none
Performance problems with DFSN, ABE and SMB RRS feed

  • Question

  • Hello,


    We have identified a problem with DFS-Namespace (DFSN), Access Based Enumeration (ABE) and SMB File Service.

    Currently we have two Windows Server 2008 R2 servers providing the domain-based DFSN in functional level Windows Server 2008 R2 with activated ABE.
    The DFSN servers have the most current hotfixes for DFSN and SMB installed, according to http://support.microsoft.com/kb/968429/en-us and http://support.microsoft.com/kb/2473205/en-us
    We have only one AD-site and don't use DFS-Replication.
    Servers have 2 Intel X5550 4 Core CPUs and 32 GB Ram.
    Network is a LAN.

    Our DFSN looks like this:
    \\contoso.com\home
        Contains 10.000 Links
        Drive mapping on clients to subfolder \\contoso.com\home\username

    \\contoso.com\group
        Contains 2500 Links
        Drive mapping on clients directly to \\contoso.com\group

    On \\contoso.com\group we serve different folders for teams, projects and other groups with different access permissions based on AD groups.
    We have to use ABE, so that users see only accessible Links (folders)

    We encounter sometimes multiple times a day enterprise-wide performance problems for 30 seconds when accessing our Namespaces.

    After six weeks of researching and analyzing we were able to identify the exact problem.

    Administrators create a new DFS-Link in our Namespace \\contoso.com\group with correct permissions using the following command line:

    dfsutil.exe link \\contoso.com\group\project123 \\fileserver1\share\project123
    dfsutil.exe property sd grant \\contoso.com\group\project123 CONTOSO\group-project123:RX protect replace

    This is done a few times a day.

    There is no possibility to create the folder and set the permissions in one step.

    DFSN process on our DFSN-servers create the new link and the corresponding folder in C:\DFSRoots.

    At this time, we have for example 2000+ clients having an active session to the root of the namespace \\contoso.com\group.
    Active session means a Windows Explorer opened to the mapped drive or to any subfolder.

    The file server process (Lanmanserver) sends a change notification (SMB-Protocol) to each client with an active session \\contoso.com\group.

    All the clients which were getting the notification now start to refresh the folder listing of \\contoso.com\group

    This was identified by an network trace on our DFSN-servers and different clients.

    Due to ABE the servers have to compute the folder listing for each request.

    DFS-Service on the servers doen't respond for propably 30 seconds to any additional requests. CPU usage increases significantly over this period and went back to normal afterwards. On our hardware from about 5% to 50%.

    Users can't access all DFS-Namespaces during this time and applications using data from DFS-Namespace stop responding.

    Side effect: Windows reports on clients a slow-link detection for \\contoso.com\home, which can be offline available for users (described here for WAN-connections: http://blogs.technet.com/b/askds/archive/2011/12/14/slow-link-with-windows-7-and-dfs-namespaces.aspx)

    Problem doesn't occure when creating a link in \\contoso.com\home, because users have only a mapping to subfolders.

    Currently, the problem doesn't occure also for \\contoso.com\app, because users usually don't use Windows Explorer accessing this mapping.

    Disabling ABE reduces the DFSN freeze time, but doesn't solve the problem.

    Problem also occurs with Windows Server 2012 R2 as DFSN-server.

    There is a registry key available for clients to avoid the reponse to the change notification (NoRemoteChangeNotify, see http://support.microsoft.com/kb/812669/en-us)

    This might fix the problem with DFSN, but results in other problems for the users. For example, they have to press F5 for refreshing every remote directory on change.

    Is there a possibility to disable the SMB change notification on server side ?

    TIA and regards,

    Ralf Gaudes

    Friday, December 20, 2013 10:35 AM

All replies

  • Hi,

    Thanks for posting in Microsoft Technet Forums.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.

    Regards.

    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

    Monday, December 23, 2013 6:23 AM
    Moderator
  • Hi,

    According the description and requirement, please view the link as below:

    An update is available in Windows to turn off directory notification SMB requests

    http://support.microsoft.com/kb/812669/en-us

    Meanwhile, please show me the netmon traces.

    Thank you.

    Best Regards,

    Steven Song


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, December 24, 2013 2:13 AM
  • Hi,

    I have not heard from you for some days. please drop me a note let me know how is going on your side.

    Thank you.

    Best regards,

    Steven Song


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Thursday, December 26, 2013 3:14 AM
  • Hi Steven,

    sorry, I'm out of office for holidays at the moment.

    As mentioned above, the hotfix disables the refreshing on the client side completely:

    There is a registry key available for clients to avoid the reponse to the change notification (NoRemoteChangeNotify, see http://support.microsoft.com/kb/812669/en-us)

    This might fix the problem with DFSN, but results in other problems for the users. For example, they have to press F5 for refreshing every remote directory on change.

    Currently we've done the traces with wireshark, is this also OK for you ? I can post them when back in office next week.

    TIA and regards,

    Ralf

    Friday, December 27, 2013 9:41 AM
  • Hi Steven,

    I've just made traces for you. Is it possible to send them by mail due to confidential information inside ?

    TIA and regards, Ralf

    Thursday, January 2, 2014 10:22 AM
  • Hi Ralf,

    Thanks for your effort. Would you please provide a space for uploading the traces, then I could download it safely due to the confidential information inside.

    Best Regards,

    Steven Song


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, January 7, 2014 9:41 AM