Question about Performance Monitor Results

  • Last Post 04 November 2015
SmitaCarneiro posted this 02 November 2015

Recently we had a domain controller show high CPU usage. One of the server guys ran Performance monitor and I’m now looking at the results. In the right hand pane I get a warning about the top client taking up ~23% of CPU. If I click on that it takes me down to that client.

Under the box titled Clients with the Most CPU Usage I see a list of IPs with Requests/sec. However the top 2 are not IP addresses but SAM and NTDSAPI, like so:

What exactly does this mean and how do I find out which client caused the load?

If I click on the plus sign next to ‘SAM’, I get queries of the form sAMAccountType=805306368 which according to this website is supposed to be an efficient query. So I’m guessing that whoever the client was just had a lot of queries. But how do I find out which client that was?

My Google searching has not helped.

Thanks,

Smita Carneiro, GCWN
Active Directory Systems Engineer
IT Security and Policy
Ross Enterprise Center
3495 Kent Avenue, Suite 100
West Lafayette, IN 47906

dddugan posted this 02 November 2015

While there can be a variety of causes, I suggest logging expensive LDAP queries to start. There’s also a nice little summary PowerShell script once you’ve captured some data.
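
An added example, not part of the original thread and not the script the post refers to: once expensive-query logging has captured events, they can be summarized per client so the heaviest caller stands out. It assumes the captured events are Event ID 1644 entries from the Directory Service log, whose message lists label lines (Client:, Filter:, Visited entries:) each followed by a value; the function names and the sample messages are constructed for illustration.

```powershell
# Added example. Assumption: each message uses the Event ID 1644 layout,
# a label line ("Client:", "Filter:", "Visited entries:") followed by its value.
function Get-LdapField {                     # hypothetical helper name
    param([string]$Message, [string]$Label)
    # The value may share the label's line or sit on the following line.
    $pattern = '(?im)^\s*' + [regex]::Escape($Label) + ':[ \t]*\r?\n?[ \t]*(.+?)[ \t]*\r?$'
    $m = [regex]::Match($Message, $pattern)
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

function Get-LdapClientSummary {             # hypothetical name
    param([string[]]$Messages)
    $rows = foreach ($msg in $Messages) {
        $client = Get-LdapField $msg 'Client'
        if (-not $client) { continue }       # not a search event, skip it
        [pscustomobject]@{
            # Drop the ephemeral source port so one host groups together.
            Client  = $client -replace ':\d+$', ''
            Filter  = Get-LdapField $msg 'Filter'
            Visited = [int](Get-LdapField $msg 'Visited entries')
        }
    }
    # One row per client: query count, entries visited, most frequent filter.
    $rows | Group-Object Client | ForEach-Object {
        [pscustomobject]@{
            Client       = $_.Name
            Queries      = $_.Count
            TotalVisited = ($_.Group | Measure-Object Visited -Sum).Sum
            TopFilter    = ($_.Group | Group-Object Filter |
                            Sort-Object Count -Descending |
                            Select-Object -First 1).Name
        }
    } | Sort-Object TotalVisited -Descending
}

# Constructed sample messages (not real log data; 192.0.2.0/24 is a documentation range).
$sample = @(
    "Internal event: A client issued a search operation.`nClient:`n192.0.2.10:50311`nFilter:`n (sAMAccountType=805306368) `nVisited entries:`n41000`nReturned entries:`n41000",
    "Internal event: A client issued a search operation.`nClient:`n192.0.2.10:50377`nFilter:`n (sAMAccountType=805306368) `nVisited entries:`n41000`nReturned entries:`n41000",
    "Internal event: A client issued a search operation.`nClient:`n192.0.2.25:49802`nFilter:`n (objectClass=computer) `nVisited entries:`n1200`nReturned entries:`n900"
)
Get-LdapClientSummary $sample | Format-Table -AutoSize

# On a domain controller where this logging is enabled, feed real events instead:
# $msgs = Get-WinEvent -FilterHashtable @{LogName='Directory Service'; Id=1644} | ForEach-Object Message
# Get-LdapClientSummary $msgs
```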

SmitaCarneiro posted this 04 November 2015

Thanks Darin, that’s a nice tool!

Smita