
Why did loss of performance occur when configuring audit settings for Windows File Servers?

Last review: Dec 12, 2017
https://kb.netwrix.com/590

I created a monitoring plan (Managed Object in Netwrix Auditor 8.5 and below) targeted to audit Windows File Shares. Then, there are 2 possible scenarios:

  1. During monitoring plan (Managed Object in Netwrix Auditor 8.5 and below) creation, I selected automatic audit configuration and this led to significant performance loss.
  2. During monitoring plan (Managed Object in Netwrix Auditor 8.5 and below) creation, I selected manual audit configuration. Everything was fine until I configured audit settings manually—this led to significant performance loss.

For example:

  • Target File Servers performance degradation. The DFCR.exe process compulsively consumes resources of the target file shares. This issue usually occurs when the staging log is overfull.
  • Replication time for file changes is unexpectedly long—up to 3 days (if the staging log is full).

Why did loss of performance occur?


Significant performance loss after manual or automatic audit settings configuration may be caused by DFS Replication enabled on your target servers.
Netwrix offers the following steps to discover the nature of performance loss:

  1. Check if you have Windows File Shares with enabled DFS replication.
You use Windows Server or other GUI OS:
  1. Start Server Manager and check whether you have the “DFS Management” role. To do it, navigate to Roles –> File and Storage Services (File Services if you use Windows Server 2008 R2) –> DFS Replication.
  2. Read on if you have the role. If not, you do not have file shares with DFS replication, so this article is not applicable to your environment.

You use non-GUI OS or replication groups are hidden in the Server Manager:
  1. Run dfscmd.exe from the Command Prompt:
Dfscmd /view <target_server> /full
For example:
Dfscmd /view \\domain.local\dfs /full
OR
Dfscmd /view \\server\dfs /full

  2. Review the response: the list of DFS links and the shared folders replicated for each link. For example:
\\domain.local\dfs
                \\serverNS\dfs
\\domain.local\dfs\link
                 \\server1\share1
                 \\server2\share2

If you see two or more child links under each target server, there is DFS replication in your IT infrastructure. In this example, there is DFS replication between share1 and share2.
If not, you do not have file shares with DFS replication, so this article is not applicable to your environment.

If you have DFS replication enabled between several shares in your IT infrastructure, your audit settings will be extended to all linked folders, regardless of whether you configured audit automatically or manually. This inevitably leads to significant performance loss.
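
The check on the Dfscmd response can be scripted. The following PowerShell function is an added example, not Netwrix code: the name Get-DfsMultiTargetLink is hypothetical and the sample response is constructed in the layout shown above. It lists every DFS link that has two or more targets.

```powershell
# Added example: flag DFS links with two or more targets in the text
# printed by "Dfscmd /view <target_server> /full".
# Get-DfsMultiTargetLink is a hypothetical name, not a built-in cmdlet.
function Get-DfsMultiTargetLink {
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string[]]$Lines
    )
    $links = [ordered]@{}   # link path -> list of target shares
    $current = $null
    foreach ($line in $Lines) {
        $text = $line.Trim()
        # Only UNC paths matter; skip blank lines and status messages.
        if (-not $text.StartsWith('\\')) { continue }
        if ($line -match '^\s') {
            # Indented UNC path: a target of the most recent link.
            if ($null -ne $current) { $links[$current].Add($text) }
        } else {
            # Unindented UNC path: a new DFS root or link.
            $current = $text
            $links[$current] = [System.Collections.Generic.List[string]]::new()
        }
    }
    foreach ($name in $links.Keys) {
        if ($links[$name].Count -ge 2) {
            [pscustomobject]@{
                Link    = $name
                Targets = $links[$name] -join ', '
            }
        }
    }
}

# Constructed sample response (not captured from a real server).
$sample = @'
\\domain.local\dfs
                \\serverNS\dfs
\\domain.local\dfs\link
                 \\server1\share1
                 \\server2\share2
'@ -split "`r?`n"

# On a file server, pass the live response instead of the sample:
#   Get-DfsMultiTargetLink -Lines (Dfscmd /view <target_server> /full)
Get-DfsMultiTargetLink -Lines $sample | Format-Table -AutoSize
```

With the sample, only \\domain.local\dfs\link is reported, because it is the only entry with two targets (share1 and share2).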

  2. You determined that DFS replication is enabled. Keep in mind the following recommendations and consequences related to audit settings configuration on your Windows File Shares with enabled DFS replication.
Note: Refer to the Netwrix Auditor Hardware Requirement section https://helpcenter.netwrix.com/Installation/Requirements/Requirements_Hardware.html for comprehensive and accurate requirements to install the product in different environments.
  • For a single virtual machine or small deployments, you can configure audit settings both automatically and manually.
  • For high production deployments, configure audit carefully. Audit configuration (manual or automatic) causes multiple changes and DFS cannot replicate them instantly. Please wait while the replication service processes new changes. Usually replication within large environments takes up to several days, depending on the number of changes on the replicated file shares.

Consider the following Netwrix recommendations:

  • Preferred audit configuration method is manual—Configure audit on the target file shares linked to your DFS namespace one by one. In this case, you avoid audit setting replication and loss of performance.
  • If you want to configure audit automatically—Netwrix recommends doing it outside business hours to prevent additional load on your file servers. Consider your needs and capabilities prior to configuring audit. Replication time directly depends on the number of objects (≈ 50-60 objects per second).
  3. Configure audit both in automatic and manual modes.

Automatic mode:
  1. In Netwrix Auditor, navigate to Monitoring Plans (Managed Objects in Netwrix Auditor 8.5 and below) –> Add Plan.
  2. In the New Monitoring Plan (Managed Object in Netwrix Auditor 8.5 and below) window, make sure that the “Adjust audit settings automatically” option is selected.
  3. Follow the prompts in the New Monitoring Plan window.
  4. Add DFS file shares for auditing.
  5. Wait for the initial data collection and SACL replication to complete.

Note: If the initial data collection ends before DFS file shares are replicated, the Activity Summary may contain a warning that the audit settings are not fully configured.

Manual mode:
  1. Disable automatic audit configuration before the initial data collection. To do it, navigate to Monitoring Plans (Managed Objects in Netwrix Auditor 8.5 and below) –> Add Plan.
  2. In the New Monitoring Plan (Managed Object in Netwrix Auditor 8.5 and below) window, make sure that the “Adjust audit settings automatically” option is unselected.
  3. Follow the prompts in the New Monitoring Plan window.
  4. Add DFS file shares for auditing.

Note: Mind that loss of performance will persist anyway: the product must wait for DFS replication to complete in order to complete the Data Collection. Rest assured that the audit data won’t be lost.
When configuring DFS auditing, please refer to the “Using Distributed Files Systems with Netwrix Auditor” Knowledge Base article.
