DP230 asked:

High CPU (IIS process) in Exchange 2016 VM server

Dear Experts, I got high CPU issue in an Exchange server (VM). Last time when I can still log in to that host, I saw the high CPU (in IIS process)

After restart IIS or server, problem solved but how can we avoid it in the future?

Many thanks!
Hani M .S. Al-habshi

- Identify what is killing the CPU. I recommend Process Explorer http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
- Identify what AppPool is causing this
- Fix your code

In terms of diagnosing what App Pool is causing trouble, you can:

- Select the server
- Go to IIS > Worker Processes
DP230 (ASKER)

Hi, when the issue occurred, I even could not do a remote access to that server.

I thought the code is default from Microsoft?
Hello,

how many vCPU is assigned to the virtual server and how much memory?

It validates within the operating system that the process consumes a greater amount of processor.

Run a monitor performance inside the server.

I remain attentive to your comments..
DP230 (ASKER)

Hi, it has 40 cores (2 x 20) and 80 GB RAM
Good Morning

80 GB of RAM for a server is much, first because the VM never consumes all the RAM that is assigned.

Since the hypervisor assigns RAM to other VMs that require it.

I recommend lowering the amount of RAM to the server as well as the amount of vCPU.

Of equal I recommend to execute before a performance monitor in the operating system to validate how much resources you are consuming and it is very important that you do it.

I remain attentive to your comments...

regards..
DP230 (ASKER)

Is there any chance for this plan?
- Open a port in Mail server
- Attack that server (ie: TCP half sync on that port), so CPU is increased

then leading to a kind of DoS
DP230 (ASKER)

Hi, it seems like we were attacked inside LAN via hping3 tool. After some research, I simulated the attack with the same symptoms.

So how can we avoid it in the future?

ps: Not sure the attacker is from our IT team or other Department
Configure your firewalls, anti-virus, policies, etc. to stop scanning tools
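
One way to spot the half-open connection build-up discussed in the posts above, as an added example that is not part of the original thread. The function name `Get-HalfOpenSummary`, the threshold of 100 and the sample rows are assumptions for illustration; `Get-NetTCPConnection` is the built-in cmdlet.

```powershell
# Added example (not from the thread). Get-HalfOpenSummary, the threshold of 100
# and the sample rows are assumptions; set the threshold from your own baseline.
function Get-HalfOpenSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Connection,
        [int] $Threshold = 100
    )
    # SynReceived = server answered a SYN and is still waiting for the final ACK.
    $Connection |
        Where-Object { $_.State -eq 'SynReceived' } |
        Group-Object -Property LocalPort |
        ForEach-Object {
            # Many distinct sources on one port can indicate spoofed addresses.
            $sources = @($_.Group | Select-Object -ExpandProperty RemoteAddress -Unique)
            [pscustomobject]@{
                LocalPort     = [int]$_.Name
                HalfOpen      = $_.Count
                UniqueSources = $sources.Count
                Suspicious    = ($_.Count -ge $Threshold)
            }
        } |
        Sort-Object -Property HalfOpen -Descending
}

# Constructed sample: 150 half-open connections on 443 from many sources,
# 3 on 25, and one established session that must be ignored.
$sample = @(
    1..150 | ForEach-Object {
        [pscustomobject]@{ LocalPort = 443; RemoteAddress = "198.51.100.$($_ % 200)"; State = 'SynReceived' }
    }
    1..3 | ForEach-Object {
        [pscustomobject]@{ LocalPort = 25; RemoteAddress = '192.0.2.10'; State = 'SynReceived' }
    }
    [pscustomobject]@{ LocalPort = 443; RemoteAddress = '192.0.2.20'; State = 'Established' }
)
Get-HalfOpenSummary -Connection $sample | Format-Table -AutoSize

# On the live server, pass every connection and let the function filter, because
# Get-NetTCPConnection -State SynReceived reports an error when nothing matches:
# Get-HalfOpenSummary -Connection (Get-NetTCPConnection)
```

Running it on a schedule and logging the rows marked `Suspicious` gives a record to compare against the times IIS CPU climbs.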
DP230 (ASKER)

Also, in the System Event viewer, I saw this one:

The name "MAIL           :0" could not be registered on the interface with IP address 192.168.55.21. The computer with the IP address 192.168.55.31 did not allow the name to be claimed by this computer.

.21's name is mail.domainA.com
.31's name is mail.domainB.com
Please run the exchange calculator to properly size the server, throwing resources won't fix the issue. Too much means longer startup etc.

Try using Wireshark to check the traffic going in and out of the machine.

Also if you have AV installed, make sure the exclusions are set
DP230 (ASKER)

Hi, I'm installing Snort on Exchange server, should it be ok?

Not sure if it can prevent the DDoS or other attacks (ie: DNS spoof, ARP poisoning...)