Forum Search:
Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Home » Microsoft » Windows Server » Active Directory » LSASS Bleeding Over
LSASS Bleeding Over [message #156945] Fri, 26 June 2009 17:59 Go to next message
JoshP  is currently offline JoshP
Messages: 4
Registered: June 2009
Junior Member
Would anyone have a clue as to why I am having this particular issue with
LSASS? What happens is that LSASS process (CPU) on one domain controller
spikes up to 80% and rides there. Within 30 seconds of the first DC LSASS
spiking about three or four other DC's LSASS begin spiking to 80%? This
occurs randomly but at least a couple times an hour. I have read many
documents related to LSASS but cannot seem to find an answer. Please help.
Re: LSASS Bleeding Over [message #156949 is a reply to message #156945] Sat, 27 June 2009 03:57 Go to previous messageGo to next message
florian  is currently offline florian  Germany
Messages: 484
Registered: July 2009
Senior Member
Howdie!

JoshP schrieb:
> Would anyone have a clue as to why I am having this particular issue with
> LSASS? What happens is that LSASS process (CPU) on one domain controller
> spikes up to 80% and rides there. Within 30 seconds of the first DC LSASS
> spiking about three or four other DC's LSASS begin spiking to 80%? This
> occurs randomly but at least a couple times an hour. I have read many
> documents related to LSASS but cannot seem to find an answer. Please help.

What does your environment look like? LSASS is the process most Active
Directory components run in.
Have you checked Ned's article on AskDS?
http://blogs.technet.com/askds/archive/2007/08/20/troublesho oting-high-lsass-cpu-utilization-on-a-domain-controller-part -1-of-2.aspx
?

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
Re: LSASS Bleeding Over [message #156964 is a reply to message #156945] Sun, 28 June 2009 05:59 Go to previous messageGo to next message
meiweb(nospam)  is currently offline meiweb(nospam)  Germany
Messages: 1307
Registered: July 2009
Senior Member
Hello JoshP,

What OS version and SP/patch level are you running? Make sure the server
has latest version installed.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Would anyone have a clue as to why I am having this particular issue
> with LSASS? What happens is that LSASS process (CPU) on one domain
> controller spikes up to 80% and rides there. Within 30 seconds of the
> first DC LSASS spiking about three or four other DC's LSASS begin
> spiking to 80%? This occurs randomly but at least a couple times an
> hour. I have read many documents related to LSASS but cannot seem to
> find an answer. Please help.
>
Re: LSASS Bleeding Over [message #156982 is a reply to message #156964] Sun, 28 June 2009 15:50 Go to previous messageGo to next message
JoshP  is currently offline JoshP
Messages: 4
Registered: June 2009
Junior Member
8 domain controllers running Windows Server 2003 SP2 (fully patched). Four
of the eight are DNS server (ad integrated) and also are gc's. The fsmo
rolles are split according to microsoft best practices.

"Meinolf Weber [MVP-DS]" wrote:

> Hello JoshP,
>
> What OS version and SP/patch level are you running? Make sure the server
> has latest version installed.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > Would anyone have a clue as to why I am having this particular issue
> > with LSASS? What happens is that LSASS process (CPU) on one domain
> > controller spikes up to 80% and rides there. Within 30 seconds of the
> > first DC LSASS spiking about three or four other DC's LSASS begin
> > spiking to 80%? This occurs randomly but at least a couple times an
> > hour. I have read many documents related to LSASS but cannot seem to
> > find an answer. Please help.
> >
>
>
>
Re: LSASS Bleeding Over [message #156999 is a reply to message #156982] Mon, 29 June 2009 04:39 Go to previous messageGo to next message
Syed Khairuddin  is currently offline Syed Khairuddin  Saudi Arabia
Messages: 77
Registered: June 2009
Member
Hello,

You can try process monitor to see whats causing the LSASS.EXE
process to generate the high cpu spikes and also take the dumps from
dr watson or adplus for a particular process and anlayze.

http://www.dumpanalysis.org/blog/index.php/2008/09/12/adplus -in-21-seconds-and-13-steps/
Re: LSASS Bleeding Over [message #157000 is a reply to message #156945] Mon, 29 June 2009 04:53 Go to previous messageGo to next message
Syed Khairuddin  is currently offline Syed Khairuddin  Saudi Arabia
Messages: 77
Registered: June 2009
Member
Please also refer to this articles listed below.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;308356
http://blogs.technet.com/ad/archive/2008/10/13/troubleshooti ng-a-memory-leak-in-lsass-exe.aspx

Thanks
Re: LSASS Bleeding Over [message #157008 is a reply to message #156945] Mon, 29 June 2009 07:24 Go to previous messageGo to next message
Jorge Silva  is currently offline Jorge Silva
Messages: 398
Registered: July 2009
Senior Member
Hi
Search at MS Support for LSASS 100% CPU. You'll find some articles related
with that behavior, additionally check the Antivirus configuration at
http://support.microsoft.com/kb/822158.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services
"JoshP" <JoshP@discussions.microsoft.com> wrote in message
news:FFD13ED4-1EA4-467A-A543-B2835675662D@microsoft.com...
> Would anyone have a clue as to why I am having this particular issue with
> LSASS? What happens is that LSASS process (CPU) on one domain controller
> spikes up to 80% and rides there. Within 30 seconds of the first DC LSASS
> spiking about three or four other DC's LSASS begin spiking to 80%? This
> occurs randomly but at least a couple times an hour. I have read many
> documents related to LSASS but cannot seem to find an answer. Please
> help.
Re: LSASS Bleeding Over [message #157032 is a reply to message #157008] Mon, 29 June 2009 14:34 Go to previous messageGo to next message
JoshP  is currently offline JoshP
Messages: 4
Registered: June 2009
Junior Member
I have some additional information. During the LSASS spikes on the dc's
authentication requests and directory reads goes up substantially on all
DC's. For example, say a DC normally provides 10-12 authtications per
second, during LSASS spikes we see 30+ authentications (kerberos) per second
(on all affected DC's). Also, the number of directory reads shoots up to
about 13,000 reads per second from about 7,000 reads per second. What
logging would help me determine what the increased authentications and
directory reads are coming from?

