What is causing lsass.exe process to consume so much cpu?

We have a main office with 4 domain controllers.  DC1, DC2, DC3 and DC4.  Our SCOM monitoring system often reports the the LSASS process on DC1 is using a high amount of CPU.  The exact error as reported by SCOM:

The Domain Controller has high processor load on the LSASS process over several polling intervals.

DC1 is the PDC Emulator and RID Master.  

My question is - how can I pinpoint was is causing the LSASS process to use so much CPU?  The other 3 DCs in the site are not having the same problem.
LVL 2
dreadman2kAsked:
Who is Participating?
 
dreadman2kAuthor Commented:
Thanks for the link, definitely could be related to the PDCE role.  We're actually going through a disaster recovery exercise this weekend, so I will let you know what happens when we move the PDCE role.  Thanks for your help.
0
 
dreadman2kAuthor Commented:
Moved the PDCE role to another DC over the weekend and the cpu load has followed.  I will start a network monitor and see if I can determine where the LDAP traffic is coming from. Anyone have any other troubleshooting advice?
0
Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

 
dreadman2kAuthor Commented:
Using Wireshark I was able to pinpoint the source of the traffic and it turned out to be a script that was querying AD for users in a certain group.  This script was running every 15 minutes and causing the lsass.exe load.
0
 
pkjesusCommented:
Hey dreadman,

I have more or less the same problem.
Could you please give some details on what you did exactly?

What did you look for in Wireshark? Was your script connected in any way with Group Policies?

Your help will be highly appreciated.
0
 
dreadman2kAuthor Commented:
PKjesus,

I will gather some info & post it herre for you. It looks like we're in different time zones & I don't have access to work at the moment. But there will be at least 1 more post here from me. So keep checking or follow the the discusion
0
 
pkjesusCommented:
dreadman;

Thanks very much. I appreciate your help.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.