Home
  •  

Performance Measuring: NACKs/sec.

Performance_Measuring__NACKs_sec._1_Rule (Rule)

Knowledge Base article:

Management Pack
Summary

This counter measures the number of DHCP Negative Acknowledgment (DHCPNAK) messages sent per second by the DHCP 2000 Server to clients. A DHCP Negative Acknowledgment message is sent by a DHCP 2000 Server to a client to indicate that the IP address that the client requested is not correct for the local IP network served by the DHCP 2000 Server.

Typically, this counter indicates when a client computer is moved to a new location. It can also indicate that the client’s lease with the server has expired. However, a very high increase in the value of this counter might indicate misconfiguration of the DHCP 2000 Server or an issue with DHCP clients. An extremely high number of DHCPNAK messages can indicate an attack on the DHCP 2000 Server.

 
Causes

Misconfiguration of the DHCP 2000 Server (such as that caused by a deactivated scope), an attack on the DHCP 2000 Server, or a DHCP client networking issue (such as Client A trying to request an address that is leased to Client B) can trigger this alert.

However, a high value might be a normal occurrence, such as when the alert is triggered by a large number of laptops or other mobile devices moving between subnets.

 
Resolutions

Check the values of the ACKs/sec counter and the Requests/sec counter. The number of ACKs/sec plus the number of NACKs/sec should be about equal to the number of Requests/sec plus the number of Informs/sec.

  • ACKS/sec is the number of DHCP Acknowledgment (DHCPAck) messages sent per second by the DHCP 2000 Server to clients.
  • Requests/sec is the number of DHCP Request (DHCPRequest) messages received per second by the DHCP 2000 Server from clients to request or renew the lease of client IP addresses.
  • Informs/sec is the number of DHCP Inform (DHCPInform) messages received per second by the DHCP 2000 Server, which uses DHCPInform messages to query the directory service for the enterprise root and to perform dynamic updates for clients.

To resolve a high value for this alert:

  • Check the DHCP 2000 Server configuration. For example, ensure that a scope is not mistakenly deactivated.
  • Investigate whether users are moving a large number of laptops or other mobile devices between subnets. If this occurs frequently, consider raising the threshold level.
  • If the counter records an extremely high number of DHCP Negative Acknowledgment messages, contact a network administrator responsible for security about investigating whether an attack is being made on the DHCP 2000 Server. If an attack occurs, work with the network security team to stop the attack.
 
© 2000-2004 Microsoft Corporation, all rights reserved.

Element properties:

TargetMicrosoft.Windows.Server.DHCP.Microsoft_Windows_2000_DHCP_Servers_Installation
CategoryPerformanceCollection
EnabledTrue
Instance NameDHCP Server
Counter NameNacks/sec
Frequency900
Alert GenerateFalse
RemotableTrue
CommentMom2005ID='{10E990D0-1ADD-4D5E-91F0-2CF2B0D449F9}';MOM2005ComputerGroupID={37B5AB26-6DE0-11D3-945C-0090275A5879}

Member Modules:

ID Module Type TypeId RunAs 
_00A93B87_2EE6_43C6_8D37_AE20679C3C6E_ DataSource System.Mom.BackwardCompatibility.Performance.FilteredDataProvider Default
CollectPerfData WriteAction Microsoft.SystemCenter.CollectPerformanceData Default
CollectPerfDataWarehouse WriteAction Microsoft.SystemCenter.DataWarehouse.PublishPerformanceData Default
GenerateAlert WriteAction System.Mom.BackwardCompatibility.AlertResponse Default

Source Code:

<Rule ID="Performance_Measuring__NACKs_sec._1_Rule" Target="Microsoft.Windows.Server.DHCP.Microsoft_Windows_2000_DHCP_Servers_Installation" Enabled="true" ConfirmDelivery="false" Comment="Mom2005ID='{10E990D0-1ADD-4D5E-91F0-2CF2B0D449F9}';MOM2005ComputerGroupID={37B5AB26-6DE0-11D3-945C-0090275A5879}">

  <Category>PerformanceCollection</Category>

  <DataSources>

    <DataSource ID="_00A93B87_2EE6_43C6_8D37_AE20679C3C6E_" Comment="{00A93B87-2EE6-43C6-8D37-AE20679C3C6E}" TypeID="MomBackwardCompatibility!System.Mom.BackwardCompatibility.Performance.FilteredDataProvider">

      <ComputerName>$Target/Host/Property[Type="WindowsLibrary!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

      <CounterName>Nacks/sec</CounterName>

      <ObjectName>DHCP Server</ObjectName>

      <Frequency>900</Frequency>

      <Expression/>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="GenerateAlert" TypeID="MomBackwardCompatibility!System.Mom.BackwardCompatibility.AlertResponse">

      <AlertGeneration>

        <GenerateAlert>false</GenerateAlert>

      </AlertGeneration>

      <InvokerType>1</InvokerType>

    </WriteAction>

    <WriteAction ID="CollectPerfData" TypeID="SystemCenterLibrary!Microsoft.SystemCenter.CollectPerformanceData"/>

    <WriteAction ID="CollectPerfDataWarehouse" TypeID="DataWarehouseLibrary!Microsoft.SystemCenter.DataWarehouse.PublishPerformanceData"/>

  </WriteActions>

</Rule>