Mar 20 2010

Identify applications that cause your Domain Controller to decrease in performance

We will describe in this post how to indentify an application that causes a CPU time overconsumption on your Domain Controllers. We will use two tools for this: Server Performance Advisor and Wireshark. The first is used if you have a Windows 2003 DC, if OS is Windows 2008 the tool is already included, you access it with MMC snap-in perfmon.msc, its new name is Windows Reliability and Performance Monitor. Both versions have performance counters dedicated to Active Directory, in this post we will use SPA, because the DC having trouble is running Windows 2003. If you want more details on using Windows RPM for AD you can read this article.

When analysing the CPU graph below we can see that there is something unusual occuring on this DC. Process lsass is consuming a lot of CPU time:

We can see that CPU is really busy during office hours, an application used by client computers might be a good lead for explaining this phenomenon. So we proceed with an anlysis of the DC with SPA and here are the results:

There is a SamEnumUsersInDomain request that consumes 42% of CPU load. Unfortunatly we cannot identify clearly the clients with SPA, so we will use WireShark to monitor DC’s network activity.

After analysing the data we can deduce that communication protocol used by client’s request is MS-SAMR. So we just need to use the appropriate filter (SAMR) with Wireshark to identify the clients. We sent the computers list to the local IT support of the site impacted and it revealed that those clients were laptops with HP ProtectTools security manager installed. This application was uninstalled on most of them because we do not use SMART cards and we could see the results on CPU Load almost immedialty:

If you want to identify the application causing trouble on client’s side by filtering which process uses a particular protocol or sends a request to a particular machine you use can TCPview or CurrPorts, if you want more information on the second application you can read an article of my colleague on CTXBlog (it’s in french).

The issue concerning the HProtectTools application was discussed on this forum. You need to upgrade to Sp41408 to get rid of the problem if you decide to keep the application on your laptops.

This post is also available in: French

No Comments

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a comment

*

WordPress Themes

Blossom Icon Set

Software Top Blogs