Chapter 11 - Using SNMP for Network Management
Simple Network Management Protocol (SNMP) is a network management standard widely used in TCP/IP networks and, more recently, with Internetwork Packet Exchange (IPX) networks. Windows NT Server and Windows NT Workstation 4.0 include an SNMP service that allows Windows NT-based computers to be managed by using SNMP network management programs.
The information in this chapter is for the administrator who needs to understand SNMP and the SNMP-based service running under Windows NT 4.0.
This chapter begins with a review of basic SNMP concepts, and provides a glossary of the network management terms that are used throughout this chapter. The next two sections describe the SNMP network management standard and the Windows NT implementation of SNMP. The remaining sections in the chapter provide information about using and troubleshooting the SNMP service running under Windows NT. At the end of the chapter there is a list of reference materials that provide detailed information about SNMP, TCP/IP, and IPX.
Overview of SNMP
Simple Network Management Protocol (SNMP) is a network management protocol frequently used in TCP/IP networks to monitor and manage computers and other devices (such as printers) connected to the network. SNMP is supported in Windows NT Server and Windows NT Workstation by the SNMP service.
As part of the Internet TCP/IP protocol suite, SNMP is defined in the Internet Engineering Task Force (IETF) Request for Comments (RFCs) 1155, 1157, and 1213. The following table describes these RFCs.
Requirements for Network Management
The term network management generally refers to specific administrative functions and the ability to perform these functions from a centralized computer, often referred to as a management console.
To perform centralized network management, the managing computer must be able to get data from other computers on the network, including the following:
How SNMP Uses the Registry
The Registry, the operating system database on each Windows NT-based computer, contains information that is needed for network management. The SNMP service accesses the Registry and converts the information into a format that can be used by third-party SNMP network management programs.
Figure 11.1 The Windows NT Registry
The following sections — "Management Information Base," "Agents," and "Managers" — provide a high-level overview of the major software components of SNMP. Windows NT implements SNMP-based MIBs and an SNMP agent component to provide the necessary framework for SNMP network management.
SNMP uses a glossary of network management terms that may be unfamiliar to some readers. The following SNMP network management terminology is used in this chapter.
Management Information Base
A management information base (MIB) is a data file containing the managed-object descriptions and object values. Each host that is to be managed by SNMP must have a MIB that describes the manageable objects on that host.
Basically, a MIB will define the following for every object contained within that MIB:
RFC 1213 defines an industry-standard SNMP MIB referred to as MIB-II. Industry vendors, such as Microsoft, can define additional MIBs that allow unique hardware or software services developed by the vendor to be monitored and managed by SNMP management consoles.
Note Additional MIBs that are supported by Windows NT Server are described in Appendix C, "MIB Object Types for Windows NT."
Each object in a MIB is identified by a universally unique label referred to as an object-identifier (OID). The object name space is implemented as a multi-part, hierarchical, naming scheme. A hierarchical naming scheme can be viewed as an inverted tree with the branches pointing downward. Each point where a new branch is added is referred to as a node. This OID is internationally accepted and allows developers and vendors to create new components and resources and assign a unique OID to each new component or resource.
The OID naming scheme is governed by the Internet Engineering Task Force (IETF). The IETF grants authority for parts of the name space to individual organizations, such as Microsoft. For example, Microsoft has the authority to assign the OIDs that can be derived by branching downward from the node in the MIB name tree that starts at 1.3.6.1.4.1.311.
Figure 11.2 A Managed-object Name Hierarchy
SNMP programs use the OID to identify the objects on each computer that can be managed by using SNMP. For example, when a network administrator requires information about managed-objects from some computer on the network, the SNMP management program sends a message over the network that requests information about the object as identified by the OID. The computer that receives the message can use the OID to retrieve information from the specific object on the computer and send the information back to the SNMP management program.
An agent is an SNMP program that must be installed on each managed computer in an SNMP-managed network. The Windows NT-based SNMP service includes an SNMP agent.
The agent program provides an interface to the MIBs and managed-objects installed on the computer. SNMP management programs send management requests to the computers on the network. The agent program on the computer receives the requests and processes them by retrieving information from the MIBs on the computer. The agent then sends the requested information back to the SNMP manager program that initiated the request.
The Windows NT-based SNMP service is an optional service that is installed after TCP/IP is installed on a Windows NT-based computer. After the SNMP service is installed on a computer, it automatically starts each time the computer is started.
When the agent program is started on a computer, it waits for SNMP requests from a manager program on the network management console (computer). When an agent program receives an SNMP message, it performs the requested get, get-next, and set operations.
The only operation that an agent spontaneously starts is a trap operation to alert the SNMP manager program that the computer has started, stopped, or is experiencing an extraordinary event (such as disk-full) on some managed-object on the computer.
In summary, the agent program performs the following operations:
Note By installation default, the computer software port 161 is used to listen for SNMP messages and port 162 is used to listen for SNMP traps. If you need to run multiple SNMP agents, you can change these port settings in the \systemroot\System32\Drivers\Etc\Service\Service file.
SNMP management programs are referred to as managers. Managers obtain data about network devices and make this information available to a network administrator through textual, graphical, or object-oriented user interfaces. The manager program sends SNMP messages to network hosts. These messages are received by the agent on the host, and initiate the get, get-next, and set operations. The manager program waits (listens) for the SNMP messages from the agent that contain the results of the operation, and displays the information on the SNMP-management console or saves the data in a specified file or database.
As noted earlier, the SNMP service running under Windows NT is an SNMP agent, which is the framework needed for network management. However, a separate SNMP manager program is needed to perform management operations.
There are several SNMP manager utilities provided with the Windows NT Server Resource Kit compact disc. Other network management software can be obtained from Microsoft or from third-party vendors.
Windows NT-based Implementation of SNMP
The SNMP service running under Windows NT implements SNMP version 1 and provides an SNMP agent that allows remote, centralized SNMP management of:
Note Network Driver Interface Specification (NDIS) 4.0-compliant peripheral devices attached to a Windows NT-based computer are also manageable by using the Windows NT-based SNMP service. If the device is to be managed by using SNMP, the device vendor must provide a device .inf file that can be registered in the Windows NT-based Registry.
The Windows NT-based SNMP agent is implemented as a service and can be installed on Windows NT-based computers that use the TCP/IP and IPX protocols. The TCP/IP protocol must be installed before installing SNMP. For more information about installing SNMP, see TCP/IP Help.
Note You must install TCP/IP to be able to install the SNMP service, even if IPX is installed as the main network protocol.
The SNMP service is implemented as a Windows 32-bit service by using Windows Sockets over both TCP/IP and IPX/SPX. The additional Microsoft MIBs for DHCP, WINS, and the Internet Information Server extend SNMP management to these Windows NT-based services. The agent programs that implement these additional MIBs are referred to as extension-agents. The extension-agent programs work with the master Windows NT-based agent program. These Windows NT-based extension-agents are implemented as Windows 32-bit dynamic-link libraries (DLLs).
The following diagram shows a simple interaction between an SNMP manager computer and a Windows NT-based computer with an SNMP agent program.
Figure 11.3 SNMP Manager and SNMP Agent Interaction
Windows NT SNMP Files
The following table describes the files that are installed on a Windows NT computer with the SNMP service installed.
MIB Implementation Notes
The Windows NT-based SNMP service includes MIB-II, based on RFC 1213, LAN Manager MIB-II, and Microsoft proprietary MIBs for DHCP, Internet Information Server, and WINS servers. Appendix C, "MIB Object Types for Windows NT," contains information about the Windows NT-based MIBs, and a description of each object in the MIB.
The Windows NT-based SNMP service supports multiple MIBs through an agent application programming interface (API). The separate extension-agent DLL is used to access the Windows NT-based MIBs. When the SNMP service is started, it loads the SNMP extension-agent DLLs. The extension-agent DLLs must be defined in the Registry in order to be loaded.
This use of DLLs in the SNMP service architecture allows new MIBs to be easily added. Microsoft and third-party developers can develop MIBs for new hardware and software components and easily integrate the new functionality by using SNMP.
The MIB name space assigned to Microsoft by the IETF starts at the node labeled 1.3.6.1.4.1.311. Microsoft has the authority to assign objects and OIDs to all objects that are developed below that node.
The following table identifies the Windows NT-based MIBs and top-most object (base object) from which all other objects in the MIB are derived. When the SNMP service is started, each extension-agent sends the OID for the base object in its MIB to the master agent program. This process identifies to the master agent the MIBs and managed objects that are actually installed on the computer.
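One way to model the registration and lookup described above, as an added example that is not Microsoft's code. The extension-agent names and the node below 1.3.6.1.4.1.311 are constructed placeholders, and choosing the owner by the longest base OID that matches on whole components is an assumption about how a master agent would decide.

```python
# Added example, not Windows NT code: agent names and the sub-node OID are constructed placeholders.

def parse_oid(dotted):
    """Turn '1.3.6.1.2.1' (a leading dot is tolerated) into a tuple of ints."""
    parts = dotted.strip().lstrip(".").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed OID: {dotted!r}")
    return tuple(int(p) for p in parts)


class MasterAgent:
    """Keeps the base OID each extension-agent announces when the service starts."""

    def __init__(self):
        self.subtrees = {}                      # base OID tuple -> extension-agent name

    def register(self, base_oid, extension_agent):
        self.subtrees[parse_oid(base_oid)] = extension_agent

    def route(self, oid):
        """Return the agent whose base OID is the longest whole-component prefix, else None."""
        target = parse_oid(oid)
        owners = [(len(base), agent) for base, agent in self.subtrees.items()
                  if target[:len(base)] == base]
        return max(owners)[1] if owners else None


def naive_route(subtrees, oid):
    """String-prefix matching, shown for contrast: it confuses ...311 with ...3110."""
    for base, agent in subtrees.items():
        if oid.startswith(".".join(map(str, base))):
            return agent
    return None


def demo_agent():
    """Build a master agent with three constructed registrations."""
    agent = MasterAgent()
    agent.register("1.3.6.1.2.1", "mib2-extension")              # MIB-II subtree (RFC 1213)
    agent.register("1.3.6.1.4.1.311", "vendor-extension")        # Microsoft enterprise node
    agent.register("1.3.6.1.4.1.311.1.2", "service-extension")   # placeholder node below it
    return agent
```

Comparing OIDs as component tuples rather than as strings matters for any filter or access rule keyed on a subtree: 1.3.6.1.4.1.3110 is a different enterprise from 1.3.6.1.4.1.311, yet a string-prefix test treats it as a child.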
SNMP Security Implementation Notes
The SNMP security service is referred to as an authentication service. Simply put, a management request contained within an authenticated SNMP message is processed; a message that cannot be authenticated is not processed.
SNMP uses community names to authenticate messages. The community name can be thought of as a password shared by the SNMP management consoles and the SNMP managed hosts. All SNMP messages must contain a community name. The SNMP agent that receives an SNMP message checks (authenticates) the community name with the community name or names with which the SNMP service is configured. If the message contains a known community name, the message is processed. If the message contains a community name that is not configured on the host, the message is rejected and the host (optionally) sends a trap message to an SNMP management console. The trap message alerts the SNMP management console that a message authentication failure occurred at that host.
The default community name when the SNMP service is installed on a Windows NT-based computer is "public." Additional community names can be added or removed by selecting SNMP Service from the Network Services tab.
If you remove all the community names, including the default name, Public, the SNMP service on that Windows NT-based computer will authenticate and process SNMP messages containing any community name. This may or may not be desirable, but is expected behavior, as described in RFC 1157:
An SNMP message originated by an SNMP application entity that in fact belongs to the SNMP community named by the community component of said message is called an authentic SNMP message. The set of rules by which an SNMP message is identified as an authentic SNMP message for a particular SNMP community is called an authentication scheme. An implementation of a function that identifies authentic SNMP messages according to one or more authentication schemes is called an authentication service. Clearly, effective management of administrative relationships among SNMP application entities requires authentication services that (by the use of encryption or other techniques) are able to identify authentic SNMP messages with a high degree of certainty. Some SNMP implementations may wish to support only a trivial authentication service that identifies all SNMP messages as authentic SNMP messages.
When there are no community names identified, the SNMP service implements the behavior as described in the preceding selection from RFC 1157.
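The community check described in this section, as an added example that is not part of the original chapter or of the Windows NT SNMP service: it decodes a constructed SNMPv1 GetRequest, shows that the community name is carried as a readable octet string, and applies the process, reject and trap rule, including the case where no community names are configured. The function names, the sample packet and the warning texts are assumptions made for illustration.

```python
# Added example, not Windows NT code. Constructed SNMPv1 GetRequest for sysDescr.0, community "public".
SAMPLE = bytes.fromhex(
    "3026020100" "0406" "7075626c6963"        # SEQUENCE, version 0 (SNMPv1), community
    "a019" "020101" "020100" "020100"         # GetRequest: request-id, error-status, error-index
    "300e300c" "06082b06010201010100" "0500"  # varbind list: OID 1.3.6.1.2.1.1.1.0, NULL value
)
PDU_NAMES = {0xA0: "get", 0xA1: "get-next", 0xA3: "set"}

def read_tlv(buf, pos):
    """Read one BER tag-length-value; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long form: low 7 bits count the length octets
        count = length & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    subids, acc = [], 0
    for octet in value:
        acc = (acc << 7) | (octet & 0x7F)
        if not octet & 0x80:
            subids.append(acc)
            acc = 0
    if not subids:
        raise ValueError("empty OID")
    first = min(subids[0] // 40, 2)           # first octet packs the top two arcs as 40*X + Y
    return ".".join(str(n) for n in [first, subids[0] - 40 * first] + subids[1:])

def parse_request(packet):
    """Return (community, operation, first requested OID) of an SNMPv1 request."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(body, 0)
    if version != b"\x00":
        raise ValueError("not SNMPv1")
    _, community, pos = read_tlv(body, pos)   # sent as a plain OCTET STRING, unencrypted
    pdu_tag, pdu, _ = read_tlv(body, pos)
    if pdu_tag not in PDU_NAMES:
        raise ValueError("not a get, get-next or set request")
    pos = 0
    for _field in range(3):                   # skip request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    _, first_varbind, _ = read_tlv(varbinds, 0)
    _, oid, _ = read_tlv(first_varbind, 0)
    return community.decode("latin-1"), PDU_NAMES[pdu_tag], decode_oid(oid)

def agent_decision(packet, configured, send_auth_trap=True):
    """Known name: process. Unknown name: reject, optionally trap. No names: accept any."""
    community, operation, oid = parse_request(packet)
    accepted = not configured or community in configured
    warnings = []
    if not configured:
        warnings.append("no community names configured: any name is accepted")
    if "public" in configured:
        warnings.append("default community name 'public' is still configured")
    trap = "authenticationFailure" if (not accepted and send_auth_trap) else None
    return {"action": "process" if accepted else "reject", "trap": trap,
            "community": community, "operation": operation, "oid": oid, "warnings": warnings}
```

Calling `agent_decision(SAMPLE, [])` returns `process` for any community name, which is the trivial authentication service that the RFC 1157 excerpt allows and that an audit of the configured names should flag.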
Planning for SNMP Installation
Before installing the SNMP service, an administrator must identify the following information:
You configure the SNMP agent by selecting the Agent tab on the Microsoft SNMP Properties page. By default, the optional agent configuration options are checked, as illustrated in the following figure. You only need to add the name of the person to contact, such as the network administrator, and the location of the contact.
Figure 11.4 Configuring the SNMP Agent
Community names provide a rudimentary security scheme for the SNMP service. You can add and delete community names by using the Security tab on the Microsoft SNMP Properties page. You can also filter the type of packets that the computer will accept. The following figure shows the Security tab.
Figure 11.5 Configuring SNMP Security
You must configure the SNMP service with at least one community name. The installation default is the Public community name. You can delete or change the default community name and add multiple community names.
There is no relationship between community names and domain or workgroup names. Community names serve as a shared password for groups of hosts on the network and should be selected and changed as you would any other password. Members of a community (hosts that share the same community name) are typically grouped by their physical proximity.
When the SNMP agent receives an SNMP request that does not contain the correct community name or that came from an unknown host, the SNMP agent can send a trap to one or more trap destinations (SNMP manager programs). The trap message indicates that the request failed authentication.
In the following example, there are two communities — Terraflora and Public.
Figure 11.6 SNMP Community Names
Only the agents and managers that are configured with the same community name can communicate with each other.
The community names that are configured by using the Security tab are used when configuring Trap Destinations.
The SNMP agent generates trap messages, which are sent to an SNMP management console, the trap destination. Trap messages can be generated for changes such as host system startup, shutdown, or password violation. Trap destinations can be configured by a user, but the occurrences which generate a trap message are internally defined by the SNMP agent.
Trap destinations are identified by a computer name, IP address, or IPX address of the host or hosts on the network to which you want the trap messages sent. The trap destination must be a host that is running an SNMP manager program.
You configure the trap destination on a Windows NT-based computer by using the Traps tab on the Microsoft SNMP Properties page to enter the host name, IP address, or IPX address of the computer or computers running an SNMP manager program. The following figure shows the Traps tab of the Microsoft SNMP Properties page.
Figure 11.7 Configuring SNMP Traps
When the SNMP service is installed, a network administrator can:
The following table describes SNMP-related utilities and files provided on the Resource Kit compact disc.
For information on how to use any of the Windows NT-based Resource Kit utilities, see Resource Kit Tools Help.
Starting and Stopping the SNMP Service
After the SNMP service has been installed, it automatically starts when the computer is started and so you will usually not need to start the SNMP service. However, if you stop SNMP, you must then restart it because it does not automatically restart. Stopping a service cancels any network connections the service is using.
You can start and stop the SNMP service at the command prompt by typing the commands net start snmp and net stop snmp. You can also point to Control Panel and double-click the Services icon, then select SNMP and click the Start or Stop service buttons.
You must stop and restart the SNMP service to add new extension-agent DLLs and MIBs.
Note The syntax for the net start snmp and net stop snmp commands has changed in Windows NT 4.0. SNMP error logging parameters are not supported and have been replaced by improved SNMP error handling in the Windows NT Event Log. The syntax for these commands is:
net start snmp
net stop snmp
Using SNMP to Manage DHCP, WINS, and Internet Information Servers
If you have installed the DHCP server, Internet Information Server, or WINS server software on a Windows NT-based computer on the network, you can monitor the DHCP, Internet Information Server, or WINS services by using an SNMP manager program.
The Windows NT-based DHCP server objects and Internet Information Server objects can be monitored, but not configured, using SNMP.
WINS server objects can be configured and monitored by using SNMP. All but a few of the WINS configuration parameters that can be set by editing the Registry can also be set by using SNMP. For information about which WINS parameters can be set by using SNMP, refer to the description of the WINS MIB in Appendix C, "MIB Object Types for Windows NT." WINS objects that are defined with Access read-write can be configured by using SNMP.
Using Performance Monitor Counters with SNMP
All Performance Monitor counters installed on a computer can be viewed by using SNMP. To do this, use the Perf2MIB utility provided on the Windows NT Server Resource Kit compact disc to create a new MIB file which enumerates the counters in which you are interested. For additional information on how to use the Perf2mib.exe utility, see Resource Kit Tools Help.
This section discusses problems that you might encounter using SNMP, and what to do to resolve them.
Using the Event Viewer to Find SNMP Errors
SNMP error handling has been improved in Windows NT Server and Windows NT Workstation version 4.0. Manual configuration of SNMP error-logging parameters has been replaced by improved error handling that is integrated with the Event Viewer. Use the Event Viewer if you suspect a problem with the SNMP Service.
Note Refer to the Windows NT Server Resource Guide for detailed information about using the Event Viewer.
To use Event Viewer
The following figure illustrates an SNMP event display in the Event Viewer.
Figure 11.8 SNMP Event Message
Modifying SNMP Parameters in the Registry
SNMP parameters and information about the SNMP extension-agent DLLs are contained in the Registry. You can view or change this information by using the Registry Editor (Regedt32.exe).
To start the Registry Editor
Windows NT-based SNMP parameters are contained in the Registry in the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SNMP\Parameters
The following table describes the SNMP parameters contained in the Registry.
Timeout on WINS Server Queries
When querying a WINS server, it might be necessary to increase the SNMP timeout period on the SNMP management system. If some WINS queries work and others time out, increase the timeout period.
No Counters Appear in Performance Monitor
You must install the SNMP service to see any of the TCP/IP, Internet Control Message Protocol (ICMP), Network Interface, or UDP performance counters in Performance Monitor. When the SNMP service is installed, the following TCP/IP-related counters are added to Performance Monitor:
SNMP is not automatically installed when you install TCP/IP. See TCP/IP Help for information about installing and configuring SNMP on your local computer.
For more information about Performance Monitor and counters, refer to the Windows NT Server Resource Guide.
Note When the IPX protocol is used as the main network protocol, the TCP/IP objects that can be monitored by using SNMP are null.
Error Using an IPX Address as a Trap Destination
If you enter an IPX address as a trap destination when installing the SNMP service, the following error message may appear when you restart your computer:
This problem occurs if the IPX address has been entered incorrectly, using a comma or hyphen to separate a network number and a MAC address. For example, an SNMP manager program such as HP OpenView may normally accept an address such as this: 00008022,0002C0-F7AABD. However, the Windows NT-based SNMP agent does not recognize an address using a comma or hyphen between the network number and MAC address.
The address used for a trap destination must use the "8.12" format for the network number and Media Access Control (MAC) address.
To correct this problem, enter the IPX address for the trap destination in the 8.12 format. For example, the following format is valid:
where xxxxxxxx is the network number and yyyyyyyyyyyy is the MAC address.
The following books contain more information about SNMP.
Network Management: A Practical Perspective by Allan Leinwand and Karen Fang
The following Requests for Comments (RFCs) are published by the Internet Engineering Task Force (IETF) and other working groups. The RFCs that define SNMP are listed in the following table.
RFCs can be obtained via FTP from: