JSI Tip 6397. High CPU and memory utilization when you add objects to or remove objects from the Active Directory?

Jerold Schulman

March 2, 2003


NOTE: The text in the following Microsoft Knowledge Base article is provided so that the site search can find this page. Please click the Knowledge Base link to ensure that you are reading the most current information.

Microsoft Knowledge Base article Q315697 contains:

SYMPTOMS

When your server re-creates or imports objects into the Active Directory, you may experience the following symptoms:

  • The CPU utilization is higher than you expect during the operation. If there are a lot of objects, the CPU utilization may remain at 100 percent for the duration of the operation.

  • The Lsass.exe process may use more memory than you expect.

  • The Lsass.exe memory utilization may not decrease after the operation is complete.


CAUSE

This behavior occurs because the creation of Active Directory objects is a pre-emptive operation. This means that the process takes any available CPU cycles to allocate more threads for creation of new objects. Additionally, Lsass.exe consumes any available RAM on the server, and retains these resources after the operation is completed to be able to respond to incoming queries as efficiently as possible. If memory is required for other processes, the Lsass.exe caches decrease and memory is returned to the system.

STATUS

This behavior is by design.

MORE INFORMATION

In the creation of these objects, the following procedures must occur for the object to be created:

  • Schema Integrity check

  • User rights of process-creating objects

  • Security inheritance applied to the object

  • Group membership checks

  • "Relative distinguished name" check

  • Disable Knowledge Consistency Checker (KCC) during object creation periods

  • Do not use Flexible Single Master Operations (FSMO) owner for object creation

Windows 2000 is designed to be able to create about 3,000 security principals, or 5,000 non-security principals per hour. Because of this, use a specific domain controller for imports and mass object creations. This domain controller should be a global catalog server with over 2 GB of memory for best LDAP search performance. The domain controller should also be isolated from common authentication traffic, LDAP query traffic, global catalog search traffic, and Key Distribution Center (KDC) traffic for best performance. Microsoft recommends that you follow these practices:

  • Do not use the domain controller or PDC emulator as a DNS server.

  • When you create a large number of sites and subnets, do so before the creation of servers and workstations.

  • Make changes on a domain controller in a hub site of a branch office deployment.

  • Run Offline Garbage Collection more frequently on the domain controller you designate for object creation.

  • Disable replication during object creation, both Active Directory Replication and FRS.
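The article says the Lsass.exe growth during a bulk import is by design and that the memory is held afterwards for query performance, which makes it hard to tell expected behaviour from a genuine fault. The script below is an added example, not part of the KB article or of this tip: run on the domain controller you have set aside for imports, it creates users from a CSV and samples Lsass.exe CPU time and memory at a fixed interval, then reports the achieved creation rate so it can be compared with the roughly 3,000 security principals per hour figure quoted above. It assumes the ActiveDirectory PowerShell module is available (it did not exist on Windows 2000); the CSV layout, the target OU and the parameter names are placeholders.

```powershell
# Added example (not from the KB article): bulk-create users on the designated
# import DC while sampling Lsass.exe, so that the by-design CPU and memory growth
# can be distinguished from a fault, and the throughput can be measured.
# Assumes the ActiveDirectory module; CSV columns and OU are placeholders.
param(
    [string]$CsvPath   = '.\users.csv',                   # assumed columns: Name,SamAccountName
    [string]$TargetOU  = 'OU=Import,DC=example,DC=com',   # placeholder OU
    [int]$SampleSec    = 30                               # seconds between Lsass samples
)

function Get-LsassSample {
    # One row of Lsass.exe resource usage; CPU is cumulative processor seconds.
    $p = Get-Process -Name lsass
    [pscustomobject]@{
        Time         = Get-Date -Format 'HH:mm:ss'
        CpuSeconds   = [math]::Round($p.CPU, 1)
        WorkingSetMB = [math]::Round($p.WorkingSet64 / 1MB, 1)
        PrivateMB    = [math]::Round($p.PrivateMemorySize64 / 1MB, 1)
    }
}

$samples = [System.Collections.Generic.List[object]]::new()
$samples.Add((Get-LsassSample))               # baseline before any object is created
$created    = 0
$clock      = [System.Diagnostics.Stopwatch]::StartNew()
$nextSample = $SampleSec

foreach ($row in Import-Csv -Path $CsvPath) {
    New-ADUser -Name $row.Name -SamAccountName $row.SamAccountName -Path $TargetOU
    $created++
    if ($clock.Elapsed.TotalSeconds -ge $nextSample) {
        $samples.Add((Get-LsassSample))
        $nextSample += $SampleSec
    }
}
$clock.Stop()
$samples.Add((Get-LsassSample))               # final sample: memory is expected to stay high

$samples | Format-Table -AutoSize
$perHour = if ($clock.Elapsed.TotalHours -gt 0) { $created / $clock.Elapsed.TotalHours } else { 0 }
'{0} objects created in {1:n0} s ({2:n0} per hour)' -f $created, $clock.Elapsed.TotalSeconds, $perHour
```

Read the samples the way the CAUSE section suggests: working set and private bytes climbing through the import and not falling back at the final sample is the documented behaviour; what would warrant investigation is Lsass memory that keeps growing after the import has finished, or a creation rate far below the quoted capacity on a DC that has been isolated from authentication, LDAP, global catalog and KDC traffic as recommended.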

For additional information about related topics, click the following article numbers to view the articles in the Microsoft Knowledge Base:

214677 Automatic Detection of Site Membership for Domain Controllers

260857 DFS Site information not updated when W2K servers move AD sites
