SCOM generates constant Windows DNS 2016 - Server Query Overload alerts

    Question

  • My SCOM server is generating constant Windows DNS 2016 - Server Query Overload alerts.

    In order to find the cause I first want to understand the error. Unfortunately the error description from Microsoft is not very clear.

    This monitor evaluates the delta value between number received queries in specified interval of Windows Server 2016 DNS Server. If the delta value is greater than Warning threshold but less or equal than Critical threshold the monitor changes state to Warning and generate an alert with Warning severity. If the delta value greater than Critical threshold the monitor changes state to Critical and generates an alert with Critical severity.

    First Value:    61334317
    Last Value:    61358706
    Delta Value:    24389

    Current value of queries per last interval is 75134

    The interval is 300 seconds.

    What I don't understand is that the delta value is 24389 yet the query value is 75134. How do I need to interpret this?


    Stijn

    Wednesday, May 16, 2018 12:21 PM

All replies

  • Hi,

    Please refer to the link below:

    Windows DNS Server 2016 Detect Server Query Overload

    https://systemcenter.wiki/?GetElement=Microsoft.Windows.DNSServer.2016.Monitor.DetectServerQueryOverload&Type=UnitMonitor&ManagementPack=Microsoft.Windows.DNSServer.2016



    Friday, May 18, 2018 9:58 AM
    Moderator
  • Hi,

    Have you any overrides for this? As I see the warning threshold is 30,000. Please check Overrides Summary for this.

    Looking forward to knowing your findings :)

    Cheers


    Sam

    Friday, May 18, 2018 10:44 AM
  • Hello, unfortunately that article does not answer my question. In fact that article is the root of my question, as it does not state how the delta value relates to the threshold. As shown in my example, the delta value does not even come close to the threshold and yet it is triggered. That document is just not clear.

    Stijn

    Monday, June 04, 2018 6:02 PM
  • I don't have any overrides as that is not relevant. I want to know how the delta value relates to the query value. The delta value clearly differs from the query value, yet from MS's explanation it is the delta value that is compared to the threshold. According to their explanation the threshold should not have been triggered. And I don't know where this query value comes from; it is not mentioned in the article.

    Stijn

    Monday, June 04, 2018 6:06 PM
  • Hey, I have the same issue and I haven't been able to find anything else about this online anywhere... I'm not sure if it's a real problem or not. It only happens for me on my primary DNS server... Have you been able to figure this one out?
    Wednesday, June 06, 2018 2:19 PM
  • No, I have yet to figure it out. I have done DNS debugging and found nothing out of the ordinary. The only thing I know is that it started after installing the latest updates earlier this year, so it can even be a bug. Like you said, it is unclear whether this is a problem or not. The available information is sketchy at best and I don't like just implementing overrides without knowing the cause. If I were to just implement an override every time a monitor acts up without knowing why, the whole usefulness of SCOM would be put in question. The main thing I would like to know is where this value comes from: "current value of queries since last interval". One thing I know for sure is that it is not the delta value of which they speak in the official documentation. (Of course there is always the possibility I just don't understand their explanation, as I don't find it clear.) And, like you, I only have it on my primary DNS server; none of the secondary servers or the DNS servers in offices abroad show this behaviour.

    Stijn


    • Edited by Stijn SES Saturday, June 09, 2018 7:15 AM
    Saturday, June 09, 2018 7:13 AM
  • Yeah I agree, I don't like to override without the "why". Yeah, the documentation on the alert is not very useful. I can tell the Delta value is the difference between the First and Last samples of the two samples the monitor takes. I am not sure where the logic is that a delta of more than 30,000 or 50,000 would constitute a problem on a busy DNS server when just comparing between two samples. You could have a very high value of TotalQueries and it would never flag as long as the delta stayed low, but as soon as load decreases the delta would increase and then trigger an alarm... I don't really understand how this monitor is measuring "overload". Also, the alert description stating that the current value of queries is X is wrong; it should say the delta between the last two queries is X...
    • Edited by bcehr Thursday, June 14, 2018 8:04 PM
    Thursday, June 14, 2018 8:03 PM
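
The threshold rule quoted from the alert description, applied to the figures in the first post (an added example, not part of the thread and not the management pack's own script). The 30,000 warning threshold is the one mentioned in the replies; using 50,000 as the critical threshold, the function name, and skipping a sample pair when the counter goes backwards are assumptions made here.

```powershell
# Added example: re-implements the delta/threshold rule from the alert description.
# Get-QueryOverloadState is a hypothetical helper, not a SCOM or DNS Server cmdlet.
function Get-QueryOverloadState {
    param(
        [Parameter(Mandatory)] [long] $FirstValue,    # cumulative query counter, first sample
        [Parameter(Mandatory)] [long] $LastValue,     # cumulative query counter, last sample
        [long] $WarningThreshold  = 30000,            # value mentioned in the thread
        [long] $CriticalThreshold = 50000,            # assumption: second value mentioned in the thread
        [int]  $IntervalSeconds   = 300               # interval stated in the alert
    )

    # Assumption: a cumulative counter that goes backwards means the DNS service
    # restarted between samples, so the pair is reported as unusable, not as an alert.
    if ($LastValue -lt $FirstValue) {
        return [pscustomobject]@{ Delta = $null; QueriesPerSecond = $null; State = 'CounterReset' }
    }

    $delta = $LastValue - $FirstValue

    # "greater than Warning but less or equal than Critical" -> Warning,
    # "greater than Critical" -> Critical, anything else stays healthy.
    if ($delta -gt $CriticalThreshold) { $state = 'Critical' }
    elseif ($delta -gt $WarningThreshold) { $state = 'Warning' }
    else { $state = 'Healthy' }

    [pscustomobject]@{
        Delta            = $delta
        QueriesPerSecond = [math]::Round($delta / $IntervalSeconds, 1)
        State            = $state
    }
}

# Sample pairs: the first is taken from the alert in the question; the second is
# constructed so that its delta equals the "current value of queries" figure (75134).
$samples = @(
    @{ Label = 'First/Last from alert';     First = 61334317; Last = 61358706 },
    @{ Label = 'Constructed, delta 75134';  First = 61334317; Last = 61409451 }
)

foreach ($s in $samples) {
    $r = Get-QueryOverloadState -FirstValue $s.First -LastValue $s.Last
    '{0}: delta={1} rate={2}/s state={3}' -f $s.Label, $r.Delta, $r.QueriesPerSecond, $r.State
}
```

Under the documented rule the First/Last pair from the alert stays below the warning threshold, while a delta equal to the reported "current value" would be critical, which is the discrepancy the thread is asking about.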