AD Processor Overload (lsass) Monitor - AD_CPU_Overload.Monitor (UnitMonitor)

AD_CPU_Overload.Monitor (UnitMonitor)

Knowledge Base article:

Summary

AD Processor overload (lsass). The core process (Lsass.exe) for the Active Directory directory service is consuming a lot of CPU resources.

Configuration

Possible causes include the following:

The domain controller needs resizing.
The domain controller is a bridgehead server, and it is compressing large amounts of data because a bulk load must be replicated intersite.
The domain controller is a primary domain controller (PDC) emulator operations master, and there are either a large number of password lockouts or a large number of expired user accounts.
One or more other domain controllers failed, and their load transferred to this domain controller because it is now the closest available domain controller.
An application is placing a heavy load on the domain controller. This is usually caused by inefficient, CPU-intensive operations such as nonindexed queries.
The domain controller is critically low on memory.
The domain controller is under a denial-of-service attack.

Element properties:

Target

Microsoft.Windows.Server.2008.AD.DomainControllerRole

Parent Monitor

System.Health.PerformanceState

Category

AvailabilityHealth

Enabled

True

Alert Generate

True

Alert Severity

Error

Alert Priority

Normal

Alert Auto Resolve

True

Monitor Type

AD_CPU_Overload.Monitortype

Remotable

False

Accessibility

Public

Alert Message

The LSASS process has exceeded the processor utilization threshold

{0}

RunAs

Default

Source Code:

<UnitMonitor ID="AD_CPU_Overload.Monitor" Accessibility="Public" Enabled="onStandardMonitoring" Target="AD2008Core!Microsoft.Windows.Server.2008.AD.DomainControllerRole" ParentMonitorID="SystemHealth!System.Health.PerformanceState" Remotable="false" Priority="Normal" TypeID="AD_CPU_Overload.Monitortype" ConfirmDelivery="false"> <Category>AvailabilityHealth</Category> <AlertSettings AlertMessage="AD_CPU_Overload.Monitor.AlertMessage"> <AlertOnState>Error</AlertOnState> <AutoResolve>true</AutoResolve> <AlertPriority>Normal</AlertPriority> <AlertSeverity>Error</AlertSeverity> <AlertParameters> <AlertParameter1>$Data/Context/Property[@Name='ErrorString']$</AlertParameter1> </AlertParameters> </AlertSettings> <OperationalStates> <OperationalState ID="ADCPUOverloadOk" MonitorTypeStateID="ADCPUOverloadOk" HealthState="Success"/> <OperationalState ID="ADCPUOverloadError" MonitorTypeStateID="ADCPUOverloadError" HealthState="Error"/> </OperationalStates> <Configuration> <Frequency>300</Frequency> <TimeoutSeconds>300</TimeoutSeconds> <Threshold>80</Threshold> <NumSamples>10</NumSamples> </Configuration> </UnitMonitor>