Monitoring Remote Computers

In general, monitoring remote computers differs little from monitoring local computers. This section discusses some facts to consider when evaluating whether to monitor remotely or locally.

Methods of Monitoring

When monitoring activity on remote computers, you have some options with regard to how to collect data. For example, you could run a counter log on the administrator's computer, drawing data continuously from each remote computer. In another case, you could have each computer that is running the service collect data and, at regular intervals, run a batch program to transfer the data to the administrator's computer for analysis and archiving. Figure 5.12 illustrates these options.


Figure 5.12 Comparison of Performance Data Logging Options

Choose a monitoring method based on your needs from the ones described in the following list:

  • Centralized data collection (that is, collection on a local computer from remote computers that you are monitoring) is simple to implement because only one logging service is running. You can collect data from multiple systems into a single log file. However, it causes additional network traffic and might be constrained by available memory on the administrator's computer. Frequent updating also adds to network activity. Centralized monitoring is useful for a small number of servers (25 or fewer). For centralized monitoring, use the Add Counters dialog box to select a remote computer while running System Monitor on your local computer.

  • Distributed data collection (that is, data collection that occurs on the remote computers you are monitoring) does not incur the memory and network traffic problems of local collection. However, it does result in delayed availability of the data, requiring that the collected data be transferred to the administrator's computer for review. This kind of monitoring might be useful if you suspect the server is part of the problem. It is also useful if you suspect that the network is the cause of performance problems and you are concerned that data packets you want to monitor are being lost, because it isolates the computers from the network during data collection. In general, local monitoring creates more disk traffic on each monitored computer. For distributed monitoring, use Performance Logs and Alerts under Computer Management to select the computer you want to monitor.
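The two collection options above, as an added PowerShell example that is not part of the original Resource Kit text. The server names and log paths are constructed for illustration; the script assumes PowerShell remoting is enabled on the monitored hosts and that C:\PerfLogs exists on every computer involved.

```powershell
# Constructed names and paths; replace with your own.
$servers  = 'SRV01', 'SRV02'
$counters = '\Processor(_Total)\% Processor Time', '\Memory\Available Bytes'
$archive  = 'C:\PerfLogs\archive'

# --- Centralized collection -------------------------------------------------
# One logging process on the administrator's computer pulls every sample from
# every remote host over the network. Simple, but each sample is network
# traffic and all data is held by this one process.
Get-Counter -ComputerName $servers -Counter $counters `
            -SampleInterval 15 -MaxSamples 20 |
    Export-Counter -Path "$archive\central.blg" -FileFormat BLG -Force

# --- Distributed collection -------------------------------------------------
# Each monitored host samples itself into a local log, so no monitoring
# traffic crosses the network while data is being collected. The logs are
# copied to the administrator's computer afterwards, so the data arrives
# late but is not affected by network problems during collection.
$collectLocally = {
    param([string[]]$Counters, [int]$Samples)
    Get-Counter -Counter $Counters -SampleInterval 15 -MaxSamples $Samples |
        Export-Counter -Path "C:\PerfLogs\$env:COMPUTERNAME.blg" `
                       -FileFormat BLG -Force
}
Invoke-Command -ComputerName $servers -ScriptBlock $collectLocally `
               -ArgumentList $counters, 20

# The "batch transfer" step: gather each host's log via its admin share.
New-Item -ItemType Directory -Path $archive -Force | Out-Null
foreach ($s in $servers) {
    Copy-Item -Path "\\$s\C$\PerfLogs\$s.blg" -Destination $archive
}
```

Both .blg files open in Performance Monitor, so the centralized log and the per-host logs can be compared for the same counters and interval.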

Security Issues

If you are collecting data using the registry, monitoring a remote computer requires the use of the Remote Registry Service. If the service stops due to failure, the system restarts it automatically only once. Therefore, if the service stops more than once, you must restart the service manually on the second and any subsequent failures. To change this default behavior, modify the properties for Remote Registry Service. You can access service properties using Services under Services and Applications in Computer Management or under Administrative Tools. Also check the application and system logs in Event Viewer for events that might explain why the service stopped.

In addition, remote data collection requires access to certain registry subkeys and system files. Users need a minimum of Read access to the Winreg subkey in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers to provide remote access to the registry for the purpose of collecting data on remote systems. By default, members of the Administrators group have Full Control access and members of the Backup Operators group have Read access. Users also need Read access to the registry subkey that stores the counter names and descriptions used by System Monitor. This subkey is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\LanguageID, where LanguageID is the numeric code for the spoken language of the operating system installation. (For the English language, the subkey is Perflib\009.) By default, members of the Administrators and Creator Owners groups, and the System account, have Full Control access. Therefore, a local user on a server who isn't logged in as an administrator will not be able to see performance counters.

Users might also require read access to the files that supply counter names and descriptions to the registry, Perfc*.dat and Perfh*.dat. (The asterisk is a wildcard character representing the specific language code; for English, these are Perfc009.dat and Perfh009.dat.) If these files reside on an NTFS volume, then, in order to have access to them, the access control lists (ACLs) on these files must specify that the user has such access. By default, members of the Administrators and Interactive groups have sufficient access.

The remote computer allows access only to user accounts that have permission to access it. In order to monitor remote computers, the Performance Logs and Alerts service must be started under an account that has permission to access the remote computers you are attempting to monitor. By default, the service is started under the local computer's system account, which generally has permission to access only services and resources on the local computer. To start the service under a different account, start Computer Management, click the plus sign (+) beside Services and Applications, and click Services. Click Performance Logs and Alerts, and update the properties under the Log On tab. To monitor using counter logs or alerts, you must also have permission to read the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\LogQueries registry subkey. In general, administrators have this access by default. In each case, attempting to use the tools without appropriate permissions will generate an error message.
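A way to review the prerequisites listed above on a monitored computer, as an added PowerShell example that is not part of the original Resource Kit text. It reports the state and failure-recovery settings of Remote Registry, the ACLs on the Winreg and Perflib subkeys and on the Perfc/Perfh files, and the log-on account of the Performance Logs and Alerts service. It assumes PowerShell 3.0 or later, an elevated session, an English (009) installation, and that the service may be registered as either SysmonLog or its later name, pla.

```powershell
function Show-Access {
    # Lists every ACE on a registry key or file so unexpected principals
    # (anyone beyond the defaults the text describes) stand out.
    param([string]$Label, [string]$Path)
    Write-Host "`n== $Label`n   $Path"
    if (-not (Test-Path -LiteralPath $Path)) { Write-Host '   (not found)'; return }
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, AccessControlType,
            @{ n = 'Rights'; e = {
                # Registry ACEs carry RegistryRights, file ACEs FileSystemRights.
                if ($_.RegistryRights) { $_.RegistryRights } else { $_.FileSystemRights } } } |
        Format-Table -AutoSize | Out-Host
}

# Subkey that gates all remote registry access (minimum: Read).
Show-Access 'Winreg subkey' `
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
# Subkey holding counter names and descriptions (English installation).
Show-Access 'Perflib\009 subkey' `
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009'
# Files that supply those names and descriptions; checked only on NTFS ACLs.
foreach ($f in 'perfc009.dat', 'perfh009.dat') {
    Show-Access $f (Join-Path $env:SystemRoot "System32\$f")
}

# Service state and log-on accounts. LocalSystem on the Performance Logs and
# Alerts service cannot reach remote computers, as the text explains.
Write-Host "`n== Services"
Get-CimInstance Win32_Service `
    -Filter "Name='RemoteRegistry' OR Name='SysmonLog' OR Name='pla'" |
    Format-Table Name, State, StartMode, StartName -AutoSize | Out-Host

# Recovery actions for Remote Registry: by default the second and later
# failures are not followed by an automatic restart.
Write-Host "`n== Remote Registry failure actions"
sc.exe qfailure RemoteRegistry
```

Run it once on a freshly built server to record the default ACLs, and again after any change, so that widened access to the Winreg subkey is caught before it is relied on.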

If you are collecting data remotely by means of WMI, the user must be a member of the Administrators group.