  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3078

Memory leak on Win Svr 2003 and DNS.EXE using 15,000 KB of Nonpaged Pool

I have a DC running Windows Server 2003 (which is also running Exchange since we are a small office) - I have a memory leak and Exchange services are failing when I don't reboot once a day or so. Exch BPA reports a Nonpaged pool leak.

DNS.exe is using 15000k of nonpaged pool which is exponentially more than any other service. I have seen other posts where DNS.exe should be using around 5000k - does anyone know how to troubleshoot?


Thanks,
Bobby
Asked by: ob1_

stressless-IT Commented:
What Exchange are you using?
On the next reboot, do a factory mem test on the RAM. Maybe a bad chip in there.
How many email accounts do you have and what is the Exchange database size?
dns.exe is not Exchange; it is the Domain Name System, turning names into IP addresses. A removal/rebuild of DNS should fix that problem.
 
ob1_ (Author) Commented:
Exchange DB is about 60 GB - 35 users. We actually had 1 bad chip and replaced it. How would I do the mem test on a Dell - boot to a utilities partition of some kind?
 
cyberlopez6 Commented:
Are you running the latest Service Pack for both Windows & Exchange?

I would be surprised if it was DNS that was leaking (assuming you're on SP2). The utility you are using may not report the offending application.

When it comes to non-paged memory, the usual suspect is Anti-Virus, so I would start there. I would also update all device drivers. From there I would examine any other 3rd-party apps. If you still can't figure out which app / driver is causing it by trial-n-error, here are a couple of things you can try.

1. Check the Handle Counts. This can be done with various tools, but Task Manager does just fine. You can add 'Handle Count' to the Process list (View -> Select Columns) and look for any process that's using a very large amount (>5000). Keep in mind, this does not automatically indicate a problem, but a number of say >100,000 would likely indicate the cause.

2. Check the Pooltag with Poolmon (in Support\Tools on the 2003 server CD). Launch this from a cmd prompt, hit B to sort by bytes descending and P to sort the list by the type (Paged, NonPaged, or Both) and you get a real-time view of what's going on. Pay attention to the Tag Name and its Byte Total column to see which process is sucking it up.
  * use poolmon -c to create a file (localtag.txt) with a list of system pool tags
  * read this to find 3rd party pool tags: http://support.microsoft.com/kb/298102/
 
stressless-IT Commented:
Glad to hear that it was a chip as that is the easiest solution and you are correct. When you boot the server I believe it is F12 and then select utility partition.

Your Exchange is getting very large for 35 users. You may want to put mailbox size limits in place. If it gets over 80Gb then it will get flaky. There is a reg hack you can do to increase that to 120 but I do not remember exactly what that is. This limit is removed with Exchange 2007.

I have found out that after a patch to open more ephemeral UDP ports for DNS, the resource usage is greater for DNS.EXE. Read up here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.windows.server.dns&tid=bdae22b8-931d-45e0-919b-0b9e4e6500ee&cat=&lang=&cr=&sloc=&p=1
 
ob1_ (Author) Commented:
I read that post about the DNS patch but saw that normal usage after that was 5000k and mine is 15000k. That was just one example I found though, so who knows. But if system instability occurs after 100mb of nonpaged pool mem being used then I would think 1 process using 15mb would be an issue. The bad memory chip was replaced before the leak occurred - so I don't know if it is another bad chip or not; I will ask Dell how to test them.
Cyberlopez: the tag from poolmon associated with the most nonpaged mem is MmCm "which belongs to the nt!mm driver and Calls made to MmAllocateContiguousMemory" - not sure what that is.
Handle counts are:
System - 8146
dns.exe - 5249
store.exe - 3464

I will try uninstalling Symantec A/V Corp Edition - there are always issues with this crappy software...

Thanks,
Bobby
 
stressless-IT Commented:
About 5k handles for dns.exe is right where it should be.
 
cyberlopez6 Commented:
MmAllocateContiguousMemory is for processes that request memory from the pool but don't have pool tags. It's a catch-all kinda thing. The idea is to find something that stands out. I know it's tough to do when you don't know what "Normal" is, but that's the idea.

Handles look good to me too.

A/V is always my first suspect (although I personally like SAV). Good Luck!
 
ob1_ (Author) Commented:
OK - the next ones down in poolmon when I sort by nonp bytes used are "Irp" with 18235520 and "Mdl" with 17132240. I tried using "strings" from a cmd line to research the tags but I must not have this tool installed on my system - do you know what these tags are associated with?

Thanks,
Bobby
 
cyberlopez6 Commented:
Did you remove the A/V?

IRP stands for I/O Request Packets. This allocation is for drivers. I've checked 3 servers, and haven't found one over 1,700,000. MDL stands for Memory Descriptor List and it is also much higher than it should be. This pool is also allocated by third-party drivers. Keep in mind, Antivirus has to install a File System driver to intercept file system calls. I'm still thinking A/V is the likely culprit.

Have you tried disabling non-critical device drivers in Device Manager? You can use MSCONFIG to turn on non-Microsoft services.

Let's go back to PoolMon. The size of the Non-Paged pool is in the upper right corner labeled:
  Pool N: xxxxxx

This number should stabilize within 30 minutes or so of rebooting. Is it continually climbing? The limit is around 250mb.

The 'Allocs' and 'Frees' columns should be close in size. This is the number of allocations (not the size) that have been requested and released. Also look at the number in parentheses to the right of BYTES. This is the net change of the Bytes. Are they going steadily up?

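The per-tag comparison described in the comment above (Allocs against Frees, and the net change in Bytes), as an added example that is not part of the original thread. It assumes two text snapshots of the poolmon table with whitespace-separated columns Tag, Type, Allocs, Frees, Diff, Bytes, Per Alloc; both snapshots are constructed, with Irp and Mdl starting at the byte counts quoted in the thread.

```python
# Added example (not from the thread): compare two pool snapshots per tag.
# Assumed row layout: Tag Type Allocs Frees Diff Bytes PerAlloc (whitespace separated).
# Constructed snapshots; Irp and Mdl start at the byte counts quoted in the thread.
SNAP_T0 = """
 Tag  Type     Allocs     Frees      Diff     Bytes  Per Alloc
 MmCm Nonp       1200      1100       100  25000000     250000
 Irp  Nonp     900000    860000     40000  18235520        455
 Mdl  Nonp     700000    660000     40000  17132240        428
 File Nonp     500000    495000      5000    760000        152
 CM   Paged     80000     79000      1000  30000000      30000
"""
SNAP_T1 = """
 Tag  Type     Allocs     Frees      Diff     Bytes  Per Alloc
 MmCm Nonp       1210      1110       100  25000000     250000
 Irp  Nonp     960000    915000     45000  20515520        455
 Mdl  Nonp     750000    706000     44000  18844240        428
 File Nonp     520000    515100      4900    744800        152
 CM   Paged     90000     88000      2000  60000000      30000
"""

def parse_snapshot(text):
    """Return {(tag, pool_type): (allocs, frees, bytes)}; non-data lines are skipped."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip the header, blank lines, and rows that do not have five numeric columns.
        if (len(parts) != 7 or parts[1] not in ("Nonp", "Paged")
                or not all(p.isdigit() for p in parts[2:])):
            continue
        allocs, frees, _diff, nbytes, _per = map(int, parts[2:])
        rows[(parts[0], parts[1])] = (allocs, frees, nbytes)
    return rows

def growing_tags(before, after, pool_type="Nonp", min_growth=64 * 1024):
    """Tags whose bytes AND outstanding allocations (allocs - frees) both grew."""
    old, new = parse_snapshot(before), parse_snapshot(after)
    found = []
    for (tag, ptype), (allocs, frees, nbytes) in new.items():
        if ptype != pool_type:
            continue
        o_allocs, o_frees, o_bytes = old.get((tag, ptype), (0, 0, 0))
        d_bytes = nbytes - o_bytes
        d_outstanding = (allocs - frees) - (o_allocs - o_frees)
        if d_bytes >= min_growth and d_outstanding > 0:
            found.append((tag, d_bytes, d_outstanding))
    return sorted(found, key=lambda f: f[1], reverse=True)

if __name__ == "__main__":
    for tag, d_bytes, d_out in growing_tags(SNAP_T0, SNAP_T1):
        print(f"{tag:<5} +{d_bytes} bytes, +{d_out} outstanding allocations")
```

A tag that is large but flat between snapshots (MmCm in the constructed data) is not reported; only tags that keep accumulating unfreed allocations are.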
 
cyberlopez6 Commented:
Also, have you tried the Driver Verifier (Start->Run->verifier)?

http://support.microsoft.com/kb/244617

This may help you identify a leaky driver.
 
ob1_ (Author) Commented:
I just wanted to let you know I have not abandoned this question and will update on Monday - thanks for your help Experts...
 
ob1_ (Author) Commented:
I ran verifier but not sure what I am looking for? I've uninstalled Symantec A/V and the server is rebooting tonight so I will post the results tomorrow. I left Symantec Mail Security for MS Exchange installed on the server since that is pretty critical.
Pool N in poolmon does appear to be climbing but I have not checked consistently. Yesterday over about 30 minutes it went from around 104000K to around 105000K.
Allocs and Frees are all similar - #'s in parentheses are switching back and forth between positive and negative.
Thanks,
Bobby
 
ob1_ (Author) Commented:
I uninstalled SAV and rebooted last night but the server would not come back up. There was a problem with the teaming NIC configuration and I had to delete the NIC team, disable the unused NICs and reconfigure a single adapter.
Between that and uninstalling SAV the server is no longer leaking nonpaged pool memory. I am re-installing SAV tonight and rebooting - then tomorrow I will re-install Symantec System Center and reboot again and hopefully the issue will stay resolved.

Thanks,
Bobby
 
cyberlopez6 Commented:
Check with Symantec to see if the build of SAV you're using is the most current for the version you have. Antivirus products are infamous for having these types of memory leaks.
 
ob1_ (Author) Commented:
Thanks for your help!