AFP and CPU Saturation

[calisurf]

I am witnessing two problems and I am not sure if they are connected to one another. I am running a pretty standard setup:

1- 10.2.6 Server (Parent)
3- 10.2.6 Servers (Child) RAID 5 Towers connected wide Ultra SCSI (Users Home directories reside on these towers)
300 10.2.6 Clients (2000 User Accts)
100MB to the desktop

Each students home directory (20mb) is mounted remotely and the client is managed with WGM. Students are using mostly Safari and Office and we are seeing very sporadic log-in times. (20s-5min) When and if the students get connected to the server, I am seeing the CPU on the child servers pegged at about 60-85%. Checking processes I can see that it is strictly AFP that is utilitizing the CPU. Again, the only applications being used are Safari and MS Office. Should I pushing the Safari cache to the local HD?

As you can imagine, our iBook carts that are connecting via Airport take even longer to log-in.

One last thing, I do have DNS configured.

[johnkharrison]

I am in the same boat. I have a four server setup- one parent/directory server and three child servers. all servers are maxed out with RAM and are dual processor models (1.4GHZ parent, 800MHZ child, 2X533MHZ child) The parent server is getting heavy CPU usage from AFP with around 130 users. The other servers have about 45 users logged in at one time with acceptable levels on the CPU. I have group folders and users distributed pretty evenly according to the processing power of each server. The entire netinfo directory has about 1000 users total for a school with about 650 “real” users.

Ironically, the dual 533 servers are mounting shares and homes as well as fully logging in up to a minute faster than the 800 and the 1.4 GHZ servers are with their repective users. I am having a very tough time with networked home folders and automounts through wireless. We have a mixed Airport Extreme and Cisco Aironet 350 Series WEP network channeled accordingly and named with the same SSID. When walking around the school with a local user login on a client iBook- the signal strength is more than adequate and machines are retaining DHCP IP addresses wherever they roam. However; logging in through wireless as a networked user is nightmarish. Authentication is unacceptably slow- taking up to 4 minutes per log in. In some instances, MCX prefs are binding, but group shares and home folders are not always mounting. My “new” improved setup is twice as slow as OS 9.22 with Foolproof Control Server. My 1.4GHZ DP G4 parent server stopped authenticating last Tuesday afternoon and needed a restart. Logs indicated no serious error…?!@

This is not what I was expecting. How would we cache Safari to the local HD on a networked user? for Office? It is too late now to reimage the school….

[calisurf]

I am assuming that these setups are working at other locations because there is no way that Apple could be selling this in good faith. I am also seeing the sporadic mounting of home directories and extremely long log-in times.

I am not sure how to fix the Office and Safari caching issues under MCX? I am working on some possible scripts to do this and I will let you know if I find anything.

[johnkharrison]

According to my PC IT guy counterpart, we have reverse and forward DNS in our school. However, I didn’t set it up and it is running on an older Win NT 4.5 Servers. I am no NT or DNS expert, but from what I can tell it is doing what it should be. The NT server is assigning client machines DNS names- as well as the servers. Is there anything in particular I can check to verify that it is in fact configured and functioning correctly?I can look on the NT server and make setting changes if necessary.

I do not have DNS running from the OS X servers because I did not want to conflict with the NT DNS setup.

In addition to the wireless “slowdown”- I’m not seeing the login problems through 100baseT wired connections on desktop machines so much. The dual533 servers are still slightly faster on logins, globally speaking.

[johnkharrison]

We have advanced logins.. Password server.

[calisurf]

I have one internal DNS server that does do forward and reverse lookups for the servers. The clients also use the same box.

I am using basic passwords.

[calisurf]

dig -x ipaddressofclient –> 23msec

I checked all servers for both forward and reverse DNS. Everything was working as it should.

I am statically binding clients to the server with IP.

My parent machine at peak shows a 15% CPU usage. My child servers are having major problems with CPU usage. (30 students connected, 80-95% CPU Usage, top commands show AFP process as being the culprit.)

I am just a consultant for this district and yesterday I went digging around and found some interesting network configurations. For example, I found one 100mb connection split via a 3Com Hub, so that 32 MacOS X clients could have connectivity. Might this be a problem? or part of the slowdown?

[Anonymous]

thanks. i have isolated one problem with the wireless connectivity today. i had 20 ibooks set up in a classroom with ridiculous network login times- sometimes 6 minutes+ half of the machines were connecting to one cisco 350 aironet channeled on 3, the other half were connecting to an airport extreme in one room over, channel 6. same hidden SSID and 128-bit encryption key. just out of curiousity, i unplugged the cisco antenna. i restarted the iBooks to get a fresh connection and BOOM- they are flying. logins in less than a minute. i swapped the aironet with another. same configuration. on restart, same problem. so for now the aironets are unplugged. is there some science we could be missing with the config? is cisco’s 802.11b standard really the standard? in other parts of the school where there are only cisco aironets- the problem doesn’t exist. so there is some kind of conflict between airport extreme and cisco aironet protocols perhaps?

the clients are all binding with the netinfo parent with a static IP.

i will dig tomorrow to make sure the DNS is reverse/forward. thanks for the tip.

[Anonymous]

The load on the wireless network is medium. We have 120+ iBooks, 5 Powerbooks and 11 PC laptops. We have 12 Apple Airport Extremes and 5 Cisco 350 Aironets. All Cisco/Apple antennas are on 100baseT connections directly to the central switches, where fiber connects them to our ISP. Each access point is channeled at least 3 channels apart from one another. Where the Aironets and Airports are close in proximity, I have interference robustness turned on. All are on a multicast rate of 2mbps. Same SSID and WEP key.

The school is a medium sized elementary school. 24 classrooms, three floors, with solid masonry and brick construction. That has posed some issues that we’ve alleviated by moving access points around to centralized locations. With local logins to client machines, network connections fly. Networked logins are the problem.

[johnkharrison]

hmmm…
dig indicates:

;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;; 69.1.12.10.in-addr.arpa, type = ANY, class = IN

;; AUTHORITY SECTION:
10.in-addr.arpa. 1W IN SOA prisoner.iana.org. hostmaster.root-servers.org. (
2002040800 ; serial
30M ; refresh
15M ; retry
1W ; expiry
1W ) ; minimum

;; Total query time: 438 msec

[johnkharrison]

So I can run DNS off my OS X parent server and it won’t conflict with the existing DNS in our domain? I’m willing to try it. Any recommendations for the configuration?

[Anonymous]

So the lack of reverse records could be slowing down the client machines that much?

[calisurf]

Some of our client machines do not have reverse records and I believed that could be the problem. When I asked our network people here is the response I received:

“These clients are supposed to be NATTED and on DHCP, and they should not have a reverse DNS entry in DNS. If you need to have a PTR for the router address(i.e., NATTED address for the client), we can add the PTR record.”

Would any of this affect the performance of our client machines?

Thanks for any help or suggestions.

[Anonymous]

Joel, what you are saying is that I should request that the clients have a reverse DNS entry even though the network folks are saying they don’t need them?

[calisurf]

Now, the network folks are claiming that the router does have a PTR record. But when I issue a dig command from a client I recieve the following back which I thought showed proved my point of no reverse records.

Thoughts?

; <<>> DiG 8.3 <<>> -x
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;; 133.12.18.172.in-addr.arpa, type = ANY, class = IN

;; AUTHORITY SECTION:
18.172.in-addr.arpa. 3H IN SOA prisoner.iana.org. hostmaster.root-servers.org. (
2002040800 ; serial
30M ; refresh
15M ; retry
1W ; expiry
1W ) ; minimum

;; Total query time: 227 msec

[Author]

Posts