If you have a single domain, changing from 389 to 3268 really shouldn't have
bought you anything.

   joe 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Wednesday, June 23, 2004 1:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LSASS.exe using 99% CPU during multiple LDAP lookups

Al,

Thanks for the tip...  Yes, this is the Exchange Accelerator stuff...
(LDAP lookups to verify the recipient (SMTP address) actually exists in the
org before accepting the mail)...

The server I was using was a GC and the only functions it serves are as
DC/GC and DNS so it's usually very lightly loaded...  Based on a
recommendation from Barracuda, I moved the query from the standard port
389 to the GC port 3268.  The queries return MUCH faster now and LSASS has
settled back to its normal level...

Of course the response I got didn't include any wherefore or why...  Any
tips on when I should use the GC query port vs. the standard query port?


Thanks again for the reply.


Joe Pochedley
A computer terminal is not some clunky old television with a typewriter in
front of it. It is an interface where the mind and body can connect with the
universe and move bits of it about. -Douglas Adams 

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 23, 2004 12:39 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] LSASS.exe using 99% CPU during multiple LDAP lookups

Of course you have access to the LDAP query syntax.  It's sent to the domain
controller where you can either pick it up off the wire or get it in the logs
(turn up logging).  Note this is one way to increase your processor even
more.

As for suggestions, how about moving the query to a dedicated GC in a
separate site vs. one that users use.  My inner child would prefer to put
that data into ADAM and isolate it against other hosts that do nothing but
serve LDAP.  But that's more complex and may not be what you want to do.  

Check with Barracuda and see what they offer in terms of caching, tweaking,
etc.  I'm assuming this is the Exchange accelerator stuff, but just in
case...

Al 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Wednesday, June 23, 2004 12:26 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LSASS.exe using 99% CPU during multiple LDAP lookups

We've recently installed a Barracuda Spam Filter for testing purposes...
One of the features of this device is the ability to do LDAP lookups of
incoming SMTP addresses against Exchange / AD...  This sounds like a good
feature because we get a lot of junkmail for users who are no longer with
the company and it would be nice just to block this junk outright so it
never reaches the Exchange server..

The problem I've encountered is that when I activate the LDAP lookups from
the Barracuda, the LSASS.exe process on the domain controller takes up 99%
of CPU time...  As soon as I disable the LDAP lookups, the LSASS.exe process
drops back down to nothing...  The LDAP query on the Barracuda takes
anywhere from 4-10 seconds to return (the two servers are located in the
same room on the same switch, so it's not like they're over a WAN or
anything)

I've done some searching and based on the info I found thought that indexing
the proxyAddresses attribute in AD would help speed up the searches.  Alas,
looking through the AD schema, the proxyAddresses attribute is already checked
for 'Index this attribute in Active Directory'...  

Can anyone offer any other suggestions for increasing the performance of the
LDAP lookups on the server and decreasing the processor utilization of
LSASS...  Of course I don't have access to the LDAP query itself on the
Barracuda to see what that looks like...

TIA for any suggestions!

Joe Pochedley
A computer terminal is not some clunky old television with a typewriter in
front of it. It is an interface where the mind and body can connect with the
universe and move bits of it about. -Douglas Adams 


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
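
An added example, not part of the thread and not Barracuda's code: one way a recipient-verification lookup like the one discussed above can build its filter, as an exact match on proxyAddresses with the sender-supplied address escaped per RFC 4515, so that a `*` in the address stays a literal instead of turning the equality lookup into a substring search. The function names and the sample addresses are assumptions.

```python
import re

# Characters that RFC 4515 requires to be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Conservative shape check for an SMTP recipient (an assumption for this
# example, not the full RFC 5321 grammar): one "@", no whitespace.
_ADDR = re.compile(r"[^@\s]{1,64}@[^@\s]{1,255}")


def escape_filter_value(value: str) -> str:
    """Escape one value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def recipient_filter(rcpt: str) -> str:
    """Return an equality filter on proxyAddresses for one recipient.

    The address arrives in RCPT TO from an untrusted sender, so it is
    validated and escaped before it is placed in the filter.
    """
    rcpt = rcpt.strip()
    if not _ADDR.fullmatch(rcpt):
        raise ValueError("not a plausible SMTP address: %r" % rcpt)
    return "(proxyAddresses=smtp:%s)" % escape_filter_value(rcpt)


if __name__ == "__main__":
    # Constructed sample recipients, not taken from the thread.
    samples = ["jdoe@example.com", "*@example.com", "a)(b@example.com", "no-at-sign"]
    for addr in samples:
        try:
            print("%-20s -> %s" % (addr, recipient_filter(addr)))
        except ValueError as exc:
            print("%-20s -> rejected (%s)" % (addr, exc))
```

The resulting filter string is the same whether the search is sent to port 389 or to the GC port 3268.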