"Jorge Silva" wrote:

> Hi
> Search at MS Support for LSASS 100% CPU. You'll find some articles related
> with that behavior, additionally check the Antivirus configuration at
> http://support.microsoft.com/kb/822158.
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MVP Directory Services
> "JoshP" <JoshP@discussions.microsoft.com> wrote in message
> news:FFD13ED4-1EA4-467A-A543-B2835675662D@microsoft.com...
> > Would anyone have a clue as to why I am having this particular issue with
> > LSASS? What happens is that LSASS process (CPU) on one domain controller
> > spikes up to 80% and rides there. Within 30 seconds of the first DC LSASS
> > spiking about three or four other DC's LSASS begin spiking to 80%? This
> > occurs randomly but at least a couple times an hour. I have read many
> > documents related to LSASS but cannot seem to find an answer. Please
> > help.
>
Re: LSASS Bleeding Over [message #157033 is a reply to message #157032] Mon, 29 June 2009 15:26 Go to previous messageGo to next message
millin  is currently offline millin
Messages: 29
Registered: July 2009
Junior Member
Hi Josh,

I am just wondering as you said it's only happening couple of times per
hour,may be some batch files or backup of D.C running behind the screens.
Have you got any particular scheduled task isrunning every 20 mts or
something like that?

Just a thought!!!
mill

"JoshP" wrote:

> I have some additional information. During the LSASS spikes on the dc's
> authentication requests and directory reads goes up substantially on all
> DC's. For example, say a DC normally provides 10-12 authtications per
> second, during LSASS spikes we see 30+ authentications (kerberos) per second
> (on all affected DC's). Also, the number of directory reads shoots up to
> about 13,000 reads per second from about 7,000 reads per second. What
> logging would help me determine what the increased authentications and
> directory reads are coming from?
>
> "Jorge Silva" wrote:
>
> > Hi
> > Search at MS Support for LSASS 100% CPU. You'll find some articles related
> > with that behavior, additionally check the Antivirus configuration at
> > http://support.microsoft.com/kb/822158.
> >
> > --
> > I hope that the information above helps you.
> > Have a Nice day.
> >
> > Jorge Silva
> > MVP Directory Services
> > "JoshP" <JoshP@discussions.microsoft.com> wrote in message
> > news:FFD13ED4-1EA4-467A-A543-B2835675662D@microsoft.com...
> > > Would anyone have a clue as to why I am having this particular issue with
> > > LSASS? What happens is that LSASS process (CPU) on one domain controller
> > > spikes up to 80% and rides there. Within 30 seconds of the first DC LSASS
> > > spiking about three or four other DC's LSASS begin spiking to 80%? This
> > > occurs randomly but at least a couple times an hour. I have read many
> > > documents related to LSASS but cannot seem to find an answer. Please
> > > help.
> >
Re: LSASS Bleeding Over [message #157091 is a reply to message #157032] Tue, 30 June 2009 08:43 Go to previous message
pbbergs  is currently offline pbbergs  United States
Messages: 1024
Registered: July 2009
Senior Member
Have you considered using WireShark? If you think you are getting
overwhelmed, there could be clients out there running some type of DOS
attack against the dc's.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"JoshP" <JoshP@discussions.microsoft.com> wrote in message
news:B73A2498-99C8-4DAB-811F-9069B1A27D7A@microsoft.com...
>I have some additional information. During the LSASS spikes on the dc's
> authentication requests and directory reads goes up substantially on all
> DC's. For example, say a DC normally provides 10-12 authtications per
> second, during LSASS spikes we see 30+ authentications (kerberos) per
> second
> (on all affected DC's). Also, the number of directory reads shoots up to
> about 13,000 reads per second from about 7,000 reads per second. What
> logging would help me determine what the increased authentications and
> directory reads are coming from?
>
> "Jorge Silva" wrote:
>
>> Hi
>> Search at MS Support for LSASS 100% CPU. You'll find some articles
>> related
>> with that behavior, additionally check the Antivirus configuration at
>> http://support.microsoft.com/kb/822158.
>>
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>>
>> Jorge Silva
>> MVP Directory Services
>> "JoshP" <JoshP@discussions.microsoft.com> wrote in message
>> news:FFD13ED4-1EA4-467A-A543-B2835675662D@microsoft.com...
>> > Would anyone have a clue as to why I am having this particular issue
>> > with
>> > LSASS? What happens is that LSASS process (CPU) on one domain
>> > controller
>> > spikes up to 80% and rides there. Within 30 seconds of the first DC
>> > LSASS
>> > spiking about three or four other DC's LSASS begin spiking to 80%?
>> > This
>> > occurs randomly but at least a couple times an hour. I have read many
>> > documents related to LSASS but cannot seem to find an answer. Please
>> > help.
>>
Previous Topic:Active Directory is down
Next Topic:Re: sysvol folders missing
Goto Forum:
  


Current Time: Wed Oct 18 01:27:55 EDT 2017

Total time taken to generate the page: 0.04934 seconds
.:: Contact :: Home ::Sitemap::.

Powered by: FUDforum 3.0.0RC2.
Copyright ©2001-2009 FUDforum Bulletin Board Software