Sometimes in a large environment and during an intense logon session window, WMI service on the DC runs out of memory and causes other tasks to be seriously limited. If the setup has a detailed audit policy, the problem with each event log entry would have been passed and passed from the event log service to the WMI provider, and then back through WMI before being delivered at the initiator (CheckPoint). The large number of event log entries per minute can quickly overwhelm the system.
The eventlog service can be thought of as having big boxes containing event logs. Each eventlog box contains smaller boxes of events which contain even smaller boxes containing event details. The eventlog service is designed to handle large shipments of these boxes, and thus can generate a massive amount of events depending on system activity. In order for WMI to provide the events to a client application each of the nested boxes must be opened and the information from the smallest boxes must be repackaged into WMI Win32_NTLogEvent boxes which each pass via RPC from the WMI eventlog provider, to the WMI service, and then to the requesting application. This repackaging isn’t free, and can cost significant CPU and memory overhead. WMI is a middle-man who provides more convenient method of interfacing with the eventlogs, but this middle-man method increase cost such as memory and CPU time.
To immediately stabilize WMI service, you may have two options.
- Use a dedicate "identity collector" and eliminate native AD Query
OR
- Improve AD Query (WMI requests) with longer waiting periods (Query interval)
HOW TO :
On the gateway, run the command "adlogconfig a" from expert mode. Once in there select Option 18, this parameter is in seconds so you can change this to how many seconds you want it set to, default is 1. After making this change you also need to select Option 1 and Option 17. After making those changes you will need to push policy.
In our live case studied, 3 sec was the perfect setting.