Hello
Thank you for posting in the Microsoft Community forum!
Experiencing 100% CPU utilization on Windows Server 2022 domain controllers after a migration, particularly when dealing with Windows event logs, can be challenging to diagnose. However, here are several steps you can take to investigate and potentially resolve this issue:
Check Security Event Log Size:
Ensure that the Security event log size is appropriately configured. If it's too small, it can fill up quickly and cause high CPU utilization when events are overwritten. Adjust the log size as needed to handle the volume of security events generated in your environment.
Review Event Log Policies:
Review the event log policies to ensure that the maximum log size and retention settings align with your organization's requirements. You can configure these settings using the Group Policy Editor.
Check for Event Log Overload:
Analyze the types and volume of security events being generated. If there's an unusually high number of events, it could be due to an issue with your network, security policies, or applications generating excessive events. Investigate and address the root cause of these events.
Event Forwarding:
Consider configuring Event Forwarding to centralize event log data from multiple domain controllers to a dedicated server for log collection and analysis. This can help reduce the local load on domain controllers.
Check for Software Conflicts:
Examine the installed software on the domain controllers for any applications or services that might be causing high CPU utilization or generating excessive security events. Consider temporarily disabling or uninstalling suspect software to isolate the issue.
Update or Reconfigure Monitoring Tools:
If you're using monitoring or security tools that heavily rely on event log data, ensure they are updated to be compatible with Windows Server 2022. Sometimes, older versions of monitoring software can cause resource issues.
Network Inspection:
Since you mentioned the use of Palo Alto firewalls and agentless User-ID, work closely with your network team to review the firewall's configuration, especially any settings related to WinRM over HTTP. Incorrect or aggressive firewall settings could potentially flood the server with traffic, leading to high CPU usage.
Performance Monitoring:
Use Windows Performance Monitor (Perfmon) to monitor CPU and memory usage over time. Identify any patterns or spikes that correlate with the high CPU utilization and narrow down potential causes.
Hardware Resources:
Ensure that the hardware resources (CPU, RAM, disk space) allocated to your Windows Server 2022 domain controllers are sufficient for the workload. Consider scaling up the hardware if necessary.
Windows Updates and Drivers:
Ensure that your servers have the latest Windows updates, including updates related to performance and reliability. Also, make sure that device drivers are up to date.
Antivirus and Security Software:
Check if any antivirus or security software on the domain controllers is causing high CPU utilization. Sometimes, real-time scanning or behavioral analysis features can be resource-intensive.
Log Retention Policies:
Implement log retention policies that help manage the volume of security events and prevent logs from filling up too quickly.
Best Regards,
Wesley Li
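As an added worked example (not part of the reply above, and not Microsoft or Palo Alto code), the following PowerShell script gathers the data points the reply tells you to check on the domain controller itself: Security log size and retention mode, event volume per event ID over the last hour, who is holding WinRM sessions on the HTTP listener, the CPU share of the service hosts for the Event Log and WinRM services, and a dry-run command to raise the log cap. Assumptions, marked in the code: the WinRM HTTP listener is on the default port 5985, the list of logon-related event IDs is a typical set and not taken from the thread, and 1 GB is only a placeholder target size.

```powershell
# Added diagnostic script; not from the original post. Run in an elevated
# Windows PowerShell 5.1 (or later) session on the affected domain controller.

# 1. Security log configuration: cap, retention mode and whether it is full.
function Get-SecurityLogConfig {
    $log = Get-WinEvent -ListLog Security
    [pscustomobject]@{
        MaximumSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
        FileSizeMB    = [math]::Round($log.FileSize / 1MB)
        LogMode       = $log.LogMode          # Circular / AutoBackup / Retain
        RecordCount   = $log.RecordCount
        IsLogFull     = $log.IsLogFull
        LastWrite     = $log.LastWriteTime
    }
}

# 2. Event volume in the last hour grouped by event ID, so a flood from one
#    source (a noisy application, an over-broad audit policy) stands out.
#    -MaxEvents bounds the query so it does not itself pin the CPU on a busy DC.
function Get-SecurityEventRate {
    param([int]$Hours = 1, [int]$MaxEvents = 200000)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } `
                             -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
    # ASSUMPTION: a typical set of logon/Kerberos IDs that log-based user mapping
    # reads; the thread does not list the IDs, so adjust to your collector.
    $logonIds = 4624, 4768, 4769, 4770, 4771, 4776
    $byId = $events | Group-Object -Property Id | Sort-Object Count -Descending
    [pscustomobject]@{
        TotalSampled = $events.Count
        EventsPerMin = [math]::Round($events.Count / ($Hours * 60), 1)
        LogonRelated = @($events | Where-Object { $logonIds -contains $_.Id }).Count
        TopIds       = ($byId | Select-Object -First 8 |
                        ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
    }
}

# 3. WinRM over HTTP: which listeners exist and which peers hold sessions.
#    An agentless collector that reads the Security log remotely shows up here.
function Get-WinRMPollers {
    param([int]$Port = 5985)   # ASSUMPTION: default WinRM HTTP port
    $listeners = Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue |
                 ForEach-Object { $_.Keys -join ';' }
    $conns = @(Get-NetTCPConnection -LocalPort $Port -State Established -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Listeners   = $listeners -join ' | '
        Established = $conns.Count
        RemotePeers = ($conns | Group-Object RemoteAddress |
                       ForEach-Object { "$($_.Name) x$($_.Count)" }) -join ', '
    }
}

# 4. CPU share of the processes hosting the EventLog and WinRM services,
#    measured as the delta of total processor time over a short window.
#    A shared svchost may host other services, so treat this as an upper bound.
function Get-ServiceCpuPercent {
    param([string[]]$Services = @('EventLog', 'WinRM'), [int]$Seconds = 5)
    $cores   = (Get-CimInstance Win32_ComputerSystem).NumberOfLogicalProcessors
    $targets = foreach ($s in $Services) {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$s'"
        if ($svc -and $svc.ProcessId) { [pscustomobject]@{ Service = $s; ProcessId = $svc.ProcessId } }
    }
    $before = @{}
    foreach ($t in $targets) { $before[$t.ProcessId] = (Get-Process -Id $t.ProcessId).CPU }
    Start-Sleep -Seconds $Seconds
    foreach ($t in $targets) {
        $delta = (Get-Process -Id $t.ProcessId).CPU - $before[$t.ProcessId]
        [pscustomobject]@{
            Service    = $t.Service
            ProcessId  = $t.ProcessId
            CpuPercent = [math]::Round(100 * $delta / ($Seconds * $cores), 1)
        }
    }
}

# 5. Raise the Security log cap with the built-in wevtutil. Prints the command
#    unless -Apply is given. ASSUMPTION: 1 GB is a placeholder, size it to your volume.
function Set-SecurityLogSize {
    param([int]$MegaBytes = 1024, [switch]$Apply)
    $bytes = $MegaBytes * 1MB
    if ($Apply) { wevtutil set-log Security /maxsize:$bytes }
    else        { "Would run: wevtutil set-log Security /maxsize:$bytes" }
}

Get-SecurityLogConfig  | Format-List
Get-SecurityEventRate  | Format-List
Get-WinRMPollers       | Format-List
Get-ServiceCpuPercent  | Format-Table -AutoSize
Set-SecurityLogSize -MegaBytes 1024     # dry run; add -Apply to change the cap
```

Read the output together: a log that is Circular, near its cap and written every few seconds, combined with a high EventsPerMin and several Established WinRM sessions from the same RemoteAddress, points at the collector re-reading a churning log rather than at the log itself. If a Group Policy sets the Security log size, the GPO value wins over wevtutil at the next policy refresh, so change it in the policy as the reply suggests rather than only on the host.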