Hello,
We have identified a problem with DFS-Namespace (DFSN), Access Based Enumeration (ABE) and SMB File Service.
Currently we have two Windows Server 2008 R2 servers providing the domain-based DFSN in functional level Windows Server 2008 R2 with activated ABE.
The DFSN servers have the most current hotfixes for DFSN and SMB installed, according to http://support.microsoft.com/kb/968429/en-us and http://support.microsoft.com/kb/2473205/en-us
We have only one AD-site and don't use DFS-Replication.
Servers have 2 Intel X5550 4 Core CPUs and 32 GB Ram.
Network is a LAN.
Our DFSN looks like this:
\\contoso.com\home
Contains 10.000 Links
Drive mapping on clients to subfolder \\contoso.com\home\username
\\contoso.com\group
Contains 2500 Links
Drive mapping on clients directly to \\contoso.com\group
On \\contoso.com\group we serve different folders for teams, projects and other groups with different access permissions based on AD groups.
We have to use ABE, so that users see only accessible Links (folders)
We encounter sometimes multiple times a day enterprise-wide performance problems for 30 seconds when accessing our Namespaces.
After six weeks of researching and analyzing we were able to identify the exact problem.
Administrators create a new DFS-Link in our Namespace \\contoso.com\group with correct permissions using the following command line:
dfsutil.exe link \\contoso.com\group\project123 \\fileserver1\share\project123
dfsutil.exe property sd grant \\contoso.com\group\project123 CONTOSO\group-project123:RX protect replace
This is done a few times a day.
There is no possibility to create the folder and set the permissions in one step.
DFSN process on our DFSN-servers create the new link and the corresponding folder in C:\DFSRoots.
At this time, we have for example 2000+ clients having an active session to the root of the namespace \\contoso.com\group.
Active session means a Windows Explorer opened to the mapped drive or to any subfolder.
The file server process (Lanmanserver) sends a change notification (SMB-Protocol) to each client with an active session \\contoso.com\group.
All the clients which were getting the notification now start to refresh the folder listing of \\contoso.com\group
This was identified by an network trace on our DFSN-servers and different clients.
Due to ABE the servers have to compute the folder listing for each request.
DFS-Service on the servers doen't respond for propably 30 seconds to any additional requests. CPU usage increases significantly over this period and went back to normal afterwards. On our hardware from about 5% to 50%.
Users can't access all DFS-Namespaces during this time and applications using data from DFS-Namespace stop responding.
Side effect: Windows reports on clients a slow-link detection for \\contoso.com\home, which can be offline available for users (described here for WAN-connections: http://blogs.technet.com/b/askds/archive/2011/12/14/slow-link-with-windows-7-and-dfs-namespaces.aspx)
Problem doesn't occure when creating a link in \\contoso.com\home, because users have only a mapping to subfolders.
Currently, the problem doesn't occure also for \\contoso.com\app, because users usually don't use Windows Explorer accessing this mapping.
Disabling ABE reduces the DFSN freeze time, but doesn't solve the problem.
Problem also occurs with Windows Server 2012 R2 as DFSN-server.
There is a registry key available for clients to avoid the reponse to the change notification (NoRemoteChangeNotify, see http://support.microsoft.com/kb/812669/en-us)
This might fix the problem with DFSN, but results in other problems for the users. For example, they have to press F5 for refreshing every remote directory on change.
Is there a possibility to disable the SMB change notification on server side ?
TIA and regards,
Ralf Gaudes