Greetings, I am having very high CPU utilization on 3 domain controllers. It appears to be causes by two processes on each, alternating. One is taskhost.exe, the other is lsass.exe. When using procexp against taskhost, I see that it is "Certificate Services Client Task Handler." With lsass.exe, I've run Server Performance Adviser. SPA indicates lsass is using high CPU, but the details of the AD section doesn't give any clues (all low CPU). What further steps can I take to get deeper into the process utilization of these two processes? Thanks!

Please disable the Anti virus and firewall on the server and monitor the server and see if it resolves.http://www.virmansec.com/blogs/skhairuddin

I disabled the firewall on one of the DCs (no AV installed), and it does not appear to have made a difference.

Hi, To better understand the issue, please help check the following: What OS is running on the DCs? Is it Windows Server 2008 R2? Please ensure that the latest update has been installed on the computers. How many DCs and client computers are there in the domain? Is credential roaming being used in the environment? How often does the issue occurs? Does it only occur during the peak hours? Please unplug the DC from the network for at least two minutes. Does the CPU utilization drops? Please understand that we usually need to capture dump to analyze server hang issue. As we cannot help you analyze dump in forum, you may consider contacting Microsoft Customer Support Service (CSS) for assistance so that the crash dump can be analyzed. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, please go to the following address on the World Wide Web: http://support.microsoft.com/directory/overview.aspThis posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Thanks! I will answer your questions, but I have also made some additional discoveries. 1) All 2008 R2. 2) 8 DCs, 4 in this problematic site. 450+ PCs 3) Nope 4) It's constant, 100% of the time 5) I did, and no, it does not. Now, my discovery. It appears there is a Task called "SystemTask" under "CertificateServicesClient". It is set to run at system startup and every 1d thereafter. However, according to the history, it's running every 5 minutes. This is the cause, but I don't know why it's running so frequently.

Hi, Do you mean that the issue disappears if you disable the task "\Microsoft\Windows\CertificateServicesClient\SystemTask" on the problematic DCs? If so, please export the TaskScheduler/Operational events and upload to the following space for research: https://sftasia.one.microsoft.com/choosetransfer.aspx?key=8e8a58d8-a180-426a-9506-67581fcd46e4 Password: eF0H]1$#H*%0@Y]{ Thanks.This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi, Any update on the issue? If there is anything unclear, please feel free to let me know. Thanks.This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

With some help, I have made more progress. It appears that the task "\Microsoft\Windows\CertificateServicesClient\SystemTask" runs at logon, system startup, and by default every 8h. There is a custom event that triggers it to run on event log 1502 being logged. It appears that 1502 is being logged every 5 minutes, and thus this event triggers and runs for 5 minutes. So, I am now discovering why the event is logged every 5 minutes. Thanks for following up! Anything you would like me to upload still?

Hi, Glad to hear that we are making progress. By default, domain controller updates group policy every 5 minutes. As a result, the event 1502 is logged if some policy setting is changed. Please see http://technet.microsoft.com/en-us/library/cc727320(WS.10).aspx However, it looks abnormal if the event is logged every 5 minutes. A possible cause is that there is some error/warning while the domain controller updates the group policy. I suggest that we have a look at the group policy related event, such as the warning SceCli 1202 in the Application event. Based on my test, it can cause the 1502 event logged again and again. Hope it helps. Joson Zhou TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

I tracked down the events to a bad username on security policies. The policy would not apply, causing 1502 to be logged (and changes attempted every 5 minutes), and the Certificate Services task to run, and the DC to go ballistic! Thanks for the assistance on this one. All is normal now.

Thanks for your update. I am glad that the issue has been resolved. Have a nice day.This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.