Management
Sysinternals

System monitoring with Sysinternals

Health Check

© Denis Tevekov, 123RF.com

Administrators don’t need a massive arsenal of tools just to monitor a couple of systems. With Microsoft’s free Sysinternals suite, admins can handle all sorts of tasks. By Thomas Joos
The Sysinternals tools are free tools from Microsoft that can help Windows administrators handle many tasks. This article introduces the Sysinternals tools that are useful for system monitoring. All of the tools described here can be downloaded free of charge from the Microsoft site [1], either as individual downloads or as part of the Sysinternals suite.

One advantage of the Sysinternals utilities is that you don’t need to install them, so they can be launched conveniently from a USB stick. When launched for the first time, the programs display a license dialog; you can suppress this dialog with the /accepteula option, which can be useful in scripting. Unfortunately, this option does not work for all of the Sysinternals tools.
The programs only run on Windows systems from Windows 2000 Server onward. For this article, I used Windows Server 2008 R2 and Windows 7. Windows Server 2008 R2, Windows Server 2008, Windows Vista, and Windows 7 do not support access to the hidden system $ shares, such as C$ or admin$, as easily as Windows XP or Windows Server 2003 do when the computers do not belong to a Windows domain, because the newer operating systems block access to administrative shares when a local user account authenticates.
Some Sysinternals tools, such as PsInfo.exe, require access to the admin share and thus will not work at first. To allow access, you must enable local logins to administrative shares in the Registry of standalone computers. To do so, launch the Registry Editor by typing regedit, then navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. Create a new DWORD entry named LocalAccountTokenFilterPolicy, set the value to 1, then restart the computer.
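As an added example, not from the article or from Sysinternals: a PowerShell script that reads the LocalAccountTokenFilterPolicy value described above, reports whether the computer is domain-joined, and, only when run with the -Enable switch, applies the article’s change. The -Enable switch and the Get-TokenFilterPolicy helper are this example’s own names. A value of 1 gives local accounts a full administrative token over the network, so apply it only to the standalone computers the article is talking about.

```powershell
# Added example (not from the article): audit, and optionally apply, the
# LocalAccountTokenFilterPolicy setting for standalone computers.
# Run in an elevated PowerShell session.
param(
    [switch]$Enable   # apply the article's change (value 1); default only reports
)

$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$valueName = 'LocalAccountTokenFilterPolicy'

function Get-TokenFilterPolicy {
    # Returns the current DWORD, or $null when the value has never been created
    # (the default state, in which remote admin-share access by local accounts is blocked).
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

$partOfDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
$current      = Get-TokenFilterPolicy

Write-Host "Domain member               : $partOfDomain"
if ($null -eq $current) {
    Write-Host "$valueName : <not set> (administrative shares blocked for local accounts)"
} else {
    Write-Host "$valueName : $current"
}

if ($Enable) {
    if ($partOfDomain) {
        Write-Warning 'This computer is domain-joined; the article applies this change to standalone computers only.'
    }
    # -Force creates the DWORD value or overwrites an existing one
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "$valueName set to 1; restart the computer for the change to take effect."
}
```

Run it without parameters first to see the current state; rerun with -Enable to make the registry change the article describes.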
LDAP Microscope

Insight for Active Directory, also known as AdInsight, lets you monitor the LDAP connections on a domain controller in real time with a GUI. The user interface is similar to the Sysinternals tools Regmon and Filemon. The tool investigates calls to the wldap32.dll file, which most programs, including Exchange, use for LDAP-based access to Active Directory.

AdInsight lists all requests, including those that are blocked. This gives administrators an easy option for analyzing authentication problems with Active Directory-aware programs and for identifying clients and servers that set up a connection to the domain controller. AdInsight logs all requests issued to domain controllers and stores them as an HTML report or text file for troubleshooting purposes. The logfile contains the client request and the responses that the client received via LDAP.

AdInsight also logs access to system services (Figure 1). When a program such as Exchange accesses the domain controller, the window fills with information; you can then right-click to display details of the individual entries, as well as filter the display via the menu.

The display also includes the name of the accessing user. Unfortunately, AdInsight only lets you monitor local access; over-the-wire diagnostics via remote access are not supported. However, AdInsight’s search function does let you filter by process, error, or request response. The tool then selects the matching response, which lets you focus your monitoring on what you are looking for.
74 Admin 01 www.admin-magazine.com