Welcome, Guest to: Public MPWiki ▼
Welcome to Management Pack Wiki! Your documentation pro for SCOM Management Packs
0 comment(s) Post a comment

Windows Server 2012 Max Concurrent API Monitor Monitor

  • ID:  Microsoft.Windows.Server.2012.MaxConcurrentAPI.Monitor
  • Description:  This monitor alerts when Max Concurrent API condition is reached.
  • Target:  Windows Server 2012 Operating System
  • Enabled:  Yes

Operational States

Name State Description
Max Concurrent API Available Success  
Max Concurrent API Reached Error  

Overridable Parameters

Parameter Name Default Value Description Override
Interval seconds 900 How frequently (in seconds) the value should be sampled.
SyncTime   Synchronization time for the module execution.
Timeout Seconds 300 Expecting time (in seconds) that the module wait to finish the execution.
Threshold Waiters   Limit to consider in calculation.
Threshold Timeouts   Limit to consider in calculation.

Alert Details

Monitor State Message Priority Severity Auto Resolution
Max Concurrent API Reached (Error) Max Concurrent API Reached alert Medium Match Monitor Health Yes

Run As Profiles

Name
Privileged Monitoring Account

Monitor Knowledgebase

Summary

When customers are experiencing Windows Authentication, Exchange, SharePoint + LOB outages due to the low default value for MaxConcurrentAPI, which is a ceiling for the maximum NTLM or Kerberos PAC password validations a server can take care of at a time.

Consider the following scenario:

  • You have one or more forests that have multiple domains.

  • There are combinations of users and resources (such as applications or proxy servers) in different domains.

  • There are lots of NTLM logon requests from remote domain users to a resource server that is running Windows Server 2008 R2.

In this scenario, the NTLM requests time out. For example, Exchange clients do not authenticate to the Exchange server when this issue occurs. Therefore, users cannot access their mailboxes, and Microsoft Outlook seems to stop responding.

Causes

This issue occurs because the NTLM API throttling limit is reached.

Proliferation of devices generating authentication stress is leading to a growing trend of outages in large organizations.

Economy of Scales gained by cloud stresses the windows infrastructure that leverage our Active directory.

BPOS and O365 have already increased this value to 10 and 150 resp. Registry fix has been widely deployed via past CSS case engagements.

Resolutions
  • Raise the MaxConcurrentApi registry value on the server or servers which are seeing the issue. To change the MaxConcurrentApi setting, follow these steps:

    • 1. Click Start, click Run, type regedit, and then click OK.

      2. Locate and then click the following registry subkey:

      3. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

      4. On the Edit menu, point to New, and then click DWORD Value.

      5. Type MaxConcurrentApi, and then press Enter.

      6. On the Edit menu, click Modify.

      7. Type the new MaxConcurrentApi setting in decimal, and then click OK.

      8. At a command prompt, type the following command, and then press Enter:

      9. net stop netlogon

      10. Type the following command, and then press Enter:

      11. net start netlogon

    • Verify that the network between the server and its domain controllers (or trusted domain controllers if the condition was seen on a domain controller) is not seeing any latency. Network latency can cause or exacerbate the concern.

    • For applications and services that are using NTLM, just configure them to use Kerberos authentication instead. The methods to do that will be unique to those applications.

    • If Kerberos PAC validation is seen as a symptom, disable Kerberos PAC validation if the service allows this. This should be done on the server that has the Kerberos sourced system event 7’s appearing.

Note: Kerberos PAC validation cannot be disabled for IIS application pools or for some Exchange-related services.

Note: In order to decide what value to set for the MaxConcurrentApi setting in your environment refer to the Knowledge Base article below.

Knowledge Base Article:2688798

External References
This monitor does not contain any external references.

See Also for Windows Server Operating System Management Pack


Downloads for Windows Server Operating System Management Pack

Post a comment