User ID causing heavy load on domain controllers
Showing results for 
Search instead for 
Did you mean: 

User ID causing heavy load on domain controllers

L3 Networker

My domain controller is seeing very high CPU and RAM usage caused by the event log settings (as required by User ID). It's currently at 427,000 events and it's using up about 60% CPU.



Is this normal?


L4 Transporter

Eventually yes,


 Number of logs per seconds (not just logon events but all events) and resource constraints (CPU+RAM) on your domain controller may explain this.


 I suppose you are using FW embdded agent, Windows agent works differently and shall put less pressure on your domain controller.

Yes, I started using the firewall agent after the standalone agent stopped communicating with the PA. For some reason the PA doesn't appear in the list, and I have tried re-installing it

do you have stats of logs/second on your Domain Controller ?


can you describe its hardware ?

It is a virtual machine, Win2008 R2, with 1vCPU and 8 GB ram. I was hoping not to throw more resources at it, especially since there are a total of 4 domain controllers. The other 3 do not seem to have this issue with the amount of logs, which leads me to believe there may be a configuration issue

It's common to see some DC take a lot more load than others. many factors can explain that.


anyway, you may want to add at least 1vCPU to your DC VM. if it's really busy then it's going to help it.


but you are right, you should keep investigating what is being logged there, and the volume/hour

L4 Transporter

Hi Max,


Agentless User-ID utilizes WMI to connect directly from the Palo Alto Networks firewall to an AD server (or servers) and obtain user IP information.
On some older servers (for example, Windows 2003), the memory allocation for WMI may be constrained, which then prevents the system from parsing the server security logs.
Do take a look at the below article :

You also have the option to use the User-ID Agent, which is a software application that runs on your DCs if agentless User-ID is not feasible for your network

You can install the agent directly on domain controller or another server where security logs will be read from.
This is much lesser resource intensive for both the PA firewall and the Domain Controller, as it uses Microsoft RPC- which is native to Microsoft unlike WMI.

I was going through a Microsoft sites and came across issues being reported with "wmiprvse.exe" service in Windows server 2003 and ntdll.dll service when an external service tried to interact with these services. There is hot fix released to address wmiprvse service causing high CPU usage.
The link for the fix is below:

For the ntdll.dll service, there have been reported crashes of this service in windows 2008 R2 server and necessary steps and links to the documents addressing this issue has been provided in the following link:
There have been issues reported with these processes.  Check for any errors related to ntdll.dll service in the windows 2008 server ?

Thanks and Regards,


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!