Lsass.exe Spikes at 100 Percent CPU Usage and Then Shows a Typical Load for 60 Minutes Before Spiking Again (811172)
The information in this article applies to:

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server

SYMPTOMS

Lsass.exe on the primary domain controller (PDC) emulator operations master (also known as flexible single master operations or FSMO) role holder spikes at 100 percent CPU usage for about 10 minutes. Then it decreases to typical load for 60 minutes before it spikes again.

Even if you disconnect the domain controller from the network, the spikes continue to occur. The performance log shows a high number of "DS Directory Search/s" during this time. If you use NTDS diagnostic logging, you cannot find a source that causes these searches.

The CPU peak duration may vary depending on the number of members and the CPU speed/memory of the domain controller.

CAUSE

These peaks may occur if the administrators group contains many users. The DS propagator thread that secures the members of the administrators group runs internally in Lsass.exe; therefore, ordinary NTDS diagnostic logging cannot detect it. The thread sleeps for one hour before it starts again. Typically, the administrators group contains only a small number of users, so the thread finishes quickly and does not cause noticeable CPU usage.

In some circumstances an administrator adds a large number of users to the administrators group, sometimes unintentionally: because of group nesting, adding a single group can bring in many members. (Group nesting is available in native mode domains.) In this case, evaluating the effective membership and then checking and setting security on each member can cause the hourly spikes.
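The following PowerShell script is an added example, not part of this article, that measures the effective (nested) membership of the Administrators group and shows which directly nested group contributes the most members. It assumes a domain where the ActiveDirectory module (RSAT) is available, which is newer than the Windows 2000 systems this article covers; the group name and the reporting threshold are assumptions.

```powershell
Import-Module ActiveDirectory

$GroupName = 'Administrators'   # assumed: the built-in domain Administrators group
$Threshold = 20                 # assumed: report when effective membership exceeds this

# Direct members: users and computers count as one each; nested groups are expanded.
$direct = @(Get-ADGroupMember -Identity $GroupName)

$contrib = foreach ($m in $direct) {
    if ($m.objectClass -eq 'group') {
        # Transitive (nested) non-group members that this one sub-group brings in.
        $nested = @(Get-ADGroupMember -Identity $m.distinguishedName -Recursive |
                    Where-Object { $_.objectClass -ne 'group' })
        [pscustomobject]@{ Member = $m.SamAccountName; Kind = 'group'; Brings = $nested.Count }
    } else {
        [pscustomobject]@{ Member = $m.SamAccountName; Kind = $m.objectClass; Brings = 1 }
    }
}

# Effective membership: every non-group principal reachable through any nesting path,
# de-duplicated by distinguishedName so a user reached via two sub-groups counts once.
$effective = @(Get-ADGroupMember -Identity $GroupName -Recursive |
               Where-Object { $_.objectClass -ne 'group' } |
               Sort-Object -Property distinguishedName -Unique)

Write-Output ("Direct members of {0}: {1}" -f $GroupName, $direct.Count)
Write-Output ("Effective (non-group) members: {0}" -f $effective.Count)
if ($effective.Count -gt $Threshold) {
    Write-Output ("Effective membership exceeds {0}; the hourly SD propagator pass must process every one of them." -f $Threshold)
}
Write-Output 'Direct members ranked by how many effective members they contribute:'
$contrib | Sort-Object -Property Brings -Descending | Select-Object -First 10 | Format-Table -AutoSize
```

Get-ADGroupMember stops with an error when a group contains foreign security principals from another domain, and by default it refuses to return more than 5000 members per group; in such environments the count must be gathered differently, but the ranking of direct members still points at the sub-group that inflates the membership.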

RESOLUTION

To resolve this behavior, limit the membership of the administrators group. Microsoft strongly recommends that you limit the administrators group to a small number of dedicated accounts.

There are other ways to delegate administrative tasks to users and groups:
  • Use the Delegate Control assistant in the MMC Active Directory Users and Computers snap-in to delegate control on an organizational unit base.
  • In a Web-based administration user interface, consider using a proxy user to access Active Directory. In this case, the Web application must check the effective permissions of the caller internally.

STATUS

This behavior is by design.

REFERENCES

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

232199 Description and Update of the Active Directory AdminSDHolder Object

251343 Manually Initializing the SD Propagator Thread to Evaluate Inherited Permissions for Objects in Active Directory


Modification Type: Minor
Last Reviewed: 5/27/2003
Keywords:kbprb KB811172 kbAudITPRO