Microsoft Windows 2000 Server Administrators Companion (IT-Administrators Companion)

Performance Logs and Alerts expands the monitoring capabilities of System Monitor to include features for logging counter and trace data and for generating performance alerts. Using the capabilities of Performance Logs and Alerts has a number of advantages. Logged counter data information can be exported to spreadsheets or databases for analysis and report generation. The data can be stored in three formats: comma-separated format, tab-separated format, or in a binary log-file format that can be used for logging instances that may have started after the log had already begun collecting data or for circular logging. In circular logging, new data is continuously logged into a single file, with the new data overwriting the old data.

Performance logging runs as a service. As a result, a user doesn't have to be logged on to the monitored computer for data collection to occur. You can manage multiple logging sessions from a single console window and view data as it is collected as well as after collection has stopped. Automatic log generation enables you to define parameters such as filename, file size, and start and stop time. An alert can be set on a counter to cause a specific action to occur, such as starting a specified program, sending a notification message, or starting a log when the value of a selected counter falls below or exceeds a specified setting.

Counter Logs

A counter log collects data at a predefined interval. Counter logs are helpful for recording data about system services activities and hardware usage from the local machine or a remote machine. You can log data manually on demand or schedule logging to start and stop automatically. The system can also perform continuous logging, depending on the file size and duration limits you set. The logged data can be viewed through the System Monitor display or exported to spreadsheets or databases.

You can view the counters configured in the counter log dynamically through System Monitor by saving log settings such as counters as an HTML page. The resulting page hosts the System Monitor control through an ActiveX control that provides the interface for the monitoring user.

Trace Logs

Rather than measure samples at a predefined interval, as counter logs do, a trace log monitors data continuously and waits for specific events, such as page faults, to occur. That data is then recorded into a trace log file. To interpret the trace log output, you need a parsing tool.

NOTE

Creating Counter and Trace Logs

To create a counter log or a trace log, perform the following steps:

1. Open System Monitor, and double-click Performance Logs And Alerts.
2. Choose Counter Logs to create a counter log, or choose Trace Logs to create a trace log.
3. Right-click in a blank area of the details pane and choose New Log Settings. In the Name text box, enter the name of the counter or trace log you are creating and click OK. A Properties window for configuring the counter or trace log you are creating is displayed.
4. Configure the counter or trace log to monitor your local or remote machine by choosing the proper counters for the resources to be monitored, selecting log file properties, and choosing the desired scheduling options. Any logs that already exist will be listed in the details pane. A red icon indicates a log that is not running or that has been stopped; a green icon indicates a log that is running.

The sample data interval for counter logs is set on the General tab of the Properties window for the log. For guidelines on setting time intervals, see "Determining How Often to Monitor" later in this chapter.

Adding Counters to Counter Logs

Counters are added on the General tab of a log's Properties window (Figure 32-11). When you create a counter log file, the Properties window is displayed automatically. If you need to add counters later, you can display the Properties window by right-clicking the name of the log file, choosing Properties from the shortcut menu, clicking the Add button on the General tab, and then choosing the desired counters. The procedure for selecting counters is identical to that described earlier in the section "Selecting Counters."

Figure 32-11. The General tab of a log's Properties window.

Saving Log and Alert File Settings

To save the settings for a log or alert file, right-click the name of the log or alert file in the details pane, and then choose Save Settings As from the shortcut menu. Enter the name you want to give to the log or alert file, and save it as an .HTM file. You can use the saved settings for a new log or alert by right-clicking in the details pane, choosing New Log Settings From, and then selecting the .HTM file containing the settings you want to reuse.

Selecting System and Nonsystem Providers for Trace Logs

Events in trace logs are monitored not by counters but by providers. You can choose to log events by system or nonsystem providers. The default system provider, the Windows Kernel Trace Provider, monitors threads, processes, disk input/output, network TCP/IP, page faults, and file details. The system provider uses the most overhead to monitor events. Only one trace log at a time can be run using the system provider. If you attempt to run more than one, you will receive an error message.

System and nonsystem providers are chosen on the General tab of the log's Properties window (Figure 32-12). To see this window, right-click the name of the trace log file and choose Properties from the shortcut menu. On the General tab, either select the Events Logged By System Provider option and then choose the events you want to monitor, or select the Nonsystem Providers option and then add the nonsystem providers of your choice by clicking the Add button.

Figure 32-12. Specifying events logged by the system provider.

