• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2505

AD Server CPU Spike 100%

During the past year the CPU of my secondary AD server, running Windows 2003 Server, spiked to 100% 2 times, once in Oct and again in Dec, at the same time, 8.00AM. This AD server also authenticates wireless users. Once rebooted, it's back to normal. My management has requested that I investigate the root cause. Perhaps you experts out there can advise me on how to find the root cause.

What I've done is follow the advice from Microsoft TechNet, "Troubleshooting High CPU Usage on a Domain Controller", at this link: http://technet.microsoft.com/en-us/library/bb727054.aspx. I've checked the processes and found that svchost.exe, PID 984, is the one that makes the CPU spike to 100%.
Asked: Panda 5888
2 Solutions
 
Thomas Grassi (Systems Administrator) Commented:
How much memory does it have?
I had a similar issue until I uninstalled SQL and a few other services.

What do you run on this box?
 
wolfcamel Commented:
Next time it happens, go to Task Manager, find the svchost with the high CPU and matching PID, right click and go to service - this will give you an idea which service is actually going haywire.
svchost is used by a lot of services.

I have seen this on 2003 server if your event logs are very large, but it could be anything.
 
Panda 5888 (Engineer, Author) Commented:
Dear trgrassijr55,

The total memory for this server is 4GB and the svchost.exe took 45512k memory.
Can you share with me which other related services you've uninstalled?

This is the secondary AD server in case the primary is down, and at the same time it authenticates wireless users as well.
FYI this server is running under VM. If the CPU spikes, all wireless users are not able to authenticate, and after a reboot it's back to normal.

Dear wolfcamel,

I'm using Windows 2003 and there is no option for me to right click and then go to service. Are there any other tools that can do so? Please advise.
 
wolfcamel Commented:
From a command prompt...
TASKLIST /SVC /FI "IMAGENAME EQ SVCHOST.EXE"

This should help you.
 
arnold Commented:
You can look at the security event log to see the source of the requests. Using Process Explorer from sysinternals.com you could see what network traffic the process is seeing. With Process Monitor, from the same site, you could monitor what resources are being used by the process.

The difficulty is that you have to capture the data as it is occurring.

As another suggestion, what other resources/functions does the system provide?
 
Thomas Grassi (Systems Administrator) Commented:
Panda,

My server too only had 4 GB. After uninstalling SQL and Kaspersky Server anti virus, my utilization dropped drastically.

Do you run any anti virus protection on the server?
 
Panda 5888 (Engineer, Author) Commented:
Thanks all for your advice, really appreciate it. There is SQL 2005 installed on my server; comparing with my primary AD server, there is no SQL installed there. I will stop the SQL service, and what I have already done on my server is disable Windows automatic update and Java update, but I'm not sure whether that is enough to avoid the CPU spike again or not. There is NetBackup software installed but the service is not running. My server is using Symantec Endpoint Protection.

Wolfcamel,

Thanks for the command. I will definitely run the command when it happens again, but I hope there are no more spikes; if not, sure headache again ;)

arnold,

My log doesn't keep that long and doesn't give me a chance to check the security event log, but I will definitely follow your advice when it happens again.
 
arnold Commented:
Check the SEP scanning log to see whether it is scanning the system when the spike occurs.
 
Panda 5888 (Engineer, Author) Commented:
Thanks arnold,

The SEP scan log and risk log are empty, and the system log shows the SEP service stopped at 9.00.45am and started up at 9.08.31am.
 
arnold Commented:
Is 8 am when all the people show up at work?
If it is once a month, there has to be some scheduled task that might be triggering this issue, i.e. a SEP scan that reports back to the manager system.
 
Panda 5888 (Engineer, Author) Commented:
Yes. There is a top management meeting during that time, and my boss highlighted to us that one of the users was not able to connect to wireless in the meeting room because the user was not able to authenticate. I also suspect some scheduled task is triggering the issue but I'm not sure yet which one. Thanks arnold
 
arnold Commented:
Is the second server the one that has the IAS role for wifi RADIUS-based authentication?
Do you only have a single IAS role set up? If the svchost is the one that deals with UDP ports 1645, 1812 (Process Explorer TCP/IP info about the process)
Depending on your wireless router, you might be able to configure two auth/acct servers.
 
Panda 5888 (Engineer, Author) Commented:
Today my server spiked again and below is some data that I've captured. Attached, with the highlight, is the service that makes my CPU spike. Can you guys give me some ideas what this service is all about?
ScreenHunter-02-Jan.-22-09.13.jpg
 
arnold Commented:
The svchost you referenced handles IAS and zero configuration wireless.
The complexity of your rules dealing with how access is granted might explain the issue if all members try to authenticate to wifi at the same time.
 
Panda 5888 (Engineer, Author) Commented:
Dear Arnold,

Seems like you are the only one who has experienced this kind of problem before, and thank you so much for your advice.

If IAS is one of the services that makes the server spike, can you give me some ideas how to overcome this problem? Please help.
 
arnold Commented:
It is difficult to say what is going on, i.e. is the switch/router firing off many RADIUS access-requests that overload the IAS's ability to respond? I.e. the amount of time the router/switch will wait for a response before firing off another. Then how many requests will it fire off before giving up?
Is your router/switch also configured to record accounting data via IAS?
I.e. request, accept, accounting start record.

If you can, test a connection setup while IAS is in debug mode to see how many requests it receives/responds to while the switch/router is reporting how many requests/responses it makes/gets.
Once you have a possible cause for the issue, an approach to resolve the conditions leading to the issue could be made. I.e., have a second IAS instance that will handle the accounting packets.
If you have multiple switches/routers, having a second IAS and configuring half to send to the new one may help.
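
The request/response comparison arnold describes above, as an added example that is not part of the original thread: it counts new Access-Requests, retries (a RADIUS client resends with the same Identifier) and replies per access point. The event tuples, the `ap-meeting`/`ap-lobby` names and the function names are constructed assumptions, not IAS's own log format.

```python
from collections import defaultdict

# Constructed sample (not from the thread): (seconds, NAS, packet type, Identifier).
SAMPLE_EVENTS = [
    (0.0, "ap-meeting", "Access-Request", 17),
    (1.0, "ap-lobby", "Access-Request", 40),
    (1.2, "ap-lobby", "Access-Accept", 40),
    (3.0, "ap-meeting", "Access-Request", 17),   # retry: same Identifier, no reply yet
    (6.0, "ap-meeting", "Access-Request", 17),   # second retry
    (6.4, "ap-meeting", "Access-Accept", 17),
    (7.0, "ap-meeting", "Access-Request", 18),
    (10.0, "ap-meeting", "Access-Request", 18),  # retry that is never answered
]
REPLIES = {"Access-Accept", "Access-Reject", "Access-Challenge"}


def summarize(events):
    """Per NAS: new requests, retransmissions, replies, unanswered, worst reply delay."""
    stats = defaultdict(lambda: {"requests": 0, "retransmits": 0, "replies": 0,
                                 "unanswered": 0, "max_delay": 0.0})
    pending = {}  # (nas, identifier) -> time the request was first seen
    for ts, nas, ptype, ident in sorted(events):
        key, s = (nas, ident), stats[nas]
        if ptype == "Access-Request":
            if key in pending:
                s["retransmits"] += 1  # a retry reuses the Identifier of the original
            else:
                pending[key] = ts
                s["requests"] += 1
        elif ptype in REPLIES and key in pending:
            s["replies"] += 1
            s["max_delay"] = max(s["max_delay"], ts - pending.pop(key))
    for nas, _ident in pending:
        stats[nas]["unanswered"] += 1
    return dict(stats)


def overloaded(stats, ratio=1.0):
    """NAS devices whose retransmissions reach `ratio` times their new requests."""
    return sorted(nas for nas, s in stats.items()
                  if s["requests"] and s["retransmits"] / s["requests"] >= ratio)


if __name__ == "__main__":
    summary = summarize(SAMPLE_EVENTS)
    for nas in sorted(summary):
        print(nas, summary[nas])
    print("retry-heavy:", overloaded(summary))
```

A high retry count with a long worst-case reply delay points at the server answering too slowly for the client's timeout, which is the condition that splitting authentication and accounting across two IAS servers is meant to relieve.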
 
Panda 5888 (Engineer, Author) Commented:
Unfortunately my routers only support one IAS auth/acct server. I will try to transfer all auth/acct servers from the secondary to the primary server and see whether the problem still happens or not. Anyway, thanks arnold for your wise advice. I will post the outcome again.

Do you have any idea if the other services may cause the CPU spike?
 
arnold Commented:
Can you split routers to use different IAS servers?
Which router do you have? Often the auth servers and acct servers are separately configurable.

One thing to try with minimal changes would be to point the router in the conference room to the other IAS.
 
Panda 5888 (Engineer, Author) Commented:
Problem fixed after running full Windows patches.