Lesson 3: SNMP Overview

The Simple Network Management Protocol (SNMP) is the de facto standard for managing hardware in medium to large networks. Its popularity is, for the most part, a result of the proliferation of TCP/IP-based networks. Windows 32-bit operating systems include an SNMP service that is used to include computer resources in an SNMP-managed network. SMS extends this management service on Windows NT/2000 client computers by translating operating system events into SNMP traps that are then forwarded to a network management system (NMS).

After this lesson, you will be able to

Estimated Completion Time: 40 minutes

Simple Network Management Protocol

The Simple Network Management Protocol (SNMP) resides at the application and presentation layers of the OSI model and is a component of the TCP/IP suite. It was originally developed in the Internet community to monitor and troubleshoot routers and bridges. Some RFCs relating to SNMP include:

RFC Title
1155 Structure and Identification of Management Information for TCP/IP-based Internets
1157 Simple Network Management Protocol
1213 Management Information Base for Network Management of TCP/IP-based internets: MIB II

An SNMP Agent in each managed device (called a host) passes status and configuration information via MIBs to a network management station, as shown in Figure 7-12.

Figure 7-12. Monitoring SNMP-managed hardware.

With SNMP, status information can be communicated to a Network Management Station (NMS) from any of the following devices:

Each of these SNMP manageable hosts includes an SNMP management agent. The agent reports hardware status and configuration information to a database called a Management Information Base (MIB). The MIB defines the hardware and software information in the host that should be collected by the SNMP agent. The SNMP agent communicates with the NMS to provide device-monitoring capabilities. Thus, SNMP uses a distributed architecture consisting of management systems, MIBs, and agents.

The NMS initiates three basic commands to collect data, through the agents, from managed hardware:

Windows NT Server is not bundled with an NMS. The most powerful third-party NMSs are designed to run on UNIX or Windows NT/2000 operating systems.

The primary function of an agent is to perform the GET, GET-NEXT, and SET operations requested by a management system. The only operation initiated by an agent is the TRAP command, which allows managed hardware to collect and transmit critical data, such as an alert, to the NMS.

SNMP Services in Windows 32-bit Operating Systems

The agent on a Microsoft Windows NT/2000 host is called the SNMP service. Through this service, a Windows NT/2000 host collects hardware and software data, stores it in the MIB, and reports its status to an NMS. In addition, Windows 95/98 hosts contain a simple SNMP agent.

Windows 95/98 SNMP support includes the following:

Windows NT/2000 SNMP support is more extensive than that for Windows 95/98. The service fully complies with MIB II specifications for Internet and LAN Manager data collection. Data collected for the Internet MIB includes configuration and fault analysis information as defined in RFC 1213. The data collected and stored in the LAN Manager MIB includes information such as Windows NT operating system statistics and session information. Proprietary MIBs have been developed for many Microsoft BackOffice components, including DHCP and Internet Information Server.

Through the Windows NT SNMP service, an NMS can monitor the following Windows NT/2000 operating systems and services:

There is an SNMP service for LAN Manager server computers.

Details on the Windows NT MIBs

The information a management system requests from an agent is contained in a MIB. A MIB is a set of manageable objects representing various types of information about a network device, such as the number of active sessions or the version of network operating system software running on a host. SNMP management systems and agents share a common understanding of MIB objects.

The Windows NT SNMP service supports Internet MIB II, LAN Manager MIB II, DHCP MIB, IIS MIB, and WINS MIB.

Internet MIB II

Internet MIB II (MIB_II.MIB) is a superset of the previous standard, Internet MIB I. Internet MIB II defines 171 objects essential for either fault or configuration analysis.

LAN Manager MIB II

LAN Manager MIB II (LMMIB2.MIB) defines approximately 90 objects that include such items as statistical, share, session, user, and logon information. Most LAN Manager MIB II objects have read-only access. Read-only access means that an NMS cannot be used to modify the system settings, only monitor them.


Windows NT version 4.0 includes a DHCP MIB that defines objects to monitor Microsoft DHCP server activity. This MIB (Dhcp.mib) is automatically installed when the DHCP Server service is installed. It contains approximately 14 objects for monitoring DHCP, such as the number of DHCP discover requests received, the number of declines, and the number of leased addresses.


The IIS MIB contains objects that provide information about network communications and performance on the IIS Server. The base object IIS MIB (INETSRV.MIB) is composed of several MIBs that branch out from it:

The DHCP server and Internet Information Server MIBs are for monitoring—but not configuring—DHCP Servers.


Windows NT version 4 includes a MIB that defines objects that monitor WINS server activity. This MIB (Wins.mib) is automatically installed when the WINS Server service is installed. It contains approximately 70 objects for configuring and monitoring WINS, such as the number of resolution requests successfully processed, the number of resolution requests that failed, and the date and time of last database replication.

Most of the WINS configuration parameters that are set by editing the Registry may also be set by using SNMP. WINS objects in the MIB defined with read-write access are configured through an NMS.

The Microsoft SNMP Service

The Microsoft SNMP service provides SNMP agent services to any TCP/IP or IPX/SPX host running SNMP management software.

Agent to NMS Communication

The SNMP service handles GET, GET-NEXT, and SET requests for status information from the NMS. Any traps generated by the SNMP agent are forwarded to the NMS. A background service, SNMPTRAP.EXE, is started only when traps are requested.

For security, the SNMP agent must be configured with the management station or stations to which it should report status information. The SNMP service uses host names, IP addresses, or IPX addresses to identify valid hosts to which it reports information and from which it receives requests.

Support and Features

The Windows NT SNMP service is installed and used on any computer running Windows NT/2000 and TCP/IP. After the SNMP service is installed, objects and their corresponding counters are enabled in Windows NT Performance Monitor. Figure 7-13 shows the Network Interface object in Performance Monitor.

Figure 7-13. The Network Interface Object in Performance Monitor.

The following Performance Monitor objects are available after TCP/IP and the SNMP service are installed:

Object This Object Provides
Network Interface Statistics about the network interfaces, typically NICs and RAS adapters, bound to TCP/IP. Multiple instances in the 'Instances' box refer to the loopback address, the network card (if any), the dial-out WAN wrapper for each device bound under RAS, and the dial-in WAN wrapper for each device bound under RAS. The loopback address will always be the first instance, and the remaining instances should match the binding order of the TCP/IP protocol.
IP Data on the IP component of the TCP/IP protocol suite. IP is a connectionless transport protocol that defines the basic unit of data to be transmitted over TCP/IP. It is also involved in routing decisions, addressing, and fragmentation/reassembly of data.
TCP Statistics on the TCP component of the TCP/IP protocol suite. TCP is a connection-oriented, and thus reliable, transport protocol.
UDP Statistics on the UDP component of the TCP/IP protocol suite. UDP provides applications with direct access to a connectionless data delivery service similar to IP.
ICMP Statistics on the Internet Control Message Protocol (ICMP) component of the TCP/IP protocol suite. ICMP uses IP datagrams to send control messages, error conditions, and status information to a host.
IIS Statistics on overall IIS functions.
DHCP Statistics on the DHCP Server service.
FTP Statistics on the FTP Server service.
WINS Statistics on the WINS Server service.

Monitoring of IPX is enabled when TCP/IP, IPX/SPX and the SNMP service are installed. Any NMS able to manage IPX receives Windows NT/2000 computer statistics by means of this protocol.

The Microsoft SNMP Service Components

The Windows NT/2000 implementation of the SNMP service involves a number of dynamic link libraries and programs that respond to an NMS using the GET, GET-NEXT, and SET commands and send unsolicited messages using the TRAP command. Figure 7-14 and the steps outlined below describe the SNMP communications process.

Figure 7-14. Communications to and from the SNMP service.

  1. The NMS sends and receives data from Windows NT/2000 computers with the SNMP service installed.

  2. SNMP network communications. The SNMP service is a Windows Sockets-based, 32-bit implementation which communicates through both TCP/IP and IPX/SPX. TCP/IP SNMP data is sent and received over UDP Port 161 and uses IP to support routing, whereas IPX is used for SNMP communications over the IPX/SPX protocol.

    Figure 7-14 shows how the SNMP service components communicate with the NMS without regard to the network path. As 1 and 2 in Figure 7-14 show, all communications must pass through the network layers.

  3. SNMP Management API (MGMTAPI.DLL). Multiple MIBs are supported through the SNMP agent application programming interface (API). A separate extension agent DLL is used to access each Windows NT/2000 MIB. The extension agent DLLs pass data through the master Windows NT/2000 SNMP agent service (SNMP.EXE) to communicate with the NMS. The SNMP agent service acts as a proxy application, so the NMS doesn't need to be aware of multiple MIBs and agents in the managed computer. Third-party developers can develop MIBs and extension agent DLLs for new hardware and software components and easily integrate the new functionality through the agent API.

  4. Extension agent DLLs. The additional MIBs and accompanying DLLs for DHCP, WINS, and the Internet Information Server extend SNMP management to these Windows NT/2000 services. The agent programs that implement these additional MIBs are referred to as extension agents. The extension agents store and retrieve data in their respective MIBs. These Windows NT/2000 extension agents are implemented as Windows 32-bit dynamic-link libraries (DLLs):

    When the SNMP service is started, it loads the SNMP extension agent DLLs. The extension agent DLLs are defined in the registry when the corresponding application (DHCP, WINS, or IIS) is installed. The SNMP agent reads the values located under the HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\SNMP\PARAMETERS\EXTENSION AGENTS key.

  5. SNMP trap receiver (SNMPTRAP.EXE). This service receives and forwards traps through the SNMP Management API. The SNMP Management API forwards these alerts through the master SNMP agent to the NMS.

Installing SNMP Services for Windows NT/2000 Computers

After TCP/IP is installed on a Windows NT version 4.0 computer, the SNMP service is added through the Networks application in the Control Panel, or by right-clicking on the Network Neighborhood icon and choosing the 'Properties' option. Figure 7-15 shows the SNMP service installed as a network service on a Windows NT version 4.0 computer.

Figure 7-15. The SNMP service installed in the Services tab of the Network dialog box.

Host Names and IP Addresses

If TCP/IP is the protocol used to communicate with the management console, the computer names or IP addresses of one or more NMSs should be known before SNMP service installation begins. The SNMP agent service uses this information to communicate with the management console. If IPX/SPX will be used to communicate with an IPX/SPX management console, the IPX network number and media access control address of the NMS must be known.

Host Name Resolution

The SNMP service over TCP/IP uses NetBIOS computer name resolution methods to resolve computer names to IP addresses. If a computer name rather than an IP address is used, be sure to add the computer name-to-IP address mappings of all participating NMSs to the appropriate resolution sources (such as the HOSTS or LMHOSTS file, or WINS). IPX addresses do not require this resolution, since the network number and media access control address of the NIC in the NMS are entered as the trap destination. The format of this address is in 8.12 notation. Figure 7-16 shows an example of this IPX format.

Community Name

Like most SNMP agents, the Windows NT SNMP service uses community names to authenticate messages. The community name on the NMS must match the community name on the SNMP-managed host. An SNMP agent can be a member of multiple communities at the same time, allowing for communications with SNMP managers from various communities. The computer name, IP address, or IPX address of all NMSs in a community that will receive and be allowed to send SNMP commands may be specified when configuring the SNMP service. In Figure 7-16, the Net1 community contains four NMSs that are authorized to manage this computer.

Figure 7-16. A community name configured with four NMSs authorized to perform SNMP management with this managed computer.

Figure 7-16 shows a single community name, Net1, pointing to four NMSs. Three of the management consoles use TCP/IP and one management console uses IPX/SPX. The first two TCP/IP destinations use IP addressing, and the last destination uses a NetBIOS computer name that requires computer name-to-IP address resolution. The IPX/SPX NMS destination showing the network name and media access control (8.12) address format is highlighted and shown in the Security Configuration dialog box.

Log on as a member of the Administrators group to install and configure SNMP. To use the IPX protocol with SNMP, TCP/IP must be installed.

The default community name when the SNMP service is installed is "public." If all community names are removed, the SNMP service on the managed computer authenticates and processes SNMP messages containing any community name.

If SNMP command requests received at the managed host contain a nonmatching community name, the message is rejected. An NMS with a matching community name and address can be sent a trap message about this authentication failure at the managed host. This option is configured through the Traps tab in the Microsoft SNMP Properties dialog box, as shown in Figure 7-17.

Figure 7-17. A valid community name configured with one IP-based NMS as the trap destination.

The SNMP Communications Process

Figure 7-18 expands on Figure 7-14 by showing how packets are processed at a managed host and sent back to an NMS. The steps shown in Figure 7-18 are described next.

Figure 7-18. The SNMP communications process.

The following steps outline how the SNMP service responds to management system requests:

  1. An NMS sends a request to an agent using the agent's host name, IP address, or IPX address.
  2. If necessary, the host name is resolved to an IP address. This is only required when a NetBIOS computer name is used to resolve TCP/IP-based communication with a managed host.

    The SNMP packet that is formed at the NMS contains the following information:

    The IP-based Windows sockets request is passed by the application to UDP port 161 on the NMS, and is sent through the network to UDP port 161 on the managed host.

  3. The SNMP agent receives the packet in its buffer.
  4. The community name is verified. If the community name is invalid or the packet is incorrectly formed, it is discarded.

    If the community name is valid, the agent verifies the source host name or IP address. (The agent must be authorized to accept packets from the management system, or the packet will be discarded.)

  5. The request is passed to the appropriate extension agent DLL:

    If the request is for          This DLL retrieves the requested information
    An Internet MIB II object      INETMIB1.DLL (Internet MIB II extension agent)
    A LAN Manager MIB II object    LMMIB2.DLL (LAN Manager MIB II extension agent)
    A DHCP object                  DHCPMIB.DLL (DHCP server extension agent)
    A WINS object                  WINSMIB.DLL (WINS server extension agent)
    An IIS object                  IIS.DLL (Internet Information Server extension agent)

  6. The object identifier is mapped to the Management API function, and the API call is made.
  7. The DLL returns the information to the agent.

The SNMP packet is sent back to the SNMP manager with the requested information.
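
The acceptance checks in steps 3 and 4 above, together with the empty-community-list behaviour described under Community Name, are shown here as an added Python example (not code from the original lesson or from the Microsoft SNMP service). The function names, the 192.0.2.x addresses and the sample packet are constructed for illustration, and the source check is assumed to be a plain list of authorized NMS addresses.

```python
import ipaddress

PDU_NAMES = {0xA0: "GET", 0xA1: "GET-NEXT", 0xA3: "SET"}  # SNMPv1 request PDU tags

def read_tlv(buf, pos):
    """Decode one BER tag-length-value; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of packet")
    return tag, buf[pos:pos + length], pos + length

def parse_snmpv1(packet):
    """Return (community, request_name) or raise ValueError if malformed."""
    tag, body, end = read_tlv(packet, 0)
    if tag != 0x30 or end != len(packet):
        raise ValueError("outer element is not one SEQUENCE")
    tag, version, pos = read_tlv(body, 0)
    if tag != 0x02 or version != b"\x00":
        raise ValueError("version is not SNMPv1")
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community is not an OCTET STRING")
    tag, _pdu, _ = read_tlv(body, pos)
    if tag not in PDU_NAMES:
        raise ValueError("not a GET, GET-NEXT or SET request")
    return community.decode("latin-1"), PDU_NAMES[tag]

def agent_accepts(packet, source_ip, communities, managers):
    """Apply the agent's checks in the order the steps give; return (accepted, reason)."""
    try:
        community, request = parse_snmpv1(packet)
    except ValueError as exc:
        return False, f"discarded: malformed packet ({exc})"
    # As the lesson notes: with no community names configured, any name passes.
    if communities and community not in communities:
        return False, "discarded: community name mismatch"
    allowed = {ipaddress.ip_address(m) for m in managers}  # assumed: IP list only
    if ipaddress.ip_address(source_ip) not in allowed:
        return False, "discarded: source is not an authorized NMS"
    return True, f"{request} accepted"

def tlv(tag, value):
    """Encode a short-form BER element (enough for the sample below)."""
    return bytes([tag, len(value)]) + value

def build_get(community):
    """Constructed sample: SNMPv1 GET for sysDescr.0 (1.3.6.1.2.1.1.1.0)."""
    oid = tlv(0x06, bytes([0x2B, 6, 1, 2, 1, 1, 1, 0]))
    varbinds = tlv(0x30, tlv(0x30, oid + tlv(0x05, b"")))
    pdu = tlv(0xA0, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") * 2 + varbinds)
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community.encode()) + pdu)

if __name__ == "__main__":
    nms = {"192.0.2.10"}  # constructed address of the authorized NMS
    for name, src, configured in [("Net1", "192.0.2.10", {"Net1"}),
                                  ("guess", "192.0.2.10", {"Net1"}),
                                  ("guess", "192.0.2.10", set()),
                                  ("Net1", "192.0.2.99", {"Net1"})]:
        print(name, src, sorted(configured), agent_accepts(build_get(name), src, configured, nms))
```

The third case in the loop is the one to watch when auditing a host: with the community list empty, the community check no longer filters anything and only the source check remains.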

Exercise 42: Installing and Configuring the SNMP Service

In this exercise, you will verify that TCP/IP is installed on Computer 2 and then configure the Windows NT SNMP service to run on Computer 2. Complete this exercise on Computer 2.

  1. Log on to Computer 2 as ADMINISTRATOR with no password. You must complete this step because User1 does not have the right to configure or install services.
  2. From the Control Panel, double-click Network.

    The Network dialog box appears.

  3. Select the Protocols tab.

    The list of installed network protocols appears. Verify that the TCP/IP Protocol is listed.

  4. If TCP/IP is not installed, install it now.
  5. Switch to a command prompt.
  6. Display the TCP/IP configuration information. Type IPCONFIG /ALL, then press ENTER.

    Windows NT IP configuration information appears.

    If the DHCP Enabled value is 'Yes,' this indicates your computer received an IP address from a DHCP server.

  7. Exit the command prompt.

In the following steps, you will install the SNMP service on Computer 2, since the SNMP service is needed before the Event to Trap Translator Client Agent can be installed.

  1. Switch to the Network dialog box.
  2. Select the Services tab.

    The list of installed network services appears.

  3. Click Add.
  4. In the 'Network Service' list, select SNMP service, then click OK.

    The Windows NT Setup dialog box appears, prompting for an installation path.

  5. Type the path to your Windows NT Workstation installation CD-ROM or distribution directory, then click Continue.

    The Microsoft SNMP Properties dialog box appears.

  6. On the Agent tab, verify that the 'Applications' and 'End-to-End' checkboxes are selected.

In the following steps, you will configure the SNMP trap destination. The trap destination for the SNMP service must be configured for an NMS to receive traps from this host. In this example, the site server is used as the destination for traps.

  1. In the Microsoft SNMP Properties dialog box, select the Traps tab.

    The SNMP trap information appears.

  2. In the 'Community Name' field, type public, then click Add.
  3. Under Trap Destinations, click Add.

    The Service Configuration dialog box appears, prompting for an IP Host or IPX Address to add as a trap destination.

    If the IP address of the NMS was acquired via DHCP, it could change. You should therefore use the computer name of the NMS. Typically an NMS is configured with a static IP address, so specifying the IP address is a better choice in most managed networks. For NMS systems using IPX/SPX, IPX/SPX must be installed on the host. The host then uses an 8.12 address format. This format was explained earlier in this lesson.

  4. In the IP Host or IPX Address box, type SERVER1 and then click Add.

    The SNMP trap information appears displaying SERVER1 as the trap destination for the public community. In a production environment, specify the appropriate address for an NMS that should receive traps.

  5. Click OK.

    The Network dialog box appears.

  6. Click Close.

    A Network Settings Change dialog box appears, prompting you to restart the computer.

  7. Click Yes.

In the following steps you will reapply Service Pack 4, since you added a service from the original Windows NT version 4.0 installation CD-ROM. You can install it through SMS 2.0 now that you know how to advertise packages using SMS 2.0 or you can install it from the SMS Training Supplemental CD-ROM. The following procedure uses the service pack located on the supplemental course CD-ROM. Complete this procedure from Computer 2.

  1. Log on to Computer 2 as ADMINISTRATOR with no password.
  2. Insert the SMS Training Supplemental CD-ROM.
  3. Find the \CHAPT04\EXFILES\EX20 directory.
  4. Run NT4SP4.EXE from this directory and follow the instructions that appear.
  5. After Computer 2 restarts, log on to Computer 2 as User1 with a password of PASSWORD.

    The SNMP service is now configured and the service has been updated on Computer 2.

  6. Install the SNMP service on Computer 1 (SERVER1) by repeating Exercise 42 and using the Windows NT Server CD-ROM. Substitute Computer 1 for Computer 2 when you do the exercise. The SNMP service is necessary on Computer 1, since an SNMP trap utility will be used to monitor for traps originating from Computer 2. The SNMP trap utility requires that the SNMP service be running locally.