It is important to remember that trace logging of page fault and file details generates a huge amount of data. Microsoft recommends that you limit trace logging using these fault options to a maximum of two hours; otherwise you may run out of disk space on your machine.

Choosing nonsystem providers to monitor the system incurs less overhead. With nonsystem providers, you can select the data providers of your choice. You cannot run concurrent multiple trace logs using the same nonsystem provider, but you can do so using different nonsystem providers. The nonsystem providers available in Windows 2000 are Active Directory: Kerberos, Active Directory: Net Logon, Active Directory: SAM, Local System Authority (LSA), and Windows NT Active Directory Service.

Setting File Parameters for Counter and Trace Logs

To set file parameters for counter and trace logs, follow these steps:

1. Double-click Performance Logs And Alerts in System Monitor.
2. Click Counter Logs to set file parameters for counter logs, or click Trace Logs to set file parameters for trace logs.
3. Double-click the name of the log for which you want to set the file parameters. A window displaying the properties of the log appears.
4. Click the Log Files tab, and set the desired parameters for the log file. (The available parameters are described in the next section.)

Understanding the Log File Parameters

The Log Files tab of the Properties window for a counter or trace log (Figures 3213 and 32-14) allows you to set a number of file parameters. You can specify a folder other than the default chosen by Windows 2000 in the Location box. The default location is the PerfLogs folder at the root directory. You are also given the option of ending the filename with a set of sequential numbers or a date to keep track of multiple log files. This is helpful for log files that are automatically generated with the same filename.

Figure 32-13. The Log Files tab of a counter log's Properties window.

Figure 32-14. The Log Files tab of a trace log's Properties window.

A file size option is available with which you can either allow the log file to become as large as disk quotas or the operating system will permit or limit the size to a specific number of kilobytes. Limit the size of a log file if you want to use one of the circular logging options. In conjunction with limiting the size of a log file, you can use the When The Log File Is Full option on the Schedule tab to run a command if you want a particular action to occur when the log file reaches its limit. You can choose from among four file types for a counter log:

• Text File - CSV This format is used to export data to a spreadsheet program. The data is stored as a comma-delimited log file that uses the file extension .CSV.
• Text File - TSV This format can also be used to export data to a spreadsheet program. The data is stored as a tab-delimited log file that uses the file extension .TSV.
• Binary File This format is used for intermittent instances (instances that stop and start after the log has been started). The data is stored as a sequential, binary-format log file that uses the file extension .BLG.
• Binary Circular File This format is used to record data continuously to the same log file, where the new records overwrite the previous ones. The data is stored in binary format as a circular file that uses the file extension .BLG.

Trace logs can be either of two file types:

• Circular Trace File This format is used to record data continuously to the same log file, where the new records overwrite the previous ones. The data is stored in a circular file that uses the file extension .ETL.
• Sequential Trace File This format is used to collect data until a user-defined limit is reached. Once the limit is reached, the current file is closed and a new one is started. The data is stored as a sequential file that uses the file extension .ETL.

The default file type for counter logs is Binary File (with the extension .BLG), and the default file type for trace logs is Sequential Trace File (with the extension .ETL).

Using Alerts

An alert notification is sent to the user by means of the Messenger service when a predefined counter value reaches, falls below, or rises above a defined threshold. The Messenger service must be running for alert notifications to be sent to the user.

Creating an Alert

To create an alert, follow these steps:

1. Open System Monitor, and double-click Performance Logs And Alerts.
2. Click Alerts.
3. Right-click in a blank area of the details pane, and choose New Alert Settings. In the Name text box, enter the name of the alert you are creating, and click the OK button. A Properties window for configuring the alert you are creating appears (Figure 32-15).

Figure 32-15. The Properties window for an alert.

4. Configure the alert by specifying whether to monitor the local machine or a remote machine, choosing one or more counters, setting threshold values for the counters, selecting an action to perform when an alert is triggered, and choosing the desired scheduling options. These settings are described in the next section. Any alerts that already exist will be listed in the details pane. A red icon indicates an alert that is not running or has been stopped; a green icon indicates an alert that is running.

Configuring an Alert

For information on specifying a computer to monitor and on selecting counters for the alert, see the section "Selecting Counters" earlier in this chapter.

You must choose threshold values for each counter on which you set an alert. This is done on the General tab of the Properties window for the alert. When you create an alert, the Properties window is displayed automatically. If you need to add counters at a later date, you can access the Properties window by right-clicking the name of the alert file, choosing Properties from the shortcut menu, and clicking the Add button on the General tab.

