
Monitoring Computers

New in the Windows Server 2008 Event Viewer is the Windows Event Collector Service, which allows you to configure a single server as a repository of Event Viewer information for multiple computers. The Event Collector Service creates and manages subscriptions to one or more remote computers; these subscriptions collect events that match the criteria of an event filter that you define. The Event Collector service uses the WS-Management protocol to communicate with remote computers and transfer event log information from an event source to the local event log service. Subscriptions can be collector initiated (the destination computer polls the source computers to pull the relevant information) or source computer initiated (each source computer must be configured to push the relevant information to the server that has been configured as the repository).

Event Forwarding
With event forwarding, you can send events that match specific criteria to an administrative computer, allowing you to centralize event management. This allows you to view a single log and see the most important events from computers anywhere in your organization, rather than needing to connect to the local event logs on individual computers. With event forwarding, the critical information in the event log becomes much more accessible.

You must start the following services and make the following changes.

On the forwarding computer (source):
1. Start Windows Remote Management (winrm quickconfig).
2. Add the computer account of the collector computer to the local Event Log Readers group on each of the forwarding computers.
3. Create a Windows Firewall exception for the HTTP protocol.

On the collecting computer:
1. Start the Windows Event Collector service (wecutil qc).

You might also need to create a Windows Firewall exception on the collecting computer, depending on the delivery optimization technique you choose. Only Windows Vista, Windows Server 2008, and Windows Server 2003 R2 can act as collecting computers. Only Windows XP with Service Pack 2, Windows Server 2003 with SP1 or SP2, Windows Server 2003 R2, Windows Vista, and Windows Server 2008 can act as forwarding computers. Note: Before computers running Windows XP or Windows Server 2003 can act as forwarding computers, you must install WS-Management 1.1.

Configuring the Forwarding Computer

On each source computer, enable WinRM (the Windows Remote Management service): at a command prompt with administrative privileges, run winrm quickconfig.

Windows displays a message similar to the following:

WinRM is not set up to allow remote access to this machine for management. The following changes must be made: Create a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine. Enable the WinRM firewall exception. Make these changes [y/n]?

Type Y, and then press Enter.

Next, you must add the computer account of the collector computer to the local Event Log Readers group on each of the forwarding computers. You can do this manually, or automatically from a script or command prompt, by running the following command (the group name contains spaces, so it must be quoted):

net localgroup "Event Log Readers" <computer_name>$@<domain_name> /add

For example, to add the computer SERVER1 in the contoso.com domain, you would run the following command:

net localgroup "Event Log Readers" server1$@contoso.com /add

Configuring the Collecting Server

To configure Windows Vista or Windows Server 2008 to collect events, open a command prompt with administrative privileges. Then run the following command to configure the Windows Event Collector service:

wecutil qc

In Windows Server 2008 you can also simply select the Subscriptions node in the console tree of Event Viewer; Event Viewer will then prompt you to configure the Windows Event Collector service to start automatically. The node is at Start > Administrative Tools > Server Manager > Diagnostics > Event Viewer > Subscriptions.

Creating an Event Subscription


In Event Viewer (under the Diagnostics node in Server Manager), right-click Subscriptions, and choose Create Subscription.

In the Subscription Name box, type a name for the subscription. Optionally, type a description. You can create two types of subscriptions:

Collector initiated: The collecting computer contacts the source computers to retrieve events. Click the Select Computers button to add them.

Source computer initiated: The forwarding computers contact the collecting computer. Select Source Computer Initiated, and then click Select Computer Groups. Click Add Domain Computers or Add Non-Domain Computers to add either type of computer. If you add non-domain computers, they need to have a computer certificate installed; click Add Certificates to add the certification authority (CA) that issued the certificate to the non-domain computer.

When adding collector-initiated computers, it is good to know that you can test the connectivity.

If you click the Test button, you may receive an error message telling you that the collector cannot talk to the source. If you have not run the winrm quickconfig command on the source computer, the connectivity test will fail.

Now we need to configure the list of Events that we are interested in.

These are the default events available on any Windows Server 2008 computer; alternatively, you can write an XML query and paste it into the XML tab. You choose the events to collect with a filter that you define: you can restrict it to Errors and Warnings only, to certain sources, to Event ID numbers within certain ranges, to keywords, and so on. Just make sure not to select too much.

Here you can configure how clients forward events to the server, for example when getting the logs over slow WAN links.

Configuring Event Forwarding to Use HTTPS

Although standard HTTP transport uses encryption for forwarded events, you can configure event forwarding to use the encrypted HTTPS protocol. In addition to the steps described in the section entitled Configuring the Forwarding Computer earlier in this chapter, you must:

1. Configure the computer with a computer certificate. You can do this automatically in Active Directory environments by using an enterprise CA.
2. Create a Windows Firewall exception for TCP port 443. If you have configured Minimize Bandwidth or Minimize Latency Event Delivery Optimization for the subscription, you must also configure a computer certificate and an HTTPS Windows Firewall exception on the collecting computer.
3. Run the following command at a command prompt with administrative privileges: winrm quickconfig -transport:https

On the collecting computer you must view the Advanced Subscription Settings dialog box for the subscription and set the Protocol box to HTTPS. Additionally, the collecting computer must trust the CA that issued the computer certificate (which happens automatically if an enterprise CA issued the certificate and both the forwarding computer and the collecting computer are part of the same Active Directory domain).

In the Subscription Properties dialog box, click OK to create the subscription. By default, normal event subscriptions check for new events every 15 minutes. You.

Here you can right-click the subscription to get the Runtime Status and also Retry if it fails. Notice that even if you see the green icon here, collecting the logs might still fail, so make sure to check Runtime Status.
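As an added example that is not part of the original guide, the following PowerShell script does from the command line what the wizard above does: it writes a collector-initiated subscription with an XML event filter of the kind the XML tab accepts, registers it with wecutil cs, and then checks the runtime status the text warns about. The host names, the subscription name and the Security event ID range are constructed for the example.

```powershell
# Added example (not from the original guide): create the collector-initiated
# subscription from the command line instead of the Event Viewer wizard.
# Assumptions, all constructed for this example: the collector has already run
# "wecutil qc"; the sources SERVER2.contoso.com and SERVER3.contoso.com have run
# "winrm quickconfig" and have the collector's computer account in their local
# Event Log Readers group; the subscription name is made up.

$subscriptionName = 'FileServers-Errors'                       # constructed name
$sources = @('SERVER2.contoso.com', 'SERVER3.contoso.com')     # constructed hosts

# The event filter, in the same XPath form that the XML tab of the wizard accepts:
# Critical (1), Error (2) and Warning (3) events from System and Application,
# plus Security events whose ID falls in the constructed range 4624-4634.
$query = @'
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
    <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
  </Query>
  <Query Id="1" Path="Security">
    <Select Path="Security">*[System[(EventID >= 4624 and EventID <= 4634)]]</Select>
  </Query>
</QueryList>
'@

# Try the filter locally before publishing it: wevtutil takes the same XPath and
# here prints the five newest matching System events as text.
wevtutil qe System /q:"*[System[(Level=1 or Level=2 or Level=3)]]" /c:5 /rd:true /f:text

# One <EventSource> element per forwarding computer.
$sourceXml = ($sources | ForEach-Object {
    "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>"
}) -join "`r`n"

# Subscription document in the schema that "wecutil cs" consumes. Normal mode is
# the default 15-minute poll; the guide notes that Minimize Bandwidth/Latency
# also require the certificate and HTTPS exception on the collector.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Critical, Error and Warning events plus selected Security events</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
$query
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$sourceXml
  </EventSources>
</Subscription>
"@

$path = Join-Path $env:TEMP 'subscription.xml'
Set-Content -Path $path -Value $subscriptionXml -Encoding UTF8

# Register the subscription; "wecutil es" afterwards lists it next to any
# subscription created in the wizard.
wecutil cs $path
if ($LASTEXITCODE -ne 0) { throw "wecutil cs failed with exit code $LASTEXITCODE" }

# The green icon in Event Viewer is not proof of delivery: the runtime status
# shows each source as Active/Inactive with its last error ("wecutil rs" retries).
wecutil gr $subscriptionName
```

Run it on the collector from an elevated PowerShell prompt; a source that is not yet configured shows up as Inactive with an access-denied or connection error in the runtime status, which is the same failure the Test button reports in the wizard.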

Once it is working, you will find the forwarded events in the Forwarded Events log. Keep in mind that if the logs are huge, the initial collection might take some time.

Configure Group Policy to Enable Windows Remote Management on the Source Computers (Clients)

Group Policy can be used to enable and configure Windows Remote Management (WinRM or WS-Man) on the source computers. WinRM is required by Windows Event Forwarding, as WS-Man is the protocol used by WS-Eventing. The following shows the Group Policy branch locations for configuring both WinRM and Event Forwarding:

Performance Monitor

Performance Monitor graphically shows real-time performance data, including processor utilization, network bandwidth usage, and thousands of other statistics. To use Performance Monitor, in Server Manager select Diagnostics\Reliability and Performance\Monitoring Tools\Performance Monitor.

Or Start > All Programs > Administrative Tools > Reliability and Performance

Add counters to the real-time graph by clicking the green plus button on the toolbar. You can also display data from other computers on the network.

Hit the OK button, and you should be ready to monitor in real time. Each line on the graph appears in a different color. To make it easier to view a specific line, select a counter and press Ctrl+H. The selected counter appears bold and in black on the graph.

To change the appearance and refresh rate of the chart, right-click Performance Monitor, and then choose Properties. The five tabs of the Performance Monitor Properties dialog box provide access to different configuration options:

General: In the Graph Elements group, adjust the Sample Every box to change how frequently the graph updates. Use a longer interval to show a smoother, less jagged graph that is updated less frequently and uses less bandwidth. Adjust the Duration box to change how much data is displayed in the graph before Performance Monitor begins overwriting the graph on the left portion of the chart. A Duration of 3,600 displays one hour of data in the graph, and a Duration of 86,400 displays one full day.

Source: Choose whether to display current activity in real time or show log files that you have saved using a Data Collector Set. If you display a log file, you can use this tab to control the time range that is displayed in the Performance Monitor window.

Data: In the Counters list, select the counter you want to configure. Then adjust the Color, Width, and Style. Increase or decrease the Scale value to change the height of the graph for a counter. You can also adjust the scale for all counters by clicking the Graph tab and changing the Maximum and Minimum values in the Vertical Scale group.

Graph: By default, Performance Monitor begins overwriting graphed data on the left portion of the chart after the specified duration has been reached. When graphing data over a long period of time, it is typically easier to see the chart scroll from right to left, similar to the way that Task Manager shows data. To do this, in the Scroll Style group, select Scroll.

Although the line chart shows the most information, you can select from the following chart types by clicking the Change Graph Type button on the toolbar or by pressing Ctrl+G:

Line: The default setting; this shows values over time as lines on the chart.
Histogram bar: This shows a bar graph with the most recent values for each counter displayed. If you have a large number of values and you are primarily interested in the current value (rather than the value of each counter over time), this will be easier to read than the line chart.
Report: This text report lists each current value.

Appearance: If you keep multiple Performance Monitor windows open simultaneously, you can make it easier to quickly distinguish between the windows by using this tab to change the color of the background or other elements.

Capturing Performance Data

Collecting and analyzing performance data is necessary to ensure that your servers and systems are running in optimal condition. It is important that you understand how your servers are performing during normal conditions to establish baselines. This type of information can be crucial when trying to troubleshoot performance.

Data Collector Sets

Data Collector Sets are groups of components that collect data to be used by the Reliability and Performance Monitor. Data Collector Sets can contain information from performance counters, trace events, and configuration data. You can then view this data in the Reliability and Performance Monitor or use it to create reports.

Creating Data Collector Sets

Data Collector Sets are used to organize collected data for review in Performance Monitor. The collected data can also be leveraged to generate alerts when upper or lower thresholds are reached. Data Collector Sets will generally contain performance counter information, event trace data, and system configuration information from registry key values. You can create your own Data Collector Set or leverage preconfigured templates that focus on performance data and/or general system diagnosis information for corresponding installed applications, or based on server roles deployed on the system.

Using Predefined Data Collector Sets

Active Directory Diagnostics: Present only on domain controllers, this Data Collector Set logs kernel trace data, Active Directory trace data, performance counters, and Active Directory registry configuration.

LAN Diagnostics: Logs network performance counters, network configuration data, and important diagnostics tracing. Use this Data Collector Set when troubleshooting complex network problems, such as network time-outs, poor network performance, or virtual private network (VPN) connectivity problems.

System Performance: Logs processor, disk, memory, and network performance counters and kernel tracing. Use this Data Collector Set when troubleshooting a slow computer or intermittent performance problems.

System Diagnostics: Logs all the information included in the System Performance Data Collector Set, plus detailed system information. Use this Data Collector Set when troubleshooting reliability problems such as problematic hardware, driver failures, or Stop errors (also known as blue screens).

To create a Data Collector Set from Performance Monitor, right-click Performance Monitor in the tree view, select New, and then choose Data Collector Set. This starts the Create New Data Collector Set Wizard; you can also select that action from the Action menu. This allows you to create a custom Data Collector Set that contains all of the live data collectors and counters selected in the current Performance Monitor view. To use a Data Collector Set, right-click it, and then choose Start. The System Performance and System Diagnostics Data Collector Sets stop after a minute, the Active Directory Diagnostics Data Collector Set stops automatically after five minutes, and the LAN Diagnostics and Wireless Diagnostics Data Collector Sets run until you stop them. If you are troubleshooting a network problem, you should attempt to reproduce the problem after starting the Data Collector Set. To manually stop a Data Collector Set, right-click it, and then click Stop.

Creating a User Defined Data Collector Set from Templates

Open the Reliability and Performance Monitor in Server Manager by selecting Start > Administrative Tools > Server Manager. Expand the Diagnostics > Reliability and Performance > Data Collector Sets nodes. Right-click the User Defined node under Data Collector Sets, then choose New > Data Collector Set.

Give the new data collector set a descriptive name, select the option to Create from a template, and then click Next.

When the wizard prompts for which template to use

Specify the folder where the logged data will be saved.

The default location, %systemdrive%\PerfLogs\, will contain the data collected by the Data Collector Set, but you can change the location if you want to store the Data Collector Set elsewhere, either by entering the path or by browsing to a location.

Finally, you can choose to run the Data Collector Set as a certain account. Go ahead and leave the Run As setting at the default. Choose the Save and Close option, then click the Finish button. Once complete, the new data collector set will appear under the User Defined node. We now need to configure the baseline to collect the data we wish to review. If you right-click the new collector set and choose Properties, you will see that it contains all of the Performance Monitor objects and counters required to perform an in-depth performance analysis.

Here you can also change parameters such as the log format (binary log format is recommended, however) and sample interval. You can also change file parameters such as the log file name, the file name format, and the logging mode (overwrite, append, or circular).

In the Performance Counter Properties window, click the Add button. This will open the Performance Counter Selection window.

To start collecting data, right-click the data collector set and choose Start. Once the capture has started, you can right-click and select Stop to stop the capture.

You can also schedule data collection by right-clicking the data collector set and choosing Properties, clicking the Schedule tab, and then clicking Add.

This will allow you to collect data when you are not logged on to the server. You can also specify a stop condition that will cease data collection based on any number of different parameters, including duration and size of the log file.

Creating Your Own User Defined Data Collector Set Manually

Open Data Collector Sets and right-click User Defined > New > Data Collector Set. This step can also be performed by right-clicking empty space in the right-hand panel of the User Defined window.

Give the new data collector set a descriptive name, select the option to Create manually (Advanced), then click Next. Ensure that Performance Counter is checked under the Create Data Logs section, then click Next. On the following window select Add... to add a new performance counter. In the Available Counters section, expand the Thread counter section and select the following counters:

% Processor Time
ID Process
ID Thread

In the Instances of selected object section, click the dropdown at the bottom (<All Instances>) and select Search.

Select all the object process instances in the list using CTRL+click, then select Add. This will populate the list on the right. Click OK to close the window and return to the previous screen. Select Next, provide the storage location for the file, and click Finish. This should return the newly created performance monitor displayed on the right. Enable the monitor by double-clicking it, or right-click > Start.

Saving the Data

Save the .blg file and start Perfmon using Start > Run... > type perfmon. Click View Log File.

On the Source tab, select the Log Files radio button > Add... and Input the location of the saved .blg file. In most cases, it's helpful to narrow down the time at the bottom if a time frame is available when the issue occurred.

To save the collector set you just defined as a template, right click on it from the navigation pane and choose Save Template from the pop-up menu, as shown. The template will be saved as an XML file.

How to View Saved Performance Data in a Report

After using a Data Collector Set to gather information and then stopping the Data Collector Set, you can view a summary by right-clicking the Data Collector Set and then choosing Latest Report.

The report will take some time to generate. During the wait, you will be presented with the screen shown.

Reliability Monitor
Reliability Monitor tracks a computer's stability. It provides a quick view of how stable the system has been, and it tracks events that will help you identify what causes reductions in reliability. By recording not only failures (including memory, hard disk, application, and operating system failures) but also key events regarding the configuration of your system (including the installation of new applications and operating system updates), it lets you see a timeline of changes in both the system and its reliability. Reliability Monitor also helps you identify how to get your system back to optimal reliability when the system is not behaving as expected. Computers that have no new software installations or failures are considered stable and can achieve the maximum system stability index of 10. The more installations and failures that occur on a computer, the lower the system stability index drops, toward a minimum value of 0.

Reliability Monitor is useful for diagnosing intermittent and long-term problems. For example, if you were to install an application that caused the operating system to fail once a week, it would be very difficult to correlate the failures with the application installation. With Reliability Monitor you can quickly browse both failures and the application installations over time. If recurring failures begin shortly after an application installation, the two might be related.

To open Reliability Monitor, choose Start > Run... and type perfmon.msc, or select the Diagnostics\Reliability and Performance\Monitoring Tools\Reliability Monitor node in Server Manager. The chart at the top of Reliability Monitor shows one data point for each day. The rows below the chart show icons for successful and unsuccessful software installations, application failures, hardware failures, Windows failures, and other miscellaneous failures. Click a day to view the day's details in the System Stability Report below the chart.

The Reliability Monitor displays data gathered by the Reliability Analysis Component (RAC), which is implemented using RACAgent.exe. RACAgent.exe runs once an hour using a hidden scheduled task. To collect the Reliability Monitor data, you need to configure the Task Scheduler service to start automatically, because Reliability Monitor uses data provided by the RACAgent scheduled task.

Network Monitor

Troubleshooting complex problems requires gaining insight into the inner workings of an application. When you are troubleshooting network problems, one of the best ways to gain insight is to capture and analyze the network communications using a protocol analyzer. Microsoft provides Network Monitor, a powerful protocol analyzer, as a free download from the Microsoft Download Center at http://www.microsoft.com/downloads. It is important for administrators to keep tabs on the network traffic that is flowing across the network; monitoring the network gives administrators a better understanding of how the bandwidth on their networks is being utilized. Network Monitor from Microsoft is such a tool: a protocol analyzer that allows administrators to capture network traffic, and then view and analyze it. The installation process adds the Network Monitor Driver to each network adapter.

The top left has two buttons that enable the creation or the viewing of a capture file. Enable Conversations (disabled by default) will try to provide the user with filters based on the network conversation between two hosts for a specific purpose (for example, a DNS query). On the bottom left the user can choose which network interface will be used for capturing the data and whether the NIC will be used in P-Mode (promiscuous mode) or not (capturing only traffic destined to it or coming from it, plus broadcasts).

Tabs: NM3 allows the user to initiate several captures and view them simultaneously by using tabs.

Parsers tab: Provides a glimpse into the inner workings of NM3. Each protocol that is "identified" by NM3, and thus displayed with the correct fields, is defined by a parser. If a specific protocol has no parser, its information will be displayed by NM3 as raw data.

Capturing Network Data

After you start Network Monitor, to capture network traffic, find the Select Networks pane in the Start Page tab and select the network adapters that you want to monitor. After selecting the network adapters in the Select Networks pane, you can configure different options by selecting the network adapter and then clicking the Properties button.

For wired network connections, you can enable P-Mode (promiscuous mode) to capture frames sent to computers other than your own (which will not work in environments with Layer 2 switches). For wireless network connections, you can switch to Monitor Mode, which functions similarly to P-Mode for wireless connections. In the Capture Network Traffic pane, select the Enable Conversations check box. Then click Create a New Capture Tab. Network Monitor creates and selects a new capture tab. On the toolbar, click the Start Capture button (a green play icon). Network Monitor begins to capture network traffic and displays it in the Frame Summary pane.

If you are troubleshooting a network problem, you should re-create the problem while Network Monitor is capturing data. To stop capturing data, click the Stop Capture button on the toolbar (a blue stop icon). Network Monitor can capture only traffic that the network adapter receives. Most modern networks connect wired computers to a Layer 2 switch, which sends only the traffic that the computer needs to receive: broadcasts and messages unicast to the computer's Media Access Control (MAC) address. Therefore, even if you have P-Mode enabled, Network Monitor will not be able to capture unicast communications sent between other computers. Many Layer 2 switches can be configured with a monitoring port; the switch forwards all communications to the monitoring port. If you need to use Network Monitor to capture communications between two other hosts and your network uses a Layer 2 switch, you will need to enable the monitoring port and connect the computer running Network Monitor to that port. By clicking the Tools menu and then choosing Options, you open the Options dialog box; its Capture tab allows you to configure settings related to the temporary capture file.

If your network uses hubs (a technology that predates Layer 2 switches but which is still commonly in use), any computer can receive any other computer's communications if P-Mode is enabled. Therefore, if your computer is connected to a hub and one of the computers you are monitoring is connected to the same hub, you do not need to enable a monitoring port. This is also an important security concern: any user with a protocol analyzer, such as Network Monitor, can capture communications between other computers. For this reason it is especially important to use encryption, such as that provided by IPsec.

Analyzing Network Data

After creating a capture, you can analyze the network data using the same capture tab. Browse the captured data in the Frame Summary pane and select any frame to view the data.

The Frame Details pane summarizes the data in the frame and the Hex Details pane shows the raw data.

Filtering Network Data


A busy server can transfer hundreds of frames a second, making it difficult to isolate the specific frames you need to analyze. To narrow down the data, you can use a capture filter (which filters frames before they are captured) or a display filter (which filters frames after they are captured).

You must create capture filters before capturing data. If you want to filter data from an existing capture, create a display filter. To create a filter using standard filters, in the Capture Filter or Display Filter pane click the Load Filter button. Then choose Standard Filters and choose one of the built-in filters. Finally, click the Apply button. The most useful filters include:

BaseNetworkTShoot: Shows only frames that might be related to low-level network problems, including ICMP, ARP, and TCP resets. Use this filter if you are experiencing general network problems and you want to try to identify the specific host causing the problems.
Broadcasts and No-Broadcasts: Broadcasts shows only broadcast frames. No-Broadcasts removes all broadcast frames.
DNS: Shows only DNS traffic.
NameResolution: Shows all name resolution traffic, including DNS, NetBIOS, and ARP requests.
HttpWebpageSearch: Shows requests for specific Web pages. This is useful for determining which computers on a network are requesting a specific page, particularly if the page you are searching for is a malformed path that might be involved in an attack against a Web server (and thus might not be stored in the log files).
MyIPv4Address and MyIPv6Address: Show only requests sent to or from the current computer.
IPv4Address, IPv4DestinationAddress, IPv4SourceAddress, IPv4SourceAndDestination: Show only requests sent to or from specific IPv4 addresses.
IPv6Address, IPv6DestinationAddress, IPv6SourceAddress: Show only requests sent to or from specific IPv6 addresses.
IPv4SubNet: Shows only requests sent to or from a specific subnet.

Filter Operators

You can create more complex filters by combining multiple standard filters using binary operators. Separating two filters with the && operator requires frames to match both filters. Separating two filters with the || operator shows frames that match either filter. Use parentheses () to group multiple parameters. Prefix a parameter with ! to capture traffic that does not match the parameter. For example, the filter !(tcp.port == 3389) captures all traffic except Remote Desktop traffic (which uses TCP port 3389), which is useful when logging on to a computer remotely to capture traffic. You can also use the operators AND and OR instead of && and ||.

For example, if you were to capture traffic on a DNS server, the following filter would show all DNS traffic from the host at 192.168.10.123:

DNS && IPv4.SourceAddress == 192.168.10.123

A filter to capture all Web requests for either the page named Page1.htm or Page2.htm:

contains(Http.Request.URI,"Page1.htm") || contains(Http.Request.URI,"Page2.htm")

In this example we are filtering all TCP packets using port 8080 where the destination IP address is 192.168.0.3. Although you can write your filter manually, the Network Monitor 3 interface already has some pre-defined filters for common situations. You can apply a pre-defined filter using the Load Filter button, beside the Save button in the display filter window.

In this example the DNS protocol has the supported data fields that are displayed in this dropdown window; you can select one based on what you want to filter on. Before applying the filter with the Apply Filter button, you can verify that the command and syntax you wrote are correct by clicking the Verify Filter button. This option validates whether the filter is correct and underlines any operator or function that was not written correctly.

NMCap
NMCap is a command-line tool that is installed when you install Network Monitor 3.x. It allows you to set all kinds of options to control when it starts, when it stops, how it stops, what it captures and where it captures, in all kinds of variations. This allows you to script it, so that when you want somebody to get a trace, you get exactly what you want. NMCap is:

Low profile: If you want to take a trace without affecting the server performance, use NMCap with no filters.
Configurable: A host of options allow you to start and stop traces with full control.
Scriptable: Since it is just a command-line utility, you can use it in your batch files.

Statement Definitions

NMCap: The application used to provide command-line statements. It is a lighter-weight application, takes fewer resources, and is more flexible.
/Network: Selects one or more space-delimited network adapters to capture from. Adapters may be specified using their index, a partial name with the wildcard *, or a quoted friendly name. (If you are uncertain of the name of the network adapter you want to trace from, you can find it using the NMCap /displaynetworks command.)
/Capture: Saves frames that pass the frame filter to the specified capture file. Think of this as the start command for Network Monitor.
/File: The name following this switch is the name of the trace file. Following the file name with a colon and a size sets the size to which each file grows before it is closed and the next file is started; each new file is noted by an incrementing number.

Example

Let's take a step back and give the simplest of examples. The following captures on all network adapters and does no filtering:

NMCap /network * /capture /file test.cap

Now let's take the above command and add a filter to it. I want to get rid of any traffic on port 3389, since I know my Terminal Server session rides on that port and I don't want to see any of that traffic in my trace:

NMCap /network * /capture "!(tcp.port == 3389)" /file test.cap

Exam Questions

Question
You are an enterprise administrator for Certkiller. The corporate network of the company consists of a Windows Server 2008 server called DC1 that works as a domain controller. To check the security of the corporate network, you decided to perform a security audit of DC1 and installed Microsoft Network Monitor 3.0 on it. You decided to capture all the LDAP traffic that comes to and goes from the server between 21:00 and 07:00 the next day and save it to the C:\LDAPData.cap file. To accomplish this task, you created a scheduled task and added a new 'Start a program' action to the task. Which of the following options would you choose to add the application name and the application arguments to the new action?

A. Add netmon.exe as the application name and provide /networks * /capture LDAP /file C:\LDAPData.cap /stopwhen /timeafter 10 hours as arguments.
B. Add nmconfig.exe as the application name and provide /networks * /capture &LDAP /file C:\LDAPData.cap /stopwhen /timeafter 10 hours as arguments.
C. Add nmcap.exe as the application name and provide /networks * /capture LDAP /file C:\LDAPData.cap /stopwhen /timeafter 10 hours as arguments.
D. Add nmcap.exe as the application name and provide /networks * /capture !LDAP /file C:\LDAPData.cap /stopwhen /timeafter 10 hours as arguments.

Answer C
Explanation: The "/network" switch defines which network interface we are capturing on; in this case we say "*" for all interfaces. The next parameters, "/capture /file %1", tell NMCap what to filter out; in this case they tell it to filter LDAP to C:\LDAPData.cap. The last part, the "/stopwhen" directive, lets NMCap determine when it should stop capturing. So we pass it a "/frame" parameter which tells it to stop capturing after 10 hours and exit NMCap.

Question
You are an enterprise administrator for Certkiller. The company consists of a head office and a branch office. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008. The branch office consists of three servers called Certkiller Server1, Certkiller Server2, and Certkiller Server3. All three servers run a Server Core installation of Windows Server 2008. To monitor Certkiller Server2 and Certkiller Server3 from Certkiller Server1, you decided to configure an Event Log subscription on Certkiller Server1. However, you discovered that you cannot create a subscription on Certkiller Server1 to collect events from Certkiller Server2 and Certkiller Server3. Which of the following options would you choose to configure a subscription on Certkiller Server1? (Choose two. Each correct answer presents part of the solution.)

A. Run the wecutil cs subscription.xml command on Certkiller Server1.
B. Create an event collector subscription configuration file called subscription.xml on Certkiller Server1.
C. Use Event Viewer on Certkiller Server1 to create a custom view and export the custom view to a subscription.xml file.
D. Run the wevtutil im subscription.xml command on Certkiller Server1.

Answer A, B
Explanation: To configure a subscription on Certkiller Server1, you need to first create an event collector subscription configuration file and name the file subscription.xml. You then need to run the wecutil cs subscription.xml command on Certkiller Server1. This command enables you to create and manage subscriptions to events that are forwarded from remote computers which support the WS-Management protocol. The wecutil cs subscription.xml command will create a subscription to forward events from a Windows Vista Application event log of a remote computer at Certkiller.com to the ForwardedEvents log.

Question
You are an enterprise administrator for Certkiller. The corporate network of the company consists of a Windows Server 2008 server called DC1 that works as a domain controller. To check the security of the corporate network, you decided to perform a security audit of DC1 and installed Microsoft Network Monitor 3.0 on it. While capturing data on the server, you find that only some of the captured frames display host mnemonic names in the Source and Destination columns, while all other frames display IP addresses. Which of the following options would you choose to display mnemonic host names instead of IP addresses for all the frames?

A. Apply the aliases to the capture after populating the Aliases table.
B. Apply the filter to the capture by creating a new display filter.
C. Apply the filter to the capture by creating a new capture filter.
D. Enable the Enable Conversations option in the Network Monitor application and then recapture the data to a new file.
E. None of the above

Answer A
Explanation: To display mnemonic host names instead of IP addresses for all the frames, you need to populate the Aliases table and apply the aliases to the capture. The Aliases table displays mnemonic host names. So in cases where you'd like to see the real IP address and a resolved name exists, turning off the aliases doesn't show you the real IP address.

Question
The corporate network of Certkiller consists of a Windows Server 2008 single Active Directory domain that contains two domain controllers named Certkiller 4 and Certkiller 5. All servers in the domain run Windows Server 2008. You wanted to configure event forwarding and subscription in the domain servers. To accomplish this task you created a default subscription on Certkiller 4 for Certkiller 5. Which of the following event logs would you select to review the system events for Certkiller 5?

A. Forwarded Events log on Certkiller 5.
B. Forwarded Events log on Certkiller 4.
C. System log on Certkiller 4.
D. Application log on Certkiller 5.
E. None of the above

Answer B

Explanation: To review the system events for Certkiller 5, you need to view the Forwarded Events log on Certkiller 4, which is configured to centrally manage events. The Event Collector service can automatically forward event logs to other remote systems running Windows Vista or Windows Server 2008 on a configurable schedule. Event logs can also be remotely viewed from other computers, or multiple event logs can be centrally logged and monitored agentlessly and managed from a single computer.

Question
You are an enterprise administrator for Certkiller.com. The company consists of a single Active Directory domain where all the servers on the corporate network run Windows Server 2008. One of the web servers, called Certkiller Server1, hosts shared documents. You have recently installed a few applications on the server. However, after these installations, users report extremely slow response times when they try to open the shared documents on Server1. To diagnose the problem, you used real-time monitoring on the server and found that the processor is operating at 100 percent of capacity. Which of the following options would you choose to gather additional data to diagnose the cause of the problem?

A. Create a counter log to track processor usage in the Performance console.
B. Open and review the application log for Performance events in the Event Viewer.
C. Use the Resource View to see the percentage of processor capacity used by each application in Windows Reliability and Performance Monitor.
D. Create an alert that will be triggered when processor usage exceeds 80 percent for more than five minutes on Certkiller Server1 in Windows Reliability and Performance Monitor.

Answer C
Explanation: To gather additional data to diagnose the cause of the problem, you need to use the Resource View in Windows Reliability and Performance Monitor to see the percentage of processor capacity used by each application. The Resource View window of Windows Reliability and Performance Monitor provides a real-time graphical overview of CPU, disk, network, and memory usage. By expanding each of these monitored elements, system administrators can identify which processes are using which resources. In previous versions of Windows, this real-time process-specific data was only available in limited form in Task Manager.

Question
You are an enterprise administrator for Certkiller. The corporate network of the company consists of servers that run Windows Server 2008 in an Active Directory domain. To find out the security lapse in the corporate network, you decided to build a list of all DNS requests that are initiated by a network server called CRM Certkiller 1. To perform this, you installed the Microsoft Network Monitor 3.0 application on CRM Certkiller 1 and configured the server to perform a security audit. You captured all local traffic on CRM Certkiller 1 for 24 hours and saved the capture file as data.cap. You then realized that the size of the data.cap file is more than 1 GB, so you decided to create a file named CRM1DNSdata.cap from the existing capture file that contains only DNS-related data. Which of the following options would you choose to accomplish this task?

A. Apply the display filter !DNS and save the displayed frames as the CRM1DNSdata.cap file
B. Apply the capture filter DNS and save the displayed frames as the CRM1DNSdata.cap file
C. Add a new alias named DNS to the aliases table and save the file as CRM1DNSdata.cap
D. Run the nmcap.exe /inputcapture data.cap /capture DNS /file CRM1DNSdata.cap command.

Answer D
Explanation: NMCap also allows you to accept a capture file as input. This can be useful for cleansing your traces before you use them, or you could also parse traffic by different ports or by IP addresses. The command below allows you to create a file named CRM1DNSdata.cap that stores only the DNS-related data after filtering it from the data.cap capture file:

nmcap.exe /inputcapture data.cap /capture DNS /file CRM1DNSdata.cap

Question
Exhibit:

Computer/Server        MAC Address          IP Address
CertkillerDC1          00-0A-5E-1C-7F-67    169.254.15.84
CertkillerSalesComp    00-17-31-D5-5E-FF    192.168.2.1

You are an enterprise administrator for Certkiller. The corporate network of the company consists of servers that run Windows Server 2008 in an Active Directory domain. A server named Certkiller DC1 has the DHCP server role installed on it. You have recently been informed that a desktop computer named CertkillerSalesComp is unable to obtain an IP configuration from the Certkiller DC1 server. To find out the problem, you installed the Microsoft Network Monitor 3.0 application on Certkiller DC1, enabled P-mode in the Network Monitor application configuration and decided to capture only the DHCP server-related traffic originating from Certkiller DC1 and going to CertkillerSalesComp. The network interface configuration for the two computers is shown in the exhibit. Which of the following options would you choose to build a filter in the Network Monitor application to capture the DHCP traffic between Certkiller DC1 and CertkillerSalesComp?

A. IPv4.Address == 169.254.15.84 && DHCP
B. IPv4.Address == 192.168.2.1 && DHCP
C. Ethernet.Address == 0x000A5E1C7F67 && DHCP
D. Ethernet.Address == 0x001731D55EFF && DHCP

Answer A
Explanation: To build a filter in the Network Monitor application to capture the DHCP traffic between CertkillerDC1 and CertkillerSalesComp, you need to use IPv4.Address == 169.254.15.84 && DHCP. To define a filter, you specify IPv4, a period, SourceAddress, then the equals sign (twice) and the IP address (source). To fine-tune a specific filter, you can combine several conditions in one filter using the AND (&&) and OR (||) logical operators. In this question you need to find the traffic originating from 169.254.15.84 that is DHCP related. Therefore you would use 169.254.15.84 && DHCP.

Question
You are an enterprise administrator for Certkiller. The corporate network of the company consists of servers that run Windows Server 2008 in an Active Directory domain. The domain consists of two servers named Certkiller Server1 and Certkiller Server2. You need to configure event subscription on the servers so that events from Certkiller Server2 can be collected and transferred to Certkiller Server1. You configure the required subscriptions by selecting the Normal option for the event delivery optimization setting and using the HTTP protocol. However, you noticed that none of the subscriptions work. Which of the following three options would you choose to ensure that the servers support event collectors? (Each correct answer presents part of the solution.)

A. Run the wecutil qc command on Certkiller Server1
B. Run the wecutil qc command on Certkiller Server2
C. Run the winrm quickconfig command on Certkiller Server1
D. Run the winrm quickconfig command on Certkiller Server2
E. Add the Certkiller Server2 account to the Administrators group on Certkiller Server1
F. Add the Certkiller Server1 account to the Administrators group on Certkiller Server2

Answer A, D and F
Explanation: To collect events from Certkiller Server2 and transfer them to Certkiller Server1, you need to first run the wecutil qc command on Certkiller Server1. This command enables you to create and manage subscriptions to events that are forwarded from remote computers. Then you need to run the winrm quickconfig command on Certkiller Server2. WinRM is required by Windows Event Forwarding, as WS-Man is the protocol used by WS-Eventing. Group Policy can be used to enable and configure Windows Remote Management (WinRM or WS-Man) on the source computers. With WinRM, Group Policy can be used to configure source computers (clients) to forward events to a collector (or set of collectors). Finally, you need to add the Certkiller Server1 account to the Administrators group on Certkiller Server2 so that access rights can be granted to the collector system on the forwarding computer.
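The subscription.xml plus wecutil cs workflow from the branch-office question and the wecutil qc / winrm quickconfig / group-membership steps from the question above, put together as an added PowerShell example (not the guide's own code). The host names, domain, subscription name and event query are assumptions.

```powershell
# Added example, not from the original guide. Host names, domain and subscription name are
# constructed; the wecutil/winrm steps are the ones the questions above describe.
$Sources  = @('Server2.certkiller.com', 'Server3.certkiller.com')   # forwarding computers
$SubFile  = 'C:\subscription.xml'

# --- on each source computer (run there, once) --------------------------------
#   winrm quickconfig -q                      # start WinRM, create the HTTP listener and firewall exception
#   net localgroup Administrators "CERTKILLER\Server1$" /add
# The collector's computer account needs read access to the source's logs. The guide uses the
# local Administrators group; the local "Event Log Readers" group is the least-privilege choice.

# --- on the collector (Server1) -------------------------------------------------
wecutil qc /q                                 # enable and start the Windows Event Collector service

# Collector-initiated subscription: Server1 pulls critical/error System events from each source
$sourceXml = ($Sources | ForEach-Object {
    "    <EventSource Enabled=""true""><Address>$_</Address></EventSource>" }) -join "`n"
$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Branch-System-Errors</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Critical and error System events from the branch servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[<QueryList><Query Path="System"><Select>*[System[(Level=1 or Level=2)]]</Select></Query></QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$sourceXml
  </EventSources>
</Subscription>
"@
Set-Content -Path $SubFile -Value $xml
wecutil cs $SubFile                           # create the subscription from the XML file
wecutil gr Branch-System-Errors               # runtime status: per-source connection state and last error
```

If wecutil gr reports a source as inactive, check that WinRM is listening on the source and that the collector's computer account was actually granted access there.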

Question
You are an enterprise administrator for Certkiller. The corporate network of the company consists of 100 servers that run Windows Server 2008 in an Active Directory domain. You have recently installed Windows Server 2008 on a new server and named it Certkiller Server1. You installed the Web Server (IIS) role on it. Certkiller Server1 has no Reliability Monitor data currently, and the system stability chart has never been updated. Which of the following options would you choose to configure Certkiller Server1 to collect the Reliability Monitor data?

A. On Certkiller Server1, run the perfmon.exe /sys command.
B. On Certkiller Server1, configure the Task Scheduler service to start automatically.
C. On Certkiller Server1, configure the Remote Registry service to start automatically.
D. On Certkiller Server1, configure the Secondary Logon service to start automatically.
E. None of the above.

Answer B

Explanation: To configure Certkiller Server1 to collect the Reliability Monitor data, you need to configure the Task Scheduler service to start automatically. Reliability Monitor uses data provided by the RACAgent scheduled task, a pre-defined task that runs by default on a new installation of Windows Vista. The seamless integration between the Task Scheduler user interface and the Event Viewer allows an event-triggered task to be created with just five clicks. In addition to events, the Task Scheduler in Windows Vista / Server 2008 supports a number of other new types of triggers, including triggers that launch tasks at machine idle, startup, or logon. Because you need Task Scheduler to collect Reliability Monitor data, you need to configure the Task Scheduler service to start automatically.

Question
You would like your Windows 2008 server to send an e-mail to your mobile device when a specific event occurs. Which tools can you use to configure this? (Choose all that apply.)

A. Services
B. Task Scheduler
C. Reliability and Performance Monitor
D. Event Viewer

Answer B, C
In Event Viewer, you can attach a task to a log.
