Have 3 DCs in 3 sites, RA on each one & 672 client as well. RAs are all running the HTTP mirror. On one of these machines only, the ekrn.exe process seems to get out of control and users of this site experience frequent problems with responsiveness of this server - affecting authentication at times. The CPU usage is fine, hovers around the usual 5-10% but currently it has 57,000 open handles and a Virtual Memory size of around 500Mb - which is 10x more than the next process. The open handles though is the biggest problem as the VM size will be a result of the number of open handles. Using Process Explorer I can see that all the excess handles are of type "Token" with name "NT AUTHORITY/SYSTEM:3e7", which does not appear on either of the other two DCs running the same combination of Eset apps. Additionally, the era.exe & ehttpserv processes regularly spike to 50% CPU usage and usually remain there until killed, though sometimes recede on their own - but not the ekrn process, this remains at low CPU usage. We also get the following errors in the Event Log on this server quite frequently: Error: "UploadData: Remote select failed, code -103" Error: "FireEvents internal_renaming_event failed (RES code -103)" Error: "CCServiceRoutine(HandleInformation): unable to get configuration (Client - Configuration) for '%client name removed%' (connection '%client IP removed%:13067', code 9)" On top of this the ekrn process produces application faults from time to time and the era process crashes on occasion as well. This is all less than a couple of weeks after installing the 3.0 client over the top of the 2.7 version. I've already tried removing & reinstalling & that hasn't helped the situation. This machine also has WSUS & therefore SQL Express, whose databases are excluded from scanning. Any thoughts would be much appreciated..