We faced the problem that “lsass.exe” caused a 100% CPU load for some days on a Domain Controller.
Here is how to analyze it with the Performance monitor and data collector.
Server Performance Advisor (SPA) and Active Directory Diagnostics
First we started eliminating possible causes, such as free memory, the driver of the network controller, adding a CPU and so forth. We were positive that the problem could be solved by adding a CPU and updating the driver of the network controller, but that didn’t work. So we started digging deeper.
Under Windows Server 2003 you could use “Server Performance Advisor (SPA)”, but not under Windows Server 2008. However, there are some built-in tools which can substitute for the “Server Performance Advisor (SPA)”.
Link to the SPA:
In the Performance Monitor under Windows 2008 we have so-called “Data Collector Sets”, with one for “Active Directory Diagnostics”:
You can start the “Data Collector” recording either via the context menu or by pressing the green play button. It runs for 5 minutes (standard) and provides you with an automatic analysis of the result under “Reports”. To be able to start the “Data Collector”, you should ideally have Domain Admin rights and the “Log on as a batch job” right.
The result is categorized as follows:
- “Diagnostic Results – Warnings / Performance”
- “Active Directory”
- “Hardware Configuration” and
- “Report Statistics”, the result of the automatic analysis
In our case we looked at “Active Directory Searches”:
- Client IP:Port
- Object Name
- LDAP Filter
It enabled us to find the client and the query which caused the 100% CPU load of “lsass.exe”.
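When the searches table is long, ranking the rows by client and filter makes the heaviest source stand out. The following is an added example, not part of the original post: it assumes the rows were copied by hand into a CSV with the three column names listed above (that CSV layout is an assumption, not the report's native format), and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample rows (not from the original report); column names follow
# the three fields the article lists. The CSV layout itself is an assumption.
SAMPLE_CSV = """Client IP:Port,Object Name,LDAP Filter
192.0.2.15:49211,"DC=example,DC=test",(&(objectClass=user)(mail=*))
192.0.2.15:49212,"DC=example,DC=test",(&(objectClass=user)(mail=*))
192.0.2.15:49230,"DC=example,DC=test",(&(objectClass=user)(mail=*))
192.0.2.40:51877,"OU=Staff,DC=example,DC=test",(sAMAccountName=jdoe)
[2001:db8::7]:50001,"DC=example,DC=test",(objectClass=*)
[2001:db8::7]:50002,"DC=example,DC=test",(objectClass=*)
"""


def client_ip(endpoint):
    """Drop the source port so all connections of one client group together."""
    endpoint = endpoint.strip()
    if endpoint.startswith("["):      # bracketed IPv6: [addr]:port
        return endpoint[1:endpoint.index("]")]
    if endpoint.count(":") == 1:      # IPv4: addr:port
        return endpoint.rsplit(":", 1)[0]
    return endpoint                   # no port given, or a bare IPv6 address


def top_searches(csv_text, limit=5):
    """Rank (client, object name, LDAP filter) combinations by search count."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (client_ip(row["Client IP:Port"]),
               row["Object Name"].strip(),
               row["LDAP Filter"].strip())
        counts[key] += 1
    return counts.most_common(limit)


if __name__ == "__main__":
    for (ip, obj, flt), n in top_searches(SAMPLE_CSV):
        print(f"{n:4d}  {ip:<15}  {obj}  {flt}")
```

Grouping on the address without the port matters because each new connection from the same client uses a different source port, so the raw “Client IP:Port” values rarely repeat.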
I find this a really nice integrated performance analysis. Even when you don’t have an actual problem, it is good to take a look at such a report.
Lsass.exe (Local Security Authority Subsystem Service) handles domain authentication etc. on the client.
You can find an introduction here.