100% CPU utilization on our newly built Windows Server 2022 enterprise domain controllers.

Anonymous
2023-09-26T14:51:34+00:00

We recently migrated our 4 domain controllers from Server 2012 to 2022. The domain controllers have the DNS and DHCP roles as well. The migration was successful, but we noticed the CPU utilization is always 100%. The service that causes the CPU spike is Windows Event Log, particularly the Security log: when I clear the Security event log the CPU goes back to normal, but once the log is full and starts to be overwritten the CPU jumps again to 100%. We have a Palo Alto firewall that uses agentless User-ID and utilizes WinRM over HTTP only. I discussed with the network team that there might be some settings to adjust on the firewall. If anyone has experienced this issue and has a solution for it, please reach out to me.

Regards,

Henry


3 answers

  1. Anonymous
    2023-09-27T01:23:41+00:00

    Hello

    Thank you for posting in Microsoft Community forum!

    Experiencing 100% CPU utilization on Windows Server 2022 domain controllers after a migration, particularly when dealing with Windows event logs, can be challenging to diagnose. However, here are several steps you can take to investigate and potentially resolve this issue:

    Check Security Event Log Size:

    Ensure that the Security event log size is appropriately configured. If it's too small, it can fill up quickly and cause high CPU utilization when events are overwritten. Adjust the log size as needed to handle the volume of security events generated in your environment.

    Review Event Log Policies:

    Review the event log policies to ensure that the maximum log size and retention settings align with your organization's requirements. You can configure these settings using the Group Policy Editor.

    Check for Event Log Overload:

    Analyze the types and volume of security events being generated. If there's an unusually high number of events, it could be due to an issue with your network, security policies, or applications generating excessive events. Investigate and address the root cause of these events.

    Event Forwarding:

    Consider configuring Event Forwarding to centralize event log data from multiple domain controllers to a dedicated server for log collection and analysis. This can help reduce the local load on domain controllers.

    Check for Software Conflicts:

    Examine the installed software on the domain controllers for any applications or services that might be causing high CPU utilization or generating excessive security events. Consider temporarily disabling or uninstalling suspect software to isolate the issue.

    Update or Reconfigure Monitoring Tools:

    If you're using monitoring or security tools that heavily rely on event log data, ensure they are updated to be compatible with Windows Server 2022. Sometimes, older versions of monitoring software can cause resource issues.

    Network Inspection:

    Since you mentioned the use of Palo Alto firewalls and agentless user-ID, work closely with your network team to review the firewall's configuration, especially any settings related to WinRM over HTTP. Incorrect or aggressive firewall settings could potentially flood the server with traffic, leading to high CPU usage.

    Performance Monitoring:

    Use Windows Performance Monitor (Perfmon) to monitor CPU and memory usage over time. Identify any patterns or spikes that correlate with the high CPU utilization and narrow down potential causes.

    Hardware Resources:

    Ensure that the hardware resources (CPU, RAM, disk space) allocated to your Windows Server 2022 domain controllers are sufficient for the workload. Consider scaling up the hardware if necessary.

    Windows Updates and Drivers:

    Ensure that your servers have the latest Windows updates, including updates related to performance and reliability. Also, make sure that device drivers are up to date.

    Antivirus and Security Software:

    Check if any antivirus or security software on the domain controllers is causing high CPU utilization. Sometimes, real-time scanning or behavioral analysis features can be resource-intensive.

    Log Retention Policies:

    Implement log retention policies that help manage the volume of security events and prevent logs from filling up too quickly.

    Best Regards,

    Wesley Li

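As an added example (not part of Wesley's answer or the thread), the first three steps above can be checked from an elevated PowerShell session on one of the domain controllers: read the Security log's size and retention mode, see which Event IDs dominate the volume, and raise the maximum size if it is small. The 1 GiB target and the one-hour window are assumptions; the event IDs named in the comment are the logon/Kerberos events that agentless User-ID collectors typically read.

```powershell
# Added example, not from the original thread. Run elevated on a domain controller.

# 1. Current Security log configuration: size, retention mode, fullness.
$cfg = Get-WinEvent -ListLog Security
[PSCustomObject]@{
    MaximumSizeMB = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
    LogMode       = $cfg.LogMode        # Circular = overwrite oldest events when full
    RecordCount   = $cfg.RecordCount
    IsLogFull     = $cfg.IsLogFull
    LogFilePath   = $cfg.LogFilePath
} | Format-List

# 2. Event volume over the last hour, grouped by Event ID (most frequent first).
#    High counts of 4624/4768/4769/4770 (logon and Kerberos ticket events) are the
#    ones an agentless User-ID collector reads; a flood of other IDs points elsewhere.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } `
          -ErrorAction SilentlyContinue
$perSec = [math]::Round($events.Count / 3600, 1)
"Security events in the last hour: {0} (about {1} per second)" -f $events.Count, $perSec
$events | Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    Select-Object -First 10 Count, @{ Name = 'EventId'; Expression = { $_.Name } } |
    Format-Table -AutoSize

# 3. Raise the maximum log size (assumed target: 1 GiB) so the log wraps less often.
#    Set the same value through Group Policy for every DC, otherwise a local change
#    is overwritten at the next policy refresh.
$targetBytes = 1GB
if ($cfg.MaximumSizeInBytes -lt $targetBytes) {
    wevtutil.exe sl Security /ms:$targetBytes
    "Security log maximum size raised to {0} MB" -f ($targetBytes / 1MB)
}
```

If step 2 shows the rate stays high after the size increase, the source of the volume (audit policy, an application, or the collector's polling) is the thing to investigate next rather than the log size.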
  2. Anonymous
    2023-09-27T12:51:04+00:00

    Hi Wesley,

Thank you for your time in responding to my question. I will follow your suggestions and will let you know the outcome.

    Regards,

    Henry

  3. Anonymous
    2023-09-28T07:00:32+00:00

I'm so glad that I could provide some help here; it would be great to mark any useful answer so others can easily find it.
