Solved

Memory leak on Win Svr 2003 and DNS.EXE using 15,000 KB of Nonpaged Pool

Posted on 2010-01-11
Last Modified: 2012-06-27
I have a DC running Windows Server 2003 (which is also running Exchange since we are a small office) - I have a memory leak and Exchange services are failing when I don't reboot once a day or so. Exch BPA reports a Nonpaged pool leak.

DNS.exe is using 15000k of nonpaged pool which is exponentially more than any other service. I have seen other posts where DNS.exe should be using around 5000k - does anyone know how to troubleshoot?


Thanks,
Bobby
Question by:ob1_
 
LVL 4

Expert Comment

by:stressless-IT
ID: 26286002
What Exchange are you using?
On the next reboot do a factory mem test on the RAM. Maybe a bad chip in there.
How many email accounts do you have and what is the Exchange database size?
dns.exe is not Exchange but it is Domain Name System, turning names into IP addresses. A removal/rebuild of DNS should fix that problem.
0
 
LVL 6

Author Comment

by:ob1_
ID: 26289056
Exchange DB is about 60 GB - 35 users. We actually had 1 bad chip and replaced it. How would I do the mem test on a Dell - boot to a utilities partition of some kind?
0
 
LVL 8

Expert Comment

by:cyberlopez6
ID: 26297317
Are you running the latest Service Pack for both Windows & Exchange?

I would be surprised if it was DNS that was leaking (assuming you're on SP2).  The utility you are using may not report the offending application.

When it comes to non-paged memory, the usual suspect is Anti-Virus so I would start there. I would also update all device drivers. From there I would examine any other 3rd-party apps. If you still can't figure out which app / driver is causing it by trial-n-error, here are a couple of things you can try.

1. Check the Handle Counts.  This can be done with various tools, but Task Manager does just fine.  You can add 'Handle Count' to the Process list (View -> Select Columns) and look for any process that's using a very large amount (>5000).  Keep in mind, this does not automatically indicate a problem, but a number of say >100,000 would likely indicate the cause.

2. Check the Pooltag with Poolmon (in Support\Tools on the 2003 server CD). Launch this from a cmd prompt, hit B to sort by bytes descending and P to sort the list by the type (Paged, NonPaged, or Both) and you get a real-time view of what's going on.  Pay attention to the Tag Name and its Byte Total column to see which process is sucking it up.
  * use poolmon -c  to create a file (localtag.txt) with a list of system pool tags
  * read this to find 3rd party pool tags: http://support.microsoft.com/kb/298102/
0
 
LVL 4

Expert Comment

by:stressless-IT
ID: 26304884
Glad to hear that it was a chip as that is the easiest solution and you are correct. When you boot the server I believe it is F12 and then select utility partition.

Your Exchange is getting very large for 35 users. You may want to put mailbox size limits in place. If it gets over 80Gb then it will get flaky. There is a reg hack you can do to increase that to 120 but I do not remember exactly what that is. This limit is removed with Exchange 2007.

I have found out that after a patch to open more ephemeral UDP ports for DNS the resource usage is greater for DNS.EXE. Read up here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.windows.server.dns&tid=bdae22b8-931d-45e0-919b-0b9e4e6500ee&cat=&lang=&cr=&sloc=&p=1
0
 
LVL 6

Author Comment

by:ob1_
ID: 26305270
I read that post about the DNS patch but saw that normal usage after that was 5000k and mine is 15000k. That was just one example I found though so who knows. But if system instability occurs after 100mb of nonpaged pool mem being used then I would think 1 process using 15mb would be an issue. The bad memory chip was replaced before the leak occurred - so I don't know if it is another bad chip or not, I will ask Dell how to test them.
Cyberlopez: the tag from poolmon associated with the most nonpaged mem is MmCm "which belongs to the nt!mm driver and Calls made to MmAllocateContiguousMemory" - not sure what that is.
Handle counts are:
System - 8146
dns.exe - 5249
store.exe - 3464

I will try uninstalling Symantec A/V Corp Edition - there are always issues with this crappy software...

Thanks,
Bobby
0
 
LVL 4

Expert Comment

by:stressless-IT
ID: 26305329
About 5k handles for dns.exe is right where it should be.
0
 
LVL 8

Expert Comment

by:cyberlopez6
ID: 26305413
MmAllocateContiguousMemory is for processes that request memory from the pool but don't have pool tags.  It's a catch-all kinda thing.  The idea is to find something that stands out. I know it's tough to do when you don't know what "Normal" is, but that's the idea.

Handles look good to me too.

A/V is always my first suspect (although I personally like SAV).  Good Luck!
0
 
LVL 6

Author Comment

by:ob1_
ID: 26306171
OK - the next ones down in poolmon when I sort by nonp bytes used are "Irp" with 18235520 and "Mdl" with 17132240. I tried using "strings" from a cmd line to research the tags but I must not have this tool installed on my system - do you know what these tags are associated with?
 
thanks,
Bobby
0
 
LVL 8

Expert Comment

by:cyberlopez6
ID: 26307210
Did you remove the A/V?  

IRP stands for I/O Request Packets.  This allocation is for drivers.  I've checked 3 servers, and haven't found one over 1,700,000.  MDL stands for Memory Descriptor List and it is also much higher than it should be.  This pool is also allocated by third-party drivers.  Keep in mind, Antivirus has to install a File System driver to intercept file system calls.  I'm still thinking A/V is the likely culprit.

Have you tried disabling non-critical device drivers in Device Manager?  You can use MSCONFIG to turn on non-Microsoft services.

Let's go back to PoolMon.  The size of the Non-Paged pool is in the upper right corner labeled:  
  Pool N: xxxxxx

This number should stabilize within 30 minutes or so of rebooting.  Is it continually climbing?  The limit is around 250mb.

The 'Allocs' and 'Frees' columns should be close in size. This is the number of allocations (not the size) that have been requested and released.  Also look at the number in parenthesis to the right of BYTES.  This is the net change of the Bytes. Are they going steadily up?

0
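
The comparison described in the comments above (nonpaged bytes per tag, Allocs against Frees, and whether the totals keep climbing), as an added Python example that is not part of the original thread: it diffs two pool snapshots saved as text. The column layout and every sample row are constructed for illustration and are assumptions, not real poolmon output from this server.

```python
import re

# Constructed snapshots (not real poolmon output); assumed columns:
# Tag, Type, Allocs, Frees, Diff, Bytes.
SNAP_EARLY = """\
 Tag  Type     Allocs      Frees     Diff      Bytes
 Irp  Nonp    5120000    5100000    20000    9117760
 Mdl  Nonp    4200000    4185000    15000    8566120
 MmCm Nonp        410        380       30   15360000
 Ntfs Paged    900000     899000     1000    2048000
"""
SNAP_LATE = """\
 Tag  Type     Allocs      Frees     Diff      Bytes
 Irp  Nonp    9800000    9760000    40000   18235520
 Mdl  Nonp    8100000    8070000    30000   17132240
 MmCm Nonp        412        382       30   15360000
 Ntfs Paged   1700000    1699100      900    1843200
"""

ROW = re.compile(r"^\s*(\S{1,4})\s+(Nonp|Paged)\s+(\d+)\s+(\d+)\s+(-?\d+)\s+(\d+)")

def parse_snapshot(text):
    """Return {(tag, pool_type): counters} for every data row; headers are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            tag, pool, allocs, frees, _diff, nbytes = m.groups()
            rows[(tag, pool)] = {"allocs": int(allocs), "frees": int(frees), "bytes": int(nbytes)}
    return rows

def growing_nonpaged_tags(early, late, min_growth=1_000_000):
    """Nonpaged tags whose bytes AND outstanding allocations rose between snapshots."""
    old_rows, new_rows = parse_snapshot(early), parse_snapshot(late)
    suspects = []
    for (tag, pool), new in new_rows.items():
        old = old_rows.get((tag, pool))
        if pool != "Nonp" or old is None:
            continue  # paged pool, or a tag with no baseline to compare against
        byte_growth = new["bytes"] - old["bytes"]
        outstanding = (new["allocs"] - new["frees"]) - (old["allocs"] - old["frees"])
        if byte_growth >= min_growth and outstanding > 0:
            suspects.append((tag, byte_growth, outstanding))
    return sorted(suspects, key=lambda s: s[1], reverse=True)

if __name__ == "__main__":
    for tag, grew, outstanding in growing_nonpaged_tags(SNAP_EARLY, SNAP_LATE):
        print(f"{tag}: +{grew} bytes, +{outstanding} allocations not yet freed")
```

A tag that is large but flat between snapshots (MmCm in the constructed data) is not reported; only tags that are still growing are.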
 
LVL 8

Expert Comment

by:cyberlopez6
ID: 26307428
Also, have you tried the Driver Verifier (Start->Run->verifier)?

http://support.microsoft.com/kb/244617

This may help you identify a leaky driver.
0
 
LVL 6

Author Comment

by:ob1_
ID: 26324320
I just wanted to let you know I have not abandoned this question and will update on Monday - thanks for your help Experts...
0
 
LVL 6

Author Comment

by:ob1_
ID: 26354015
I ran verifier but not sure what I am looking for? I've uninstalled Symantec A/V and the server is rebooting tonight so I will post the results tomorrow. I left Symantec Mail Security for MS Exchange installed on the server since that is pretty critical.
Pool N in poolmon does appear to be climbing but I have not checked consistently. Yesterday over about 30 minutes it went from around 104000K to around 105000K.
Allocs and Frees are all similar - #'s in parenthesis are switching back and forth between positive and negative.
Thanks,
Bobby
0
 
LVL 6

Author Comment

by:ob1_
ID: 26365706
I uninstalled SAV and rebooted last night but the server would not come back up. There was a problem with the teaming NIC configuration and I had to delete the NIC team, disable the unused NICs and reconfigure a single adapter.
Between that and uninstalling SAV the server is no longer leaking nonpaged pool memory. I am re-installing SAV tonight and rebooting - then tomorrow I will re-install Symantec System Center and reboot again and hopefully the issue will stay resolved.
 
Thanks,
Bobby
0
 
LVL 8

Accepted Solution

by:
cyberlopez6 earned 2000 total points
ID: 26366669
Check with Symantec to see if the build of SAV you're using is the most current for the version you have.  Antivirus products are infamous for having these types of memory leaks.
0
 
LVL 6

Author Closing Comment

by:ob1_
ID: 31675558
Thanks for your help!
0
