Implementing the Microsoft SNMP Service

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
By Rob Scrimger and Kelli Adam

Chapter 10 from MCSE Training Guide : TCP/IP, Second Edition, published by New Riders Publishing

This chapter will help you prepare for the exam by covering the following objective:

Configure SNMP.

  • The Simple Network Management Protocol (SNMP) service provides two major capabilities for Windows NT: the capability to remotely manage systems and, more importantly, the capability to use the Performance Monitor counters.

As you read through this chapter, you should concentrate on the following key items:

  • You need to know how to install and configure the service.

  • You need to know that TCP/IP Performance Monitor counters don't work without SNMP.

  • You need to understand the security of SNMP.

  • You need to know what a MIB is and which ones are available.

  • You should know what commands are available and how they work.

SNMP enables network administrators to remotely troubleshoot and monitor hubs, routers, and other devices (see Figure 10.1). Using SNMP, you can find out information about remote devices without having to be physically present at the device itself.

SNMP can be a useful tool if understood and used properly. You can obtain various amounts of information on a wide variety of devices, depending on the type. Some examples of information accessible using SNMP include the following:

  • The IP address of a router

  • The number of open files

  • The amount of hard drive space available

  • The version number of a Windows NT host

SNMP uses a distributed architecture design to facilitate its properties. This means that various parts of SNMP are spread throughout the network to complete the task of collecting and processing data to provide remote management.

Because SNMP is a distributed system, you can spread its management across different locations so that no single system is overtaxed and so that more than one management station can be used (see Figure 10.2).


Figure 10.1: An SNMP management system manages devices as well as computers.


Figure 10.2: A simple network using SNMP.

The SNMP provided by Microsoft enables a machine running Windows NT to be able to transfer its current condition to a computer running an SNMP management system. However, this is only the agent side, not the management tools.

This chapter's exercises use SNMPutil.exe, a basic command-prompt utility—not a full-blown management program. Various third-party management utilities are available, including the following:

  • IBM NetView

  • Sun Net Manager

  • Hewlett-Packard OpenView

This chapter focuses primarily on the SNMP protocol rather than the management utilities; the management utilities are third-party products and, as such, are not included in Microsoft Windows NT.


SNMP Agents and Management

There are two main parts to SNMP: the management station and the agent.

  • The management station is the centralized location from which you can manage SNMP.

  • The agent resides in the piece of equipment from which you are trying to extract data.

Each part is discussed in the following sections.

The SNMP Management System

The management system is the key component for obtaining information from the client; you need at least one to even be able to use the SNMP service. The management system is responsible for "asking the questions." As mentioned earlier, there are a certain number of questions it can ask each device, depending upon the type of device. The management system is, of course, a computer running one of the various software packages mentioned earlier (see Figure 10.3).

There are also certain commands that can be given specifically at the management system. These are generic commands not directly specific to any type of management system:

  • get—requests a specific value. For example, it can query how many active sessions are open.

  • get-next—requests the next object's value. For example, you can query a client's ARP cache and then ask for each subsequent value.

  • set—changes the value on an object that has the properties of read-write. This command is not often used because of security considerations and the fact that the majority of objects have a read-only attribute.

Usually, you have only one management system running the SNMP service per group of hosts. This group is known as a community. Sometimes, however, you may want to have more. Following are some reasons for wanting more than one management station:

  • You may want to have multiple management systems monitoring different parts of the same agents.

  • There might be different management sites for one community.

  • As the network grows and becomes more complex, you may need to help differentiate certain aspects of your community.

Figure 10.3: Most of the communications between an agent and a management station are started from the management station.

The SNMP Agent

You have seen so far what the SNMP management side is responsible for and can specifically do. For the most part, the management side is the active component for getting information.

The SNMP agent, on the other hand, is responsible for complying with the requests and responding to the SNMP manager accordingly. Generally, the agent is a router, server, or hub. The agent is usually a passive component responding only to a direct query.

In one particular instance, however, the agent is the initiator, acting on its own without a direct query. This special instance involves a trap. A trap is set up from the management side on the agent; however, the management system does not need to go to the agent to find out if the trap information has been tripped. The agent sends an alert to the management system telling it that the event has occurred.

Management Information Base

Now that you've learned a little about the management system and agents, you can delve into the different databases that you can query.

The data that the management system requests from an agent is contained in a Management Information Base (MIB). This is a list of values the management system can ask for. (The list of values depends on what type of device it is asking.) The MIB is the database of information that can be queried against.

A variety of MIB databases can be established. The MIB is stored on the SNMP agent and is similar to the Windows NT Registry in its hierarchical structure. These MIBs are available to both the agents and management system as a reference from which both can pull information.

The Microsoft SNMP Service supports the following MIB databases, by default:

  • Internet MIB II

  • LAN Manager MIB II



These databases are discussed in the following sections.

Internet MIB II

Internet MIB II defines 171 objects for fault identification and troubleshooting on the network and configuration analysis. It is defined in RFC 1212, which adds to and supersedes the previous version, Internet MIB I.

LAN Manager MIB II

LAN Manager MIB II defines about 90 objects associated with Microsoft Networking, such as

  • Shares

  • Users

  • Logon

  • Sessions

  • Statistical information

The majority of LAN Manager MIB II's objects are set to read-only mode because of the limited security of SNMP.


The DHCP MIB identifies objects that can monitor the DHCP server's actions. It is set up automatically when a DHCP server service is installed and is stored in a file called DHCPMIB.DLL. It has 14 objects that can be used for monitoring the DHCP server activity, including items such as the following:

  • The number of active leases

  • The number of failures

  • The number of DHCP discover requests received


WINS MIB (WINSMIB.DLL) is a Microsoft-specific MIB relating directly to the WINS server service. It is automatically installed when WINS is set up. It monitors WINS server activity and has approximately 70 objects. It contains information such as the following:

  • Number of resolution requests

  • Successful queries

  • Failed queries

  • The date and time of last database replication

MIB Structure

As mentioned previously, the name space for MIB objects is hierarchical. It is structured in this manner so that each manageable object can be assigned a globally unique name. Certain organizations have the authority to assign the name space for parts of the tree design.

The MIB structure is similar to TCP/IP addresses: you get only one address from the InterNIC and then can subnet it according to your needs, and you do not have to contact InterNIC for each address assignment. The same applies for MIB name space, except you receive the number from the International Standards Organization (ISO).

Organizations can assign names without consulting ISO for every specific assignment. For example, the name space assigned to Microsoft's LAN Manager is More recently, Microsoft has been assigned; any new MIB would then be identified under that branch. Figure 10.4 illustrates the hierarchical name tree.

The object identifier in the hierarchy is written as a sequence of labels beginning at the root and ending at the object. It flows down the chart, starting with the ISO and ending with the object MIB II. Labels are separated by periods. Following are examples of this labeling technique.

The object identifier for the Internet MIB II:

Object Name

Object Number

The object identifier for LAN Manager MIB II:

Object Name

Object Number

Microsoft SNMP Service

Figure 10.4: MIBs all start with the International Standards Organization and branch from there.

The SNMP service is an additional component of Windows NT TCP/IP software. It includes the four supported MIBs; each is a dynamic-link library and can be loaded and unloaded as needed. It provides SNMP agent services to any TCP/IP host running SNMP management software. It also performs the following:

  • Reports special happenings, such as traps, to multiple hosts

  • Responds to requests for information from multiple hosts

  • Sets up counters in Performance Monitor that can be used to monitor the TCP/IP performance

  • Uses hostnames and IP addresses to identify the hosts it receives requests from and reports information to

SNMP Architecture

The MIB architecture can be extended to allow developers to create their own MIB libraries called extension agents. Extension agents expand the list of objects that an MIB can report on, making it not only more expansive, but also directed to be specifically related to network setup and devices. Figure 10.5 illustrates the SNMP architecture.

Although the Microsoft SNMP service doesn't include management software, it does have a Microsoft Win32 SNMP Manager API that works with the Windows Sockets. The API can then be used by developers to create third-party SNMP management utilities.

The Microsoft SNMP uses User Datagram Protocol (UDP port 161) to send and receive messages and IP to route messages.

SNMP Communities

A community creates a management group for a set of hosts running the SNMP service. These usually consist of a management system and multiple agents. Figure 10.6 illustrates SNMP communities.

Communities are given a community name just like an NT group. This name is case sensitive and, by default, all SNMP agents respond to any manager requests from the community name "public." By using unique community names, however, you can provide basic security and segregation of hosts.

Agents do not accept requests or respond to hosts that are not from their configured community. Agents can be members of multiple communities at the same time, but they must be explicitly configured as such. This enables them to respond to different SNMP managers from various communities.

In the example in Figure 10.6, two separate communities are defined: CommA and CommB. Only the managers and agents that are members of the same community can communicate.

  • Agent1 can send and receive messages to and from Manager1 because they are both members of the CommA community.

  • Agent2 and Agent3 can send and receive messages to and from Manager2 because they are all members of the CommB community.

  • Agent4 can send and receive messages to Manager1 and Manager2 because Agent4 is a member of the CommA and CommB communities.

Figure 10.5: The SNMP architecture.

Figure 10.6: A network example showing SNMP communities.

Community Name and Security: Even if you are installing the SNMP service only to enable the TCP/IP Performance Monitor counters, you should change the community name. If you don't remember to do this, you have no defined management stations and are potentially leaving yourself open to attack.


There really is no established security with SNMP. The data is not encrypted, and there is no specific setup to stop someone from accessing the network, discovering the community names and addresses used, and sending fake requests to agents.

A major reason most MIBs are read-only is so that unauthorized changes cannot be made. The best security you can have is to use unique community names. Choose Send Authentication Trap and specify a trap destination, and choose Only Accept SNMP Packets from these Hosts.

You might also set up traps that let you know whether the agents receive requests from unspecified communities or addresses. This way, you can track down unauthorized SNMP activity.
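Why the community name offers so little protection is easiest to see on the wire. The following is an added example, not part of the original chapter: it builds and then decodes a request using the SNMPv1 message layout of RFC 1157 (an assumption, since the chapter does not name the protocol version), and shows that the community name travels as a plain OCTET STRING that a monitoring tool can read and flag. The sample datagram and the function names are constructed for illustration.

```python
# Added example: minimal BER encoder/decoder for an SNMPv1 request (RFC 1157).
PDU_NAMES = {0xA0: "get", 0xA1: "get-next", 0xA3: "set"}


def tlv(tag, payload):
    """Wrap payload in a BER tag-length-value triplet."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + payload


def enc_int(value):
    """INTEGER for non-negative values; the extra byte keeps the sign bit clear."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def enc_oid(oid):
    """OBJECT IDENTIFIER: first two arcs share a byte, the rest are base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))


def build_request(pdu_tag, community, request_id, oids):
    """Message = SEQUENCE { version 0, community, PDU { id, 0, 0, varbinds } }."""
    binds = b"".join(tlv(0x30, enc_oid(o) + tlv(0x05, b"")) for o in oids)
    pdu = tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(0x30, binds))
    return tlv(0x30, enc_int(0) + tlv(0x04, community.encode("ascii")) + pdu)


def read_tlv(buf, pos, expect=None):
    """Return (tag, value bytes, offset after the value), rejecting short input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    if expect is not None and tag != expect:
        raise ValueError("unexpected tag 0x%02x" % tag)
    return tag, buf[pos:pos + length], pos + length


def dec_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                 # high bit clear marks the arc's last byte
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_request(datagram):
    """Decode the fields a monitor cares about from one UDP payload."""
    _, msg, _ = read_tlv(datagram, 0, expect=0x30)
    _, version, pos = read_tlv(msg, 0, expect=0x02)
    _, community, pos = read_tlv(msg, pos, expect=0x04)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, request_id, p = read_tlv(pdu, 0, expect=0x02)
    _, _, p = read_tlv(pdu, p, expect=0x02)     # error-status
    _, _, p = read_tlv(pdu, p, expect=0x02)     # error-index
    _, binds, _ = read_tlv(pdu, p, expect=0x30)
    oids, p = [], 0
    while p < len(binds):
        _, bind, p = read_tlv(binds, p, expect=0x30)
        oids.append(dec_oid(read_tlv(bind, 0, expect=0x06)[1]))
    return {"version": int.from_bytes(version, "big"),
            "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(request_id, "big"),
            "oids": oids}


def uses_default_community(datagram):
    """True when the request carries the well-known default name."""
    return parse_request(datagram)["community"] == "public"


# Constructed sample: a get-next for sysName.0 sent with the default community.
SAMPLE = build_request(0xA1, "public", 4242, ["1.3.6.1.2.1.1.5.0"])

if __name__ == "__main__":
    print(SAMPLE.hex())
    print(parse_request(SAMPLE))
```

The hex dump printed by the block contains the bytes of the community name unchanged, which is the reason the chapter pairs unique community names with the accepted-hosts list and the authentication trap.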

Installing and Configuring SNMP

The SNMP Service can be installed for the following reasons:

  • You want to monitor TCP/IP with Performance Monitor.

  • You want to monitor a Windows NT–based system with a third-party application.

The following steps for installing the SNMP service assume that you already have TCP/IP installed and set up, and that you have administrative privileges to install and use SNMP.

Step by step

10.1 Installing the SNMP Service

  1. Open the Network dialog box and, from the Services tab, click Add.

  2. The Select Network Service dialog box appears (see Figure 10.7). Choose the SNMP service and click OK.

  3. Specify the location of the Microsoft Windows NT distribution files.

  4. After the files are copied, the Microsoft SNMP Properties dialog box appears (see Figure 10.8). Here you should enter the Community Name and Trap Destination.

  5. Choose OK to close the SNMP Properties dialog box. Then choose Close to exit the Network dialog box; when prompted, click Yes to restart your computer.


    Figure 10.7: Installing the SNMP service.


    Figure 10.8: Entering the basic SNMP configuration.


    Figure 10.9: Configuration tab for SNMP security.


    Figure 10.10: The Agent configuration tab.

SNMP Security Parameters

There are several options that you can set that affect the security of the SNMP agent (see Figure 10.9). By default, the agent will respond to any manager using the community name "public." Because this can be inside or outside your organization, you should at the very least change the community name.

The following are available security options:

  • Send Authentication Trap—sends a trap to the configured management station if an attempt is made to access SNMP from a manager that is not from the same community or that is not on the Only Accept SNMP Packets From list.

  • Accepted Community Names—a list of community names that the agent will respond to. When a manager sends a query, a community name is included.

  • Accept SNMP Packets from Any Host—responds to any query from any management system in any community.

  • Only Accept SNMP Packets from These Hosts—responds to only the hosts listed.

SNMP Agent

In some cases you will configure other aspects of the SNMP agent (see Figure 10.10). These settings set the type of devices that you will monitor and who is responsible for the system.

The options available are as follows:

  • Contact. This is the contact name of the person you want to be alerted about conditions on this station—generally the user of the computer.

  • Location. This is a descriptive field for the computer to help keep track of the system sending the alert.

  • Service. The items in this box identify the types of connections and devices this agent will monitor. These include the following:

    • Physical. This should be used if this system is managing physical devices such as repeaters or hubs.

    • Applications. Set this if the Windows NT computer uses an application that uses TCP/IP. This should always be selected.

    • Datalink/Subnetwork. Selecting this indicates this system is managing a bridge.

    • Internet. This should be selected if the Windows NT computer acts as an IP router.

    • End-to-End. Set this if the Windows NT computer uses TCP/IP. Obviously, this should always be selected.

Any errors with SNMP will be recorded in the system log, which records any SNMP activity. Use Event Viewer to look at the errors and to find the problem and possible solutions.

Using the SNMP Utility

The SNMP utility does not come with Windows NT, but it is included in the Windows NT Resource Kit (SNMPUTIL.EXE). Basically, it is a command-line management system utility. It checks that the SNMP service has been set up and is working correctly; you can also use it to make command calls. You cannot do full SNMP management from this utility; but, as you will see, you would not want to because of its complex syntax.

The following is the general syntax structure:

snmputil command agent community object_identifier_(OID)

The following are the commands you can use:

  • walk—moves through the MIB branch identified by what you have placed in the object_identifier.

  • get—returns the value of the item specified by the object_identifier.

  • getnext—returns the value of the next object after the one specified by the get command.

To find out the time the WINS server service began, for example, (providing WINS is installed and the SNMP agent is running) query the WINS MIB with the following command:

c:\>snmputil getnext localhost public .

In this example, the first part refers to the Microsoft branch:

. (or The last part of the example refers to the specific MIB and object you are querying: . (or .software.Wins.Par.ParWinsStartTime). A returned value might look like the following:

Value = OCTET STRING - 01:17:22 on 11:23:1997.<0xa>
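How walk relates to get and getnext is worth seeing in code. This is an added example, not from the original chapter or from SNMPUTIL itself: a toy agent that answers get and getnext over a small table, with walk built as repeated getnext calls that stop on leaving the requested branch. The OIDs are standard MIB-II system and interface objects; the values, the ToyAgent class and the function names are constructed for illustration.

```python
# Added example: get, getnext and walk over a constructed MIB table.
import bisect


def parse_oid(text):
    """'.1.3.6.1' or '1.3.6.1' -> (1, 3, 6, 1); arcs compare as numbers."""
    return tuple(int(arc) for arc in text.strip(".").split("."))


def format_oid(arcs):
    return ".".join(str(a) for a in arcs)


class ToyAgent:
    """Holds objects in OID order, the order getnext must follow."""

    def __init__(self, objects):
        self._mib = {parse_oid(oid): value for oid, value in objects.items()}
        self._order = sorted(self._mib)      # tuple sort = arc-by-arc numeric sort

    def get(self, oid):
        """Exact match only; None stands in for a 'no such name' error."""
        return self._mib.get(parse_oid(oid))

    def getnext(self, oid):
        """First object strictly after oid, whether or not oid itself exists."""
        i = bisect.bisect_right(self._order, parse_oid(oid))
        if i == len(self._order):
            return None                      # ran off the end of the MIB
        nxt = self._order[i]
        return format_oid(nxt), self._mib[nxt]


def walk(agent, root):
    """Repeat getnext from root until the answer leaves the root's branch."""
    prefix = parse_oid(root)
    results, current = [], root
    while True:
        hit = agent.getnext(current)
        if hit is None or parse_oid(hit[0])[:len(prefix)] != prefix:
            return results
        results.append(hit)
        current = hit[0]


# Constructed sample data (values are invented; OIDs are MIB-II objects).
SAMPLE_MIB = {
    "1.3.6.1.2.1.1.1.0": "Constructed NT host",     # sysDescr.0
    "1.3.6.1.2.1.1.4.0": "ops@example.test",        # sysContact.0
    "1.3.6.1.2.1.1.5.0": "SRV-A",                   # sysName.0
    "1.3.6.1.2.1.1.6.0": "Rack 4",                  # sysLocation.0
    "1.3.6.1.2.1.2.2.1.2.2": "Ethernet adapter",    # ifDescr.2
    "1.3.6.1.2.1.2.2.1.2.10": "Dial-up adapter",    # ifDescr.10
}
AGENT = ToyAgent(SAMPLE_MIB)

if __name__ == "__main__":
    for oid, value in walk(AGENT, ".1.3.6.1.2.1.1"):
        print(oid, "=", value)
```

Note that ifDescr.2 is returned before ifDescr.10: OIDs are ordered arc by arc as numbers, so sorting them as text gives the wrong walk order.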

Essence of the Case

There are several important aspects that you will need to look at in this case. Most notably, you will be attempting to cause a protocol you are installing not to work. The following are important points to remember:

  • The SNMP protocol provides next to no security.

  • The default community name, "public," is just that: public knowledge.

  • The systems will have Internet access, and this could leave you open to attack.

  • You need to enable the protocol so the Performance Monitor counters will work.

  • You know that SNMP uses UDP ports 161 and 162.

  • You don't actually have any management software.

In this case, there is no need to run SNMP. The network that you are designing does not have a great number of routers or bridges that need to be remotely monitored (which is what SNMP is mostly used for).


You will want to be able to use the Windows NT Performance Monitor to check the performance of all servers on your network. Because the SNMP agent needs to be installed to enable these counters, this case study will look at how SNMP can be installed without compromising the security of the network.

In this case, you will be installing the SNMP agent on all the servers that will be located in the remote offices, and you will be using the Internet connection to reach them remotely using the Performance Monitor.


In this case, things might look hopeless. However, with some simple precautions you can enable the protocol without great exposure.

Before you even install the SNMP agent on the servers, you should set up the routers coming into your network so they do not forward UDP ports 161 and 162. This will reduce the threat of attack greatly.

Now you can install the SNMP agent. You should configure the community name to something other than "public." In this case, because the protocol will never be used, you can generate a sequence of random characters with a different sequence for each server. This will make it more difficult for internal hackers; they might get the community name for one server, but they won't have the name for all the agents.

Next you should add an IP address for a management station (any address will do) and set the agent to accept SNMP commands only from that address. Again, a different address could be used for each server.
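The options listed under "SNMP Security Parameters" and the precautions in this case study can be modelled together. This is an added example, not the chapter's or Microsoft's code: it models the agent's accept decision as the chapter describes it (case-sensitive community name, accepted-hosts list, authentication trap), audits a configuration for the weaknesses the chapter names, and generates a per-server plan with a different random community name for each server. The class, function names, server names and addresses are constructed for illustration.

```python
# Added example: model of the agent's security options and the case-study plan.
import secrets
from dataclasses import dataclass, field


@dataclass
class AgentSecurity:
    accepted_communities: set        # "Accepted Community Names"
    permitted_hosts: set             # empty set = "Accept SNMP Packets from Any Host"
    send_auth_trap: bool             # "Send Authentication Trap"
    trap_destinations: list = field(default_factory=list)

    def handle(self, src_ip, community):
        """Return (answered, traps_sent_to) for one incoming request."""
        community_ok = community in self.accepted_communities   # case sensitive
        host_ok = not self.permitted_hosts or src_ip in self.permitted_hosts
        if community_ok and host_ok:
            return True, []
        # Rejected request: report it only if the trap option is switched on.
        return False, list(self.trap_destinations) if self.send_auth_trap else []

    def audit(self):
        """List the weaknesses the chapter warns about; empty means none found."""
        findings = []
        if "public" in self.accepted_communities:
            findings.append("default community 'public' is accepted")
        if not self.permitted_hosts:
            findings.append("packets are accepted from any host")
        if not self.send_auth_trap:
            findings.append("authentication trap is disabled")
        elif not self.trap_destinations:
            findings.append("authentication trap has no trap destination")
        return findings


def harden(servers, manager_ip, trap_destination):
    """One configuration per server, each with its own random community name."""
    return {
        name: AgentSecurity(
            accepted_communities={secrets.token_urlsafe(24)},
            permitted_hosts={manager_ip},
            send_auth_trap=True,
            trap_destinations=[trap_destination],
        )
        for name in servers
    }


# Constructed configuration: community "public", any host, no trap configured.
AS_INSTALLED = AgentSecurity({"public"}, set(), False)

# Constructed plan for two hypothetical servers and documentation-range addresses.
MANAGER = "192.0.2.10"
PLAN = harden(["srv-a", "srv-b"], MANAGER, MANAGER)

if __name__ == "__main__":
    print("as installed:", AS_INSTALLED.audit())
    for name, cfg in PLAN.items():
        print(name, cfg.audit(), cfg.handle("198.51.100.7", "public"))
```

Blocking UDP ports 161 and 162 at the routers, the first precaution in the case study, is outside what this model covers and still has to be done on the routers themselves.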

This chapter has covered Simple Network Management Protocol. As you have seen, SNMP is a very simple protocol that can be used to look at the information stored in a Management Information Base. This allows management software (such as HP's OpenView) to read information from a Windows NT system.

If you intend to use SNMP, you must purchase SNMP management software (you could use SNMPUTIL, but you would need to memorize all the numbers, which is not realistic). SNMP can be installed whether you are using it directly or not; this is done to allow the Performance Monitor counters to function correctly.

The following list summarizes the key points in this chapter:

  • You need to understand that the SNMP agent is only an agent, and only an SNMP Manager API (no software) is provided.

  • You need to know the three commands that a manager can send an agent: set, get, and get-next.

  • You need to know what a trap (event notification) is, and that this is sent from the agent.

  • You need to know the five areas the agent can monitor and where each is used: physical, applications, datalink/subnetwork, Internet, and end-to-end.

  • You need to know how to install the agent.

  • You need to know how to configure an authentication trap.

  • You need to know how to configure the community names and the addresses of the stations that will be acting as managers.

  • You need to understand the structure of a MIB and which four MIBs come with Windows NT: LAN Manager MIB II, Internet MIB II, DHCP MIB, and WINS MIB.

  • You need to know that the SNMP agent must be installed to enable the Performance Monitor counters.


This set of exercises covers use of the SNMP agent. The lab uses SNMPUTIL, which is available in the Windows NT Resource Kit and from various sites on the Internet.

10.1 Installing the Protocol

The first step in working with SNMP is to install the protocol. In this exercise, you will install the SNMP agent.

Estimated Time: About 10 minutes.

  1. Open the Network dialog box, and click the Services tab.

  2. Choose Add, select the SNMP Agent, click OK, and enter the source directory.

  3. Choose Close on the Network Setting dialog box and restart your system when prompted.

A. Using SNMPUTIL to Test SNMP

In this lab, you will need a copy of the SNMPUTIL, which can be found in the Windows NT Resource Kit. If you do not have the Resource Kit, you can also find SNMPUTIL on the Internet (however, the Windows NT Resource Kit is recommended).

Estimated Time: About 15 minutes.

You will want to increase the number of lines in the command prompt for this lab. To do this, click the Control Menu box in the upper left corner of the window and select Properties. On the Layout tab, change the height value to a higher number, such as 300.

  1. Start a command prompt.

  2. Enter the following commands:

    SNMPUTIL get public .

    SNMPUTIL get public .

  3. Verify the numbers that you received. To verify the first number, open the Services icon in the Control Panel and count the number of services that are started. (Or type net start from the prompt and count the services listed.)

    To verify the second number, open the User Manager for Domains and count the number of users.

  4. In User Manager for Domains, add a test user. Switch to the Command Prompt, and enter the second SNMPUTIL command again (use the up arrow to repeat the command).

  5. Verify that the user you added increased the number, and then enter the following command:

    SNMPUTIL walk public .

    This should list the names of all the users.

  6. Open the Services icon from the Control Panel again. Stop the Server service. It will warn you that this will also stop the Computer Browser service—this is fine.

  7. Re-enter the command:

    SNMPUTIL get public .

    The number should be two fewer than before.

  8. Verify that the services are not running, and then enter the following command:

    SNMPUTIL walk public .

    The services that are running will be listed. Server and Computer Browser should not be included on the list.

    Why It Still Works: You are still able to access this information using the sockets interface even though the server service is stopped. Remember that the server service is a NetBIOS server. Because you are communicating over sockets directly, you are able to use the SNMP agent, which uses UDP port 161 directly.

  9. Restart the server service and the Computer Browser service.

  10. You can enter the following optional command, which will give you a list of all the information in the LAN Manager MIB:

    SNMPUTIL walk public .

Review Questions

  1. What three things will you gain if you install the SNMP agent?

  2. For an SNMP Manager to be able to request information from an agent, what conditions must be true?

  3. There are four commands in the SNMP protocol. What are they? Which system will initiate the command?

  4. What MIBs does Windows NT use?

Exam Questions

  1. Which of the following commands are you able to implement on the management system side when making requests to the agents?

    1. get, set, go

    2. walk, get, get-next

    3. get, get-next, trap

    4. set, get-next, get

  2. Where are the set of manageable objects that SNMP works with stored?

    1. MIIB

    2. Management Information Base

    3. MHB

    4. Management Internet Information Base

  3. A community is a group of hosts running SNMP, to which they all belong, and respond to requests from a management system. The default community name for all communities is _____.

    1. punic

    2. comm

    3. community

    4. public

  4. When setting up an SNMP management system on a Windows NT host machine, what MIBs are supported by default under Windows NT 4.0?

    1. Internet MIB I, LAN Manager MIB II, WINS MIB, DHCP MIB

    2. Internet MIB II, LAN Manager MIB I, WINS MIB, DHCP MIB

    3. Internet MIB II, LAN Manager MIB II, WINS MIB, DHCP MIB

    4. Internet MIB II, LAN Manager MIB II, WINS MIB I, DHCP MIB

  5. Which SNMP operation does the agent, rather than the management system, initiate?

    1. walk

    2. set

    3. trap

    4. get

Answers to Review Questions

  1. With the SNMP agent you will get an SNMP agent and the SNMP Management API, and the TCP/IP Performance Monitor counters will be added. See "Microsoft SNMP Service."

  2. The agent and manager must at least share a common community name. See "Microsoft SNMP Service."

  3. The manager will send the get, get-next, and set commands. The agent will respond to those commands and will also send traps when significant events occur. See "SNMP Agents and Management."

  4. There are four MIBs that come with Windows NT: Internet MIB II, LAN Manager MIB II, DHCP MIB, and WINS MIB. See "Management Information Base."

Answers to Exam Questions

  1. D. There are three commands that can be issued by a management station. The three are get, get-next, and set. See "The SNMP Management System."

  2. B. The MIB, or Management Information Base, contains the set of manageable objects for a service. There can be multiple MIBs installed at the same time on Windows NT. See "Management Information Base."

  3. D. The default community name is "public." This should be changed to increase security even if you are only installing SNMP to activate the Performance Monitor counters. See "SNMP Communities."

  4. C. The four MIBs available from Windows NT are Internet MIB II, LAN Manager MIB II, WINS MIB, and DHCP MIB. See "Management Information Base."

  5. C. Of the four commands that can be issued, the only one that the SNMP agent will initiate is the trap command. See "The SNMP Agent."

About The Authors

Robert Scrimger, MCT, MCSE+Internet, is the Product Stream Leader, Microsoft, for Learnix, where he spends a great number of hours arguing the merits of Windows NT versus Solaris. After spending several years in the field with companies such as Bell Canada Internet, Canada Post, and Ricoh Canada, he moved into training, which he has been doing for over 10 years. This was fate more than design, since the reason for the change was that the small company he was working for went bankrupt—and the first ad he saw was for a computer trainer.

Kelli Adam (MCT, MCSE+I) has earned an international reputation for technical training, support, and computer networking. Respected by Microsoft as an industry leader, she is regularly contracted to write exams and teach courses for Microsoft Certified Professionals (MCPs). In addition to providing technical consulting, managing Web hosting and media streaming servers, and speaking at computer conferences, Kelli also makes time to run ConnectOS Corporation, which she founded in 1995. At the end of her day, she goes home to her two house bunnies, husband, and new baby in Kirkland, Washington.

Copyright © 1999 by New Riders Publishing, Pearson PTR

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages. All prices for products mentioned in this document are subject to change without notice.

International rights = English only.

Copyright © 2000, Microsoft Corporation.
