Panda 5888

AD Server CPU Spike 100%

During the past year my secondary AD server, running on Windows 2003 Server, had its CPU spike to 100% 2 times, once in Oct and another in Dec, at the same time, 8.00AM. This AD server also authenticates wireless users. Once rebooted it's back to normal. My management requested that I investigate the root cause. Perhaps you experts out there can advise me how to find the root cause.

What I've done is follow the advice from Microsoft TechNet, "Troubleshooting High CPU Usage on a Domain Controller", at this link http://technet.microsoft.com/en-us/library/bb727054.aspx and I've checked the processes and found svchost.exe PID 984 is the one that makes the CPU spike to 100%.
Member_2_6492660_1

How much memory does it have?
I had similar issue until I uninstalled SQL and a few other services

What do you run on this box?
SOLUTION
wolfcamel
This solution is only available to members.
Panda 5888

ASKER

Dear trgrassijr55,

The total memory for this server is 4GB and the svchost.exe took 45512k memory.
Can you share with me what other related services you've uninstalled?

This is the secondary AD server in case the primary is down, and at the same time it authenticates wireless users as well.
FYI this server is running under VM. If the CPU spikes, all wireless users are not able to authenticate, and after a reboot it's back to normal.

Dear wolfcamel,

I'm using Windows 2003 and there is no option for me to right click and then go to service. Are there any other tools that can do so? Please advise.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
arnold

You can look at the security event log to see the source of the requests. Using Process Explorer from sysinternals.com, you could see what network traffic the process is seeing. With Process Monitor, from the same site, you could monitor what resources are being used by the process.

The difficulty is that you have to capture the data as it is occurring.

As another suggestion, what other resources/functions does the system provide?

Panda

My server too only had 4 GB. After uninstalling SQL and Kaspersky Server antivirus

My utilization dropped drastically.

Do you run any antivirus protection on the server?

Thanks all for your advice, really appreciate it. There is SQL 2005 installed on my server, whereas, after comparing with my primary AD server, there is no SQL installed there. I will stop the SQL service, and what I have already done on my server is disable Windows automatic update and Java update, but I'm not sure whether that is enough to avoid the CPU spike again. There is NetBackup software installed but the service is not running. My server is using Symantec Endpoint Protection.

Wolfcamel,

Thanks for the command. I will definitely run the command when it happens again, but I hope there are no more spikes, otherwise it's a headache again ;)

arnold,

My log doesn't keep that long and doesn't give me a chance to check the security event log, but I will definitely follow your advice when it happens again.

Check SEP scanning log to see whether it is scanning system when spike occurs.

Thanks arnold,

The SEP scan log and risk log are empty, and the system log shows the SEP service stopped at 9.00.45am and started up at 9.08.31am.

Is 8 am when all the people show up at work?
If it is a once a month, there has to be some scheduled task that might be triggering this issue. I.e. sep scan that reports back to the manager system.

Yes. There is a top management meeting during that time, and my boss highlighted to us that one of the users was not able to connect to wireless in the meeting room because the user was not able to authenticate. I also suspect some scheduled task is triggering the issue but am not sure yet which one. Thanks arnold

Is the second server the one that has the IAS role for wifi RADIUS-based authentication?
Do you only have a single IAS role set up? If the svchost is the one that deals with UDP 1645, 1812 ports (Process Explorer TCP/IP info about the process)
Depending your wireless router, you might be able to configure two auth/acct servers.

Today my server spiked again and below is some data that I've captured. Attached, with the highlight, is the service that makes my CPU spike. Can you guys give me some idea what this service is all about?
ScreenHunter-02-Jan.-22-09.13.jpg

The svchost you referenced handles IAS and zero configuration wireless.
The complexity of your rules dealing with how access is granted might explain the issue if all members try to authenticate to wifi at the same time.

Dear Arnold,

Seems like you are the only one experienced with this kind of problem before, and thank you so much for your advice.

If the IAS is one of the services making the server spike, can you give me some ideas how to overcome this problem? Please help..

It is difficult to say what is going on, i.e. is the switch/router firing off many RADIUS access-requests that overload the IAS's ability to respond? I.e. the amount of time the router/switch will wait for a response before firing off another. Then how many requests will it fire off before giving up?
Is your router/switch also configured to record accounting data via IAS?
I.e. request, accept, accounting start record.

If you can, test a connection setup while IAS is in debug mode to see how many requests it receives/responds while the switch/router is reporting how many requests/responses it makes/gets.
Once you have a possible cause for the issue, an approach to resolve the conditions leading to the issue could be made. I.e, have a second IAS instance that will handle the accounting packets.
If you have multiple switches/routers, having a second IAS and configuring half to send to the new one may help.
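
The request counting suggested above, as an added example that is not from any poster in this thread: it reads RADIUS headers (RFC 2865 layout) out of captured UDP payloads and counts packets per type and retransmitted requests per client. The packet tuples, the addresses and the 30-second window are constructed assumptions; a real run would feed it payloads exported from a capture of UDP 1645/1812.

```python
import struct
from collections import Counter

# RADIUS packet codes (RFC 2865 / RFC 2866)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response"}

def parse_header(payload):
    """Return (code, identifier, authenticator) from a RADIUS UDP payload."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("length field does not match payload")
    return code, ident, payload[4:20]

def summarize(packets, window=30.0):
    """packets: (timestamp, src_ip, src_port, payload) tuples. A request repeating the
    same source, Identifier and Authenticator within `window` s is a retransmission."""
    per_code, retransmits, malformed = Counter(), Counter(), 0
    last_seen = {}
    for ts, ip, port, payload in sorted(packets, key=lambda p: p[0]):
        try:
            code, ident, auth = parse_header(payload)
        except ValueError:
            malformed += 1          # truncated or non-RADIUS datagram
            continue
        per_code[CODES.get(code, "code-%d" % code)] += 1
        if code in (1, 4):          # requests sent by the router/switch
            key = (ip, port, ident, auth)
            if key in last_seen and ts - last_seen[key] <= window:
                retransmits[ip] += 1   # client got no answer in time and resent
            last_seen[key] = ts
    return per_code, retransmits, malformed

def make_pkt(code, ident, fill):
    # Constructed 20-byte packet: header only, no attributes
    return struct.pack("!BBH", code, ident, 20) + bytes([fill]) * 16

# Constructed sample: one access point (192.0.2.10) and the IAS server (192.0.2.1)
SAMPLE = [
    (0.0, "192.0.2.10", 32768, make_pkt(1, 7, 0xAA)),  # Access-Request
    (3.0, "192.0.2.10", 32768, make_pkt(1, 7, 0xAA)),  # same request again
    (6.0, "192.0.2.10", 32768, make_pkt(1, 7, 0xAA)),  # and again
    (6.5, "192.0.2.1", 1812, make_pkt(2, 7, 0x11)),    # Access-Accept
    (7.0, "192.0.2.10", 32768, make_pkt(4, 8, 0xBB)),  # Accounting-Request
    (7.1, "192.0.2.10", 32768, b"\x01\x02"),           # truncated datagram
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A retransmit count that climbs while the Access-Accept count stays flat means the server is answering too slowly for the client's timeout, which is the overload condition described above.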

Unfortunately my routers only support one IAS auth/acct server. I will try to transfer all auth/acct from the secondary to the primary server and see whether the problem still happens or not. Anyway, thanks arnold for your wise advice. I will post the outcome again.

Do you have any idea if the other services may cause the cpu spike?

Can you split routers to use different IAS servers?
Which router do you have? Often the auth servers and acct servers are separately configurable.

One thing to try with minimal changes would be to point the router in the conference room to the other IAS.

Problem fixed after running full Windows patches.