100 % CPU on 2008 R2 servers Managed by WSUS

  • Question

  • Hi All,

    The problem I am facing is with Windows 2003 R2 and Windows 2008 R2 servers hogging up 100 % CPU via the svchost process, which is pointing to the wuauserv service, which is the Windows Update service.

    The fix is to install the latest cumulative security available for the version of IE installed on the server.

    On 2003 servers, just the installation of the IE cumulative updates fixes the problem and does not require a reboot; this is a rare case in our environment.

    But in the case of 2008 R2 servers, it requires a reboot after installing the regular patches available with the cumulative updates for IE, which come through WSUS itself. But this has been happening on a regular basis for the past three months.

    My concern is that this is happening in only one particular site with the 2008 R2 servers. The whole site has all 2008 R2 servers and all the servers are affected by the issue. We have a very similar WSUS configuration in all the sites and this is happening in only one site. We can't afford to reboot the servers before the maintenance window, and this is causing a lot of incidents and issues.

    Any help on the above topic is greatly appreciated and thank you in advance.

    Regards

    Techwiz


    • Edited by Shivramkris Thursday, April 2, 2015 5:23 PM
    Thursday, April 2, 2015 5:22 PM

Answers

  • Hi Shivamkris,

    Very good clarification. Indeed this makes a difference. Managing a WSUS hierarchy needs special attention.

    First, I need to tell you that this is not a tweak or trick on the system, but maintenance of the WSUS ecosystem. My guideline is just the way to do it while avoiding resource consumption during the process.

    Now regarding your hierarchy, indeed there are some considerations, as you can see in this official article from MS:

    https://technet.microsoft.com/en-us/library/dd939856(v=ws.10).aspx

    In a WSUS hierarchy, it is strongly recommended that you run the cleanup process on the lower-most, downstream/replica WSUS server first, and then move up the hierarchy. The upstream server should be the last one on which the cleanup is run.

    This is exactly the way you need to do it.

    If you have any concern don't hesitate to comment :)

    Regards,

    Saturday, April 4, 2015 8:39 AM

All replies

  • Hello Shivamkris

    From my experience, any performance issue related to WSUS comes from a lack of maintenance, at least in 90% of the cases. I would like to share with you the following action plan that I follow and that I recommend to my customers too, always with success.

    Decline all superseded updates.

    a. Go to the WSUS console -> Updates -> All updates. Select “Approval: Any Except Declined” and “Status: Any”.

    b. Enable the Superseded column, and sort the list to see all superseded updates.

    c. Then select them and, with a right-click, choose “Decline” for all superseded updates.

    d. Activate the automatic approval/decline in order to prevent generating more superseded updates:
    - Go to: “Options” on the left menu.
    - Select Automatic Approvals.
    - Go to Advanced and check all the boxes:
     
    Proceed with the WSUS Server Cleanup Wizard.

    e. Go to “Options” again.
    f. Click on “Server Cleanup Wizard”.
    g. At this point there are 5 options checked. But in order not to overload the server, we are going to do them in the following order:

    A. ONLY select the “Computers not contacting the server” option and continue. This will remove old computer accounts from WSUS that haven't contacted it in more than 30 days, for example computers that don't exist anymore in the domain. (NOTE: This step is NOT mandatory; sometimes there are computers that are still in use but are off due to user leave, an incident, etc., and some of our customers prefer not to do it.)

    B. Open the “Server Cleanup Wizard” and ONLY select “Expired Updates” AND “Superseded Updates”. Continue until it finishes the process.

    C. Open the “Server Cleanup Wizard” again and select ONLY “Unused updates and update versions”. Continue the process until it finishes.

    D. Open the “Server Cleanup Wizard” again and select “Unneeded update files”. Continue the process until it finishes.
     
    As a summary, I am leaving the order in a screenshot:

    Repeat the process for Server Cleanup Wizard.

    After you have completed the previous steps, it is recommended to repeat the process again, as some files are going to be still in use the first time. This way we ensure that the cleanup was successfully made.

    Monitoring period

    After performing all the steps above, we would need to wait 24h to let WSUS arrange the content and synchronize successfully.

    Hope you find it useful!!

    Friday, April 3, 2015 2:44 PM
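The staged maintenance described in the post above can also be scripted against the WSUS administration API. This is an added example, not code from the thread or from Microsoft; the parameter names and the mapping of wizard options to `CleanupScope` properties are assumptions of this sketch. Following the hierarchy advice quoted in the marked answer, it would be run on the downstream/replica server first and on the upstream server last.

```powershell
# Added example, not from the thread. Run elevated on the WSUS server itself.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$DeclineSuperseded,     # steps a-c: decline superseded updates first
    [switch]$IncludeStaleComputers  # pass A, which the post marks as optional
)

# WSUS administration API, installed with the WSUS console.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

if ($DeclineSuperseded) {
    $superseded = $wsus.GetUpdates() | Where-Object { $_.IsSuperseded -and -not $_.IsDeclined }
    foreach ($update in $superseded) {
        if ($PSCmdlet.ShouldProcess($update.Title, 'Decline superseded update')) {
            $update.Decline()
        }
    }
}

# Every CleanupScope switch; each pass turns on only the ones it names.
$allFlags = 'CleanupObsoleteComputers', 'DeclineExpiredUpdates', 'DeclineSupersededUpdates',
            'CleanupObsoleteUpdates', 'CompressUpdates', 'CleanupUnneededContentFiles'

# Passes A to D in the order given in the post (the flag mapping is an assumption).
$passes = @(
    @{ Name = 'A: Computers not contacting the server'; Flags = @('CleanupObsoleteComputers') },
    @{ Name = 'B: Expired and superseded updates';      Flags = @('DeclineExpiredUpdates', 'DeclineSupersededUpdates') },
    @{ Name = 'C: Unused updates and update versions';  Flags = @('CleanupObsoleteUpdates', 'CompressUpdates') },
    @{ Name = 'D: Unneeded update files';               Flags = @('CleanupUnneededContentFiles') }
)
if (-not $IncludeStaleComputers) { $passes = @($passes | Select-Object -Skip 1) }

$cleanup = $wsus.GetCleanupManager()
foreach ($round in 1, 2) {  # the post recommends running the whole sequence twice
    foreach ($pass in $passes) {
        $scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
        foreach ($flag in $allFlags) { $scope.$flag = ($pass.Flags -contains $flag) }
        if ($PSCmdlet.ShouldProcess($pass.Name, "Server cleanup, round $round")) {
            $result = $cleanup.PerformCleanup($scope)
            $result | Add-Member NoteProperty Pass "$($pass.Name) (round $round)" -PassThru
        }
    }
}
```

Running the script with `-WhatIf` lists the updates and cleanup passes it would touch without changing anything on the server.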
  • Hi Alvero,

    Thank you for your response and valuable guidelines. Before I tweak the WSUS settings, I would just like to let you know that our setup has a master WSUS from which all settings are pushed to replica WSUS servers.

    The site of concern has a replica WSUS server which gets the complete updates approval and settings from the above WSUS root server. This is the only site which has the above mentioned above, though all sites receive WSUS settings from the same root WSUS server. Please share your thoughts.

    PS: 100 % CPU drops down the moment the Windows Update service is stopped.

    Regards

    Techwiz 

    Friday, April 3, 2015 7:17 PM
  • Hi Alvaro,

    If a WSUS server is in Replica mode, shouldn't it get all the update approvals from the parent server?

    https://technet.microsoft.com/en-us/library/cc708511(v=ws.10).aspx

    Just want to know before I decline updates and run the cleanup wizard.

    Regards

    Techwiz

    Tuesday, April 7, 2015 3:27 AM
  • Hello

    Any update regarding the issue?

    Thursday, May 7, 2015 12:29 PM