Help! My 2008 R2 Server has gone crazy

  • Question

  • I am running a Windows Server 2008 R2, fully updated on a Dell T320 hardware.  I have about 24GB of RAM and 1TB drive.  I'm not low on RAM or drive space.  Running DNS and AD.  Typical processes that come w/those.  The server is for a small office of about 10-12 users who use one client/server app and mostly for file storage.  I don't have the DRAC Card in my server either (that remote mgt card you can get from Dell).  The server has 2 drives that are RAID-1.

    The server has gone crazy.  100% CPU has been running for about a week, non-stop.  When I check the task manager, it's not one process running.  It's multiple processes.  Some running 5%, others running 20%, while others running 50%.  And they alternate.  Processes just bouncing around hogging up the CPU.  If I close them, they come back.  I haven't started disabling services just yet (except my Symantec Backup Exec services, since those were a biggy in hogging up the CPU).

    When I try to restart the server in safe mode, Windows says it can't do that.  Same with Safe mode w/networking.

    I'm really inclined to just reinstall Windows and start over, but I don't know how that'll mess w/the domain and user accounts (reinstalling software and getting file services back up and running is the easy part).

    The processes running and hogging up the CPU are so random too.  I can't narrow down just one process that is killing the server.  It's always about 10-15 processes, small CPU usage, but enough of them combined to keep the CPU running 100% all day and night.

    I wonder if it could be hardware related and driver gone crazy.  But how would I tell?

    I don't know what to do w/this server.  Any suggestions here?  Anything will be greatly appreciated.

    Thank you

    Saturday, March 19, 2016 9:38 PM

Answers

  • I think you'll have to approach the processes individually. May need to contact the application vendor in the case of third party. If they are system processes you may be able to use Wireshark, Process Monitor (or some other method) to see what is on the other end. As far as reinstalling, as long as you can migrate the roles to another DC it should be fairly simple to demote, rebuild, patch fully, join domain, promote again.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server]

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    • Proposed as answer by Leo Han Monday, April 4, 2016 2:18 PM
    • Marked as answer by Leo Han Wednesday, April 6, 2016 11:55 AM
    Sunday, March 20, 2016 12:15 AM
  • In addition, I would recommend running Microsoft Safety Scanner as the behavior may be caused by malware too.

    In some situations, re-installing servers may be the quickest and most efficient way to proceed. If this is what you would like to do, you can use a virtual machine to promote a new DC/DNS/GC server and migrate your files from this server. Once done, demote the server, re-install it, then promote it as a DC/DNS/GC server again and migrate back your services.

    As your server seems to be powerful enough, you may think about using Hyper-V and separating the roles and services you would like to run on different VMs. That way, you get better isolation and better master your environment.


    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK

    • Proposed as answer by Leo Han Monday, April 4, 2016 2:18 PM
    • Marked as answer by Leo Han Wednesday, April 6, 2016 11:55 AM
    Sunday, March 20, 2016 9:43 PM

All replies

  • Hi Steve,

    I suppose you could open the task manager, right click on the process and open file location.

    Check if the file is your application; you may ensure the app is safe by using Microsoft safe software.

    If it’s not, you could uninstall it.

    Best regards

    Leo


    Monday, March 21, 2016 2:36 AM
  • I just completed a quick and full scan of the MS Safety Scanner.  And full scan using Malwarebytes and my installed McAfee software.  Zero issues found.

    I'll be speaking with Dell support in the morning where I am and see if it's a driver issue causing all this.  I'll keep this thread updated too.

    Thanks

    Monday, March 21, 2016 6:22 AM
  • If nothing is found, then the malware or virus might have bypassed all the AVs.

    Have you checked in Task Manager's Networking tab whether the bandwidth is very high?

    Have you tried this:

    netstat -ano

    Check for unusual sockets established and listening; do this with all the browsers closed.

    Every second counts..make use of it. Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Monday, March 21, 2016 9:35 AM
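
The `netstat -ano` check suggested above prints only PIDs. As an added example (not part of the thread), this PowerShell 2.0-compatible script joins each socket to its process name and image path. Assumptions: English-language netstat state names, an elevated prompt so WMI can read every process path, and a path filter at the end that is only a triage heuristic.

```powershell
# Added example: join `netstat -ano` output to process name and image path.
# PowerShell 2.0 compatible (Server 2008 R2 has no Get-NetTCPConnection).

# PID -> Win32_Process (ExecutablePath is empty for PID 0 and PID 4 "System")
$procs = @{}
Get-WmiObject Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

$rows = netstat -ano | ForEach-Object {
    $f = @($_.Trim() -split '\s+')
    # TCP: Proto Local Foreign State PID    UDP: Proto Local Foreign PID
    if ($f[0] -eq 'TCP' -and $f.Count -eq 5) {
        $state = $f[3]; $owner = [int]$f[4]
    } elseif ($f[0] -eq 'UDP' -and $f.Count -eq 4) {
        $state = ''; $owner = [int]$f[3]
    } else {
        return   # header or blank line
    }
    $name = '?'; $path = $null
    $p = $procs[$owner]          # null if the process exited in between
    if ($p) { $name = $p.Name; $path = $p.ExecutablePath }
    New-Object PSObject -Property @{
        Proto = $f[0]; Local = $f[1]; Remote = $f[2]; State = $state
        OwnerPid = $owner; Name = $name; Path = $path
    }
}

# Every listener and established connection, with the binary behind it
$rows | Where-Object { $_.State -eq 'LISTENING' -or $_.State -eq 'ESTABLISHED' } |
    Sort-Object State, Name |
    Format-Table Proto, Local, Remote, State, OwnerPid, Name, Path -AutoSize

# Heuristic (assumption of this example): network-active images that run from
# outside the Windows and Program Files trees are the first ones to inspect.
$ok = '^(' + [regex]::Escape($env:SystemRoot) + '|' +
             [regex]::Escape($env:ProgramFiles) + ')'
$rows | Where-Object { $_.Path -and $_.Path -notmatch $ok } |
    Select-Object Name, OwnerPid, Path -Unique
```

A legitimate agent can run from another directory and a malicious binary can sit under `System32`, so treat the second list as a starting point and compare the first against the roles the server is supposed to run (DNS, AD, file services).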
  • Last night, I disabled a bunch of non-Windows services and apps that were starting up.  Restarted the server.  Super fast!  No more 100% CPU.  So now I have to narrow down which service or app was causing this chain reaction of craziness.  And really, everything I disabled hasn't had any negative impact on the server.  My backups still work - that's the most important to me.  I did disable the McAfee AV software.  I'll re-enable that later and see how the server works.

    I'll also run the netstat -ano and see what those results are.

    Monday, March 21, 2016 11:19 PM