LSASS Process Monitor - Microsoft.Windows.Server.2012.AD.PerformanceEssentialServices.LSASS.Monitor (UnitMonitor)

Microsoft.Windows.Server.2012.AD.PerformanceEssentialServices.LSASS.Monitor (UnitMonitor)

Monitors the CPU utilization of the lsass process.

Knowledge Base article:

Summary

LSASS Process Monitor. The core process (lsass.exe) for Active Directory Domain Services is consuming a lot of CPU resources.

If the overall CPU utilization on the server is too high, users and services that rely on Active Directory Domain Services may experience delays.

Causes

Possible causes include the following:

The domain controller needs resizing.
The domain controller is a bridgehead server, and it is compressing large amounts of data because a bulk load must be replicated intersite.
The domain controller is a primary domain controller (PDC) emulator operations master, and there are either a large number of password lockouts or a large number of expired user accounts.
One or more other domain controllers failed, and their load transferred to this domain controller because it is now the closest available domain controller.
An application is placing a heavy load on the domain controller. This is usually caused by inefficient, CPU-intensive operations such as non-indexed queries.
The domain controller is critically low on memory.
The domain controller is under a denial-of-service attack.

Resolutions

View the overall system performance of the machine to determine if it needs additional resources.

Add additional domain controllers to help load-balance the load.

Ensure that there are a sufficient number of DCs in the active AD sites.

External

Capacity Planning for Active Directory Domain Services

Element properties:

Target

Microsoft.Windows.Server.2012.AD.DomainControllerRole

Parent Monitor

Microsoft.Windows.Server.2012.AD.PerformanceEssentialServices.AggregateMonitor

Category

Custom

Enabled

True

Alert Generate

True

Alert Severity

Error

Alert Priority

Normal

Alert Auto Resolve

True

Monitor Type

Microsoft.Windows.Server.2012.AD.PerformanceEssentialServices.LSASS.Monitor.Monitortype

Remotable

False

Accessibility

Public

Alert Message

The LSASS process has exceeded the processor utilization threshold over multiple samples.

{0}

RunAs

Default

Source Code:

<UnitMonitor ID="Microsoft.Windows.Server.2012.AD.PerformanceEssentialServices.LSASS.Monitor" Accessibility="Public" Enabled="true" Target="AD2012Core!Microsoft.Windows.Server.2012.AD.DomainControllerRole" ParentMonitorID="Microsoft.Windows.Server.2012.AD.PerformanceEssentialServices.AggregateMonitor" Remotable="false" Priority="Normal" TypeID="Microsoft.Windows.Server.2012.AD.PerformanceEssentialServices.LSASS.Monitor.Monitortype" ConfirmDelivery="false"> <Category>Custom</Category> <AlertSettings AlertMessage="Microsoft.Windows.Server.2012.AD.PerformanceEssentialServices.LSASS.Monitor.AlertMessage"> <AlertOnState>Error</AlertOnState> <AutoResolve>true</AutoResolve> <AlertPriority>Normal</AlertPriority> <AlertSeverity>Error</AlertSeverity> <AlertParameters> <AlertParameter1>$Data/Context/Property[@Name='ErrorString']$</AlertParameter1> </AlertParameters> </AlertSettings> <OperationalStates> <OperationalState ID="ADCPUOverloadOk" MonitorTypeStateID="ADCPUOverloadOk" HealthState="Success"/> <OperationalState ID="ADCPUOverloadError" MonitorTypeStateID="ADCPUOverloadError" HealthState="Error"/> </OperationalStates> <Configuration> <Frequency>300</Frequency> <TimeoutSeconds>300</TimeoutSeconds> <Threshold>80</Threshold> <NumSamples>10</NumSamples> </Configuration> </UnitMonitor>