Please try the below workaround on the customers environment.
1. The default behavior for group membership validation process can be modified. This is configured by uncommenting the following line within Web.config
Change the line
<!--<add key="authz_group_lookup_as_logged_on_user" value="true"/>-->
<add key="authz_group_lookup_as_logged_on_user" value="true" />
2. The number of days for which authentication details retrieved in the “Authentication” tab on the Helpdesk page can be configured by creating a new registry key as follows: In the HKEY_LOCAL_MACHINE\SOFTWARE\Quest Software\Defender\Web Interface key, create a DWORD value “AuthenticationDataWindowDays”. Set the decimal value to the required number of days, set the 1.
3. The Active Directory Global Catalog server can be specified in the Web.config configuration file. If configured, all LDAP queries will then be directed to this GC server. Uncomment the below and provide the IP/FQDN of Active Directory Global Catalog server in the value field <!--<add key="RemoteDC" value="ip address or dns name" />-->
For example, change the line
<!--<add key="RemoteDC" value="ip address or dns name" />-->
<add key="RemoteDC" value="192.168.0.1" />-->
The key thing is to ensure that the "RemoteDC" setting points to a global catalog server.
Explicitly setting our secondary DC appears to have resolved the problem. It is possible that there may be an inconsistency on how multiple DCs are configured. Confirm the configuration of each DC to match, and then reconfigure Defender to again point to it, the performance should improve.
Restart IIS and test.