Article ID: 811172 - Last Review: October 30, 2006 - Revision: 1.2

Lsass.exe Spikes at 100 Percent CPU Usage and Then Shows a Typical Load for 60 Minutes Before Spiking Again

SYMPTOMS

Lsass.exe on the primary domain controller (PDC) emulator operations master (also known as flexible single master operations or FSMO) role holder spikes at 100 percent CPU usage for about 10 minutes. Then it decreases to typical load for 60 minutes before it spikes again. Even if you disconnect the domain controller from the network, the spikes continue to occur. The performance log shows a high number of "DS Directory Search/s" during this time. If you use NTDS diagnostic logging, you cannot find a source that causes these searches. The CPU peak duration may vary depending on the number of members and the CPU speed/memory of the domain controller.

CAUSE

These peaks may occur if the administrators group contains many users. The SD Propagator Thread that secures the members of the administrators group runs internally in Lsass.exe. Therefore, it cannot be detected by ordinary NTDS diagnostic logging. It will sleep for one hour before starting again. Typically, the administrators group contains a small number of users. Therefore, the thread finishes quickly and does not cause noticeable CPU usage.

There may be special circumstances when the administrator adds a large number of users to the administrators group. It may also be unintentional. Because of group nesting, adding a single group can result in many members. (Group nesting is available in native mode domains.) In this case, the evaluation of the effective membership and, thereafter, the security checking and setting can cause the hourly spikes.

RESOLUTION

To resolve this behavior, limit the members of the administrators group. Microsoft strongly recommends that you limit the members of the administrators group to a small number of dedicated accounts. There are other ways to delegate administrative tasks to users and groups:

STATUS

This behavior is by design.

REFERENCES

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

232199 (http://support.microsoft.com/kb/232199/EN-US/) Description and Update of the Active Directory AdminSDHolder Object

251343 (http://support.microsoft.com/kb/251343/EN-US/) Manually Initializing the SD Propagator Thread to Evaluate Inherited Permissions for Objects in Active Directory
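
The group-nesting effect described under CAUSE, as an added example that is not part of the original article: this Python sketch expands a constructed group map to show how a single nested group inflates the effective membership of the administrators group, and it tolerates circular nesting. All group and user names, and the limit of 10, are assumptions made for illustration.

```python
# Added illustration: effective (transitive) membership of a privileged group.
# SAMPLE is constructed data, not an export from a real directory.
SAMPLE = {
    "Administrators": ["alice", "bob", "Domain Admins", "Helpdesk"],
    "Domain Admins": ["carol", "alice"],
    "Helpdesk": ["Helpdesk-EMEA", "Helpdesk-APAC", "dave"],
    # Circular nesting: Helpdesk-EMEA contains its own parent group.
    "Helpdesk-EMEA": [f"emea{i:03d}" for i in range(200)] + ["Helpdesk"],
    "Helpdesk-APAC": [f"apac{i:03d}" for i in range(150)],
}


def effective_members(groups, root):
    """Return every user reachable from `root` through any depth of nesting."""
    users, seen, stack = set(), {root}, [root]
    while stack:
        for member in groups[stack.pop()]:
            if member not in groups:
                users.add(member)          # leaf principal (a user account)
            elif member not in seen:       # visit each group once, so loops end
                seen.add(member)
                stack.append(member)
    return users


def nesting_report(groups, root):
    """For each group that is a direct member of `root`, count the users it adds."""
    return {m: len(effective_members(groups, m))
            for m in groups[root] if m in groups}


def audit(groups, root, limit):
    """Compare direct and effective membership against an assumed size limit."""
    total = len(effective_members(groups, root))
    return {
        "direct_users": sum(1 for m in groups[root] if m not in groups),
        "effective_users": total,
        "nested": nesting_report(groups, root),
        "over_limit": total > limit,       # limit is a site-specific assumption
    }


if __name__ == "__main__":
    result = audit(SAMPLE, "Administrators", limit=10)
    print(result["direct_users"], "direct users,",
          result["effective_users"], "effective users")
    for group, count in sorted(result["nested"].items(), key=lambda kv: -kv[1]):
        print(f"  nested group {group!r} contributes {count} users")
```

Sorting the nested groups by contribution points at the one group whose removal from the administrators group would shrink the effective membership the most.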
