Troubleshooting High CPU Usage on a Domain Controller

On This Page

Overview
Troubleshooting High CPU Usage by Processes
Procedures for Troubleshooting Services that Consume High CPU
Troubleshooting High CPU Usage on a PDC Emulator
Procedures for Troubleshooting High CPU Usage on a PDC Emulator
Troubleshooting High CPU Usage on a Global Catalog Server
Procedures for Troubleshooting High CPU Usage on a Global Catalog Server
Troubleshooting High CPU Usage Caused by Excessive Client Load
Procedures for Troubleshooting Client Load-Related High CPU Usage
Troubleshooting Server-Related High CPU Usage
Procedures for Troubleshooting Server-Related High CPU Usage

Overview

If your monitoring system reports high CPU usage on a domain controller, or if you noticed high CPU usage while verifying the health of a domain controller, follow the troubleshooting process in this section. Figure 2.2 shows the high-level process for troubleshooting high CPU usage on a domain controller. This high-level process for troubleshooting high CPU usage on a domain controller helps you determine the cause of high CPU usage and leads to more detailed troubleshooting tasks.

Figure 2.2: Troubleshooting High CPU Usage on a Domain Controller

Figure 2.2: Troubleshooting High CPU Usage on a Domain Controller

Troubleshooting High CPU Usage by Processes

Figure 2.3 shows the process for troubleshooting processes or services that cause high CPU usage.

Bb727054.adop0902(en-us,TechNet.10).gif

Figure 2.3: Troubleshooting High CPU Usage by Processes

Procedures for Troubleshooting Services that Consume High CPU

  1. Using Task Manager, determine whether high CPU usage is caused by Lsass.exe. If it is, go to the next step in the flowchart for troubleshooting high CPU usage on a domain controller, "Troubleshooting High CPU Usage on a PDC Emulator." If high CPU usage is not caused by Lssas.exe, , continue with the following steps.

  2. In Task Manager, determine which service is causing the problem.

  3. If the problem is caused by backup or virus scan software, wait for the service to complete, and consider rescheduling the service for nonpeak usage hours. If possible, change configuration settings on the software to optimize CPU usage.

  4. If another service is consuming high CPU, refer to the product documentation to troubleshoot that service.

Troubleshooting High CPU Usage on a PDC Emulator

If Lsass.exe is causing high CPU usage, determine if the domain controller is the PDC emulator. If it is, follow the process shown in Figure 2.4 for troubleshooting high CPU usage on a PDC emulator. If the domain controller is not the PDC emulator, go to the next step in the flowchart (Figure 2.4) for troubleshooting high CPU usage on a domain controller, "Troubleshooting High CPU Usage on a Global Catalog Server."

Bb727054.adop0903(en-us,TechNet.10).gif

Figure 2.4: Troubleshooting High CPU Usage on a PDC Emulator

Procedures for Troubleshooting High CPU Usage on a PDC Emulator

  1. To determine whether the domain controller is a PDC emulator, view the current operations master role holders. If it is a PDC emulator, continue with the following steps.

  2. Use the procedure to transfer the domain-level operations master roles to transfer the PDC emulator role to another domain controller.

  3. If the problem still exists on the original server after transferring the PDC emulator role, see "Troubleshooting Server-Related High CPU Usage" in this guide.

  4. If the problem still exists on the PDC emulator in its new location, determine whether account lockout policy is defined on this domain.

    If account lockout is defined:

    1. Confirm that all of the available patches are installed. If needed, contact Microsoft Product Support Services for this information.

    2. Enable auditing on the PDC emulator. Find and remove any bad service accounts.

  5. If you are using Systems Management Server (SMS), ensure that you have installed the most current SMS service packs.

  6. If you have Windows NT 4.0based BDCs and clients that are running Windows 2000 Professional or Windows XP Professional, perform the following tasks:

    1. In Performance Monitor, examine the "logon total" and "logon/sec" counters for the server object under System Monitor. Do this on different domain controllers in your environment, especially on subnets that contain both Windows 2000based and Windows NT 4.0based domain controllers. Compare these numbers on the different domain controllers to determine if any Windows 2000based domain controller is overloaded with a large number of authentication requests.

    2. Member computers that are running Windows 2000 and Windows XP authenticate exclusively with Active Directory domain controllers in a domain once the domain controllers are discovered by the member computers. If a Windows 2000based domain controller is overloaded because the number of upgraded domain controllers in the domain is not yet sufficient to withstand requests from all upgraded clients, you can alleviate the problem by adding Windows 2000based domain controllers.

      If necessary, configure Windows NT 4.0 emulation for each Windows 2000based domain controller in order to stop the overloading effect until enough domain controllers have been upgraded. Rejoin the clients that have discovered up-level domain controllers to the domain. During your upgrade process, first upgrade domain controllers in locations with large populations of clients that are running Windows XP and Windows 2000. You also need to rejoin all Windows 2000based and Windows XPbased domain members. In the rejoin procedure, specify a NetBIOS name for the domain. Until the domain members are rejoined, they cannot contact any domain controllers in the domain.