You set thresholds to trigger an alert when the value of the counter falls either above or below a certain baseline for your organization. To establish a baseline, you must determine the level of system performance that is acceptable when your system is experiencing a typical workload and running all required services. You do this by reviewing logged data graphed by System Monitor or by exporting the data and generating reports for analysis.

On the Action tab of the Properties window, you can specify actions that should occur when a threshold is exceeded. You have four options available:

• Log An Entry In The Application Event Log Causes the alert to log an entry that is visible to you in Event Viewer.
• Send A Network Message To Triggers the Messenger service to send an alert message to a specified computer.
• Start Performance Data Log Runs an existing counter log.
• Run This Program Specifies a command file and command-line arguments to run when an alert occurs.

Permissions for Counter Logs, Trace Logs, and Alerts

To create or modify a log or alert, you must have Full Control permission for the registry entry KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\LogQueries. Administrators are usually assigned this permission by default, and they can grant this permission to users in Regedt32.exe through the Security menu.

To run the Performance Logs and Alerts service, you must have permissions to configure or start services on the system. Administrators are usually assigned this permission by default, and they can grant this permission to users in the Group Policy snap-in. Furthermore, to log data for a remote computer, the Performance Logs and Alerts service is required to run under an account that has access to that remote system. The service runs in the background once a log or alert is configured and running.

REAL WORLD  Tuning and Testing Strategies

• Increase the paging file to the physical memory size plus 100 MB.
• Turn off any screen-saver programs.
• Shut down services that are not relevant or essential to monitoring the system.

Keep the following best practices in mind when preparing to tune your system:

• Set up Performance Logs and Alerts to monitor and report data on counters at a regular interval, such as every 10 to 15 minutes. It's a good practice to retain your logs for an extended period of time. You can store the data in a database and use it for trend analysis, performance assessment, and capacity planning.
• Make only one change at a time. Bottlenecks can be the fault of several components. Don't confuse the issue by making too many changes at once because that can make it impossible to assess the impact each change has on the system.
• Keep a record of each change you make, and repeat the monitoring process after every change. This practice is important because tuning changes can affect other resources and such records will help you to determine the effect of each change and whether additional changes are necessary.
• Do a comparison of programs that run over the network against those that run locally. This will tell you whether network components might be playing a part in performance problems.
• Pay attention to event logs; certain performance problems generate output that you can view in Event Viewer.
• Under certain conditions, the performance tools will increase overhead. If you find that this is a problem, you can reduce it as follows:

• Be selective in the objects and counters you monitor. The more you choose, the higher the overhead.
• Don't run System Monitor in graph view. This view incurs the highest overhead.
• Specify sampling intervals of 3 seconds or more; anything less than 3 seconds is too frequent.
• Run Performance Logs and Alerts instead of using a System Monitor graph.
• Reduce the amount of disk space used by log files by extending the update interval and logging to a disk other than the one being monitored. Frequent logging places a greater demand on disk input and output.
• When logging data through Performance Logs and Alerts, you should exclude times that include start-up events. Start-up events tend to skew overall performance results because they show temporarily high values.
• When you save the performance tools settings to a file after you have completed the configuration, save the file under a name other than Perfmon.msc. Otherwise, you are permanently changing the configuration of the performance tools on the computer.

Selecting a Monitoring Method

If you need to observe a system event as it's happening, use a graph in System Monitor. Graphs are helpful for real-time short-term monitoring of a remote or local computer. Choose an update interval that best captures the data for the type of activity you are observing. Performance logs are better suited for long-term monitoring and record keeping. You can export logged data and use it to generate reports, and you can also view the information as graphs or histograms using System Monitor. Logging in this manner is also more practical when you need to monitor several computers at once.

Determining How Often to Monitor

For routine logging of data logs, start out by setting the value in the Sample Data Every box to every 15 minutes. To find this option, display the Properties window of the specific counter log. You can adjust this interval to fit the type of data you are monitoring. If you have a slow memory leak, for example, you will want to use a longer time interval. Another consideration is the overall length of time that you monitor a system. If you are monitoring for less than 4 hours, a 15-minute interval is acceptable. If you are monitoring a system for 8 hours or more, don't set a time interval that is shorter than 5 minutes (300 seconds). Monitoring at a frequent rate will cause the system to generate a lot of data, producing large log files. It will also increase the overhead tremendously.

