- A System Center Advisor alert has triggered which calls out that the Lsass.exe process is utilizing a consistently large percentage of the CPU's capabilities (CPU utilization counter).
- During normal operation, a domain controller is responding slowly or not at all to client service requests for authentication or directory lookups.
- Active Directory domain clients consistently or frequently stop requesting service from a domain controller and instead locate a different domain controller to gain services from.
- Performance monitoring using Perfmon.msc or Task Manager reveals that the Lsass.exe process is utilizing a consistently large percentage of the CPU's capabilities (Process Object, % Processor Time counter).
To run the Active Directory Data Collector follow these steps:
- Open Server Manager on a Full version of Windows Server 2008 or later, or go to Start > Run > Perfmon.msc and then press enter.
- Expand Diagnostics > Reliability and Performance > Data Collector Sets > System
- Right-click on Active Directory Diagnostics and then click Start in the menu which appears.
- The default setting will gather data for the report for 300 seconds (5 minutes), after which it will take an additional period to compile the report. The amount of time needed to compile the report is proportional to how much data has been gathered during the period.
The report contains eight broad categories under Diagnostic Results which will contain information and conclusions in the report. These will not always tell the exact cause of the problem but can be used to determine where to investigate in order to find the exact cause.
Items to look at when facing high CPU utilization by Lsass.exe are the Diagnostic Results portion of the report, which will show general performance concerns. In addition, examining the Active Directory category will detail what actions-such as what LDAP queries are effecting performance-the domain controller is busy doing at that time.
Domain controllers are often most effected by remote queries from computers in the environment asking "expensive" queries, or subjecting them to a higher volume of queries. The Network portion of the report can be useful in determining the remote clients which are communicating most with the domain controller while the diagnostic was gathering data.
Additional information on how to troubleshoot the Lsass.exe process using a great deal of CPU utilization on an Active Directory domain controller is available at the AskDS Team Blog Post:
"Son of SPA: AD Data Collector Sets in Win2008 and beyond"