNMP key - Select Registry/Save Key, and save it (it will save sub-keys) as X:\TEMP\SNMP.KEY. That way if anything screws up, you can restore the key. To restore: - Do the same thing you did to save it only select Registry/Restore, and select the key you saved (X:\TEMP\SNMP.KEY.)
NOTE 3:	PERFM.BAT will perform an operation or two, then pause. When it does, it will tell you to edit a file (perfmib.mib) on a:\ or in the current directory. READ THE SCREEN INFORMATION THAT PERFM.BAT PUTS OUT!! Follow the instructions! DO NOT CONTINUE UNTIL YOU EDIT THAT FILE! There is a typo in one of Microsoft's MIBs and it tells you what to edit to fix the Microsoft typo.
NOTE 4:	If you reference performance counters in the perf2mib line that do not exist in your system, then perfm.bat will fail! Using the example above, perfm.bat will fail if you do not have IPX/SPX, TCP/IP, RAS or MS Exchange 5.5 installed on your system. Remove the counters that do not exist on your system. Be sure to correctly re-adjust the numbering in the perf2mib line!

To return the the main page, click the logo!