Microsoft KB Archive/315697

= High CPU and Memory Utilization When You Add Objects to or Remove Objects From the Active Directory =

Article ID: 315697

Article Last Modified on 10/30/2006


APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Advanced Server




This article was previously published under Q315697





SYMPTOMS
When your server re-creates or imports objects into the Active Directory, you may experience the following symptoms:
 * The CPU utilization is higher than you expect during the operation. If there are a lot of objects, the CPU utilization may remain at 100 percent for the duration of the operation.
 * The Lsass.exe process may use more memory than you expect.
 * The Lsass.exe memory utilization may not decrease after the operation is complete.




CAUSE
This behavior occurs because the creation of Active Directory objects is a pre-emptive operation. This means that the process takes any available CPU cycles to allocate more threads for creation of new objects. Additionally, Lsass.exe consumes any available RAM on the server, and retains these resources after the operation is completed to be able to respond to incoming queries as efficiently as possible. If memory is required for other processes, the Lsass.exe caches decrease and memory is returned to the system.



STATUS
This behavior is by design.



MORE INFORMATION
In the creation of these objects, the following procedures must occur for the object to be created:
 * Schema Integrity check
 * User rights of the process that creates the objects
 * Security inheritance applied to the object
 * Group membership checks
 * "Relative distinguished name" check
 * Disable Knowledge Consistency Checker (KCC) during object creation periods
 * Do not use Flexible Single Master Operations (FSMO) owner for object creation

Windows 2000 is designed to be able to create about 3,000 security principals, or 5,000 non-security principals per hour. Because of this, use a specific domain controller for imports and mass object creations. This domain controller should be a global catalog server with over 2 GB of memory for best LDAP search performance. The domain controller should also be isolated from common authentication traffic, LDAP query traffic, global catalog search traffic, and Key Distribution Center (KDC) traffic for best performance. Microsoft recommends that you follow these practices:
 * Do not use the domain controller or PDC emulator as a DNS server.
 * When you create a large number of sites and subnets, do so before the creation of servers and workstations.
 * Make changes on a domain controller in a hub site of a branch office deployment.
 * Run Offline Garbage Collection more frequently on the domain controller you designate for object creation.
 * Disable replication during object creation, both Active Directory Replication and FRS.
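The following batch script is an added example, not part of the original article. It shows one way to apply the "dedicated domain controller" and "disable replication during object creation" recommendations while making sure replication is switched back on even when the import fails. It assumes the Support Tools version of Repadmin and Ldifde are on the path and that both return a nonzero exit code on failure; IMPORT-DC01 and users.ldf are placeholder names. It covers Active Directory replication only, not FRS.

```bat
@echo off
rem Added example: bulk import against a dedicated DC with AD replication paused.
rem IMPORT-DC01 and users.ldf are placeholders (assumptions), not values from the article.
setlocal
set DC=IMPORT-DC01
set LDIF=users.ldf

rem Pause inbound and outbound replication on the import DC only.
repadmin /options %DC% +DISABLE_INBOUND_REPL +DISABLE_OUTBOUND_REPL
if errorlevel 1 (
    echo Could not pause replication on %DC%. Import not started.
    exit /b 1
)

rem Run the import against the dedicated DC, not a FSMO role owner.
ldifde -i -f %LDIF% -s %DC%
set RC=%ERRORLEVEL%

rem Re-enable replication regardless of the import result. A DC left with
rem replication disabled never sends or receives password changes, group
rem changes, or account disables.
repadmin /options %DC% -DISABLE_INBOUND_REPL -DISABLE_OUTBOUND_REPL
if errorlevel 1 echo WARNING: replication is still disabled on %DC%. Re-enable it manually.

rem Print the current options so the operator can confirm both flags are cleared.
repadmin /options %DC%

if not "%RC%"=="0" echo Import failed with exit code %RC%. Review the ldifde log files.
exit /b %RC%
```

Running `repadmin /options` against the import DC after any bulk operation is a quick check that neither DISABLE flag was left set.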

For additional information about related topics, click the following article numbers to view the articles in the Microsoft Knowledge Base:

214677 Automatic Detection of Site Membership for Domain Controllers

260857 DFS Site information not updated when W2K servers move AD sites

Keywords: kbprb KB315697


© Microsoft Corporation. All rights reserved.