I created a monitoring plan (Managed Object in Netwrix Auditor 8.5 and below) targeted to audit Windows File Shares. Then, there are 2 possible scenarios:
- During monitoring plan (Managed Object in Netwrix Auditor 8.5 and below) creation, I selected automatic audit configuration and this led to significant performance loss.
- During monitoring plan (Managed Object in Netwrix Auditor 8.5 and below) creation, I selected manual audit configuration. Everything was fine until I configured audit settings manually—this led to significant performance loss.
- Target File Servers performance degradation. The DFCR.exe process compulsively consumes resources of the target file shares. This issue usually occurs when staging log is overfull.
- Replication time for file changes is unexpectedly long—up to 3 days (if staging log is full).
Why did loss of performance occur?
Significant performance loss after manual or automatic audit settings configuration may be caused by DFS Replication enabled on your target servers.
Netwrix offers the following steps to discover the nature of performance loss:
- Check if you have Windows File Shares with enabled DFS replication.
|You use Windows Server or other GUI OS||You use non-GUI OS or replication groups are hidden in the Server Manager|
Dfscmd /view <target_server>/full
Dfscmd /view \domain.localdfs /fullOR
Dfscmd /view \serverdfs /full
If you see two or more child links under each target server, there is DFS replication in your IT infrastructure. In this example, there is DFS replication between share1 and share2.
If not, you do not have file shares with DFS replication, so this article is not applicable to your environment.
If you have DFS replication enabled between several shares in your IT infrastructure, your audit settings will be extended to all linked folders and no matter how you configured audit: automatically or manually. This inevitably leads to significant performance loss.
- You determined that DFS replication persists. Keep in mind the following recommendations and consequences related to audit settings configuration on your Windows File Shares with enabled DFS replication.
- For a single virtual machine or small deployments, you can configure audit setting both automatically and manually.
- For high production deployments, configure audit carefully. Audit configuration (manual or automatic) causes multiple changes and DFS cannot replicate them instantly. Please wait while replication service processes new changes. Usually replication within large environments takes up to several days, depending on number of changes on the replicated file shares.
Consider the following Netwrix recommendations:
- Preferred audit configuration method is manual—Configure audit on the target file shares linked to your DFS namespace one by one. In this case, you avoid audit setting replication and loss of performance.
- If you want to configure audit automatically—Netwrix recommends doing it outside business hours to prevent additional load on your file servers. Consider your needs and capabilities prior to configure audit. Replication time directly depends on number of objects (≈ 50-60 object per second).
- Configure audit both in automatic and manual modes.
|Automatic mode||Manual mode|
Note: If the initial data collection will end before DFS file shares are replicated, the Activity Summary may contain a warning that the audit settings are not fully configured.
Note: Mind that loss of performance will persist anyway—the product must wait for DFS replication to complete to complete the Data Collection. Rest assured, that the audit data won’t be lost.
When configuring DFS auditing please refer to the “Using Distributed Files Systems with Netwrix Auditor” Knowledge Base article.