Solved

AD Server CPU Spike 100%

Posted on 2013-01-07
Last Modified: 2013-03-11
During the past year, my secondary AD server running on Windows 2003 Server had its CPU spike to 100% 2 times, once in Oct and another in Dec, at the same time, 8.00AM. This AD server also authenticates wireless users. Once rebooted, it's back to normal. My management requested that I investigate the root cause. Perhaps you experts out there can advise me how to find the root cause.

What I've done is follow the advice from technet from Microsoft "Troubleshooting High CPU Usage on a Domain Controller" from this link http://technet.microsoft.com/en-us/library/bb727054.aspx and I've checked the process and found svchost.exe PID984 is the one that make the CPU spike to 100%.
Question by:panda5888
19 Comments
 
LVL 23

Expert Comment

by:Thomas Grassi
ID: 38753290
How much memory does it have?
I had similar issue until I uninstalled SQL and a few other services

What do you run on this box?
0
 
LVL 20

Assisted Solution

by:wolfcamel
wolfcamel earned 500 total points
ID: 38753304
next time it happens, go to task manager, find the svchost with the high CPU and matching PID, right click and go to service - this will give you an idea which service is actually going haywire.
svchost is used by a lot of services.

I have seen this on 2003 server if your event logs are very large, but it could be anything.
0
 

Author Comment

by:panda5888
ID: 38753566
Dear trgrassijr55,

The total memory for this server is 4GB and the svchost.exe took 45512k memory.
Can you share with me what other related services you've uninstalled?

this is secondary AD server if the primary down and the same time it is authenticate wireless user as well.
FYI this server is running under VM. If the CPU spike all wireless user not able to authenticate and after rebooted it's back to normal.

Dear wolfcamel,

I'm using windows 2003 and there is no option for me to right click and then go to service. Is there any other tools that can do so. Please advise
0
 
LVL 20

Accepted Solution

by:
wolfcamel earned 500 total points
ID: 38753622
from a command prompt...
TASKLIST /SVC /FI "IMAGENAME EQ SVCHOST.EXE"

this should help you
0
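Added example (not part of the original thread): Python that parses the CSV form of the command above (`/FO CSV` is a standard tasklist switch) and lists the services hosted by one svchost PID, flagging the ones discussed in this thread. The sample output, the service lists and the `WATCH` table are constructed for illustration; only PID 984 comes from the question.

```python
import csv
import io

# Constructed sample of: TASKLIST /SVC /FO CSV /FI "IMAGENAME EQ SVCHOST.EXE"
# PID 984 comes from the question; the service lists are illustrative only.
SAMPLE = '''"Image Name","PID","Services"
"svchost.exe","820","DcomLaunch"
"svchost.exe","984","AudioSrv,CryptSvc,Dhcp,IAS,Schedule,WZCSVC,wuauserv"
"svchost.exe","1040","Dnscache"
"svchost.exe","2216","N/A"
'''

# Short service names relevant to this thread (assumed watch-list, extend as needed).
WATCH = {
    "ias": "Internet Authentication Service (RADIUS)",
    "wzcsvc": "Wireless Zero Configuration",
    "wuauserv": "Automatic Updates",
    "schedule": "Task Scheduler",
}

def parse_tasklist_svc(text):
    """Return {pid: [service, ...]} from tasklist /SVC CSV output."""
    result = {}
    for row in csv.DictReader(io.StringIO(text)):
        pid = (row.get("PID") or "").strip()
        if not pid.isdigit():
            continue  # skip malformed or repeated header rows
        services = row.get("Services") or ""
        names = [s.strip() for s in services.split(",") if s.strip()]
        # tasklist prints N/A when a process hosts no services
        result[int(pid)] = [n for n in names if n.upper() != "N/A"]
    return result

def services_for_pid(text, pid):
    """Services sharing the svchost instance with this PID (empty if unknown)."""
    return parse_tasklist_svc(text).get(pid, [])

def flag_watched(services):
    """Subset of services that appear in the watch-list, with descriptions."""
    return {s: WATCH[s.lower()] for s in services if s.lower() in WATCH}

if __name__ == "__main__":
    hosted = services_for_pid(SAMPLE, 984)
    print("PID 984 hosts:", ", ".join(hosted))
    for name, desc in flag_watched(hosted).items():
        print(f"  watch: {name} ({desc})")
```

Because one svchost instance hosts several services, the list narrows the candidates but does not by itself say which one is consuming the CPU.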
 
LVL 76

Expert Comment

by:arnold
ID: 38753643
You can look at the security event log to see the source of the requests. Using Process Explorer from sysinternals.com, you could see what network traffic the process is seeing. With Process Monitor from the same site, you could monitor what resources are being used by the process.

The difficulty is that you have to capture the data as it is occurring.

As another suggestion, what other resources/functions the system provides.
0
 
LVL 23

Expert Comment

by:Thomas Grassi
ID: 38754557
Panda

My server too only had 4 GB. After uninstalling SQL and Kaspersky Server antivirus, my utilization dropped drastically.

Do you run any antivirus protection on the server?
0
 

Author Comment

by:panda5888
ID: 38757473
Thanks all for your advice, really appreciate it. There is SQL 2005 installed in my server which after compare with my primary ad server there is no SQL install. I will stop SQL service and what I already do at my server site is disable windows automatic update and java update but I'm not sure is enough and can avoid the cpu spike again or not. There is netbackup software installed but the service is not running. My server is using symantec end point protection.

Wolfcamel,

Thanks for the command. Definitely I will run the command when it happen again but I hope no more spike anymore if not sure headache again ;)

arnold,

My log doesn't keep that long and doesn't give me a chance to check the security event log, but I will definitely follow your advice when it happens again.
0
 
LVL 76

Expert Comment

by:arnold
ID: 38757605
Check SEP scanning log to see whether it is scanning system when spike occurs.
0
 

Author Comment

by:panda5888
ID: 38757653
Thanks arnold,

The SEP scan log and risk log is empty and the system log show the sep service stop at 9.00.45am and startup at 9.08.31am
0
 
LVL 76

Expert Comment

by:arnold
ID: 38757737
Is 8 am when all the people show up at work?
If it is a once a month, there has to be some scheduled task that might be triggering this issue. I.e. sep scan that reports back to the manager system.
0
 

Author Comment

by:panda5888
ID: 38757863
Yes. There is a top management meeting during that time, and my boss highlighted to us that one of the users was not able to connect to wireless in the meeting room because the user was not able to authenticate. I also suspect some scheduled task is triggering the issue, but I'm not sure yet which one. Thanks arnold
0
 
LVL 76

Expert Comment

by:arnold
ID: 38757906
Is the second server the one that has the IAS role for wifi RADIUS-based authentication?
Do you only have a single IAS role set up? If the svchost is the one that deals with UDP 1645, 1812 ports (Process Explorer TCP/IP info about the process)
Depending your wireless router, you might be able to configure two auth/acct servers.
0
 

Author Comment

by:panda5888
ID: 38803792
Today my server spiked again and below is some data that I've captured. Attached, with the highlight, is the service that makes my CPU spike. Can you guys give me some ideas what this service is all about?
ScreenHunter-02-Jan.-22-09.13.jpg
0
 
LVL 76

Expert Comment

by:arnold
ID: 38803858
The svchost you referenced handles IAS and zero configuration wireless.
The complexity of your rules dealing with how access is granted might explain the issue if all members try to authenticate to wifi at the same time.
0
 

Author Comment

by:panda5888
ID: 38804164
Dear Arnold,

Seems like you are the only one with experience with this kind of problem before, and thank you so much for your advice.

If the IAS is one of the services make the server spike can you give me some ideas how to overcome this problem. Please help..
0
 
LVL 76

Expert Comment

by:arnold
ID: 38804370
It is difficult to say what is going on, I.e. is the switch/router fires off many radius access-requests that overload the IAS's ability to respond. I.e. the amount of time the router/switch will wait for a response before firing off another. Then how many requests will it fire off before giving up?
Is your router/switch also configured to record accounting data via IAS?
I.e. request, accept, accounting start record.

If you can, test a connection setup while IAS is in debug mode to see how many requests it receives/responds while the switch/router is reporting how many requests/responses it makes/gets.
Once you have a possible cause for the issue, an approach to resolve the conditions leading to the issue could be made. I.e, have a second IAS instance that will handle the accounting packets.
If you have multiple switches/routers, having a second IAS and configuring half to send to the new one may help.
0
 

Author Comment

by:panda5888
ID: 38804430
Unfortunately my routers only support one IAS auth/acct server. I will try to transfer all auth/acct servers from the secondary to the primary server and see whether the problem still happens or not. Anyway, thanks arnold for your wise advice. I will post the outcome again.

Do you have any idea if the other services may cause the cpu spike?
0
 
LVL 76

Expert Comment

by:arnold
ID: 38804474
Can you split routers to use different IAS servers?
Which router do you have? Often the auth servers and acct servers are separately configurable.

One thing to try with minimal changes would be to point the router in the conference room to the other IAS.
0
 

Author Closing Comment

by:panda5888
ID: 38976521
Problem fixed after run full windows patches
0
