Active Directory Authentication causing DNS Server HIGH CPU Usage

Lock007
Comes here often

I have an MX100 deployed in my work environment. All features have been working smoothly until we decided to integrate the Active Directory function using our DNS servers and group policies on the MX.

Ever since we enabled Active Directory we have noted that the CPU usage would go up to 100%.

I have tested this repeatedly and know that when I disable the Active Directory function on the MX the CPU level on my DNS server drops to 5%. I now know for a fact that it is the Active Directory authentication and whatever process is running on the DNS server that results in high CPU usage. I would like to know why there is high CPU usage when I enable the Active Directory authentication. I have about 4 other remote sites where I want to enable Active Directory, but this will make my CPU usage go up to 100%. The DNS server is running on a VMware virtual machine and is using about 12 cores of CPU already. I will not keep increasing my CPU capacity as this is not practically suitable. Please help, I need solutions.

Bruce
Kind of a big deal

@Lock007 I'm assuming that your DNS server also runs your AD Domain Controller function, as it's the DC function that the MX integrates with. The MX integration has two parts to it: it binds to the DC to gather group memberships via LDAP, and it scrapes the security logs for logon events using WMI to match users to IP addresses.

I'd check both the Windows server event logs and MX event logs for errors to see if there is something not working correctly. I'd also check the permissions of the user account you are using to connect to the AD DC - maybe temporarily use a domain admin account to see if there is a rights issue, and then switch it back to a more restricted account if it works with the domain admin account (the permissions that are needed are given in this document, https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Configuring_Active_Direc...)

Also, check the memory usage on the server too. If this gets high and results in a lot of swap file activity this may be driving the CPU usage up.

Lock007
Comes here often

Bruce,

I checked the CPU usage. There is high CPU usage on the event log service.

Lock007
Comes here often

@Bruce I got Meraki Support to check out my Active Directory integration. They said there is nothing wrong with the current setup. Use of domain admin to connect to DC is fine. There is no rights issue. The memory usage on the server is pretty low at about 20%. I suspect where the MX scrapes the security logs for logon events and using WMI to match users to IP address is what is causing the high CPU Usage. Are you able to confirm this?

Bruce
Kind of a big deal

You'll need to have a look through the Windows server and see if you can ascertain what is going on from the Windows event log or performance monitors. What is the memory utilisation doing? Is it running out of memory (as well as the CPU peaking)? Do you see the WMI provider take CPU or memory (the MX scrapes the Security Log every 5 seconds)? Is the Security Log large? Open it and see how many records are there (are there any logs there at all?).

Lock007
Comes here often

@Bruce I have monitored the memory utilization and it does not peak over 50%. Most of the memory is consumed by the Domain Name System service and also the Netwrix Auditor service as well. The CPU does peak every 5 seconds and this peak goes up to 100% and stays there for some time. The security log is 8GB and there are plenty of records there. There are also records generated every second on the logs and I have to constantly hit refresh to see the new events. I will try to monitor using performance monitors but am not sure what I will achieve.

PhillT
Conversationalist

I had the same issue with two MX100s with Active Directory enabled, hitting the AD servers with WMI requests and pounding the CPUs at a constant 98%.

Logged a call to Meraki TAC with the issue. Resolution was to request Meraki TAC to reduce the WMI polling time from the MX to AD server from 5 seconds to 30 seconds.

This has reduced AD server CPUs to 50-58% utilization and the AD Meraki MX status now shows green OK and no yellow warning.

Hope this helps.

TimWPA
New here

I think Meraki did this for us too, even using a much higher time frame and I still have the primary server pegging near 100%. It does not seem to have received the WMI traffic with any less frequency even after Meraki changed it. Even after reboots, it sees traffic frequently. More so than the updated setting.

TimWPA
New here

Exact same issue I have been fighting for years. Meraki is no help on resolving the issue. Would LOVE to hear from someone who was able to resolve this!

GMJCJ
New here

Reading this thread makes me sad to see that others appear to be facing this issue and no resolution has been found 😞

I too am suffering with this issue. We have an MX250 that has our primary and secondary DC set up for AD auth and the primary DC is constantly pegged due to the WMIPrvSE.exe task running as NETWORK SERVICE and we have errors visible within event viewer for WMI-activity that mention the user we have used for the AD integration.
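
The checks suggested earlier in this thread (Security log size and record count, CPU taken by the WMI provider) and the WMI-Activity errors mentioned in the post above, collected into one PowerShell script to run on the domain controller. This is an added example, not code from any poster or from Meraki; event ID 4624 (successful logon), the one-minute and one-hour windows and the 30-sample length are assumptions chosen for illustration.

```powershell
# Added example (not from the thread). Run elevated on the domain controller.

# 1. Security log: current size, configured maximum, record count.
$sec = Get-WinEvent -ListLog Security
[pscustomobject]@{
    SizeGB      = [math]::Round($sec.FileSize / 1GB, 2)
    MaxSizeGB   = [math]::Round($sec.MaximumSizeInBytes / 1GB, 2)
    RecordCount = $sec.RecordCount
    LogMode     = $sec.LogMode
} | Format-List

# 2. How many logon events were written in the last minute.
#    ID 4624 (successful logon) is an assumption for illustration.
$logons = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddMinutes(-1)
} -ErrorAction SilentlyContinue
"4624 events in the last 60 s: $(@($logons).Count)"

# 3. WmiPrvSE CPU once per second for 30 s. The counter is per core,
#    so divide by the logical processor count to get whole-machine percent.
$cores = [Environment]::ProcessorCount
Get-Counter '\Process(WmiPrvSE*)\% Processor Time' -SampleInterval 1 -MaxSamples 30 |
    ForEach-Object {
        $sum = ($_.CounterSamples | Measure-Object -Property CookedValue -Sum).Sum
        [pscustomobject]@{
            Time         = $_.Timestamp.ToString('HH:mm:ss')
            WmiPrvSE_CPU = [math]::Round($sum / $cores, 1)
        }
    } | Format-Table -AutoSize

# 4. WMI-Activity errors from the last hour, grouped by event ID, with one
#    sample message each; check the message text for the integration account.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Level = 2
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue |
    Group-Object -Property Id |
    Select-Object Count, @{n = 'EventId'; e = { $_.Name }},
                  @{n = 'Sample'; e = { $_.Group[0].Message }} |
    Format-List
```

Running step 3 once with AD authentication enabled on the MX and once with it disabled gives a like-for-like comparison of the WMI provider's share of CPU.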

alankevinr
Here to help

We had this issue last year after years of it working flawlessly. WMI Provider Host pins the CPU to 100% within minutes of it being enabled on the firewall. This was raised with Meraki support.

Server spiking

There was a ticket logged back last year by my colleague Phil, Case 09464777

I enabled AD authentication using group policies within the firewall for a certain member of the social network group. Up until last year this was working flawlessly, then we noticed that the WMI service had pinned the server to 100%.

This is without AD authentication running on the firewall

As soon as I enable AD authentication using WMI the CPU starts spiking

Less than 2 minutes after enabling the AD authentication the WMI Provider Host spikes the server to 100% CPU

We then disabled AD authentication and task-killed the WMI Provider Host service