Why did loss of performance occur when configuring audit settings for Windows File Servers?

This article applies to Netwrix Auditor 8.0 and above and describes issues related to loss of performance that occurs when configuring audit settings for Windows File Servers with enabled DFS replication.
Question
I created a monitoring plan (Managed Object in Netwrix Auditor 8.5 and below) targeted to audit Windows File Shares. Then, there are 2 possible scenarios:
  1. During monitoring plan (Managed Object in Netwrix Auditor 8.5 and below) creation, I selected automatic audit configuration and this led to significant performance loss.
  2. During monitoring plan (Managed Object in Netwrix Auditor 8.5 and below) creation, I selected manual audit configuration. Everything was fine until I configured audit settings manually—this led to significant performance loss.
For example:
  • Target File Servers performance degradation. The DFCR.exe process compulsively consumes resources of the target file shares. This issue usually occurs when the staging log is overfull.
  • Replication time for file changes is unexpectedly long—up to 3 days (if the staging log is full).

Why did loss of performance occur?

Answer
Significant performance loss after manual or automatic audit settings configuration may be caused by DFS Replication enabled on your target servers.
Netwrix offers the following steps to discover the nature of performance loss:
  1. Check if you have Windows File Shares with enabled DFS replication.
You use Windows Server or other GUI OS:
  1. Start Server Manager and check whether you have the "DFS Management" role. To do this, navigate to Roles --> File and Storage Services (File Services if you use Windows Server 2008 R2) --> DFS Replication.
  2. Read on if you have the role. If not, you do not have file shares with DFS replication, so this article is not applicable to your environment.
You use non-GUI OS or replication groups are hidden in the Server Manager:
  1. Run dfscmd.exe from the Command Prompt:
Dfscmd /view <target_server> /full
For example:
Dfscmd /view \\domain.local\dfs /full

OR

Dfscmd /view \\server\dfs /full
  2. Review the response: the list of DFS links and the shared folders replicated for each link. For example:
\\domain.local\dfs
                \\serverNS\dfs
\\domain.local\dfs\link
                 \\server1\share1
                 \\server2\share2

If you see two or more child links under each target server, there is DFS replication in your IT infrastructure. In this example, there is DFS replication between share1 and share2.
If not, you do not have file shares with DFS replication, so this article is not applicable to your environment.
If you have DFS replication enabled between several shares in your IT infrastructure, your audit settings will be extended to all linked folders no matter how you configured audit: automatically or manually. This inevitably leads to significant performance loss.
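The review of the Dfscmd response described above can be scripted. The following PowerShell function is an added example, not part of the original article or of Netwrix Auditor: it groups the output into links and their targets and applies the article's rule (two or more targets under one link). The function name Get-DfsMultiTargetLink is hypothetical, the sample input is the example response shown above, and Windows PowerShell 5.1 or later is assumed.

```powershell
# Added example (not Netwrix code). Assumes Windows PowerShell 5.1 or later.
function Get-DfsMultiTargetLink {   # hypothetical function name
    [CmdletBinding()]
    param(
        # Lines of "Dfscmd /view <target_server> /full" output
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string[]]$Line
    )
    begin {
        $links = [System.Collections.Generic.List[object]]::new()
        $current = $null
    }
    process {
        foreach ($l in $Line) {
            # Skip blank lines and status text; only UNC paths matter
            if ($l.TrimStart() -notlike '\\*') { continue }
            if ($l -match '^\s') {
                # Indented UNC path: a target of the most recent link
                if ($current) { $current.Targets.Add($l.Trim()) }
            } else {
                # Unindented UNC path: a DFS root or link
                $current = [pscustomobject]@{
                    Link    = $l.TrimEnd()
                    Targets = [System.Collections.Generic.List[string]]::new()
                }
                $links.Add($current)
            }
        }
    }
    end {
        # The article's rule: two or more targets under one link
        $links | Where-Object { $_.Targets.Count -ge 2 } |
            Select-Object Link,
                @{ n = 'TargetCount'; e = { $_.Targets.Count } },
                @{ n = 'Targets'; e = { $_.Targets -join ', ' } }
    }
}

# Constructed sample: the example response shown in the article
$sample = @'
\\domain.local\dfs
                \\serverNS\dfs
\\domain.local\dfs\link
                 \\server1\share1
                 \\server2\share2
'@ -split '\r?\n'

$sample | Get-DfsMultiTargetLink
```

On a file server, pipe the real command output into the function instead of the sample, for example: Dfscmd /view \\domain.local\dfs /full | Get-DfsMultiTargetLink. An empty result means no link has two or more targets.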
  2. You determined that DFS replication is enabled. Keep in mind the following recommendations and consequences related to audit settings configuration on your Windows File Shares with enabled DFS replication.
Note: Refer to the Netwrix Auditor Hardware Requirement section https://helpcenter.netwrix.com/Installation/Requirements/Requirements_Hardware.html for comprehensive and accurate requirements to install the product in different environments.
  • For a single virtual machine or small deployments, you can configure audit settings both automatically and manually.
  • For high production deployments, configure audit carefully. Audit configuration (manual or automatic) causes multiple changes and DFS cannot replicate them instantly. Please wait while the replication service processes new changes. Usually, replication within large environments takes up to several days, depending on the number of changes on the replicated file shares.
Consider the following Netwrix recommendations:
  • The preferred audit configuration method is manual—configure audit on the target file shares linked to your DFS namespace one by one. In this case, you avoid audit settings replication and loss of performance.
  • If you want to configure audit automatically—Netwrix recommends doing it outside business hours to prevent additional load on your file servers. Consider your needs and capabilities prior to configuring audit. Replication time directly depends on the number of objects (≈ 50-60 objects per second).
  3. Configure audit both in automatic and manual modes.
Automatic mode:
  1. In Netwrix Auditor, navigate to Monitoring Plans (Managed Objects in Netwrix Auditor 8.5 and below) --> Add Plan.
  2. In the New Monitoring Plan (Managed Object in Netwrix Auditor 8.5 and below) window, make sure that the "Adjust audit settings automatically" option is selected.
  3. Follow the prompts in the New Monitoring Plan window.
  4. Add DFS file shares for auditing.
  5. Wait for the initial data collection and SACL replication to complete.
Note: If the initial data collection ends before DFS file shares are replicated, the Activity Summary may contain a warning that the audit settings are not fully configured.
Manual mode:
  1. Disable automatic audit configuration before the initial data collection. To do this, navigate to Monitoring Plans (Managed Objects in Netwrix Auditor 8.5 and below) --> Add Plan.
  2. In the New Monitoring Plan (Managed Object in Netwrix Auditor 8.5 and below) window, make sure that the "Adjust audit settings automatically" option is unselected.
  3. Follow the prompts in the New Monitoring Plan window.
  4. Add DFS file shares for auditing.
Note: Loss of performance will persist anyway—the product must wait until DFS replication completes to show changes. Rest assured, your audit data will be preserved.
Once audit settings are configured, refer to the following Netwrix Auditor knowledge base article: https://www.netwrix.com/kb/1267 for instructions on how to configure Netwrix Auditor to audit Distributed File Systems.