Monitoring Memory Usage

If you are experiencing performance problems, the first step in examining the problem is usually to monitor memory usage because memory usage is the most important factor in system performance. If you find that your system is paging frequently, you may have a memory shortage on your machine. Some paging is good because it helps to expand memory somewhat, but too much paging is a drain on system performance.

NOTE

Before you start to monitor memory usage, you should perform a few checks. For example, verify that your system has the recommended amount of memory for running the operating system as well as other applications and services. If you don't know what the memory requirements are for a process, you can discover its working set within System Monitor, shut the process down, and observe the effect on paging activity. The amount of memory that is freed when you terminate a process is the amount of memory the process was using.

NOTE

Excessive paging can result when Windows 2000 Setup configures your system with settings that optimize file sharing. In some cases, this can increase paging significantly because it causes the system to maintain a large system-cache working set. If you are not using the server for file sharing, you can reduce the amount of paging on your server by turning off the file-sharing settings. To do so, follow these steps:

1. On the Start menu, point to Settings and then choose Network And Dial-Up Connections.
2. Right-click Local Area Connection and choose Properties from the shortcut menu.
3. In the Components Checked Are Used By This Connection box, highlight File And Printer Sharing For Microsoft Networks and click the Properties button.
4. In the Server Optimization area, the Maximize Data Throughput For File Sharing option is selected by default. Select Maximize Data Throughput For Network Applications instead (Figure 32-16). This action will reduce paging activity on your system.

Figure 32-16. The File And Printer Sharing For Microsoft Networks Properties window.

Recommended Counters

Monitor memory counters for a low-memory condition. This section lists the minimum recommended counters for monitoring the server's memory component. To check for possible memory leaks or bottlenecks, monitor these counters:

• Memory\ Pages/Sec Displays the number of pages written to or read from disk in order to resolve hard page faults. A hard page fault occurs when a process requires code or data that must be retrieved from disk rather than from its working set or elsewhere in physical memory. If this value is above 20, you need to research paging activity and make adjustments as necessary. A high value for this counter may be more indicative of a paging problem than a memory problem.
• Memory\ Committed Bytes Displays the amount of committed bytes of virtual memory on your system and is an instantaneous counter. Monitor this counter, along with Memory\ Available Bytes, over a period of time if you suspect a memory leak.
• Memory\ Pool Nonpaged Bytes Displays the number of bytes allocated to the nonpaged pool for objects that cannot be written to disk but must instead remain in physical memory as long as they are allocated. If this value is high, you will need additional memory on your system. Use this counter in conjunction with Memory\ Pool Nonpaged Allocs if you suspect that a kernel-mode process is the cause of a memory leak.
• Memory\ Pool Nonpaged Allocs Shows the number of calls to allocated space in the nonpaged pool. Use this counter in conjunction with Memory\ Pool Nonpaged Bytes to determine whether you have a memory leak.
• Server\ Bytes Total/Sec Monitors the number of bytes the machine has received from and sent to the network. The value is indicative of how busy the server is. You will need to add memory if you have a sustained, dramatic increase in this value.
• Server\ Pool Paged Bytes Monitors the number of bytes of pageable computer memory currently in use by the system. You can use this information to determine values for the MaxPagedMemoryUsage entry in the Windows 2000 registry.
• Server\ Pool Nonpaged Bytes Monitors the number of bytes of nonpageable computer memory in use by the system. You can use this information to determine the values for the MaxNonpagedMemoryUsage entry in the Windows 2000 registry.

To monitor for a low memory condition, use these counters:

• Memory\ Available Bytes Windows 2000 uses free bytes to satisfy the memory requirements of programs. When free byes fall into short supply, the shortage is replenished by taking memory from the working sets of less active programs. Subsequently, you will notice an increase in the working set value for one program and a steady decrease in the values of other programs. The result is an increase in paging that causes performance to suffer. To resolve this problem, you will need to add memory to the machine.
• Memory\ Cache Bytes Monitors the number of bytes being used by the file system cache. Use this counter in conjunction with Memory\ Available Bytes. If the value for Memory\ Cache Bytes rises above 4 MB, you may need to add more memory to the machine.
• Physical Disk\ % Disk Time and Physical Disk\ Avg. Disk Queue Length These counters can indicate a memory shortage when used in conjunction with Memory\ Page Read/Sec. If an increase in queue length is not accompanied by a decrease in the Memory\ Page Read/Sec value, a shortage does exist.

