Monitoring in Windows SBS 2008
Updated: February 16, 2009
Applies To: Windows SBS 2008
By default, Windows SBS 2008 includes two network reports: the Summary Network Report and the Detailed Network Report.
These default network reports include information about the following:
Security. The status of the security components that are running on both your server and all of the client computers in your network.
Updates. The update compliance, the synchronization status, and the current Group Policy settings for both your server and all of the client computers in your network.
Backup. The backup history and results for your server.
Other alerts. The critical alert conditions across the network.
E-mail usage. Incoming and outgoing per-user mail volume and mailbox sizes.
Server event logs. All critical events on the server.
You can customize the services, server event logs, and performance counters that generate alerts by using the Windows SBS Console. For more information about customizing alert notifications, see Configure notification settings.
The following section explains in detail all the items that are monitored in your Windows SBS 2008 network (such as the security components, updates, backups, alerts, e-mail usage, and server event logs). The status of the monitored items is displayed in the network reports. Depending on your business needs, reviewing this section can help you determine the items that you want to monitor and display in your network reports.
Monitoring security components
The list view on the Security tab in the Windows SBS Console displays information about the security components that are installed on your server. If there are issues on your network, you can view a summary that lists all of the computers on your network, the installed Windows SBS 2008 software and applications, and the status of the antivirus, anti-spyware, and anti-malware software. If the status of any security component is critical, this information is displayed in the Security section of the Network Report. For more information about managing each security component, see “Managing Network Security in Windows Small Business Server 2008” at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=141370).
By default, the Security section of the Network Report includes the information about the following:
Security essentials. Displays the names of computers that are reporting at least one security issue, with the status of the antivirus, antispyware, and firewall software on each computer.
Spam protection for e-mail. Displays the number of e-mail messages rejected, the number of e-mail messages scanned, and the version numbers of the Content Filter, Spam Signature, and IP Reputation services. This data is collected from the time that the Exchange Server services were last restarted. For more information about managing spam protection, see “Managing E-Mail Virus and Spam Protection” at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=141371).
Virus protection for e-mail. Displays information about Microsoft® Forefront™ Security for Exchange Server licensed engines, and the version numbers for Forefront Security for Exchange Server and the service pack. For more information about managing virus protection for e-mail, see “Managing E-Mail Virus and Spam Protection” at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=141371).
Server virus and spyware protection. Displays the status of the Microsoft OneCare™ for Real-Time antivirus software, OneCare virus signature, the time of the last tune-up performed on the server, and the time for the next scheduled tune-up.
Server firewall. Displays the status of Windows Firewall and the network location of the server firewall. For information about managing the server firewall, see Managing Firewall protection at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=141785).
Note
If you opted to not install Forefront Security for Exchange or Windows Live OneCare for Server, the corresponding information is not displayed in the reports. Also, if you run third-party security solutions on your network that are compatible with Windows SBS 2008, this data is displayed in the Security section of the Network Report.
Monitoring updates
By monitoring the status of the software updates on all the computers within your network, you can help improve the security of your network. Software updates fix vulnerabilities in software, or they introduce additional security features. To help keep your Windows SBS 2008 network more secure, it is recommended that you install the software updates as soon as they become available. In Windows SBS 2008, the status of the software updates is monitored for all the server and client computers within the network, and the results are reported in the network reports, if you opt to have them reported.
By default, the Updates section of the Network Report includes information about the following:
The number of computers that are missing updates.
The number of computers with updates that were not installed successfully.
The status of the Updates Synchronization, which is the time when the last synchronization took place and when the next synchronization is scheduled.
A summary of the update Group Policy settings. By default, the following Group Policy settings are listed:
Server update approval policy: Automatically approve critical, security, and definition updates only.
Client computer update approval policy: Automatically approve service packs, in addition to critical, security, and definition updates.
Server update installation policy: Computers are set to download updates and to notify users that updates are ready to be installed.
Client computer update installation policy: Computers are set to install updates, and then to restart according to this schedule: Every day at 3:00 AM.
For more information about configuring and managing software updates, see “Managing Software Updates in Windows Small Business Server 2008” at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=141372).
Monitoring for server backup
Monitoring server backup helps you to determine if the backup is running as configured. For more information about configuring server backup, see “Backing Up and Restoring Data on Windows Small Business Server 2008” at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=141373).
By default, the Backup section of the Network Report includes information about the following:
The time when the last backup of the server was performed.
The time when the next backup of the server is scheduled.
Monitoring network alerts
In Windows SBS 2008, alerts are generated and reported in the Other Alerts section of the Network Report, if the following is true:
The network service that you set to generate an alert stops running.
The performance counter that you set to generate an alert exceeds its associated threshold.
The event is detected within the event logs for the server running Windows SBS 2008.
This section lists the network services, performance counters, and the event logs for the server running Windows SBS 2008 that are displayed in the Summary Network Report and the Detailed Network Report.
Network Services Alerts
By default, Windows SBS 2008 monitors network services that are set to start automatically, and then it generates an alert if the service stops. These services are critical to the functioning of your network. The following services are monitored:
Service Display Name | Service Name |
---|---|
Active Directory Certificate Services | CertSvc |
Active Directory Domain Services | NTDS |
Application Experience | AeLookupSvc |
Application Host Helper Service | AppHostSvc |
Background Intelligent Transfer Service | BITS |
Base Filtering Engine | BFE |
COM+ Event System | EventSystem |
Cryptographic Services | CryptSvc |
DCOM Server Process Launcher | DcomLaunch |
Desktop Window Manager Session Manager | UxSms |
DFS Namespace | Dfs |
DHCP Client | Dhcp |
Diagnostic Policy Service | DPS |
Distributed Transaction Coordinator | MSDTC |
DNS Client | Dnscache |
DNS Server | DNS |
File Replication Service | NtFrs |
File Server Resource Manager | SrmSvc |
Group Policy Client | Gpsvc |
IIS Admin Service | IISAdmin |
IKE and AuthIP IPsec Keying Modules | IKEEXT |
Intersite Messaging | IsmServ |
IP Helper | Iphlpsvc |
IPsec Policy Agent | PolicyAgent |
Kerberos Key Distribution Center | Kdc |
KtmRm for Distributed Transaction Coordinator | KtmRm |
Microsoft Exchange Active Directory Topology Service | BITS |
Microsoft Exchange Anti-spam Update | MSExchangeAntispamUpdate |
Microsoft Exchange File Distribution | MSExchangeFDS |
Microsoft Exchange Information Store | MSExchangeIS |
Microsoft Exchange Mail Submission | MSExchangeMailSubmission |
Microsoft Exchange Mailbox Assistants | MSExchangeMailboxAssistants |
Microsoft Exchange Replication Service | MSExchangeRepl |
Microsoft Exchange Search Indexer | MSExchangeSearch |
Microsoft Exchange Service Host | MSExchangeServiceHost |
Microsoft Exchange System Attendant | MSExchangeSA |
Microsoft Exchange Transport | MSExchangeTransport |
Microsoft Exchange Transport Log Search | MSExchangeTransportLogSearch |
Netlogon | Netlogon |
Network List Service | Netprofm |
Network Location Awareness | NlaSvc |
Network Policy Server | IAS |
Network Store Interface Service | Nsi |
OneCare AntiSpyware and AntiVirus | OneCareMP |
Plug and Play | PlugPlay |
Print Spooler | Spooler |
Remote Procedure Call (RPC) | RpcSs |
Remote Registry | RemoteRegistry |
Secondary Logon | Seclogon |
Security Accounts Manager | SamSs |
Server | LanmanServer |
Server Infrastructure License Service | Silsvc |
Shell Hardware Detection | ShellHWDetection |
Software Licensing | Slsvc |
SQL Server (SBSMONITORING) | MSSQL$SBSMONITORING |
SQL Server FullText Search (SBSMONITORING) | msftesql$SBSMONITORING |
SSDP Discovery | SSDPSRV |
System Event Notification Service | SENS |
Task Scheduler | Schedule |
TCP/IP NetBIOS Helper | Lmhosts |
Terminal Services | TermService |
Terminal Services Gateway | TSGateway |
Update Services | WsusService |
UPnP Device Host | Upnphost |
User Profile Service | ProfSvc |
Windows Error Reporting Service | WerSvc |
Windows Event Log | EventLog |
Windows Firewall | MpsSvc |
Windows Internal Database (MICROSOFT##SSEE) | MSSQL$MICROSOFT##SSEE |
Windows Live OneCare | Wins |
Windows Live OneCare Health Monitor | OcHealthMon |
Windows Management Instrumentation | Winmgmt |
Windows Remote Management (WS-Management) | WinRM |
Windows SharePoint Services Timer | SPTimerV3 |
Windows SharePoint Services Tracing | SPTrace |
Windows SharePoint Services VSS Writer | SPWriter |
Windows Time | W32Time |
Windows Update | Wuauserv |
Workstation | LanmanWorkstation |
World Wide Web Publishing Service | W3SVC |
You can customize the network services that generate alerts by using the Windows SBS Console. For more information about customizing alert notifications, see Configure notification settings.
Performance Counter Alerts
By default, an alert is generated when any server or client computer in the network has low disk space, which is less than 10% available across all volumes.
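The two default alert conditions described above (a monitored auto-start service that has stopped, and a volume with less than 10% free space) can be checked by hand on the server. This is an added example, not part of the original page and not how Windows SBS implements its alerts; it queries the local server only, uses a subset of the service names from the table, and assumes the 10% threshold is evaluated per fixed volume.

```powershell
# Added example: manual check of the two default alert conditions.
# Subset of the service names listed in the table above; extend as needed.
$monitored = 'NTDS', 'DNS', 'Kdc', 'Netlogon', 'CertSvc', 'CryptSvc',
             'EventLog', 'MpsSvc', 'WsusService', 'W32Time',
             'MSExchangeIS', 'MSExchangeTransport', 'MSSQL$SBSMONITORING'

# Condition 1: a monitored service set to start automatically is not running.
$stopped = Get-WmiObject -Class Win32_Service |
    Where-Object {
        $monitored -contains $_.Name -and
        $_.StartMode -eq 'Auto' -and
        $_.State -ne 'Running'
    } |
    Select-Object Name, DisplayName, State

# Condition 2: a local fixed volume (DriveType 3) has less than 10% free.
# Assumption: the threshold is applied to each volume separately.
$thresholdPercent = 10
$lowDisk = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 3' |
    Where-Object { $_.Size -gt 0 } |
    Select-Object DeviceID,
        @{ Name = 'PercentFree'
           Expression = { [math]::Round(100 * $_.FreeSpace / $_.Size, 1) } } |
    Where-Object { $_.PercentFree -lt $thresholdPercent }

if ($stopped) {
    'Auto-start services from the monitored list that are not running:'
    $stopped | Format-Table -AutoSize
} else {
    'All checked auto-start services are running.'
}

if ($lowDisk) {
    "Volumes below $thresholdPercent% free space:"
    $lowDisk | Format-Table -AutoSize
} else {
    "No fixed volume is below $thresholdPercent% free space."
}
```

A monitored service whose start mode has been changed from Automatic to Manual or Disabled does not appear in the first result, which matches the page's statement that only services set to start automatically are monitored.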
Server Event Log Alerts
Windows SBS 2008 monitors a specific set of events across the event logs. If any of the following events are detected, an alert is generated and displayed in the Other Alerts section of the reports.
By default, you receive e-mail notifications for the following server event logs:
An FSMO role is out of compliance and cannot be corrected automatically
A router port is open
An application is blocked by the Windows Firewall
An error occurred in the Active Directory Domain Services
An external forest trust is not permitted and cannot be fixed automatically
Cannot detect Internet Connection
Domain Controller licensing error
Domain Name Status Alert
Domain provider authentication error
Domain provider connection error
External DHCP server found
Forefront Security for Exchange Server Engine Updates (Event ID 7004)
Forefront Security for Exchange Server Engine Updates (Event ID 7007)
Forefront Security License—Expired (Event ID 7030)
Forest trust licensing error
FSMO roles licensing error
Leaf certificate expiring
Licensing error for the additional server check
Licensing error for the additional server number check
Network router not found
OneCare Event 10010
OneCare Free Trial Expiration
OneCare Grace Period
OneCare Paid Subscription Expiration
Root certificate expiring
The additional server does not comply with the license policy
The domain controller does not comply with the license policy
The domain is deleted from the forest trust list
The external check for licensing has failed
The FSMO role does not comply with the license policy
The licensing component cannot load the server policies onto this server
The Licensing Enforcement service cannot load the external checks for licensing
The number of additional servers does not comply with the license policy
The numbers of user accounts and computers in the domain might exceed the maximum allowed
The server did not pass the external checks for licensing
The server has a trust with an external forest that is not permitted
The server must shut down, your environment does not comply with the licensing policy
You can customize the server event logs that generate alerts by using the Windows SBS Console. For more information about customizing server event log notifications, see Configure notification settings.
Monitoring E-Mail Usage and Mailbox Sizes
Windows SBS 2008 retrieves and stores all the e-mail messages for your organization and sets default quotas on the size of Exchange Server mailboxes for individual users, which saves disk space on the server. Monitoring e-mail usage and mailbox sizes helps you know how many e-mail messages are sent and received within your network and whether user accounts are reaching their mailbox quota limits.
In Windows SBS 2008, e-mail usage and mailbox size for each network user account is reported in the E-Mail Usage and Mailbox Sizes section of the Network Report. The data is collected for the past 24 hours, from the time when the report was run. For each user account, the following information is reported:
Total number of e-mail messages sent.
Total number of e-mail messages received.
Mailbox size (in MB).
Mailbox quota (in MB).
Monitoring Server Event Logs
Server Event log files contain important information about the hardware, software, and system problems that occur on the server running Windows SBS 2008. The information is recorded as chronological messages in the log. You can use these messages to monitor and troubleshoot the server running Windows SBS 2008. In Windows SBS 2008, all the critical events that are listed in the Server Event logs are reported in the Server Event Logs section of the Network Report. If you have third-party applications that are running on the server, critical events that are reported for these applications are also displayed in the network reports.