Solved

What is causing lsass.exe process to consume so much cpu?

Posted on 2009-04-02
7
3,115 Views
Last Modified: 2012-05-06
We have a main office with 4 domain controllers.  DC1, DC2, DC3 and DC4.  Our SCOM monitoring system often reports the the LSASS process on DC1 is using a high amount of CPU.  The exact error as reported by SCOM:

The Domain Controller has high processor load on the LSASS process over several polling intervals.

DC1 is the PDC Emulator and RID Master.  

My question is - how can I pinpoint was is causing the LSASS process to use so much CPU?  The other 3 DCs in the site are not having the same problem.
0
Comment
Question by:dreadman2k
  • 4
  • 2
7 Comments
 
LVL 6

Accepted Solution

by:
meugen earned 500 total points
Comment Utility
0
 
LVL 2

Author Comment

by:dreadman2k
Comment Utility
Thanks for the link, definitely could be related to the PDCE role.  We're actually going through a disaster recovery exercise this weekend, so I will let you know what happens when we move the PDCE role.  Thanks for your help.
0
 
LVL 2

Author Comment

by:dreadman2k
Comment Utility
Moved the PDCE role to another DC over the weekend and the cpu load has followed.  I will start a network monitor and see if I can determine where the LDAP traffic is coming from. Anyone have any other troubleshooting advice?
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 2

Author Comment

by:dreadman2k
Comment Utility
Using Wireshark I was able to pinpoint the source of the traffic and it turned out to be a script that was querying AD for users in a certain group.  This script was running every 15 minutes and causing the lsass.exe load.
0
 
LVL 1

Expert Comment

by:pkjesus
Comment Utility
Hey dreadman,

I have more or less the same problem.
Could you please give some details on what you did exactly?

What did you look for in Wireshark? Was your script connected in any way with Group Policies?

Your help will be highly appreciated.
0
 
LVL 2

Author Comment

by:dreadman2k
Comment Utility
PKjesus,

I will gather some info & post it herre for you. It looks like we're in different time zones & I don't have access to work at the moment. But there will be at least 1 more post here from me. So keep checking or follow the the discusion
0
 
LVL 1

Expert Comment

by:pkjesus
Comment Utility
dreadman;

Thanks very much. I appreciate your help.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Many times while working on a computer regardless of any Operating System, lag and crashes seem to creep in, hindering your working speed. Sometimes, it can also cause your work to be lost unexpectedly and as a result, you are unable to meet your de…
This is a little timesaver I have been using for setting up Microsoft Small Business Server (SBS) in the simplest possible way. It may not be appropriate for every customer. However, when you get a situation where the person who owns the server is i…
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now