Mapping Events in NTFRS Service Logs to Threads in Performance Monitor (224554)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
This article was previously published under Q224554

SUMMARY

The File Replication service (FRS) is a multi-threaded, multi-master replication engine that replaces the LMREPL (LAN Manager Replication) service in Microsoft Windows NT versions 3.x and 4.0. Windows 2000 domain controllers and servers use FRS to replicate system policies and login scripts for Windows 2000 and down-level clients.

FRS can also replicate content between Windows 2000 servers hosting the same fault-tolerant Distributed File System (DFS) roots or child node replicas.

FRS creates detailed service logs in the %SystemRoot%\Debug folder that can be useful when troubleshooting or optimizing the NTFRS service. This article describes how to match FRS threads in the service logs to those in Performance Monitor.

MORE INFORMATION

The FRS logs (NtFrs_0005 through NtFrs_0001) contain detailed information about the operation of FRS.

Performance Monitor and System Monitor provide detailed performance monitoring of Windows 2000 components, including the Current Thread Priority and Percent Processor Utilization for each of the NTFRS threads.

Because both the service logs and Performance Monitor record thread IDs for FRS, it is possible to correlate events and threads in performance logs with those in the service logs, and vice-versa.

Mapping Threads in Performance Monitor and Service Logs

By default, FRS creates five service logs in the %SystemRoot%\Debug folder. Log files have the following format:

Name of function + thread ID + line # in code + debug log severity + time + message

For multi-threaded services, Performance Monitor and SYSMON record each instance of the thread, which in turn can be resolved to a thread ID. Thread IDs of interest in SYSMON can be resolved to threads in the service logs, and vice-versa.

Example

  1. Performance Monitor shows that processor utilization (Processor: Percent Processor Time)on a Windows 2000 domain controller has increased from 10 percent average utilization to 50 percent processor utilization.
  2. Processor utilization for all processes (Process: Percent Processor Time) are observed. NTFRS is one of the dominant processes.
  3. To find the thread(s) or event(s) responsible for the increased processor utilization, observe the percent processor time (Thread: Percent Processor Time) and thread priority (Thread: Priority Current) for all instances of NTFRS. Record the instance ID(s) for the dominant process(es).
  4. Add the ID Thread counter for the dominant instances observed above to obtain the thread ID.
  5. Search the same time period in the NTFRS service logs for the target computer to resolve to a specific thread or event. Processor-intensive tasks include outbound log or change order processing.
Modification Type:MajorLast Reviewed:11/13/2003
Keywords:kbhowto KB224554
©2003 Microsoft Corporation. All rights reserved.