| Author | Messages | |
jfigueroa
Posts:11
 | | 12/02/2005 12:10 PM |
| A couple of things:
1) Have you looked at what AV solution is on your clients? If you are
using McAfee VSE 8.0 with Patch 11, they are your problem. There is a
patch 11a
http://groups.google.com/group/microsoft.public.windows.server.general/browse_thread/thread/e12b2c63af204b54/b62bcff6d7e9ce1e?lnk=st&q=dfssvc.exe+high+cpu&rnum=2&hl=en#b62bcff6d7e9ce1e
http://groups.google.com/group/microsoft.public.windows.server.dfs_frs/browse_thread/thread/1ec1e082e8880bb1/8b3c12d674c8c1f2?lnk=st&q=dfssvc.exe+high+cpu&rnum=1&hl=en#8b3c12d674c8c1f2
2) I had another situation going on with high CPU of LSASS and it was
virus activity from unprotected workstations, I ended up setting
NETLOGON logging:
http://support.microsoft.com/?id=109626 a value of 2080ffff (HEX)
Then taking the netlogon.log file created in the debug directory and
loading that into NLPARSE.EXE to look for clients with tons of failed
authentication requests. Every one of the clients found with lots of
failed authentication requests had AV stopped on it and eventually found
to be infected with BAT\mumu
From my experience with these events, they are a symptom of something
hammering your DCs.
Good luck
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Thursday, December 01, 2005 3:03 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Slow LDAP responses
How odd, that jumped offlist and then back onlist...
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Whaley, Greg
Sent: Wednesday, November 30, 2005 9:45 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: FW: [ActiveDir] Slow LDAP responses
Thanks Joe. In further research I have found when LDAP response is slow
that LSASS.exe is taking up most of the process. I have also seen in
other posts that there may be a beta patch from MS for lsass.exe high
utilization. So now I am waiting for MS to get back to me.
Greg Whaley
Consulting LAN Engineer
St. John Health
586-753-1594
-----Original Message-----
From: joe [mailto:listmail@xxxxxxxxxxx]
Sent: Tuesday, November 29, 2005 7:43 PM
To: Whaley, Greg
Subject: RE: [ActiveDir] Slow LDAP responses
ADFIND will take any standard LDAP query and execute it, you generally
just specify the base (-b) and a filter (-f) and add -selapsed to get
the timing values. So for instance, you could do
Adfind -b dc=domain,dc=com -f ou=* -dn -selapsed
To get a list of all DNs of OUs in domain.com
joe
-----Original Message-----
From: Whaley, Greg [mailto:Greg.Whaley@xxxxxxxxxx]
Sent: Wednesday, November 23, 2005 8:56 AM
To: joe
Subject: RE: [ActiveDir] Slow LDAP responses
Joe,
I do not really understand the command syntax. Any way you can give me an
example?
Greg Whaley
Consulting LAN Engineer
St. John Health
586-753-1594
-----Original Message-----
From: joe [mailto:listmail@xxxxxxxxxxx]
Sent: Friday, November 04, 2005 4:30 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Slow LDAP responses
How do you know the responses are slow? What aspect is slow? Is it the
name resolution, the bind, the query itself, what?
Usually the first thing I would do in something like this is look at the
-selapsed output of adfind which breaks up timing by various things done
in the query
Elapsed Times:
LDAP_OPEN 0.016
ROOT_DSE 0
LDAP_OPEN_2 0
PARTIAL_SCHEMA 0.407
LDAP_UNBIND_2 0
LDAP_SEARCH_INIT 0
LDAP_GET_PAGES 0.062
LDAP_UNBIND 0
That can help narrow it down. If the open is really slow then I get out
a network sniff and start watching the name res process, etc and usually
find the problem there.
joe
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Whaley, Greg
Sent: Friday, November 04, 2005 2:24 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Slow LDAP responses
I am seeing issues with slow LDAP response on a specific Windows 2000
domain controller. I have looked in the logs and the only thing I can
see that is causing an issue is in the application log. Here is the
event ID 1000:
Windows cannot query for the list of Group Policy objects . A message
that describes the reason for this was previously logged by this policy
engine.
I then go down to the error that was previously logged and see this.
Event ID 1000
Windows cannot establish a connection to **Domain**.COM with (0).
Anyone have any clues on what might be going on?
This error started after the DC was rebooted because of issues with slow
LDAP response.
Greg Whaley
Consulting LAN Engineer
CONFIDENTIALITY NOTICE: This email message and any accompanying data are
confidential, and intended only for the named recipient(s). If you are
not the intended recipient(s), you are hereby notified that the
dissemination, distribution, and or copying of this message is strictly
prohibited. If you receive this message in error, or are not the named
recipient(s), please notify the sender at the email address above,
delete this email from your computer, and destroy any copies in any form
immediately.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
| | | |
|
|
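The triage step described in the top post (find the clients generating large numbers of failed authentication requests in netlogon.log) can be sketched as follows. This is an added example, not part of the original thread and not NLPARSE itself; the `[LOGON] SamLogon ... Returns 0x...` line layout, the sample lines and the threshold of 5 are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# NTSTATUS values commonly seen on failed logons in netlogon.log
FAILURE_NAMES = {
    0xC0000064: "NO_SUCH_USER",
    0xC000006A: "WRONG_PASSWORD",
    0xC000006D: "LOGON_FAILURE",
    0xC0000234: "ACCOUNT_LOCKED_OUT",
}

# Assumed layout: "MM/DD HH:MM:SS [LOGON] SamLogon: Network logon of DOM\user from HOST Returns 0x..."
LINE_RE = re.compile(
    r"\[LOGON\].*?SamLogon: (?:Transitive )?\w+ logon of (?P<user>\S+) "
    r"from (?P<client>\S+).*?Returns (?P<status>0x[0-9A-Fa-f]+)")

def failed_logons_by_client(log_text):
    """Map client name -> failure count, accounts tried and status names seen."""
    stats = defaultdict(lambda: {"failures": 0, "accounts": set(), "codes": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # "Entered" lines and other subsystems carry no result
        status = int(m["status"], 16)
        if status == 0:
            continue  # successful logon
        entry = stats[m["client"].upper()]
        entry["failures"] += 1
        entry["accounts"].add(m["user"].lower())
        entry["codes"].add(FAILURE_NAMES.get(status, f"0x{status:08X}"))
    return stats

def noisy_clients(log_text, threshold=5):
    """Clients at or above the (arbitrary) failure threshold, busiest first."""
    hits = [(c, s["failures"], len(s["accounts"]))
            for c, s in failed_logons_by_client(log_text).items()
            if s["failures"] >= threshold]
    return sorted(hits, key=lambda h: h[1], reverse=True)

# Constructed sample: one normal workstation, one hammering the DC
_P = "12/01 14:0{} [LOGON] SamLogon: Network logon of CORP\\{} from {} {}"
SAMPLE_LOG = "\n".join(
    [_P.format("2:10", "asmith", "WS-0412", "Entered"),
     _P.format("2:10", "asmith", "WS-0412", "Returns 0xC000006A"),
     _P.format("2:31", "asmith", "WS-0412", "Returns 0x0")]
    + [_P.format(f"3:{i:02d}", f"user{i}", "WS-0977", "Returns 0xC0000064")
       for i in range(8)])

if __name__ == "__main__":
    for client, failures, accounts in noisy_clients(SAMPLE_LOG):
        print(f"{client}: {failures} failed logons across {accounts} accounts")
```

A client that fails against many distinct accounts in a short window is the pattern to check first for stopped AV or infection; a single mistyped password stays below the threshold.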