    3. Configure Windows NT 4.0 emulation for some computers. You can configure computers that run Windows 2000 Service Pack 2 (SP2) or later to inform domain controllers that are running in Windows NT 4.0 emulation mode to not use Windows NT 4.0 emulation mode when they respond to requests from those computers.

  7. If you are still experiencing problems, see "Reducing the Workload on the PDC Emulator" in this guide for more information about changing DNS weight or priority registry settings to reduce the workload for the PDC emulator.

Troubleshooting High CPU Usage on a Global Catalog Server

If Lsass.exe is causing high CPU usage on a domain controller that is not the PDC emulator, determine if the domain controller is also a global catalog server. If it is, follow the process shown in Figure 2.5 for troubleshooting high CPU usage on a global catalog server. If the domain controller is not a global catalog server, return to the next step in the high-level flowchart earlier in this section for troubleshooting high CPU usage on a domain controller.

Figure 2.5: Troubleshooting High CPU Usage on a Global Catalog Server

Figure 2.5: Troubleshooting High CPU Usage on a Global Catalog Server

Procedures for Troubleshooting High CPU Usage on a Global Catalog Server

  1. Determine whether the domain controller is a global catalog server. If it is, continue with the following steps.

  2. See "Managing Global Catalog Servers" in this guide for background information and prescriptive guidance about global catalog servers. If you do not have enough global catalog servers in your environment, add a global catalog server.

  3. Determine whether this is a bridgehead server. If Intersite Messaging (ISM) is off, start ISM. If necessary to manage a large number of connections, configure additional bridgehead servers.

Troubleshooting High CPU Usage Caused by Excessive Client Load

If Lsass.exe is causing high CPU usage on a domain controller that is not a PDC emulator or a global catalog server, disconnect the network cable. If CPU usage remains high after disconnecting the network cable, return to the next step in the flowchart for troubleshooting high CPU usage on a domain controller, "Troubleshooting Server-Related High CPU Usage." If CPU usage is at or near 0% after disconnecting the network cable, follow the process shown in Figure 2.6 for troubleshooting high CPU usage caused by excessive client loads.

Figure 2.6: Troubleshooting High CPU Usage Caused by Excessive Client Load

Figure 2.6: Troubleshooting High CPU Usage Caused by Excessive Client Load

  1. Review Best Practice Active Directory Deployment for Managing Windows Networks to determine proper hardware configuration. If your hardware is not adequate, resize the server. To review the best practice guidelines, see the Active Directory link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources/ Search under "Planning & Deployment Guides" and download Best Practice Active Directory Deployment for Managing Windows Networks.

  2. Verify network configuration and ensure that the DNS settings are correct. Ensure that the DNS weight and priority registry settings that are set for load balancing are correct.

  3. Use Adperf.exe to determine the problem.

    1. If Adperf reveals searches that are consuming high CPU, turn on inefficient LDAP queries logging to identify a bad application or indexing.

    2. If Adperf shows that a small set of clients is causing a high server load, troubleshoot the clients. An application problem is most likely causing the high CPU usage.

    3. If Adperf shows that a small set of users is causing a high server load, determine what actions they are performing to cause the load.

  4. If you have Windows NT 4.0 BDCs and Windows 2000 Professional or Windows XP Professional clients, do the following:

    1. Configure Windows NT 4.0 emulation. If a Windows 2000based domain controller is overloaded because the number of upgraded domain controllers in the domain is not yet sufficient to withstand requests from all upgraded clients, and if it is not already configured for Windows NT 4.0 emulation mode, configure the domain controller for Windows NT 4.0 emulation in order to stop the overloading effect until enough domain controllers have been upgraded. During your upgrade process, first upgrade domain controllers in locations with large populations of clients that are running Windows XP and Windows 2000. You also need to rejoin all Windows 2000based and Windows XPbased domain members. In the rejoin procedure, specify a NetBIOS name for the domain. Until the domain members are rejoined, they cannot contact any domain controllers in the domain.

    2. Modify Windows NT 4.0 emulation for some computers. You can configure computers that run Windows 2000 SP2 to inform domain controllers that are running in Windows NT 4.0 emulation mode to not use it when they respond to requests from those computers.

  5. If this is a sudden increase in CPU usage, reconfigure or resize the server.

If CPU usage on the domain controller remains high after disconnecting the network cable, follow the process shown in Figure 2.7 for troubleshooting high CPU usage caused by problems on the server.

Figure 2.7: Troubleshooting Server-Related High CPU Usage

Figure 2.7: Troubleshooting Server-Related High CPU Usage

  1. Enable Active Directory diagnostic event logging for garbage collection and security descriptor propagator (SDProp). If the number of security suboperations per second is greater than zero, wait for the process to complete. Depending on the number of objects, the amount of time it takes to complete can vary.

  2. Use Adperf.exe to determine the problem.

  3. Either determine what process is causing the problem, or resize the server if inadequate hardware resources are causing the problem.