To check for excessive paging, monitor these counters:

• Paging File\ % Usage (all instances) Paging files are shared by every process and are used to store pages of memory on your system. If you suspect that paging is to blame for your bottleneck, it is helpful to review this value, along with Memory\ Available Bytes and Memory\ Pages/Sec. The acceptable threshold for this value is 99 percent. Enlarge Pagefile.sys if the value increases to 100 percent.
• Paging File\ % Usage Peak If the value for this counter approaches the maximum paging file setting, the size of Pagefile.sys needs to be increased.
• Physical Disk\ Avg. Disk Sec/Transfer and Memory\ Pages/Sec The Physical Disk\Avg. Disk Sec/Transfer counter displays the average disk transfer in seconds. The Memory\ Pages/Sec counter displays the number of pages written to or read from the disk when a process requires information that is no longer in its working set and must be retrieved from disk. To help determine whether your system is paging excessively, multiply the values of these two counters. If the result exceeds 0.1, paging is taking up more than 10 percent of disk access time. If this condition persists over a long period of time, you will need additional memory.

Tuning and Upgrading Tips for the Memory Component

If you are experiencing problems with memory, check the following possibilities:

• Paging file Make sure that the paging file is the correct size, and create multiple paging files to reduce excessive paging. You can also split the paging file between multiple disks of similar speeds to increase access time.

CAUTION

• Physical memory Increase the physical memory above the minimum that is required.
• Memory settings Verify that memory settings are configured properly.
• Memory-intensive programs Run programs that are memory hogs when your system workload is lightest or on your highest-performing computers.

Monitoring Processor Activity

When monitoring processor usage, you need to consider the role of the computer and the work being done on it. High processor values could mean either that your machine is handling the workload in a very efficient manner or that it is struggling to keep up.

When a bottleneck occurs because a process's threads need more processor cycles than are available, long processor queues build up, causing the system response to suffer. The two common causes of processor bottleneck are an excess demand placed on the processor by CPU-bound programs and excess interrupts generated by drivers or subsystem components, such as disk or network components.

Minimum Recommended Counters

The following list shows the minimum recommended counters you should use to monitor the server's processor component for possible bottlenecks:

• System\ Processor Queue Length (all instances) Two or more items in the queue indicate a bottleneck. Because this is an instantaneous counter, the only way to get an accurate analysis is to observe this value over several intervals.
• Server Work Queues\ Queue Length A queue length of greater than four over a sustained period of time indicates possible processor congestion.
• Processor\ Interrupts/Sec You can use this counter to determine whether interrupt activity is causing a bottleneck. If you find a dramatic increase in this counter value without a corresponding increase in system activity, a hardware problem is likely. To resolve this problem, you need to find the network adapter or other device that is causing the interrupts. Refer to the manufacturer's specifications for the acceptable processor threshold.
• Processor\ % Interrupt Time This counter displays the percentage of time the processor spends receiving and servicing hardware interrupts during the sample interval. This value gives you an indirect indication of the activities of devices that generate interrupts, such as disk drives, network adapters, and other peripheral devices. These devices interrupt the processor when they require attention or complete a task. Look for a dramatic increase in the value without a corresponding increase in system activity.

To monitor possible usage problems, use these counters:

• Processor\ % Processor Time (all instances) Use this counter to discover a process that is using more than 85 percent of processor time. You may need to install an additional processor or upgrade to a faster one.
• Processor\ % User Time Monitors the percentage of nonidle processor time that is spent in user mode. A high rate may indicate a need to upgrade or install additional processors. Use this counter in conjunction with Processor\ % Processor Time (all instances).
• Processor\ % Privileged Time Monitors the percentage of nonidle processor time designated for hardware-manipulating drivers and operating system components. A high rate might be attributed to a large number of interrupts being generated by a device that is failing. Use this counter in conjunction with Process\ % Processor Time (all instances).

Tuning and Upgrading Tips for the Processor Component

You can try the following solutions to resolve problems you are experiencing with the processor:

• Upgrade the processor Upgrade to a faster processor, replace a failing one, or add another processor to the machine, especially if you are running multithreaded programs.
• Adjust the workload of the system Distribute programs more efficiently among servers, or schedule programs to run at off-peak hours.
• Manage processor affinity on multiprocessor computers Managing the processor affinity with respect to interrupts and process threads can improve performance because it reduces the number of processor cache flushes during thread movement from one processor to another.

NOTE

Monitoring Disk Activity

Monitoring disk usage helps you to balance the load of your network servers. When you are monitoring disk performance, log the performance data to another disk or computer to prevent it from skewing the data for the disk you are testing.

