Microsoft SNMP Services
By Todd Lammle, with Monica Lammle and James Chellis
Chapter 12 from MCSE: TCP/IP for NT Server 4 Study Guide, published by Sybex, Inc.
In this chapter we're going to look at Simple Network Management Protocol (SNMP). Sound simple? Not really. SNMP is actually a pretty complex protocol, but it is simple to administrate—that's the beauty of it!
We'll start out by explaining the purpose of SNMP and the different operations performed by an SNMP agent and an SNMP manager. Then we'll define Management Information Base (MIB) and show you how to install and configure the Microsoft SNMP service.
An SNMP Overview
SNMP (Simple Network Management Protocol) is a very important protocol in the TCP/IP suite. It allows you to monitor and manage a network from a single workstation or several workstations, called SNMP managers. SNMP is actually a family of specifications that provide a means for collecting network management data from the devices residing in a network. It also provides a method for those devices to report any problems they are experiencing to the management station. From an SNMP manager, you can query the network's devices regarding the nature of their functions. Examples of machines you'd want to monitor include:
Computers running Windows NT
LAN Manager servers
Routers and gateways
Minicomputers or mainframe computers
Figure 12.1 shows the network administrator at an SNMP management station making queries to various devices on the internetwork. A router can be queried for the contents of its routing table, or for statistics relating to the amount of traffic it's forwarding. A mainframe computer can be surveyed to determine which ports are listening for requests, or what connections have been established with clients. A Windows NT computer can also be monitored, and can alert the manager of pertinent events, such as when a particular host is running out of hard disk space. Regardless of the type of device that is queried, the SNMP agent on the device is able to return meaningful, highly useful information to the manager.
Figure 12.1: SNMP Managers and SNMP Agents
Note: SNMP is defined in RFC 1157.
Management Systems and Agents
SNMP uses a distributed architecture consisting of management systems and agents. It works like this: The manager first submits a request to the agent either to obtain or to set the value of a networking variable within the agent's Management Information Base (MIB). The agent satisfies the request according to the community name accompanying the request. A community name can be compared to a password, and will be discussed more thoroughly later in the chapter.
The SNMP protocol is simple in that only five types of commands are defined within it. They are:
GetRequest: The command used by the manager to request information from an agent.
GetNextRequest: Also employed by the manager, this command is used if the information desired is contained within a table or array. The manager can use this command repeatedly until the complete contents of the array have been acquired.
GetResponse: The queried agent uses this command to satisfy a request made by the manager.
SetRequest: The manager uses this command to change the value of a parameter within the agent's MIB.
Trap: A special command the agent uses to inform the manager of a certain event.
Figure 12.2 outlines the primary function of the management system—requesting information from an agent. A management system is any computer running the SNMP management software. This system can initiate the GetRequest, GetNextRequest, and the SetRequest operations.
Figure 12.2: Management systems and agents
An SNMP agent is any computer running SNMP agent software—most often, a server or router. The chief obligation of an SNMP agent is to perform the tasks initiated by the GetRequest, GetNextRequest, and SetRequest commands, as required by a management system. The Microsoft SNMP service is the SNMP agent software. The only operation initiated by an agent is through the trap command, which alerts management systems to an extraordinary event, such as a password violation.
MIB: The Management Information Base
A MIB describes the objects, or entries, that are to be included in the SNMP agent database. For this reason, SNMP agents are sometimes referred to as MIBs. Objects in a MIB must be defined so that developers of the management station software will know which objects are available, the object names, and their related values. This information is included in a MIB specification.
A MIB records and stores information about the host it is running on. An SNMP manager can request and collect information from an agent's MIB, as well as inspect or alter the objects contained therein. For example, from the SNMP manager you can examine the number of sessions that have taken place on a certain remote host. The Microsoft SNMP service supports Internet MIB II, LAN Manager MIB II, DHCP MIB, and WINS MIB. Here's a description of each of these MIBs.
Internet MIB II: A superset of the previous standard, Internet MIB I. It defines 171 objects essential for either fault or configuration analysis. Internet MIB II is defined in RFC 1213.
LAN Manager MIB II for Windows NT: Contains a set of objects specifically designed to support computers running Windows NT. It defines approximately 90 objects that include items such as statistical, share, session, user, and logon information. Most LAN Manager MIB II objects have read-only access because of the insecure nature of SNMP.
DHCP MIB: Windows NT includes a DHCP MIB that defines objects to monitor DHCP server activity. This MIB (DHCPMIB.DLL) is automatically installed when the DHCP server service is installed. It contains approximately 14 objects for monitoring DHCP, such as the number of DHCP discover requests received, the number of declines, and the number of addresses leased out to clients.
WINS MIB: Windows NT includes a WINS MIB that defines objects to monitor WINS server activity. This MIB (WINSMIB.DLL) is automatically installed when the WINS server service is installed. It contains approximately 70 objects for monitoring WINS, such as the number of resolution requests successfully processed, the number of resolution requests that failed, and the date and time of the last database replication.
Microsoft's SNMP Service
In order to take advantage of Microsoft's NT SNMP services, you must have an SNMP manager that can monitor and display SNMP alerts. The Microsoft SNMP service provides SNMP agent services to any TCP/IP host that's running the SNMP management software. Microsoft SNMP service can run on Windows NT, as long as it's also running TCP/IP.
There are two methods that the Microsoft SNMP service management software can employ to collect information about devices. One way is to have devices send alerts to an SNMP manager or to any other manager within the community. Another method is to have the SNMP manager poll devices every few seconds, minutes, or hours.
If you add the public community to the alert list, any management station within the community will receive alerts and be able to make changes to the configuration.
Microsoft's SNMP service can use a HOSTS file, DNS, WINS, or the LMHOSTS file to perform host name-to-IP address translation, and to identify which hosts it will report information to and receive requests from. It also enables counters for monitoring TCP/IP performance using Performance Monitor.
Planning and Preparing for Implementation
If you plan to use the SNMP service with a third-party manager, you'll need to:
Record the IP addresses and host names of participating hosts.
Add host name/IP address mappings to the appropriate name resolution resource.
Identify the third-party management systems and Microsoft SNMP agents.
Host Names and IP Addresses
When installing the SNMP service on an agent, make sure you have the host names or IP addresses of the hosts to which your system will send SNMP traps, as well as those to which your system will respond regarding SNMP requests.
Host Name Resolution
The SNMP service uses normal Windows NT host name resolution methods to resolve host names to IP addresses. If you use host names, be sure to add all host name/IP address mappings of the participating computers to the appropriate resolution sources (such as the HOSTS file, DNS, WINS, or the LMHOSTS file).
Management Systems and Agents
A management system is any computer running the TCP/IP transport and third-party SNMP manager software. The management system requests information from an agent. To use the Microsoft SNMP service, you need at least one management system.
An SNMP agent is a Windows NT-based computer running the Microsoft SNMP service. The agent provides the management system with requested status information and reports any extraordinary events.
Defining SNMP Communities
Before you install SNMP, you'll need to define an SNMP community. A community is a group to which hosts running the SNMP service belong. A community parameter is simply the name of that group by which SNMP communities are identified. The use of a community name provides some security and context for agents receiving requests and initiating traps, and does the same for management systems and their tasks. An SNMP agent won't respond to a request from a management system outside its configured community, but an agent can be a member of multiple communities at the same time. This allows for communications with SNMP managers from different communities. Figure 12.3 illustrates how a community name is used.
Figure 12.3: How an SNMP community is used to group hosts
In Figure 12.3, Host A can receive and send messages to Host Manager B because they are both members of the Public 1 Community. Hosts C through E can receive and send messages to Manager F because all these machines are members of the default public community.
SNMP Installation and Configuration
Okay, now we're going to talk about installing and configuring the SNMP service on a Windows NT computer. If you want to monitor TCP/IP with Performance Monitor, you'll need to install the SNMP service. Also, if you want to monitor a Windows NT-based computer with a third-party application, you'll need to configure the SNMP service.
SNMP Service Security
There is minimal-level security available with SNMP that is inherent in the processes of management and agent systems when initiating and receiving requests and traps. However, don't allow yourself to be lulled into a false sense of security! If your SNMP-managed network is connected to the Internet, or any public internetwork, a firewall should be in place to prevent intrusion from outside SNMP management consoles. When installing SNMP, keep in mind the following security configuration options:
Send Authentication Trap: Used if you want the computer to send a trap for a failed authentication. When the SNMP service receives a management request that does not contain or match the community name, the SNMP service can send a trap to the trap destination.
Accepted Community Names: This specifies community names from which the computer will accept requests. A host must belong to a community that appears in this list for the SNMP service to accept requests from that host. Typically, all hosts belong to the community named public.
Accept SNMP Packets from Any Host: By default, this option is checked. When it is checked, the computer accepts packets from everybody.
Only Accept SNMP Packets from These Hosts: If checked, the computer should only accept packets from hosts that have specific IP or IPX addresses, plus the host name that's in the associated box.
Installing and Configuring the SNMP Service
From the Control Panel, double-click Network.
From the Network Settings dialog box, click Add.
Click the Services tab and then click Add. The Select Network Services dialog box appears.
Click SNMP Service and then click OK.
Type the path to the distribution files.
After the appropriate files are copied to the computer, the SNMP Service Configuration dialog box appears. Configure the following parameters:
Send Trap with Community Names: The community name to which traps are sent. A management system must belong to the designated community to receive traps. The default community name for all hosts is Public.
The Trap Destination: The trap destination consists of names or IP addresses of hosts to which you want the SNMP service to send traps. If you use a host name, make sure it can be resolved so the SNMP service can map it to the IP address.
SNMP Agent Services
A Simple Network Management Protocol agent is a database of information about a device, and/or its environment, which is installed on the device designated for management or monitoring. Data contained in the agent database depends on the specific function of the devices that are to be monitored. The agent in the managed device doesn't volunteer information, because doing so would take away from its primary function. The only exception to this rule is that an agent will send an alarm to the management station if a critical threshold is crossed. Microsoft SNMP agent services give a Windows NT-based computer the ability to provide an SNMP management system with the information on activity that occurs at different layers of the Internet Protocol suite.
Assuming that TCP/IP and SNMP have already been installed, click SNMP Properties to access a menu, which is broken down into three parts: Agent, Traps, and Security. The SNMP configuration that you'd enter is the same information that you would enter under Windows NT 3.5x.
To configure the SNMP Agent, select the Agent tab on the Microsoft SNMP Properties page. Under Service, select the type of service to report. Select all boxes that indicate network capabilities provided by your NT computer. SNMP must have this information to manage the enabled services. Notice that Applications, Internet, and End-to-End are default services.
The SNMP agent generates trap messages that are then sent to an SNMP management console—the trap destination. Trap destinations are identified by a computer name, IP address, or IPX address of the host or hosts on the network to which you want the trap messages sent. The trap destination must be a host that is running an SNMP manager program. To configure the trap destination on a Windows NT 4.0 computer, use the Traps tab in the Microsoft SNMP Properties page to enter the host name, IP address, or the IPX address of the computer(s) running an SNMP manager program.
Community names provide a rudimentary security scheme for the SNMP service. You can add and delete community names by using the Security tab on the Microsoft SNMP Properties page. You can also filter the type of packets that the computer will accept. You must configure the SNMP service with at least one community name. The default name is Public.
Configuring the SNMP Agent
In the Microsoft SNMP Properties dialog box, click the Agent tab.
Fill in the Contact and Location Information on the Agent page.
Choose the Service types, or accept the defaults.
Choose the Traps tab.
Add a new Community Name if needed; Public is the default.
Add the Trap Destination host or hosts.
Choose the Security tab.
Add any new names under Accepted Community Names, then choose Add.
Restart the computer.
How to Spot SNMP Service Errors
After SNMP is installed, you can then view SNMP errors from the Event Viewer system log. The Event Viewer will record all events occurring with the system components of SNMP—even failure of the SNMP service to start. The Event Viewer is the first place you should look to identify any possible problems relevant to the SNMP service.
The SNMPUTIL Utility
The SNMPUTIL.EXE utility is available only in the Windows NT 4.0 Resource Kit. This utility verifies whether the SNMP service has been correctly configured to communicate with SNMP management stations. SNMPUTIL makes the same SNMP calls as an SNMP management station, as shown in the following example:
snmputil command agent community object_identifier_(OID)
The valid commands are:
get: Get the value of the requested object identifier
getnext: Get the value of the next object following the specified object identifier
walk: Step (walk) through the MIB branch specified by the object identifier
If you wanted to determine the number of DHCP server addresses leased by a DHCP server named MAXamillion in the public community, you would issue the following command:
snmputil getnext MAXamillion Public .1.3.6.1.4.1.311.1.3.2.1.1.1
The command will respond with the OID and counter value for the object ID in question, which is the number of IP leases that are issued.
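How walk reduces to repeated getnext calls, and why a column OID needs getnext rather than get, shown as an added example that is not from the book or from SNMPUTIL itself. ToyAgent, the helper names and the sample values are assumptions; the OIDs are standard MIB-II (RFC 1213) system and interface objects.

```python
import bisect

def oid(text):
    """Parse dotted notation (leading dot allowed) into a tuple of integer arcs."""
    return tuple(int(arc) for arc in text.strip(".").split("."))

class ToyAgent:
    """In-memory stand-in for an agent's MIB: maps object instances to values."""

    def __init__(self, objects):
        self.values = {oid(k): v for k, v in objects.items()}
        # Tuples of ints compare arc by arc, numerically: the MIB's own ordering.
        self.order = sorted(self.values)

    def get(self, name):
        """get: exact instance only; None stands for a noSuchName error."""
        return self.values.get(name)

    def getnext(self, name):
        """getnext: first instance strictly after name, or None at end of MIB."""
        i = bisect.bisect_right(self.order, name)
        if i == len(self.order):
            return None
        nxt = self.order[i]
        return nxt, self.values[nxt]

def walk(agent, root):
    """walk: repeat getnext from root until the reply leaves root's subtree."""
    found, current = [], root
    while True:
        step = agent.getnext(current)
        if step is None or step[0][:len(root)] != root:
            return found
        found.append(step)
        current = step[0]

# Constructed sample data using standard MIB-II (RFC 1213) object identifiers.
AGENT = ToyAgent({
    ".1.3.6.1.2.1.1.1.0": "constructed sysDescr",
    ".1.3.6.1.2.1.1.5.0": "constructed sysName",
    ".1.3.6.1.2.1.2.2.1.2.1": "loopback",     # ifDescr, ifIndex 1
    ".1.3.6.1.2.1.2.2.1.2.2": "ethernet0",    # ifDescr, ifIndex 2
    ".1.3.6.1.2.1.2.2.1.2.10": "ethernet1",   # ifDescr, ifIndex 10
    ".1.3.6.1.2.1.2.2.1.5.1": 10000000,       # ifSpeed, ifIndex 1
})
IF_DESCR = oid(".1.3.6.1.2.1.2.2.1.2")
```

A walk from a high root such as .1.3.6.1.2.1 returns every object the community can read, which is why the accepted community names and permitted hosts on the agent matter.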
How SNMP Works
Figure 12.4 illustrates how SNMP works and responds to a third-party management system request:
Figure 12.4: How SNMP works
A third-party SNMP management system running on Host 1 requests the number of active sessions from a Microsoft SNMP agent. The SNMP management system uses the host name to send the request. The request is passed by the application to socket (UDP port) 161. The host name is resolved by using the HOSTS file, DNS, WINS, B-node broadcast, or LMHOSTS.
An SNMP message that contains the GetRequest command is formed to discover the number of active sessions with the community name of public.
The Host 2 Microsoft SNMP agent receives the message and verifies the community name, and checks whether the message has been corrupted in any way. If the community name is wrong, or the message got corrupted somewhere along the way, it's discarded. If the message is valid and the community name is correct, then the host verifies the IP address to make sure the address is authorized to accept messages from the management station.
An SNMP message stating that eight sessions are active is then sent back to the SNMP manager.
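The agent-side checks in the steps above, combined with the Accepted Community Names, host filter and Send Authentication Trap options from the security section, as an added example that is not code from the book or from the Microsoft SNMP service. The function names, the decision strings and the 192.0.2.x addresses are assumptions; the sample message is constructed, and it shows that the community name travels in the datagram as plain bytes.

```python
import ipaddress

# BER tags of the five SNMPv1 PDU types listed earlier in the chapter.
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}

def tlv(tag, body):
    """Encode one BER tag-length-value (short-form length is enough here)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Decode one TLV at pos; return (tag, value, next_pos) or raise ValueError."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def parse_snmpv1(datagram):
    """Return (community, pdu_name) from an SNMPv1 message."""
    tag, msg, end = read_tlv(datagram, 0)
    if tag != 0x30 or end != len(datagram):
        raise ValueError("not one SEQUENCE")
    tag, version, pos = read_tlv(msg, 0)
    if tag != 0x02 or version != b"\x00":  # version field 0 means SNMPv1
        raise ValueError("not SNMPv1")
    tag, community, pos = read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("community missing")
    tag, _pdu, _ = read_tlv(msg, pos)
    if tag not in PDU_TYPES:
        raise ValueError("unknown PDU type")
    return community.decode("ascii", "replace"), PDU_TYPES[tag]

def agent_decision(datagram, source_ip, accepted, permitted_hosts, auth_trap=True):
    """Apply the checks in the order the steps give: message, community, host."""
    try:
        community, pdu = parse_snmpv1(datagram)
    except ValueError:
        return "discard"
    if community not in accepted:  # exact, case-sensitive match
        return "discard+auth-trap" if auth_trap else "discard"
    # Empty set models "Accept SNMP Packets from Any Host" (the default).
    if permitted_hosts and ipaddress.ip_address(source_ip) not in permitted_hosts:
        return "discard"
    return "process " + pdu

def sample_get(community):
    """Constructed GetRequest for sysUpTime.0 (1.3.6.1.2.1.1.3.0, MIB-II)."""
    name = tlv(0x06, bytes([0x2B, 6, 1, 2, 1, 1, 3, 0]))
    varbinds = tlv(0x30, tlv(0x30, name + tlv(0x05, b"")))
    ints = tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00")
    pdu = tlv(0xA0, ints + varbinds)  # request-id 1, error-status 0, error-index 0
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community.encode()) + pdu)

MANAGERS = {ipaddress.ip_address("192.0.2.10")}  # constructed manager address
```

With the default empty host list, the community name is the only gate, and anyone who can observe one request can read it from the packet.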
SNMP permits the monitoring and managing of a network from a single workstation or several workstations, called SNMP managers. It's a family of specifications that provide a means for collecting network management data from the devices residing in a network. With an SNMP manager, you can query the network's devices regarding the nature of their functions.
A MIB describes the objects, or entries, that are to be included in the SNMP agent database. SNMP agents are sometimes referred to as MIBs. An SNMP manager can request and collect information from an agent's MIB. It can also inspect or alter the objects contained in it. The Microsoft SNMP service supports Internet MIB II, LAN Manager MIB II, DHCP MIB, and WINS MIB.
The security available with SNMP is minimal. If your SNMP-managed network is connected to the Internet, or any public internetwork, a firewall should be in place to prevent intrusion from outside SNMP management consoles.
The NT TCP/IP test will cover a couple of SNMP objectives. Be sure and understand Security (or lack of), how to send and receive traps, and how SNMP works with Performance Monitor. The questions below will help you get an understanding.
You have an NT server with the SNMP service loaded, and you want to prevent this server from being managed by unauthorized SNMP management stations. What should you do?
Disable the Guest account on the server.
Configure the server to accept SNMP packets from specified hosts only.
Assign Permissions for the MIB file to the INTERACTIVE special group only.
On the server, define a password for the SNMP community name.
You're working at your NT Server. You want the SNMP service on your NT Server computer to send trap messages to an SNMP management station. Which information must you supply when you configure the SNMP service?
The IP address of the SNMP management station
The subnet mask assigned to the SNMP management station
A community name defined on the SNMP management station
The administrator's user account and password for the SNMP management station
You're working at your UNIX Server. You want to view TCP/IP protocol statistics for a Windows NT Server. Both computers are on the same subnet. What should you use?
UNIX: Protocol analyzer SERVER: Network Monitor agent
UNIX: SNMP management software SERVER: The SNMP service
UNIX: Performance Monitor SERVER: The SNMP Service
UNIX: NETSTAT.EXE SERVER: Network Monitor Agent
From your NT workstation, you want to use Performance Monitor to collect statistics for all TCP/IP traffic on the NT Server computers. What should you do?
Configure each server as a DHCP client.
Configure each server to use WINS.
Install the SNMP service on each server.
Run the NETSTAT utility on each server.
Run the NBTSTAT utility on each server.
You want to add SNMP to your NT workstation, but you don't want just anybody getting in and changing your MIBs. What security option should you put in place to stop SNMP packets from being tweaked by unwanted visitors?
Your company's network manager has set up your NT workstation to respond to SNMP requests coming from an SNMP management system. While doing so, she told you all about the sort of stuff the management system will be requesting. What are the operations she told you will be requested by the SNMP management system?
About the Authors
Todd Lammle is a Microsoft Certified Trainer (MCT) with over fifteen years of experience with LANs and WANs. He is president of GlobalNet Systems, a network integration firm in Colorado.
Monica Lammle is a Microsoft Certified Product Specialist (MCPS) in TCP/IP.
James Chellis, a Microsoft Certified Professional (MCP), is president of EdgeTek Computer Education, a national network training company and Microsoft Solution Provider.
Copyright © 1997 by Sybex, Inc.