
LSASS.exe is using 100% CPU usage on my SBS2003 DC.

For the life of me, I can't figure out what's causing it. I've checked the event logs and found a few things. I can't see if any of it is related. Nothing except ActiveSync errors (which started quite some time ago, before this issue occurred) gets logged on a regular basis.

The few logs that there are:

Event Type: Warning
Event Source:   MSDTC
Event Category: SVC
Event ID:   53258
Date:       02.05.2013
Time:       5:43:20 p.m.
User:       N/A
Computer:   SERVER
Description:
MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: %1

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

and

Event Type: Error
Event Source:   MSExchangeSA
Event Category: RFR Interface 
Event ID:   9143
Date:       02.05.2013
Time:       5:42:58 p.m.
User:       N/A
Computer:   SERVER
Description:
Referral Interface cannot contact any Global Catalog that supports the NSPI Service. Clients making RFR requests will fail to connect until a Global Catalog becomes available again. After a Domain Controller is promoted to a Global Catalog, it must be rebooted to support MAPI Clients. 

For more information, click http://www.microsoft.com/contentredirect.asp.

There are also some other MSExchangeAL errors:

Event Type: Error
Event Source:   MSExchangeAL
Event Category: LDAP Operations 
Event ID:   8026
Date:       02.05.2013
Time:       5:31:32 p.m.
User:       N/A
Computer:   SERVER
Description:
LDAP Bind was unsuccessful on directory SERVER.etcetera.local for distinguished name ''. Directory returned error:[0x51] Server Down.    

For more information, click http://www.microsoft.com/contentredirect.asp.

and

Event Type: Error
Event Source:   MSExchangeAL
Event Category: Service Control 
Event ID:   8250
Date:       02.05.2013
Time:       5:31:19 p.m.
User:       N/A
Computer:   SERVER
Description:
The Win32 API call 'DsGetDCNameW' returned error code [0x862] The specified component could not be found in the configuration information.  The service could not be initialized.  Make sure that the operating system was installed properly. 

For more information, click http://www.microsoft.com/contentredirect.asp.

and

Event Type: Error
Event Source:   MSExchangeAL
Event Category: LDAP Operations 
Event ID:   8026
Date:       02.05.2013
Time:       5:31:19 p.m.
User:       N/A
Computer:   SERVER
Description:
LDAP Bind was unsuccessful on directory SERVER.etcetera.local for distinguished name ''. Directory returned error:[0x51] Server Down.    

For more information, click http://www.microsoft.com/contentredirect.asp.

This is the only server in this domain. I've assumed, then, that the issue is coming from this machine, so I've been following Part 2 of this:

http://blogs.technet.com/b/askds/archive/2007/08/23/troubleshooting-high-lsass-cpu-utilization-on-a-domain-controller-part-2-of-2.aspx

I've tried a few options I've seen around. I have an entry in Notification Packages in HKLM\System\CurrentControlSet\Control\LSA of 'RASSFM KDCSVC WDIGEST scecli dsrestor'. I've read that the standard entry here does not include the dsrestor entry, though I'm hesitant to say this is the issue (I have an outage time tonight to test removing this + rebooting).

Anyone have any ideas of anything I can try?

Thanks! -Ewan

Ewan

1 Answer


Okay, I found the problem. Silly me - I didn't notice there was a duplicate LSASS.exe. Turns out this was malware mining Bitcoins, hence the high CPU usage.

Ewan
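An added check, not from the question or the answer, that a defender could run on the DC to catch the situation the answer describes (a second lsass.exe look-alike process) and to review the Notification Packages value the question mentions. It assumes PowerShell 2.0 or later with WMI access, an elevated session, and a baseline package list taken from the question (the entry without dsrestor); that baseline is an assumption, not a documented default.

```powershell
# Added example (not the original poster's code): flag lsass.exe look-alikes
# and report non-baseline LSA Notification Packages. Assumes PS 2.0+, run elevated.
$expected = Join-Path $env:SystemRoot 'System32\lsass.exe'

# Match process names that look like lsass (lsass.exe, lsas.exe, 1sass.exe, ...)
$procs = Get-WmiObject Win32_Process |
    Where-Object { $_.Name -match '^[l1][s5]a[s5]{1,2}\.exe$' }

$findings = foreach ($p in $procs) {
    $path = $p.ExecutablePath
    # Signature status of the on-disk image; the real binary is Microsoft-signed
    $sig = if ($path) { (Get-AuthenticodeSignature $path).Status } else { 'NoPath' }
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
    New-Object PSObject -Property @{
        PID       = $p.ProcessId
        Name      = $p.Name
        Path      = $path
        PathOK    = ($path -eq $expected)
        Signature = $sig
        Parent    = if ($parent) { $parent.Name } else { '(exited)' }
    }
}
$findings | Format-Table PID, Name, Parent, PathOK, Signature, Path -AutoSize

# Exactly one lsass.exe is expected on a healthy host
$count = @($findings).Count
if ($count -ne 1) { Write-Warning "Expected exactly one lsass.exe process, found $count" }
foreach ($f in $findings) {
    if (-not $f.PathOK) { Write-Warning "PID $($f.PID) runs from unexpected path '$($f.Path)'" }
    if ($f.Signature -ne 'Valid') { Write-Warning "PID $($f.PID) signature status: $($f.Signature)" }
}

# LSA Notification Packages: anything outside the assumed baseline is worth a look,
# since DLLs listed here are loaded into lsass.exe at boot.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$baseline = @('RASSFM', 'KDCSVC', 'WDIGEST', 'scecli')   # assumed baseline, from the question
$extra = @($lsa.'Notification Packages' | Where-Object { $baseline -notcontains $_ })
if ($extra.Count -gt 0) { Write-Warning "Non-baseline Notification Packages: $($extra -join ', ')" }
```

A warning on count, path or signature points at the duplicate-process case from the answer; the package check only lists differences from the assumed baseline and changes nothing.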