NOTE

Minimum Recommended Counters

The following list shows the minimum recommended counters you should use to monitor the server's disk performance for possible bottlenecks:

• Physical Disk\ Current Disk Queue Length (all instances) Monitors the number of system requests that are waiting for disk access. This number should remain steady at no more than 1.5 to 2 times the number of spindles that make up the physical disk. Most disks have one spindle. The exception is redundant array of independent disks (RAID) devices, which usually have more than one spindle. You will need to observe this value over several intervals because it is an instantaneous counter.
• Physical Disk\ % Disk Time Indicates how busy your server's disk drives are by displaying the percentage of time that a drive is active. If the value of this counter rises to more than 90 percent or if you are using a RAID device, check the Physical Disk\ Current Disk Queue Length counter to see how many disk requests are queued for disk access. RAID devices can cause the Physical Disk\ % Disk Time value to exceed 100 percent and thus give an incorrect reading.
• Physical Disk\ Avg. Disk Sec\Transfer Monitors the amount of time a disk takes to fulfill a request. A high value may indicate that the disk controller is continually trying to access the disk as a result of failures. For most systems, a value of 0.3 seconds or higher indicates a high average disk transfer time.

To monitor possible usage problems, use these counters:

• Physical Disk\ Avg. Disk Bytes/Transfer Monitors the average number of bytes that are transferred from or to a disk during read or write operations. A value less than 20 KB indicates that an application is accessing the disk drive inefficiently.
• Physical Disk\ Disk Reads/Sec and Disk Writes/Sec These counters can help you balance the workload of your network servers. Make sure that the specified transfer rate for your disk doesn't exceed the manufacturer's recommended specifications.

Tuning and Upgrading Tips for Disk Activity

If you are experiencing problems with disk performance, try the following solutions:

• Install the latest driver software for your host adapters to improve the efficiency of disk access.
• Install additional disks, or upgrade your hard disk to a faster disk. Update the bus and the disk controller at the same time.
• On servers, create striped volumes on several physical disks to increase throughput.
• Distribute applications among your servers to help balance the workload.
• Optimize disk space by running Disk Defragmenter.
• Isolate tasks that use disk I/O heavily to separate disk controllers or physical disks in order to help balance the server's workload.

Monitoring Network Activity

Monitoring the network consists of observing the use of server resources and measuring overall network traffic. Although you can do both with Performance Monitor, Network Monitor, discussed later in this chapter, gives you a more in-depth analysis of traffic.

Start monitoring your system by tracking the minimum recommended counters. Observe the resource usage on your system. Use the counters that correspond to the various layers of your network's configuration in order to concentrate on network-related resource usage. Abnormal network counter values are usually an indication of problems with a server's processor, memory, or hard disks. We recommend that you monitor network counters in conjunction with Memory\ Pages/Sec, Processor\ % Processor Time, and Physical Disk\ % Disk Time. For example, if Memory\ Pages/Sec increases dramatically, accompanied by a decrease in Memory\ Bytes Total/Sec handled by the server, the system is most likely running short of physical memory for network operations.

Minimum Recommended Counters

The following list shows the minimum recommended counters you should use to monitor the network's performance for possible bottlenecks:

• Server\ Pool Paged Peak Indicates the amount of physical memory and the maximum paging file size. The acceptable threshold is the amount of physical RAM.

To monitor possible usage problems, use these counters:

• Server\ Bytes Total/Sec Indicates the number of bytes the server has sent to and received from the network. This value is helpful in providing an indication of how busy the server is. It may be necessary for you to segment the network if the sum of the Bytes Total/Sec for all servers is close to equaling the maximum transfer rate of your network.
• Server\ Work Item Shortages Indicates the number of times no work items are available to service incoming requests. Consider tuning InitWorkItems or MaxWorkItems in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer if the value of this counter reaches or exceeds the threshold of 3.

Tuning and Upgrading Tips for Network Activity

Try the following solutions if you are experiencing problems with network performance:

• To significantly increase performance, unbind infrequently used network adapters and upgrade each network adapter to a high-performance one.
• When you configure your network, make sure that the systems shared by the same group of people are on the same subnet.
• Install multiple network adapters to increase file-sharing throughput.
• Set the order in which the workstation and NetBIOS software bind to each protocol when you are using more than one protocol. Average connection time decreases when the protocol that is used most frequently is set to be first in the binding list.