From: SC Admin on 20 Aug 2005 23:52

Two Computers
-------------
OS: Microsoft Windows Server 2003
Service Pack Level: SP1
Memory: 1GB

Ever since the last time our domain controllers were restarted, there have been severe memory leaks on both of them, causing them to slow down and eventually stop responding. We assumed that the problem was the hotfixes that were recently applied (10 Aug 2005) and we uninstalled them. This fixed it for a while, but it's happening again.

The following error was logged over and over in the System Event Log until the server died.

Event Source: SRV
Event ID: 2019
"The server was unable to allocate from the system nonpaged pool because the pool was empty."

We installed poolmon.exe, and took all the necessary steps to configure it. Now that it's installed, it has become obvious that a kernel driver with the tag NtFC is using up a lot of the non-paged pool and not freeing it. The difference keeps getting bigger and bigger until the server dies.

For some reason, our version of poolmon does not support the switch that shows to what driver the given tag is mapped. However, judging by examples on the Microsoft website, it's mapped to ntfs.sys - Create.c.

What would be recommended to solve this problem? Should we replace ntfs.sys, and if so, with what and how? This problem is causing network outages frequently and I would really love to deal with it as soon as possible.

If anyone has any comments or suggestions, I'd love to hear them.

From: SC Admin on 21 Aug 2005 23:10

Well, we completely removed those two DCs and replaced them with new ones. Dirty, but it works, and the network is looking more error-free than ever.

We surmised that it may have been caused by one server's "imminent hard disk failure" as diagnosed by "SMART Drive". Perhaps an AD file was corrupted and replicated? Who knows. A semantic analysis did fix an issue on the new DCs so very possibly.

From: SC Admin on 21 Aug 2005 23:47

Well, we definitely solved the problem. It was Symantec Antivirus 10 Corporate Edition, which we installed on the server. After it was installed, the difference went up, NtFC allocating 8 pages every few minutes, releasing 6 at the same time.

When AntiVirus was uninstalled, the difference went to 0 and stayed there, thank God. We're not sure what caused this to happen, as AntiVirus was installed for a while; our top two guesses are Group Policy and a recent Microsoft patch. Who knows?

So it's a word to the wise. We're not sure if anyone else is having this problem, but if you are: Try uninstalling AntiVirus. It can't hurt if you do it temporarily and if it's the problem... leave it off.

>.>

From: Mike Drechsler - SPAM PROTECTED EMAIL on 22 Aug 2005 00:02

SC Admin wrote:
> Well, we definitely solved the problem. It was Symantec Antivirus 10
> Corporate Edition, which we installed on the server. After it was
> installed, the difference went up, NtFC allocating 8 pages every few
> minutes, releasing 6 at the same time.
>
> When AntiVirus was uninstalled, the difference went to 0 and stayed
> there, thank God. We're not sure what caused this to happen, as
> AntiVirus was installed for a while; our top two guesses are Group
> Policy and a recent Microsoft patch. Who knows?
>
> So it's a word to the wise. We're not sure if anyone else is having
> this problem, but if you are: Try uninstalling AntiVirus. It can't
> hurt if you do it temporarily and if it's the problem... leave it off.
>
> >.>

There may be a newer release of Antivirus 10 you can download from Symantec.

https://fileconnect.symantec.com/licenselogin.jsp?locale=1

There were at least 2 releases of version 10. If you were running the earlier version it may have been fixed.

--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)

From: SC Admin on 25 Aug 2005 10:55

Thanks for the tip! We'll try it (we're resurrecting the old ones because they're server-class machines) and we'll post updates.

And note: I'm not recommending no one use Anti-Virus (we have a non-Symantec program running) but this is just what solved our problem.
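
The first post finds the leak by watching the difference between allocations and frees for one pool tag keep growing. As an added example (not from the thread; the snapshot rows are constructed, and the column layout Tag, Type, Allocs, Frees, Diff, Bytes, Per Alloc is an assumption about the saved pool-tag listing), this Python script compares two such listings and ranks nonpaged tags by growth:

```python
"""Rank nonpaged-pool tags by growth between two pool-tag snapshots."""

# Constructed sample data, not from the thread. Assumed layout (whitespace
# separated): Tag Type Allocs Frees Diff Bytes PerAlloc. Tags that contain
# spaces would need fixed-width parsing instead of split().
SNAP_EARLY = """\
 Tag  Type     Allocs     Frees      Diff     Bytes  Per Alloc
 NtFC Nonp      80000     60000     20000   3200000        160
 File Nonp     500000    498000      2000    304000        152
 MmSt Paged    120000    119000      1000    900000        900
"""
SNAP_LATE = """\
 Tag  Type     Allocs     Frees      Diff     Bytes  Per Alloc
 NtFC Nonp     160000    120000     40000   6400000        160
 File Nonp     900000    897990      2010    305520        152
 MmSt Paged    200000    199000      1000    900000        900
"""


def parse_snapshot(text, pool="Nonp"):
    """Return {tag: (allocs, frees, diff, bytes)} for rows of one pool type."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[1] != pool:
            continue  # header, blank line, or a different pool type
        try:
            rows[parts[0]] = tuple(int(p) for p in parts[2:6])
        except ValueError:
            continue  # malformed row
    return rows


def growth(early, late, min_bytes=0):
    """List (tag, bytes_grown, diff_grown, freed_ratio), largest growth first."""
    out = []
    for tag, (a2, f2, d2, b2) in late.items():
        a1, f1, d1, b1 = early.get(tag, (0, 0, 0, 0))
        new_allocs = a2 - a1
        if new_allocs <= 0 or b2 - b1 <= min_bytes:
            continue  # idle tag, or growth below the reporting threshold
        # A freed_ratio well below 1.0 means new allocations are not released.
        out.append((tag, b2 - b1, d2 - d1, round((f2 - f1) / new_allocs, 2)))
    return sorted(out, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for row in growth(parse_snapshot(SNAP_EARLY), parse_snapshot(SNAP_LATE)):
        print("%-4s bytes+%d diff+%d freed_ratio=%.2f" % row)
```

A tag whose byte count climbs between snapshots while its freed ratio stays well under 1.0 is the candidate to trace back to a driver.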