Another good way to see what is going on when this occurs is to get your hands on a tool called ADPerf, which was the predecessor to Server Performance Advisor and runs on Windows 2000. It will help analyze what is pegging the CPU. Since you appear to have a support incident open with Microsoft, the engineer should be able to provide this and help interpret the report it outputs.

Server Performance Advisor can really help in looking at a variety of performance problems on Windows Server 2003 and can be coerced into compiling the output from ADPerf so that it is in a more friendly XML format than what ADPerf spits out; however, both are very readable and can really cut down the time needed to analyze performance problems. The netlogon logging can help if you know what you are looking for, but netlogon is usually just one piece of the pie.
Thanks,
-Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Thursday, December 01, 2005 5:03 PM
To: [email protected]
Subject: RE: [ActiveDir] Slow LDAP responses

A couple of things:

1) Have you looked at what AV solution is on your clients? If you are using McAfee VSE 8.0 with Patch 11, they are your problem. There is a patch 11a:

http://groups.google.com/group/microsoft.public.windows.server.general/browse_thread/thread/e12b2c63af204b54/b62bcff6d7e9ce1e?lnk=st&q=dfssvc.exe+high+cpu&rnum=2&hl=en#b62bcff6d7e9ce1e

http://groups.google.com/group/microsoft.public.windows.server.dfs_frs/browse_thread/thread/1ec1e082e8880bb1/8b3c12d674c8c1f2?lnk=st&q=dfssvc.exe+high+cpu&rnum=1&hl=en#8b3c12d674c8c1f2

2) I had another situation going on with high CPU of LSASS and it was virus activity from unprotected workstations. I ended up setting NETLOGON logging:

    http://support.microsoft.com/?id=109626
    a value of 2080ffff (HEX)

Then taking the netlogon.log file created in the debug directory and loading that into NLPARSE.EXE to look for clients with tons of failed authentication requests. Every one of the clients found with lots of failed authentication requests had AV stopped on it and was eventually found to be infected with BAT\mumu.

From my experience with these events, they are a symptom of something hammering your DCs.

Good luck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, December 01, 2005 3:03 PM
To: [email protected]
Subject: RE: [ActiveDir] Slow LDAP responses

How odd, that jumped offlist and then back onlist...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Whaley, Greg
Sent: Wednesday, November 30, 2005 9:45 AM
To: [email protected]
Subject: FW: [ActiveDir] Slow LDAP responses

Thanks Joe. In further research I have found when LDAP response is slow that LSASS.exe is taking up most of the process.

I have also seen in other posts that there may be a beta patch from MS for lsass.exe high utilization. So now I am waiting for MS to get back to me.

Greg Whaley
Consulting LAN Engineer
St. John Health
586-753-1594

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 29, 2005 7:43 PM
To: Whaley, Greg
Subject: RE: [ActiveDir] Slow LDAP responses

ADFIND will take any standard LDAP query and execute it; you generally just specify the base (-b) and a filter (-f) and add -selapsed to get the timing values.

So for instance, you could do

    Adfind -b dc=domain,dc=com -f ou=* -dn -selapsed

to get a list of all DNs of OUs in domain.com.

joe

-----Original Message-----
From: Whaley, Greg [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 23, 2005 8:56 AM
To: joe
Subject: RE: [ActiveDir] Slow LDAP responses

Joe,

I do not really understand the command syntax. Any way you can give me an example?

Greg Whaley
Consulting LAN Engineer
St. John Health
586-753-1594

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, November 04, 2005 4:30 PM
To: [email protected]
Subject: RE: [ActiveDir] Slow LDAP responses

How do you know the responses are slow? What aspect is slow? Is it the name resolution, the bind, the query itself, what?

Usually the first thing I would do in something like this is look at the -selapsed output of adfind, which breaks up timing by various things done in the query:

    Elapsed Times:
      LDAP_OPEN         0.016
      ROOT_DSE          0
      LDAP_OPEN_2       0
      PARTIAL_SCHEMA    0.407
      LDAP_UNBIND_2     0
      LDAP_SEARCH_INIT  0
      LDAP_GET_PAGES    0.062
      LDAP_UNBIND       0

That can help narrow it down. If the open is really slow then I get out a network sniff and start watching the name res process, etc. and usually find the problem there.
joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Whaley, Greg
Sent: Friday, November 04, 2005 2:24 PM
To: [email protected]
Subject: RE: [ActiveDir] Slow LDAP responses

I am seeing issues with slow LDAP response on a specific Windows 2000 domain controller. I have looked in the logs and the only thing I can see that is causing an issue is in the application log. Here is the event ID 1000:

    Windows cannot query for the list of Group Policy objects . A message that describes the reason for this was previously logged by this policy engine.

I then go down to the error that was previously logged and see this.

    Event ID 1000
    Windows cannot establish a connection to **Domain**.COM with (0).

Anyone have any clues on what might be going on? This error started after the DC was rebooted because of issues with slow LDAP response.

Greg Whaley
Consulting LAN Engineer

CONFIDENTIALITY NOTICE: This email message and any accompanying data are confidential, and intended only for the named recipient(s). If you are not the intended recipient(s), you are hereby notified that the dissemination, distribution, and or copying of this message is strictly prohibited. If you receive this message in error, or are not the named recipient(s), please notify the sender at the email address above, delete this email from your computer, and destroy any copies in any form immediately.

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
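
Added example (not part of the original thread, and not NLPARSE itself): a short Python tally of failed SamLogon results per source workstation, the triage step described in the thread for netlogon.log once NETLOGON logging is enabled. The log lines are constructed samples, and the assumed line layout and the threshold of 3 are assumptions to check against your own log.

```python
import re
from collections import Counter, defaultdict

# NTSTATUS values commonly seen on failed SamLogon entries.
STATUS = {
    0xC0000064: "NO_SUCH_USER",
    0xC000006A: "WRONG_PASSWORD",
    0xC0000234: "ACCOUNT_LOCKED_OUT",
}

# Assumed layout: "MM/DD HH:MM:SS [LOGON] DOM: SamLogon: <type> logon of
# DOM\user from WKSTA Returns 0x..."; some builds add a "[pid]" field.
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] (?:\[\d+\] )?"
    r".*?SamLogon: .*?logon of (?P<user>.+?) from (?P<src>\S*)"
    r"(?: \(via \S+\))? Returns (?P<status>0x[0-9A-Fa-f]+)\s*$"
)

# Constructed sample lines (not taken from the thread).
SAMPLE = r"""
12/01 14:03:10 [LOGON] CORP: SamLogon: Network logon of CORP\administrator from WKS-0417 Entered
12/01 14:03:10 [LOGON] CORP: SamLogon: Network logon of CORP\administrator from WKS-0417 Returns 0xC000006A
12/01 14:03:11 [LOGON] CORP: SamLogon: Network logon of CORP\admin from WKS-0417 Returns 0xC0000064
12/01 14:03:11 [LOGON] CORP: SamLogon: Network logon of CORP\administrator from WKS-0417 Returns 0xC000006A
12/01 14:03:12 [LOGON] CORP: SamLogon: Network logon of CORP\administrator from WKS-0417 Returns 0xC0000234
12/01 14:03:15 [LOGON] CORP: SamLogon: Network logon of CORP\jsmith from WKS-0022 Returns 0x0
12/01 14:03:20 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\mlee from WKS-0108 (via FS01) Returns 0xC000006A
""".strip().splitlines()


def failed_logons_by_source(lines, threshold=3):
    """Map each source workstation with >= threshold failures to a Counter of failure types."""
    per_src = defaultdict(Counter)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # "Entered" lines and non-LOGON records carry no result code
        code = int(m.group("status"), 16)
        if code == 0:
            continue  # successful logon
        name = STATUS.get(code, f"0x{code:08X}")
        per_src[m.group("src") or "(blank)"][name] += 1
    return {s: c for s, c in per_src.items() if sum(c.values()) >= threshold}


if __name__ == "__main__":
    for src, counts in failed_logons_by_source(SAMPLE).items():
        print(src, dict(counts))
```

Workstations that surface here with many failures across several account names are the ones to check for stopped AV, as described in the thread.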
